P. 40
1. Review
The first step in securing websites is to conduct a thorough review to identify security loopholes.
This can be done by using security scanning tools or by hiring expert security consultants to review
the websites. Loopholes identified in this step should be fixed as soon as possible.
Security reviews should be scheduled and carried out at least once every six months.
2. Protect
After the security review, measures should be put in place to protect the website. It is important to
have web application firewalls (WAFs) in addition to network firewalls. A WAF provides filters that
apply a set of rules to an HTTP conversation, and can detect and prevent common
“Layer 7” web application attacks such as cross-site scripting (XSS) and SQL injection.
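The rule-matching a WAF performs on an HTTP conversation, as an added example that is not part of the article and not any vendor's product: it parses a raw request, URL-decodes the client-controlled parts the way the application would, and applies a small constructed rule set. The rule identifiers, patterns, host name and sample requests are all assumptions made for this illustration; a production rule set such as the OWASP Core Rule Set is far larger and tuned against false positives.

```python
"""Added example (not from the article): a minimal signature-based WAF filter."""
import re
from dataclasses import dataclass
from urllib.parse import unquote, unquote_plus


@dataclass(frozen=True)
class Rule:
    rule_id: str          # constructed identifier, not a real rule-set id
    description: str
    pattern: re.Pattern
    targets: tuple        # request parts this rule inspects


# Constructed rule set: intentionally small, matching only textbook payload shapes.
RULES = (
    Rule("XSS-001", "script tag or inline event handler in client-supplied data",
         re.compile(r"<\s*script\b|\bon\w+\s*=", re.IGNORECASE),
         ("path", "query", "body")),
    Rule("SQLI-001", "tautology or comment sequence typical of SQL injection",
         re.compile(r"\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+|--\s|;\s*drop\b",
                    re.IGNORECASE),
         ("query", "body")),
)


def _decode(value: str, plus_is_space: bool) -> str:
    """Decode twice so double-encoded input (%253C -> %3C -> <) is seen as the app sees it."""
    fn = unquote_plus if plus_is_space else unquote
    return fn(fn(value))


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into the parts the rules inspect."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    return {
        "method": method,
        "path": _decode(path, plus_is_space=False),
        "query": _decode(query, plus_is_space=True),
        "body": _decode(body, plus_is_space=True) if is_form else body,
        "headers": headers,
    }


def evaluate_request(raw_request: str) -> dict:
    """Apply every rule to its target parts; block if any rule matches."""
    req = parse_request(raw_request)
    matches = [rule.rule_id for rule in RULES
               if any(rule.pattern.search(req[target]) for target in rule.targets)]
    return {"action": "block" if matches else "allow", "matches": matches, "path": req["path"]}


# Constructed sample requests; the host name is a placeholder.
BENIGN = ("GET /search?q=security+review&page=2 HTTP/1.1\r\n"
          "Host: www.example.test\r\n\r\n")
XSS_QUERY = ("GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\n"
             "Host: www.example.test\r\n\r\n")
XSS_DOUBLE_ENCODED = ("GET /search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1\r\n"
                      "Host: www.example.test\r\n\r\n")
SQLI_FORM = ("POST /login HTTP/1.1\r\n"
             "Host: www.example.test\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "user=admin%27+OR+1%3D1--+&pass=x")

if __name__ == "__main__":
    for name, raw in [("benign", BENIGN), ("xss", XSS_QUERY),
                      ("xss double-encoded", XSS_DOUBLE_ENCODED), ("sqli", SQLI_FORM)]:
        print(f"{name:20s} -> {evaluate_request(raw)}")
```

Two design points matter more than the patterns themselves: decoding happens once, before any rule runs, so a rule never sees an encoded form the application would later decode; and a rule's targets are explicit, so a SQL pattern is not applied to a header where it would only generate noise. Signature rules like these stop the common cases the article names; they are not a substitute for fixing the loophole found in the review.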
3. Detect
No protection is foolproof, especially since cyber threats morph very fast and hacking methods
are ever-changing. It is therefore important to have a proactive detection mechanism for the
unfortunate event that the website is defaced or breached. Sometimes a defacement is first
detected by external parties, such as members of the public or a customer, before the
internal team gets wind of it. Such a situation is a major embarrassment and can damage
the organization's reputation. Proactive monitoring allows the organization's security team
to act quickly, before external parties discover the breach, and so protects that reputation.
Monitoring and detection can be done manually, by having someone scan the web pages on a
regular basis. There is also automated software that scans websites and provides reports,
as frequently as every few minutes.
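The automated scanning just described, as an added example that is not from the article: a monitor records a known-good fingerprint of each important page after a review, re-checks the pages on a schedule and reports any page whose content changed or that can no longer be fetched. The page contents, URLs and "volatile" regions (a generated timestamp and a CSRF token) are constructed for this example; the fetcher reads an in-memory site so the code runs offline, whereas a real monitor would fetch over HTTPS from a host separate from the web server.

```python
"""Added example (not from the article): a hash-based website defacement monitor."""
import hashlib
import re
from typing import Callable, Dict, List, Optional

# Page regions that legitimately differ on every request and must not raise an
# alert. Both patterns are constructed to match this example's sample pages.
VOLATILE = (
    re.compile(r'<meta name="generated" content="[^"]*">'),
    re.compile(r'name="csrf_token" value="[^"]*"'),
)

Fetcher = Callable[[str], Optional[str]]  # returns the page body, or None if the request failed


def canonical(html: str) -> str:
    """Strip volatile regions and collapse whitespace so only real content changes count."""
    text = html
    for pattern in VOLATILE:
        text = pattern.sub("", text)
    return re.sub(r"\s+", " ", text).strip()


def fingerprint(html: str) -> str:
    return hashlib.sha256(canonical(html).encode("utf-8")).hexdigest()


def build_baseline(urls, fetch: Fetcher) -> Dict[str, str]:
    """Record the known-good fingerprint of every monitored page (taken right after a review)."""
    baseline = {}
    for url in urls:
        body = fetch(url)
        if body is None:
            raise RuntimeError(f"cannot baseline {url}: fetch failed")
        baseline[url] = fingerprint(body)
    return baseline


def check(baseline: Dict[str, str], fetch: Fetcher) -> List[dict]:
    """One monitoring round: report pages that changed or could not be fetched."""
    findings = []
    for url, expected in baseline.items():
        body = fetch(url)
        if body is None:
            findings.append({"url": url, "status": "unreachable"})
            continue
        observed = fingerprint(body)
        if observed != expected:
            findings.append({"url": url, "status": "changed",
                             "expected": expected[:12], "observed": observed[:12]})
    return findings


# Constructed in-memory site. The later snapshot carries a fresh timestamp and CSRF
# token on "/" (legitimate), replaced content on "/about" (a defacement) and no
# "/contact" page at all (a failed request).
SITE_AT_BASELINE = {
    "/": '<html><meta name="generated" content="2024-01-01T00:00:00Z"><body>'
         '<h1>Example Corp</h1><form><input name="csrf_token" value="a1b2"></form></body></html>',
    "/about": "<html><body><h1>About Example Corp</h1><p>We build things.</p></body></html>",
    "/contact": "<html><body><p>contact@example.test</p></body></html>",
}
SITE_LATER = {
    "/": '<html><meta name="generated" content="2024-01-01T00:05:00Z"><body>'
         '<h1>Example Corp</h1><form><input name="csrf_token" value="z9y8"></form></body></html>',
    "/about": "<html><body><h1>About Example Corp</h1>"
              "<p>Page content replaced by an unauthorized party.</p></body></html>",
}


def make_fetcher(pages: Dict[str, str]) -> Fetcher:
    return lambda url: pages.get(url)


def run_demo() -> List[dict]:
    baseline = build_baseline(SITE_AT_BASELINE, make_fetcher(SITE_AT_BASELINE))
    return check(baseline, make_fetcher(SITE_LATER))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

In use, `check` would be run from cron or a loop every few minutes against the live site, with findings sent to the security team's alerting channel. Running it from a host other than the web server matters: a monitor that lives on the compromised machine can be silenced along with the site. The volatile-region list is the part that needs care, since every dynamic element that is not canonicalised becomes a false alarm, and an overly broad pattern would hide a real change.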
4. Response and Recovery
Organizations need to work out an incident response and recovery plan before a website
defacement or security breach happens. Such “crisis management plans” can include backing
up web servers, creating temporary landing pages, and so on. It is important to note that security
vulnerabilities should be remedied before websites are restored from backups, so as to prevent
repeat incidents of the same type of breach. The affected organization can also consider
keeping secure temporary landing pages on stand-by. This way, the organization can
consistently show a decent corporate website even in the face of attacks, and gain time for
back-end incident handling and forensics.
After the “response and recovery” stage, the organization should go back to the first step, the
“security review”, so as to plan for and prevent future attacks. Securing websites is therefore
done effectively only when it is viewed as a continuous process made up of the activities
described above.
Many organizations tend to have lax security controls in place for websites, as different groups
of people (e.g. the marketing department, managers / administrators, the webmaster, etc.) are able to
make changes to the corporate website. It is thus important to get these personnel to work
closely with the IT security team to establish a tight change management process. The combination
Cyber Warnings Magazine - September Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide