Guide to Securing Web Presence for Businesses

Published on 06 Nov 2013

by GOsafeonline


Preventive Measures

Once your organisation decides to have a web presence (such as a website), you need to be prepared to deal with cyber threats on the Internet. You need to be mindful of three aspects of the information that is posted, processed or received through your web front. The first aspect is the information’s confidentiality: all sensitive information needs to be protected to prevent it from being stolen by attackers. Next is the integrity of the information. Attackers may compromise the integrity of the information presented on your website by exploiting vulnerabilities in your website. By finding loopholes in your website’s code or scripts, attackers may deface it (i.e. change its visual appearance), alter information, and even plant malicious code or files on your website. The third aspect is the availability of your web front, which is about keeping your website accessible to users. If the IT infrastructure supporting your website does not have sufficient resources to cater to all visitors’ transaction requests, it may hit its maximum load and subsequent visitors will not be able to access your website. Attackers may also cause your website to be unavailable by generating a large number of transaction requests, known as a Denial of Service (DoS) attack.

To secure your website from cyber threats, we recommend that you review your IT setup and adopt the appropriate security measures. The following are recommended cyber security practices.

Conduct Regular Vulnerability Assessment

Prior to launching any web-based system, and after every functional change to your website, conduct web application vulnerability scanning to identify and patch known vulnerabilities and minimise the risk of attack. There are many commercial and free tools that can assist you with this. You may also refer to the OWASP Top 10 for the list of common vulnerabilities and the steps to secure against them.

Secure Your Website Infrastructure

  • If your website infrastructure contains a database layer, adopt a multi-tier architecture (i.e. preferably web tier, app tier and database tier) where possible. The middle layer (i.e. the app tier) acts as an intermediary that processes the data collected from the web tier before the request is passed on to the database tier. This segregation prevents an attacker from gaining direct access to database records residing in the database tier.
  • To protect your website from unauthorized access and application-level attacks, deploy a Web Application Firewall (WAF).
  • Perform regular backups of your website including your database records (where appropriate). If your website has high transaction volume, it is recommended that you perform frequent incremental backups (e.g. hourly), on top of full backup.
  • For the user accounts you need for accessing your website, require the use of complex passwords that are at least 8 characters long and use a mix of upper and lowercase characters, numbers and symbols. The longer the password, the longer it takes for an attacker to crack it using a brute force approach. As even the strongest password can be cracked given sufficient time, change your passwords regularly, at least once every three months.
  • To reduce the likelihood of unauthorised access to your systems, avoid allowing remote access to your servers. If there is an operational need, limit the number of users who can do this, log all such access, regularly review this log and, if possible, implement two-factor authentication.
  • Ensure that all the software used for your website, including your operating system, content management system and your own developed applications, is regularly updated to patch all known vulnerabilities.

Security Monitoring

There is a need to deploy some form of security monitoring of your website so that you are alerted when there are abnormal access patterns (e.g. many failed login attempts over a sustained period, or unusual error messages from your web application) and when there are attempts to compromise or break into your website. You can deploy the solutions yourself or subscribe to commercial services – typically referred to as managed security services.
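As an added illustration (not from the original guide) of the failed-login and error-pattern alerts described above, the following Python script parses constructed web server access log lines and flags source addresses that show a sustained run of failed logins or a burst of server errors; the log format, the `/login` path, the thresholds and the time window are all assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample web server access log (Common Log Format style); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Nov/2013:10:00:01 +0800] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [06/Nov/2013:10:00:05 +0800] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [06/Nov/2013:10:00:09 +0800] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [06/Nov/2013:10:00:14 +0800] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [06/Nov/2013:10:00:20 +0800] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [06/Nov/2013:10:01:00 +0800] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [06/Nov/2013:10:02:00 +0800] "GET /products?id=1 HTTP/1.1" 500 300
198.51.100.9 - - [06/Nov/2013:10:02:01 +0800] "GET /products?id=2 HTTP/1.1" 500 300
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    # Returns (ip, timestamp, method, path, status) or None for an unparseable line.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def failed_login_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with >= threshold failed logins (401 on POST /login) inside any window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/login" and rec[4] == 401:
            attempts[rec[0]].append(rec[1])
    flagged = []
    for ip, times in attempts.items():
        times.sort()
        start = 0  # sliding window over this IP's failure timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

def server_error_sources(log_text, threshold=2):
    """Source IPs that triggered at least `threshold` HTTP 5xx responses;
    a burst of application errors from one client is worth a closer look."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and 500 <= rec[4] < 600:
            counts[rec[0]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

In practice the same logic would run continuously over the live log and feed an alerting channel rather than a one-off sample.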

Overview of Steps to Recover from a Cyber Attack

In the unfortunate event that your website has been compromised, you will need to take appropriate steps to recover your system. The following are recommended steps for recovering your website, depending on the type of attack encountered.

Suggested Steps to Recover from a Website Defacement Attack
  1. Firstly, assess if any data was lost. If data is lost, the following are suggested:
    a. Assess the type and amount of data lost
    b. Where data such as account credentials is lost, inform customers of the possible account compromise and request that they change their passwords. Ensure a strong password policy is applied.
    c. Where financial data such as credit card details is lost:
      i. Inform your payment gateway service provider immediately and seek their advice on follow-up actions.
      ii. Suspend all goods and/or services delivery until the transactions can be proven authentic.
      iii. Seek advice on ensuring that the website is compliant with the PCI security standard (PCI DSS).
  2. Ensure containment of the affected system has been performed so that follow-up investigations can be conducted. Containment prevents further damage to the compromised system and stops further loss of data. It also preserves information for further analysis of how the compromise was carried out, which becomes digital evidence for investigation or legal prosecution. Common containment procedures include securing the affected system(s) to prevent alteration until a backup using a forensic approach has been made.
  3. Procedures to preserve information
    a. Identify the location and/or owner of the system(s) involved in the incident
    b. Disconnect the system or appliance from the network or access to other systems by disconnecting the network cable at the network jack in the wall, switch or router.
    c. Do not power off the device as this could delete useful information for an investigation.
    d. Remove drives or media known or suspected to be compromised.
    e. Isolate the device to discontinue its use
    f. Capture and preserve system, appliance and application logs, network flows, drives and removable media to aid in forensic analysis.
  4. If the defaced website does not carry out transactions and purely presents information, consider opting for a static website, i.e. a website that has text-only pages and no programs or scripts running in the background to present information.
  5. If a dynamic (non-static) website is required, perform vulnerability assessment and/or penetration testing prior to bringing the website online again. This can be done in-house by your security team or you can procure professional security services.
  6. After information preservation/containment, perform the following steps prior to bringing the website online again:
    a. Reinstall the operating system (on another system, or using another hard disk, in order to preserve the evidence of the defacement)
    b. If a website and/or database backup has previously been made, restore the system from the latest backup available.
    c. Install all relevant patches for the operating system, middleware applications, web server and database
    d. Secure your system (including the operating system, web server and database) by reducing its vulnerabilities. In computing terms, this procedure is known as system hardening (e.g. disable or uninstall services such as FTP if they are not required).
    e. Ensure recommendations from the vulnerability assessment and/or penetration testing have been applied
    f. Ensure a strong password policy is applied for all accounts (administrator and user accounts)
  7. Enable website monitoring and turn on logging to monitor for any suspicious activity, then bring the website online. This can be done either in-house or by engaging a professional service.
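One simple form of the website monitoring called for in step 7, added here as an illustration and not part of the original guide, is a file-integrity baseline: hash every file in the web root once the site has been restored and hardened, then re-hash on a schedule and raise an alert on any modified, added or removed file. The web root layout and file contents below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def build_baseline(web_root):
    """Map each file under web_root (relative path) to its SHA-256 digest.
    Run this on a known-good site right after restoring from backup and hardening."""
    baseline = {}
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(full, web_root)] = digest
    return baseline

def check_integrity(baseline, web_root):
    """Re-hash the live web root and report files modified, added or removed
    since the baseline; any non-empty list warrants investigation."""
    current = build_baseline(web_root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def simulate_defacement_check():
    """Constructed scenario: a tiny static site is baselined, then its index page is
    overwritten and an unexpected file appears; returns the integrity report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>Welcome</h1>")
        with open(os.path.join(root, "css", "site.css"), "w") as fh:
            fh.write("body { color: black; }")
        baseline = build_baseline(root)          # taken from the known-good site
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>Site defaced</h1>")    # simulated defacement
        with open(os.path.join(root, "unexpected.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder file */ ?>")
        return check_integrity(baseline, root)

if __name__ == "__main__":
    print(simulate_defacement_check())
```

Store the baseline somewhere the web server account cannot write, otherwise an intruder who can alter pages can also alter the record you compare against.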

Suggested Steps to Recover from a Distributed Denial of Service (DDoS) Attack

  1. Work with your upstream Internet Service Providers (ISPs) to mitigate the DDoS traffic. If possible, this arrangement with your ISP should be done before the attack happens.
  2. Consider subscribing to a content delivery network service, which hosts your website across multiple data centres. This serves to distribute network traffic and ensure your website remains accessible. 
  3. Limit websites to static and text information only, where possible. 
  4. Limit the use of images/videos or highly dynamic content.


Help Channels

You can refer to the Singapore Computer Emergency Response Team (SingCERT) for phone assistance should the need arise. SingCERT can be contacted at (+65) 6323 5052 or singcert@csa.gov.sg. You may also visit the SingCERT website at https://www.csa.gov.sg/singcert for more information.

If you are interested in pursuing the intruder through a formal investigation or seeking legal prosecution, you may wish to contact the Singapore Police Force Technology Crime Investigation Branch at (+65) 6435 0000. SingCERT does not have legal expertise and cannot offer legal advice or opinions.