On November 3, 2021, the Canadian Centre for Cyber Security released an important document for governments as well as small/medium and large enterprises—it is entitled, “Security considerations when developing and managing your website (ITSAP.60.005)”. It discusses security and privacy protection measures that organizations can start using in order to tackle the issue of cyber threats that can compromise websites.
Why is this important?
While websites serve an important function for organizations, it is important to acknowledge that there are some significant dangers to be aware of—cyber threats have the potential to seriously compromise a website. The resulting damage can be considerable and affect business functions, revenue, and reputation.
What exactly are the threats? Some examples include:
- injection attacks—any exploitation where a threat actor provides an untrusted input such as malicious code into a system to modify operations or data
- cross-site scripting (XSS) attacks—a threat actor uses XSS to compromise a web server and inject malicious code into trusted websites. When users visit the website, their browsers execute the script, putting cookies, session tokens, or sensitive information at risk. XSS attacks exploit the trust that a user has in a website
- cross-site request forgery (CSRF) attacks—an attack that tricks users into executing unwanted actions in their browsers, such as logging out, downloading account information, or uploading a site cookie. CSRF attacks exploit the trust that a website has in a user’s browser
Not only do these common threats affect the organizations involved, but they also affect their supply chains, affiliated organizations, and customers.
Consequently, the Canadian Centre for Cyber Security aims to reduce the likelihood and impact of threats by recommending that organizations develop and maintain their websites with security in mind. There are several security and privacy protection measures that can be taken to begin the process of properly protecting an organization’s website and minimizing the risks.
How can organizations begin to address cyber threats that can compromise a website?
The Canadian Centre for Cyber Security points out that an organization’s website is essentially a gateway between the Internet and an organization. The main goal of threat actors is to exploit vulnerabilities and misconfigurations in order to steal, alter, or delete sensitive data such as vendor portals, customer data, sales leads, or operational and financial information.
This is why it is important to observe the following recommended security and privacy best practices with the following main themes in mind:
- Secure architecture: The website’s architecture includes elements, relationships, selected components, and design principles. These need to be secure, which can be accomplished by applying principles such as segregation and redundancy. Another important step is to require the use of HTTPS by default on the website to ensure sensitive data, such as authentication data and proprietary information, is encrypted in transit
- Access control: Since access controls define who can access what resources on the website and restrict what information they can see and use, it is necessary to define specific access controls and implement the principle of least privilege to ensure that users only have the access needed to carry out their authorized functions. Organizations are also recommended to consider all web application access control layers such as application presentation layer or data layer, and permissions such as URL-based, file system and server, and application business logic. It is critical to identify access control layers in coding standards and rigorously test them before deploying web services
- Authentication: Authentication issues are critical because they deal with the mechanisms used to validate a user’s identity. It is necessary to implement a strong password policy that includes multi-factor authentication (MFA) for additional security. It is never a good idea to send passwords in plaintext over the Internet—use hashes and encryption instead. Organizations can also lock accounts and delay logins following a series of unsuccessful login attempts (make sure that there is a secure account recovery process)
- Service providers: Organizations that use a service provider may not have access to the infrastructure or control over the associated security functions. But the important thing to remember is that an organization is still legally responsible for protecting the confidentiality and integrity of the data. Therefore, organizations are recommended to review a service provider’s data security and privacy protection capabilities and policies before contracting with the company. When working with a service provider, it is a good practice to clearly define the roles and responsibilities of the organization and the service provider when it comes to security
- Input validation: This involves verifying that users and applications can only input properly formed data, such as in fields, forms, or queries. Since all inputs on the website should be considered untrusted, it is important to validate inputs within the web services, including ones in these areas: client browsers; web application firewalls; web servers; databases; and application business logic. Inputs should also be validated as early as possible in the process to reduce strain on the servers. To control inputs, it is necessary to enforce expected input lengths to weed out invalid values and limit free-form inputs to minimize the risk of script injection. It is also necessary to protect valuable information about the database by hiding structured query language (SQL) error messages from end users
- Secure configuration: Organizations are recommended to review configurations to identify any vulnerabilities such as unused ports or services, unprotected files, or directories. Also, it is important to turn off directory browsing to protect the website’s structure. Other good practices include removing any unnecessary web operation files, disabling browser credential caching to protect sensitive information, and implementing configuration management to promote secure coding and maintain baselines across the organization
- Session management: Threat actors want to interrupt or hijack sessions to intercept data or impersonate authenticated users. Organizations are recommended to randomize session identifiers to prevent threat actors from inferring session identifier sequences. It is also important that session identifiers have an acceptable minimum length to protect against brute force attacks. In addition, it is important to store sensitive session tracking data on the server side of the web service with an appropriate retention period, and destroy it at the expiry date. Another good practice is to expire session data when a user logs out or is inactive for a specified time. In terms of session cookies, it is necessary to use the secure cookie attribute to prevent cookies from being sent over an unencrypted channel
- Secure operations: Organizations are recommended to prevent, identify, and respond to cyber threats and incidents involving their websites. To accomplish this goal, it is necessary to continuously monitor website activity for anomalous behaviours, such as repeated log-in or injection attempts, or credential stuffing attacks. To promote the ongoing security and functionality of web services, it is important to implement a patch management process to acquire, test, and install patches and updates on systems and devices. Organizations are also recommended to patch underlying systems, content management systems, web applications, and plug-ins. Another good practice is to promote security awareness within the organization and with customers—this can create trust with partner organizations, supply chain, and customers
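The authentication bullet above (never store or compare plaintext passwords, lock accounts and delay logins after repeated failures), as an added Python example that is not part of the CCCS document or this article; the `Authenticator` class, the five-attempt threshold and the 15-minute lockout are assumptions chosen for illustration:

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5       # consecutive failures before the account is locked (assumed value)
LOCKOUT_SECONDS = 15 * 60     # how long the lock lasts (assumed value)
DUMMY_SALT = b"\x00" * 16     # keeps unknown-user checks as slow as real ones


def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest): a salted scrypt hash, so the plaintext is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


class Authenticator:
    """Hypothetical user store: verifies hashes and locks accounts after repeated failures."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so the lockout window can be tested
        self._users = {}               # username -> {salt, hash, failures, locked_until}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest,
                                 "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'; the reason given out is deliberately coarse."""
        now = self._clock()
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, DUMMY_SALT)   # same cost as a real check
            return "denied"
        if now < rec["locked_until"]:
            return "locked"                       # delay every attempt while locked
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "denied"
```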
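The input validation bullet above (validate at the earliest point, enforce expected lengths and shapes, keep SQL error text away from end users), as an added Python example that is not part of the CCCS document or this article; the in-memory SQLite table, the field rules and the function names are constructed for illustration:

```python
import logging
import re
import sqlite3

# Constructed in-memory database standing in for the site's real backend.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
_db.execute("INSERT INTO users VALUES ('alice', 'alice@example.org')")

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")   # allow-listed shape and length (assumed rule)
MAX_COMMENT_LEN = 500                          # cap on the one free-form field (assumed rule)
GENERIC_ERROR = "request could not be processed"


def check_username(raw) -> dict:
    """Validate at the edge, before the value reaches any query or business logic."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        return {"ok": False, "error": "username must be 3-32 of a-z, 0-9 or _"}
    return {"ok": True, "value": raw}


def check_comment(raw) -> dict:
    """Free-form text is only length-limited here; it must still be escaped on output."""
    if not isinstance(raw, str) or len(raw) > MAX_COMMENT_LEN:
        return {"ok": False, "error": "comment exceeds %d characters" % MAX_COMMENT_LEN}
    return {"ok": True, "value": raw}


def safe_query(sql: str, params: tuple) -> dict:
    """Run a parameterised query; engine error text goes to the log, never to the user."""
    try:
        return {"ok": True, "rows": _db.execute(sql, params).fetchall()}
    except sqlite3.Error as exc:
        logging.error("database error: %s", exc)   # full detail stays server-side
        return {"ok": False, "error": GENERIC_ERROR}


def lookup_email(raw_username) -> dict:
    """Handler-style function: reject bad input first, then query with placeholders."""
    checked = check_username(raw_username)
    if not checked["ok"]:
        return checked
    result = safe_query("SELECT email FROM users WHERE username = ?", (checked["value"],))
    if result["ok"]:
        result["email"] = result["rows"][0][0] if result["rows"] else None
    return result
```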
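The session management bullet above (random identifiers of sufficient length, server-side session data with an expiry, destruction on logout or inactivity, the Secure cookie attribute), as an added Python example that is not part of the CCCS document or this article; the `SessionStore` class and the 15-minute idle and 8-hour absolute limits are assumptions chosen for illustration:

```python
import secrets
import time

SESSION_ID_BYTES = 32          # 256 bits of randomness: not guessable, not sequential
IDLE_TIMEOUT = 15 * 60         # seconds of inactivity before a session expires (assumed)
ABSOLUTE_LIFETIME = 8 * 3600   # hard retention cap regardless of activity (assumed)


class SessionStore:
    """Server-side session store; the browser only ever holds the opaque identifier."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested deterministically
        self._sessions = {}        # sid -> {user, created, last_seen}

    def create(self, user_id: str) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid: str):
        """Return the user for a live session, or None (destroying it if it has expired)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        idle_expired = now - rec["last_seen"] > IDLE_TIMEOUT
        life_expired = now - rec["created"] > ABSOLUTE_LIFETIME
        if idle_expired or life_expired:
            self.destroy(sid)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def destroy(self, sid: str) -> None:
        """Called on logout so the identifier cannot be replayed afterwards."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure (TLS only), HttpOnly (no script access), SameSite (CSRF)."""
    return "sid=%s; Path=/; Secure; HttpOnly; SameSite=Strict" % sid
```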
What else can organizations do to protect their websites?
For further details concerning these cybersecurity best practices, it is recommended that organizations view the document entitled, “Security considerations for your website (ITSM.60.005)”.
Not only does the Canadian Centre for Cyber Security elaborate on the items discussed above, but it also provides a helpful checklist for organizations to use when developing and managing their websites. The checklist summarizes measures that are suggested to be implemented in order to address the common web application risks.