Securing your company’s network consists of: (1) identifying all devices and connections on the network; (2) setting
boundaries between your company’s systems and others; and (3) enforcing controls to ensure that unauthorized
access, misuse, or denial-of-service events can be thwarted or rapidly contained and recovered from if they do occur.
Cyber Plan Action Items:
1. Secure internal network and cloud services
Your company’s network should be separated from the public Internet by strong user authentication mechanisms
and policy enforcement systems such as firewalls and web filtering proxies. Additional monitoring and security
solutions, such as anti-virus software and intrusion detection systems, should also be employed to identify and stop
malicious code or unauthorized access attempts.
After identifying the boundary points on your company’s network, each boundary should be evaluated to determine
what types of security controls are necessary and how they can be best deployed. Border routers should be
configured to only route traffic to and from your company’s public IP addresses, firewalls should be deployed to
restrict traffic only to and from the minimum set of necessary services, and intrusion prevention systems should be
configured to monitor for suspicious activity crossing your network perimeter. In order to prevent bottlenecks, all
security systems you deploy to your company’s network perimeter should be capable of handling the bandwidth that
your carrier provides.
Cloud based services
Carefully consult your terms of service with all cloud service providers to ensure that your company’s information
and activities are protected with the same degree of security you would intend to provide on your own. Request
security and auditing from your cloud service providers as applicable to your company’s needs and concerns.
Review and understand service level agreements, or SLAs, for system restoration and reconstitution time.
You should also inquire about additional services a cloud service can provide. These services may include backup-
and-restore services and encryption services, which may be very attractive to small businesses.
2. Develop strong password policies
Generally speaking, two-factor authentication methods, which require two types of evidence that you are who you
claim to be, are safer than using just static passwords for authentication. One common example is a personal
security token that displays changing passcodes to be used in conjunction with an established password. However,
two-factor systems may not always be possible or practical for your company.
Password policies should encourage your employees to employ the strongest passwords possible without creating
the need or temptation to reuse passwords or write them down. That means passwords that are random, complex
and long (at least 10 characters), that are changed regularly, and that are closely guarded by those who know them.
3. Secure and encrypt your company’s Wi-Fi
Wireless access control
Your company may choose to operate a Wireless Local Area Network (WLAN) for the use of customers, guests and
visitors. If so, it is important that such a WLAN be kept separate from the main company network so that traffic
from the public network cannot traverse the company’s internal systems at any point.
Internal, non-public WLAN access should be restricted to specific devices and specific users to the greatest extent
possible while meeting your company’s business needs. Where the internal WLAN has less stringent access
controls than your company’s wired network, dual connections — where a device is able to connect to both the
wireless and wired networks simultaneously — should be prohibited by technical controls on each such capable
device (e.g., BIOS-level LAN/WLAN switch settings). All users should be given unique credentials with preset
expiration dates to use when accessing the internal WLAN.
Due to demonstrable security flaws known to exist in older forms of wireless encryption, your company’s internal
WLAN should only employ Wi-Fi Protected Access 2 (WPA2) encryption.
4. Encrypt sensitive company data
Encryption should be employed to protect any data that your company considers sensitive, in addition to meeting
applicable regulatory requirements on information safeguarding. Different encryption schemes are appropriate
under different circumstances. However, applications that comply with the OpenPGP standard, such as PGP and
GnuPG, provide a wide range of options for securing data on disk as well as in transit. If you choose to offer secure
transactions via your company’s website, consult with your service provider about available options for an SSL
certificate for your site.
5. Regularly update all applications
All systems and software, including networking equipment, should be updated in a timely fashion as patches and
firmware upgrades become available. Use automatic updating services whenever possible, especially for security
systems such as anti-malware applications, web filtering tools and intrusion prevention systems.
6. Set safe web browsing rules
Your company’s internal network should only be able to access those services and resources on the Internet that are
essential to the business and the needs of your employees. Use the safe browsing features included with modern
web browsing software and a web proxy to ensure that malicious or unauthorized sites cannot be accessed from your
7. If remote access is enabled, make sure it is secure
If your company needs to provide remote access to your company’s internal network over the Internet, one popular
and secure option is to employ a secure Virtual Private Network (VPN) system accompanied by strong two-factor
authentication, using either hardware or software tokens.
Website security is more important than ever.
Web servers, which host the data and other content available to your customers on the Internet, are often the most
targeted and attacked components of a company’s network. Cyber criminals are constantly looking for improperly
secured websites to attack, while many customers say website security is a top consideration when they choose to
shop online. As a result, it is essential to secure servers and the network infrastructure that supports them. The
consequences of a security breach are great: loss of revenues, damage to credibility, legal liability and loss of
The following are examples of specific security threats to web servers:
Cyber criminals may exploit software bugs in the web server, underlying operating system, or active
content to gain unauthorized access to the web server. Examples of unauthorized access include gaining
access to files or folders that were not meant to be publicly accessible and being able to execute commands
and/or install malicious software on the web server.
Denial-of-service attacks may be directed at the web server or its supporting network infrastructure to
prevent or hinder your website users from making use of its services.
Sensitive information on the web server may be read or modified without authorization.
Sensitive information on backend databases that are used to support interactive elements of a web
application may be compromised through the injection of unauthorized software commands. Examples
include Structured Query Language (SQL) injection, Lightweight Directory Access Protocol (LDAP)
injection and cross-site scripting (XSS).
