Implementing a Website Security Checklist

Websites have become essential for most any modern business. But all websites are not created equal, and it’s important to ensure you are doing your part to keep your business’s website secure. When your customers and users access your business website, how do they know that it can be trusted?
 
What Can Happen
Your website faces the public. It doesn’t matter how big your website is or what it contains, cyberattacks can (and will) occur. An attack can result in:
  • Defacement of the materials and content on your site
  • A denial of service (DoS) condition
  • Your traffic being directed to the attacker’s site
  • The attacker obtaining sensitive information
  • The attacker taking control of the website
  • Your website being brought down and stop functioning
The Threats Exposed
Possible cyberattacks include website defacement and DoS. These make the information services provided by the website unavailable for users. Another attack scenario results in the compromise of customer data. These threats affect confidentiality, integrity, and availability, which can severely damage the reputation of the website and its owner.
 
A subtler attack occurs when an attacker redirects the user to a compromised Web server which contains sensitive information that will be at risk of exposure, modification, or destruction. When the attacker uses a compromised website to enter a corporate network, other assets may be available to the attacker, such as user credentials, personally identifiable information (PII), administrative information, and technical vulnerabilities that could also be exploited. An attacker may repurpose the website infrastructure as a platform from which they can launch attacks against other systems.
 
Checklist for Improvement
A checklist provides the guidance, but following the checklist does not guarantee that you will be immune to cyberattacks. However, the following checklist and other security checklists should be used as formal methods of verifying that suitable security practices and procedures are followed. Some of the actions you can take are:
  • Don’t let users have more than necessary access (limited privileges) to the website, including interactive end users and service accounts.
  • Implement multifactor authentication for user logins.
  • Don’t use default vendor usernames and passwords. Change them before going live.
  • Look for and disable unnecessary, guest, and inactive accounts.
  • Use whitelisting of applications that are necessary for business needs so they don’t get inadvertently flagged.
  • Segment and segregate your network by configuring a demilitarized zone (DMZ). This makes it more difficult for attackers to move laterally within connected networks.
  • Catalog your assets and their locations. Look for data that does not need to be on the Web server and remove it from public access.
  • Protect your assets with multiple layers of defense including encryption and limited user access.
  • Always patch systems quickly. US-CERT provides regular alerts and bulletins concerning new vulnerabilities, security patch notifications, analysis, and tips.
  • Always perform periodic and routine backups. Ensure that your disaster recovery scenarios work as expected.
  • Create extended logging and store the logs on a separate centralized log server.
More Security Actions
Here are a handful of additional action items you can take to ensure your website is properly protected:
  • Sanitize user input, which removes any illegal character from the data and validates if the data is in proper form such as special characters and null characters.
  • Configure the website caching to optimize resource availability which increases resilience if it experiences unexpected high amounts of traffic during DoS attacks.
  • Implement cross-site scripting (XSS) and cross-site request forgery (XSRF) protections.
  • Website owners should implement a content security policy (CSP) to avoid an attacker successfully loading and running malicious JavaScript on the end user device.
  • Audit third-party services by vetting the third-party code.
  • Run static and dynamic security scans.
  • Implement Web application firewalls.
  • Consider using content delivery networks that will protect your website from malicious attackers.
  • Configure your website using load balancing and resilience when there is high traffic volume.
A checklist is just a list. How you go about using the checklist, your thoroughness, and who does the verification can make or dilute the effectiveness of your security efforts.