National Cyber Awareness System:
11/01/2018 12:20 PM EDT
Original release date: November 01, 2018
What is website security?Website security refers to the protection of personal and organizational public-facing websites from cyberattacks. Why should I care about website security?Cyberattacks against public-facing websites—regardless of size—are common. An attack to your website could
Organization and personal websites that fall victim to defacement or DoS may experience financial loss due to eroded user trust or a decrease in website visitors. A cyberattack that causes a data breach places your company’s intellectual property and your users’ personally identifiable information (PII) at risk of theft. Cyber criminals may attack websites because of financial incentives such as the theft and sale of intellectual property and PII, ransomware payouts, and cryptocurrency mining (see Defending Against Illicit Cryptocurrency Mining Activity). Cyber criminals may also be motivated to attack websites for ideological reasons, e.g., to gain publicity and notoriety for a terrorist organization through defacing a government website. What security threats are associated with websites?Possible cyberattacks against your website include those commonly reported in the media, such as website defacement and DoS—which make the information services provided by the website unavailable for users (see Understanding Denial-of-Service Attacks). An even more severe website attack scenario may result in the compromise of customer data (e.g., PII). These threats affect all aspects of security—confidentiality, integrity, and availability—and can gravely damage the reputation of the website and its owner. A more subtle attack—one that may not be immediately evident to the website’s owner or user—occurs when an attacker pivots from a compromised web server to the website owner’s corporate network, which contains an abundance of sensitive information that may be at risk of exposure, modification, or destruction. Once an attacker uses a compromised website to enter a corporate network, other assets may be available to the attacker, including user credentials, PII, administrative information, and technical vulnerabilities. Additionally, by compromising the website platform, an attacker may be able to repurpose the website infrastructure as a platform from which they can launch attacks against other systems. How can I improve my cybersecurity protection against website attacks?Organizations and individuals can protect their websites by applying the following the best practices to their web servers:
What are some additional steps I can take to protect against website attacks?
For additional guidance, visit the Open Web Application Security Project Top 10 Cheat Sheet on common critical risks to web applications, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-44: Guidelines on Securing Public Web Servers, and NIST SP 800-95: Guide to Secure Web Services. Subscribe to NCCIC Current Activities to stay current on the latest website technology vulnerabilities.
|