Website Security


Website security consists of properly securing your web servers and the network infrastructure that supports them. Web servers host the data and other content available to your customers or clients on the internet.

The following are examples of specific security threats to web servers:

  • Cyber criminals may exploit software bugs in the web server, underlying operating system, or active content to gain unauthorized access to the web server.
    • Examples of unauthorized access include gaining access to files or folders that were not meant to be publicly accessible, and being able to execute commands and/or install malicious software on the web server.
  • Denial-of-service attacks may be directed at the web server to prevent or hinder your website users from using the website. These attacks can prevent the user from accessing email, websites, online accounts, or other services. Typically, a denial-of-service attack is carried out by flooding a network with information so that it can't process the user's request.
  • Sensitive information on the web server may be read or modified without authorization.
  • Sensitive unencrypted information transmitted between the web server and the browser may be intercepted.
  • Information on the web server may be changed for malicious purposes. Website defacement—an attack on a website that changes its visual appearance—is a commonly reported example of this threat.
  • Cyber criminals may gain unauthorized access to resources elsewhere in the organization's network, via a successful attack on the web server.
  • Cyber criminals may also attack external entities after compromising a web server. These attacks can be launched directly (e.g., from the compromised server against an external server) or indirectly (e.g., placing malicious content on the compromised web server that attempts to exploit vulnerabilities in the web browsers of users visiting the site).
  • The server may be used as a distribution point for attack tools, pornography, or illegally copied software.

To defend against such threats, your company should develop a website security policy. Consider carefully planning and addressing the security aspects of the deployment of a public web server.

Because it is much more difficult to address security once deployment and implementation have occurred, security should be considered from the initial planning stage.

  • Businesses may be more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan. Your business should also consider the human resource requirements for the deployment and continued operation of the web server and supporting infrastructure. Consider the following:
    • Types of personnel required—e.g., system and web server administrators, webmasters, network administrators, and information systems security personnel.
    • Individual (i.e., the level of effort required of specific personnel types) and collective staffing (i.e., overall level of effort) requirements.

How to Secure a Web Server

Here are four simple steps for securing a web server.
