The United States Computer Emergency Readiness Team of the Department of Homeland Security (US-CERT) is urging all organizations and individuals operating websites to confirm the adequacy of the security measures and practices protecting their websites, in order to reduce their exposure to the financial, operational and reputational disruptions and risks created by increasingly persistent ransomware and other hacking, data breach and cybersecurity threats.
Website security refers to the protection of personal and organizational public-facing websites from cyberattacks.
Cyberattacks against public-facing websites—regardless of size—are common. An attack on your website could
- Cause defacement,
- Cause a denial-of-service (DoS) condition,
- Enable the attacker to obtain sensitive information, or
- Enable the attacker to take control of the affected website.
Depending on the content and functionality of the particular website, organizational and personal websites that fall victim to defacement or DoS may experience financial loss, legal liability, operational disruptions, reputational damage and other material costs and disruptions due to eroded user trust or a decrease in website visitors.
Liability can arise from a host of sources. For instance, a cyberattack that causes a data breach places your company’s intellectual property and users’ personally identifiable information (PII) at risk of theft. Businesses whose websites collect or receive credit, credit card, or other personal financial information generally are required to monitor and maintain the security of such information under the federal Fair and Accurate Credit Transactions Act (FACTA) and various other federal and state data security, identity theft and electronic crime laws. Meanwhile, the Internal Revenue Code and various other federal or state tax and other laws obligate employers, tax advisors, tax preparers and others collecting or maintaining tax information to take appropriate steps to safeguard tax information they create or maintain electronically against misuse. Beyond these and other commonly applicable data and cybersecurity requirements, certain industries also often face industry-specific mandates concerning the security of websites and other electronic systems containing sensitive information. For instance, the Privacy, Security and Breach Notification rules of the Health Insurance Portability and Accountability Act (HIPAA) and most states impose detailed requirements for maintaining the security of websites and other systems containing electronic protected health information (ePHI) on health care providers, health plans or health insurers, health care clearinghouses and their business associates, including affirmative requirements to monitor data and systems for threats or occurrences of unauthorized access, to take corrective action, and to provide specific notifications within specific timeframes.
Moreover, virtually all organizations maintaining or using websites also are subject to specific requirements to provide notifications about privacy and data security practices under various laws, as well as various contractual obligations concerning the protection of website data. Beyond the liabilities and sanctions that applicable laws may impose for violations of their requirements, noncompliance with these and other specific legal website and data security responsibilities, breaches of contractual, statutory or regulatory duties, misrepresentations about the adequacy of safeguards, and common law privacy theories also can create substantial damage exposure. Even where this is not the case, however, organizations whose websites or website data are breached typically incur substantial operational expense, disruption, public and investor relations and other reputational harm, and other damages as a result of the security breaches. Consequently, all organizations should tailor and monitor their website security to ensure these requirements are met, as well as following other website security best practices.
What security threats are associated with websites?
US-CERT says cyber criminals may attack websites because of financial incentives such as the theft and sale of intellectual property and PII, ransomware payouts, and cryptocurrency mining (see Defending Against Illicit Cryptocurrency Mining Activity). Cyber criminals may also be motivated to attack websites for ideological reasons, e.g., to gain publicity and notoriety for a terrorist organization through defacing a government website.
Possible cyberattacks against your website include those commonly reported in the media, such as website defacement and DoS, which makes the information services provided by the website unavailable to users (see Understanding Denial-of-Service Attacks). An even more severe website attack scenario may result in the compromise of customer data (e.g., PII). These threats affect all aspects of security—confidentiality, integrity, and availability—and can gravely damage the reputation of the website and its owner.
A more subtle attack—one that may not be immediately evident to the website’s owner or user—occurs when an attacker pivots from a compromised web server to the website owner’s corporate network, which contains an abundance of sensitive information that may be at risk of exposure, modification, or destruction. Once an attacker uses a compromised website to enter a corporate network, other assets may be available to the attacker, including user credentials, PII, administrative information, and technical vulnerabilities. Additionally, by compromising the website platform, an attacker may be able to repurpose the website infrastructure as a platform from which they can launch attacks against other systems.
How to improve cybersecurity protection against website attacks?
Organizations covered by affirmative federal or state mandates such as HIPAA, FACTA, the Internal Revenue Code or other federal or state data security, data breach, identity theft or other requirements should ensure that their website security at all times fulfills all of these applicable requirements and maintain clear documentation of these efforts. Beyond meeting these specific legal mandates, US-CERT recommends that organizations and individuals act to protect their websites by applying the following best practices to their web servers:
- Implement the principle of least privilege. Ensure that all users have the least amount of privilege necessary on the web server (including interactive end users and service accounts).
- Use multifactor authentication. Implement multifactor authentication for user logins to web applications and the underlying website infrastructure.
- Change default vendor usernames and passwords. Default vendor credentials are not secure—they are usually readily available on the internet. Changing default usernames and passwords will prevent an attack that leverages default credentials.
- Disable unnecessary accounts. Disable accounts that are no longer necessary, such as guest accounts or individual user accounts that are no longer in use.
- Use security checklists. Audit and harden configurations based on security checklists specific to each application (e.g., Apache, MySQL) on the system.
- Use application whitelisting. Use application whitelisting and disable modules or features that provide capabilities that are not necessary for business needs.
- Use network segmentation and segregation. Network segmentation and segregation make it more difficult for attackers to move laterally within connected networks. For example, placing the web server in a properly configured demilitarized zone (DMZ) limits the type of network traffic permitted between systems in the DMZ and systems in the internal corporate network.
- Know where your assets are. You must know where your assets are in order to protect them. For example, if you have data that does not need to be on the web server, remove it to protect it from public access.
- Protect the assets on the web server. Protect assets on the web server with multiple layers of defense (e.g., limited user access, encryption at rest).
- Practice healthy cyber hygiene.
  - Patch systems at all levels—from web applications and backend database applications, to operating systems and hypervisors.
  - Perform routine backups, and test disaster recovery scenarios.
  - Configure extended logging and send the logs to a centralized log server.
Beyond these steps, US-CERT also suggests the following steps:
- Sanitize all user input. Sanitize user input, such as special characters and null characters, at both the client end and the server end. Sanitizing user input is especially critical when it is incorporated into scripts or structured query language statements.
- Increase resource availability. Configure your website caching to optimize resource availability. Optimizing your website’s resource availability increases the chance that your website will withstand unexpectedly high amounts of traffic during DoS attacks.
- Implement cross-site scripting (XSS) and cross-site request forgery (XSRF) protections. Protect your website system, as well as visitors to your website, by implementing XSS and XSRF protections.
- Audit third-party code. Audit third-party services (e.g., ads, analytics) to validate that no unexpected code is being delivered to the end user. Website owners should weigh the pros and cons of vetting the third-party code and hosting it on the web server (as opposed to loading the code from the third party).
- Implement hypertext transfer protocol secure (HTTPS) and HTTP strict transport security (HSTS). Website visitors expect their privacy to be protected. To ensure communications between the website and user are encrypted, always enforce the use of HTTPS, and enforce the use of HSTS where possible. For further information and guidance, see the U.S. Chief Information Officer (CIO) and the Federal CIO Council’s webpage on the HTTPS-Only Standard.
- Implement additional security measures. Additional measures include
  - Running static and dynamic security scans against the website code and system,
  - Deploying web application firewalls,
  - Leveraging content delivery networks to protect against malicious web traffic, and
  - Providing load balancing and resilience against high amounts of traffic.
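To make the input sanitization, XSS/XSRF protection and HTTPS/HSTS items above concrete, the following Python sketch is an added example written for this page (it is not US-CERT's guidance text or the author's own code). It shows the server-side checks in working form: rejecting null and control characters before a value is used, binding user input as a query parameter instead of concatenating it into a SQL statement (the unsafe "before" version is kept beside the hardened one so the difference is visible), HTML-escaping output so markup in user data is displayed rather than executed, validating a per-session CSRF token in constant time, and emitting a Strict-Transport-Security (HSTS) header. The user table, usernames and header values are constructed for the demonstration and are hypothetical.

```python
import html
import hmac
import secrets
import sqlite3


def build_demo_db():
    """Constructed in-memory table standing in for a real back-end database
    (hypothetical sample data, not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def validate_username(raw):
    """Server-side input check: reject null characters and other control
    characters, empty values and oversized values. Returns the value or raises."""
    if not isinstance(raw, str) or not raw:
        raise ValueError("username required")
    if "\x00" in raw or any(ord(c) < 0x20 for c in raw):
        raise ValueError("control characters are not allowed")
    if len(raw) > 64:
        raise ValueError("username too long")
    return raw


def is_valid_username(raw):
    """Boolean wrapper around validate_username for callers that prefer a flag."""
    try:
        validate_username(raw)
        return True
    except ValueError:
        return False


def lookup_email_unsafe(conn, username):
    """'Before' version: the value is spliced into the SQL text, so the database
    cannot distinguish data from query syntax. Shown only for contrast."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    """Hardened version: a bound parameter is always treated as data, never as
    part of the statement, regardless of the characters it contains."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting(username):
    """Output encoding against XSS: escape <, >, &, quotes before the value is
    placed into HTML, so any markup in it is shown literally."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


def new_csrf_token():
    """Per-session anti-forgery token; store it in the server-side session and
    embed it in every state-changing form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted_token):
    """Compare the token stored in the session with the one echoed back by the
    form, in constant time so the comparison does not leak timing information."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def security_headers():
    """Response headers that make browsers insist on HTTPS for later visits
    (HSTS) and limit script sources; values are illustrative, tune max-age
    and the CSP for your own deployment."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    conn = build_demo_db()
    crafted = "x' OR '1'='1"          # tautology input used to show the contrast
    print("unsafe:", lookup_email_unsafe(conn, crafted))   # leaks every row
    print("safe:  ", lookup_email_safe(conn, crafted))     # no match
    print(render_greeting("<script>alert(1)</script>"))
    token = new_csrf_token()
    print("csrf ok:", csrf_token_valid(token, token))
    print(security_headers())
```

The parameterized query is the control that actually removes the injection risk; the character validation in front of it is defence in depth and also catches null characters that some layers silently truncate on. The CSRF check assumes the token lives in a server-side session and is compared against the copy submitted with the form, and the HSTS header only takes effect once a browser has already reached the site over HTTPS, so the server must also redirect plain HTTP to HTTPS.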
For additional guidance, US-CERT recommends visiting the Open Web Application Security Project Top 10 Cheat Sheet on common critical risks to web applications, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-44: Guidelines on Securing Public Web Servers, and NIST SP 800-95: Guide to Secure Web Services. Subscribe to NCCIC Current Activities to stay current on the latest website technology vulnerabilities.
About The Author
The author of this update, Cynthia Marcotte Stamer is widely recognized for her nearly 30 years’ work with health care, insurance and financial services and other public and private organizations, publications, presentations, advocacy and other work on cybersecurity and other data and privacy protection and compliance, risk management and investigation and mitigation.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation; Former Chair of the RPTE Employee Benefits and Compensation Committee, a current Co-Chair of the Committee, and the former Chair of its Welfare Benefit and its Defined Compensation Plan Committees and former RPTE Joint Committee on Employee Benefits Council (JCEB) Representative, Ms. Stamer is a Martindale-Hubbell “AV-Preeminent” practicing attorney and management consultant, author, public policy advocate and lecturer repeatedly recognized for her 30-plus years of work and pragmatic thought leadership, publications and training on leadership and management, and compliance concerns as among the “Top Rated Labor & Employment Lawyers in Texas,” a “Legal Leader,” a “Top Woman Lawyer” and with other awards by LexisNexis® Martindale-Hubbell®; as among the “Best Lawyers In Dallas” for her work in the field of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, in International Who’s Who of Professionals and with numerous other awards and distinctions.
Highly valued for her ability to meld her extensive legal and industry knowledge and experience with her talents as an insightful innovator and pragmatic problem solver, Ms. Stamer provides legal, operational and strategic advice, representation and coaching to organizations and their management.
Ms. Stamer also is active in the leadership of a broad range of other public policy advocacy and other professional and civic organizations and involvements. Through these and other involvements, she helps develop and build solutions, build consensus, garner funding and other resources, manage compliance and other operations, and take other actions to identify and promote tangible improvements in health care and other policy and operational areas.
Before founding her current law firm, Cynthia Marcotte Stamer, P.C., Ms. Stamer practiced law as a partner with several prominent national and international law firms for more than 10 years. She founded Cynthia Marcotte Stamer, P.C. to practice her unique brand of “Solutions law™” and to devote more time to the pragmatic policy and system reform, community education and innovation, and other health system improvement efforts of her PROJECT COPE: the Coalition on Patient Empowerment initiative.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.
NOTICE: These statements and materials are for general informational purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law and its rules are rapidly evolving, it is highly likely that subsequent developments could affect the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide, any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™. For information about republication, please contact the author directly. All other rights reserved.