Website Security Practices

Posted by BAS - 08 November, 2018

The U.S. Department of Homeland Security issued guidance on website security.

Website security is aimed at protecting public-facing websites from cyberattacks. A website attack could cause denial of service or could enable the attacker to obtain sensitive information.

To improve cybersecurity protection against website attacks, the U.S. Department of Homeland Security recommends the following best practices:

  • Implement the principle of least privilege. Ensure that all users have the least amount of privilege necessary on the web server.
  • Use multifactor authentication. Implement multifactor authentication for user logins to web applications and the underlying website infrastructure.
  • Change default vendor usernames and passwords. Changing default usernames and passwords will prevent an attack that leverages default credentials.
  • Disable unnecessary accounts. Disable accounts that are no longer necessary, such as guest accounts or individual user accounts that are no longer in use.
  • Use security checklists. Audit and harden configurations based on security checklists specific to each application on the system.
  • Use application whitelisting. Use application whitelisting and disable modules or features that provide capabilities that are not necessary for business needs.
  • Use network segmentation and segregation. Network segmentation and segregation make it more difficult for attackers to move laterally within connected networks.
  • Know where your assets are. You must know where your assets are in order to protect them.
  • Protect the assets on the web server. Protect assets on the web server with multiple layers of defense (e.g., limited user access, encryption at rest).
  • Practice healthy cyber hygiene.
    • Patch systems at all levels—from web applications and backend database applications, to operating systems and hypervisors.
    • Perform routine backups, and test disaster recovery scenarios. 
    • Configure extended logging and send the logs to a centralized log server.

Topics: MyEnroll360 Security
