Website Security
Website security consists of
properly securing your web servers and the network infrastructure that supports
them. Web servers host the data and other content available to your customers
or clients on the internet.
The following are examples of
specific security threats to web servers:
- Cyber criminals may exploit software bugs in the web server, the underlying
operating system, or the active content it runs (server-side scripts and web
applications) to gain unauthorized access to the web server.
- Examples of unauthorized access
include gaining access to files or folders that were not meant to be publicly
accessible, and being able to execute commands and/or install malicious software
on the web server.
- Denial-of-service attacks may be directed at the web server to prevent or
hinder your website's users from using it. Such an attack typically works by
flooding the server or its network link with more requests or traffic than it
can handle, so that legitimate requests go unanswered; the same technique can
take down email, online accounts, or any other service the server provides.
- Sensitive information on the web
server may be read or modified without authorization.
- Sensitive information transmitted unencrypted between the web server and the
browser may be intercepted in transit. Serving the whole site over HTTPS (TLS),
not only login or payment pages, is the standard defense.
- Information on the web server may be
changed for malicious purposes. Website
defacement—an attack on a website that changes its visual appearance—is a
commonly reported example of this threat.
- Cyber criminals may use a successfully attacked web server as a foothold to
gain unauthorized access to resources elsewhere in the organization's network.
- Cyber criminals may also attack
external entities after compromising a web server. These attacks can be
launched directly (e.g., from the compromised server against an external
server) or indirectly (e.g., placing malicious content on the compromised web
server that attempts to exploit vulnerabilities in the web browsers of users
visiting the site).
- The server may be used as a
distribution point for attack tools, pornography, or illegally copied software.
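Two of the threats above, a request flood and probing for files outside the public tree, leave recognizable traces in the web server's access log. The following Python script is an added example, not part of this page or of any particular server product: it parses constructed sample log lines in the Apache/nginx "combined" format, reports any client that sends an unusually high number of requests within a sliding time window, and flags requests for traversal paths or hidden files such as /.git and /.env (after percent-decoding, so /%2e%2e/ is caught too). The log format, the flood threshold of 20 requests per 60 seconds, and the sample lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# One line of the Apache/nginx "combined" access-log format (an assumption about
# the server's logging configuration).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')   # "/../" segments climbing out of the docroot
DOTFILE = re.compile(r'(^|/)\.[^/.]')       # hidden names such as /.git, /.env, /.htaccess


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def flood_sources(entries, window_seconds=60, threshold=20):
    """Map each client IP to its peak request count within any sliding window of
    window_seconds, keeping only IPs at or above threshold (a simple request flood)."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def sensitive_path_hits(entries):
    """Flag requests for paths outside the intended public tree: directory
    traversal and hidden files or directories, checked after percent-decoding."""
    hits = []
    for e in entries:
        raw = e["path"].split("?", 1)[0]
        path = unquote(raw)  # catch %2e%2e-style encodings of the same thing
        if TRAVERSAL.search(path):
            reason = "path traversal"
        elif DOTFILE.search(path):
            reason = "hidden file or directory"
        else:
            continue
        hits.append({"ip": e["ip"], "path": raw, "status": e["status"], "reason": reason})
    return hits


def analyze(log_text, **flood_opts):
    """Parse a whole log and run both checks; unparseable lines are skipped."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "entries": len(entries),
        "floods": flood_sources(entries, **flood_opts),
        "sensitive": sensitive_path_hits(entries),
    }


def constructed_log():
    """Constructed sample log (not captured from any real server): two normal
    visits, four probes from one host, and a 30-request burst from another."""
    lines = [
        '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "curl/8.0"',
        '198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 400 0 "-" "curl/8.0"',
        '198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.0"',
        '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /.env HTTP/1.1" 403 162 "-" "curl/8.0"',
    ]
    for i in range(30):  # 30 requests in 15 seconds from one source
        lines.append(
            f'192.0.2.9 - - [10/Oct/2023:13:57:{i // 2:02d} +0000] '
            f'"GET /search?q={i} HTTP/1.1" 200 512 "-" "python-requests/2.31"'
        )
    return "\n".join(lines)


if __name__ == "__main__":
    report = analyze(constructed_log())
    print(f"{report['entries']} entries parsed")
    for ip, peak in report["floods"].items():
        print(f"flood: {ip} sent {peak} requests within one window")
    for h in report["sensitive"]:
        print(f"probe: {h['ip']} {h['path']} -> {h['status']} ({h['reason']})")
```

Tune the threshold to the traffic your site normally sees; a per-IP count will not catch a distributed flood spread across many sources, and the status column tells you whether a probe was actually served (200) or refused (400, 403, 404), which is what decides whether the finding is an incident or merely a scan.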
To defend against such threats, your company should develop a website security
policy and plan the security aspects of deploying a public web server carefully.
Security is much harder to retrofit once a server has been deployed and is in
use, so it should be considered from the initial planning stage.
- Businesses are more likely to configure computers appropriately and
consistently when they develop and use a detailed, well-designed deployment
plan. Your business should also consider the human resource requirements for
the deployment and continued operation of the web server and supporting
infrastructure, including:
  - Types of personnel required, e.g., system and web server administrators,
webmasters, network administrators, and information systems security personnel.
  - Individual staffing requirements (the level of effort required of each
personnel type) and collective staffing requirements (the overall level of
effort).
How to Secure a Web Server
Here are four simple steps for securing a web server.