This advice has been collated by EMSOU and is intended for wider distribution within the East Midlands Region to raise awareness among businesses and the public.
Advice and information are changing daily as we navigate our way through the COVID-19 pandemic, so please ensure you only take information from reputable sources. If you require any further information, assistance or guidance, please contact the EMSOU Protect Team or your local Force Protect team.
Today’s Topic is Website Security
Websites are the shop window of organisations, an opportunity to display goods or services and present a professional corporate image. For cybercriminals, they represent an exploitable opportunity to adversely impact the good reputation and financial wellbeing of a company.
In August 2014, the IT security company Hold Security revealed that Russian hackers had stolen 1.2 billion logins and passwords from 420,000 websites around the world. This potentially gave a group of hackers, known as “CyberVor”, access to 500 million email accounts. The hackers used specially programmed ‘botnets’ to visit sites and perform vulnerability tests, accessing back-end databases where site security was weak.
Different types of attacks include:
• A denial of service attack: Which overloads the systems that host the web content, taking the pages offline.
• A SQL injection attack: Where an attacker enters script to access customer data that sits within the database on the back-end of the site. An LDAP injection attack is similar, but targets information about internal network users, which a hacker can use to their advantage.
• Website defacement: A form of electronic vandalism to spread political messages or offensive material.
• Cross-site scripting (XSS): The corruption of a website so that malicious code runs in the browser of the person visiting the site. This permits an adversary to steal credentials, install malware and mine sensitive information from the victim’s computer.
• Using insecure references: Manipulating the URL to steal data or map the internal IT infrastructure. For example, a URL that looks like http://cybex.com/human-resources/fileserver1/ gives away essential information about the setup of the organisation.
Mitigations include:
• Sanitise all user input: By treating any information entered into a field as plain text so that it is rendered harmless. Limit the amount of text that can be entered into a website form and use drop-downs where possible.
• Use stored procedures and parameterised queries: So that communication with, and manipulation of, back-end database systems remains safe. A Database Activity Monitor (DAM) will also detect malicious code and greatly increase security.
• Use both DAST and SAST: These are testing methodologies for finding vulnerabilities within a website. Static Application Security Testing (SAST) scrutinises the source code, whilst Dynamic Application Security Testing (DAST) discovers vulnerabilities by running the web application.
• Harden web servers: With the secure configurations recommended by the vendor, Government agencies or industry best practice. Systems should also be in place to ensure baseline compliance and prevent unauthorised modifications.
• Use network segmentation: Placing the web server in a properly configured demilitarized zone (DMZ) limits the type of network traffic permitted between systems in the DMZ and systems on the internal corporate network.
• Continuously scan: For known vulnerabilities on internet-accessible systems. Replace unsupported operating systems, applications, and hardware.
• Use a web application firewall: Which monitors and filters HTTP traffic using blacklists or whitelists.
• Enrol in a DoS protection service: Which redirects malicious traffic away from the network. An Internet Service Provider can also offer advice regarding firewall configurations. Finally, a load balancer or a Content Delivery Network (CDN) can also be an effective mitigation.
• Secure data in transit: To ensure communications between the website and the user are encrypted, always enforce the use of HTTPS and HSTS, and disable plain HTTP, which is unencrypted and does not give you a secure connection. It is also wise to configure your server to accept only TLS 1.2 (or newer) with strong cipher suites.
• Use a backup solution: That automatically and continuously backs up critical data and system configurations for the website, after scanning them for malicious code. Keep backup media encrypted and offline. Ensure backups are periodically tested.
Please report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to email@example.com. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).