Sensitive unencrypted information transmitted between the web server and the browser may be intercepted.
Information on the web server may be changed for malicious purposes. Website defacement is a
commonly reported example of this threat.
Cyber criminals may gain unauthorized access to resources elsewhere in the organization’s network via a
successful attack on the web server.
Cyber criminals may also attack external entities after compromising a web server. These attacks can be
launched directly (e.g., from the compromised server against an external server) or indirectly (e.g., placing
malicious content on the compromised web server that attempts to exploit vulnerabilities in the web
browsers of users visiting the site).
The server may be used as a distribution point for attack tools, pornography or illegally copied software.
Cyber Plan Action Items:
1. Carefully plan and address the security aspects of the deployment of a
public web server.
Because it is much more difficult to address security once deployment and implementation have occurred, security
should be considered from the initial planning stage. Businesses are more likely to make decisions about
configuring computers appropriately and consistently when they develop and use a detailed, well-designed
deployment plan. Developing such a plan will support web server administrators in making the inevitable tradeoff
decisions between usability, performance and risk.
Businesses also need to consider the human resource requirements for the deployment and continued operation of
the web server and supporting infrastructure. The following points in a deployment plan:
Types of personnel required — for example, system and web server administrators, webmasters, network
administrators and information systems security personnel.
Skills and training required by assigned personnel.
Individual (i.e., the level of effort required of specific personnel types) and collective staffing (i.e., overall
level of effort) requirements.
2. Implement appropriate security management practices and controls when
maintaining and operating a secure web server.
Appropriate management practices are essential to operating and maintaining a secure web server. Security
practices include the identification of your company’s information system assets and the development,
documentation and implementation of policies, and guidelines to help ensure the confidentiality, integrity and
availability of information system resources. The following practices and controls are recommended:
A business-wide information system security policy.
Server configuration and change control and management.
Risk assessment and management.
Standardized software configurations that satisfy the information system security policy.
Security awareness and training.
Contingency planning, continuity of operations and disaster recovery planning.
Certification and accreditation.
3. Ensure that web server operating systems meet your organization’s
The first step in securing a web server is securing the underlying operating system. Most commonly available web
servers operate on a general-purpose operating system. Many security issues can be avoided if the operating
systems underlying web servers are configured appropriately. Default hardware and software configurations are
typically set by manufacturers to emphasize features, functions and ease of use at the expense of security. Because
manufacturers are not aware of each organization’s security needs, each web server administrator must configure
new servers to reflect their business’ security requirements and reconfigure them as those requirements change.
Using security configuration guides or checklists can assist administrators in securing systems consistently and
efficiently. Initially securing an operating system initially generally includes the following steps:
Patch and upgrade the operating system.
Change all default passwords
Remove or disable unnecessary services and applications.
Configure operating system user authentication.
Configure resource controls.
Install and configure additional security controls.
Perform security testing of the operating system.
4. Ensure the web server application meets your organization’s security
In many respects, the secure installation and configuration of the web server application will mirror the operating
system process discussed above. The overarching principle is to install the minimal amount of web server services
required and eliminate any known vulnerabilities through patches or upgrades. If the installation program installs
any unnecessary applications, services or scripts, they should be removed immediately after the installation process
concludes. Securing the web server application generally includes the following steps:
Patch and upgrade the web server application.
Remove or disable unnecessary services, applications and sample content.
Configure web server user authentication and access controls.
Configure web server resource controls.
Test the security of the web server application and web content.
5. Ensure that only appropriate content is published on your website.
Company websites are often one of the first places cyber criminals search for valuable information. Still, many
businesses lack a web publishing process or policy that determines what type of information to publish openly, what
information to publish with restricted access and what information should not be published to any publicly
accessible repository. Some generally accepted examples of what should not be published or at least should be
carefully examined and reviewed before being published on a public website include:
Classified or proprietary business information.
Sensitive information relating to your business’ security.
Medical records. A business’ detailed physical and information security safeguards.
Details about a business’ network and information system infrastructure — for example, address ranges,
naming conventions and access numbers.
Information that specifies or implies physical security vulnerabilities.
Detailed plans, maps, diagrams, aerial photographs and architectural drawings of business buildings,
properties or installations.
Any sensitive information about individuals that might be subject to federal, state or, in some instances,
international privacy laws.
6. Ensure appropriate steps are taken to protect web content from
unauthorized access or modification.
Although information available on public websites is intended to be public (assuming a credible review process and
policy is in place), it is still important to ensure that information cannot be modified without authorization. Users of
such information rely on its integrity even if the information is not confidential. Content on publicly accessible web
servers is inherently more vulnerable than information that is inaccessible from the Internet, and this vulnerability
means businesses need to protect public web content through the appropriate configuration of web server resource
controls. Examples of resource control practices include:
Install or enable only necessary services.
Install web content on a dedicated hard drive or logical partition.
Limit uploads to directories that are not readable by the web server.
Define a single directory for all external scripts or programs executed as part of web content.
Disable the use of hard or symbolic links.
Define a complete web content access matrix identifying which folders and files in the web server
document directory are restricted, which are accessible, and by whom.
Disable directory listings.
Deploy user authentication to identify approved users, digital signatures and other cryptographic
mechanisms as appropriate.
Use intrusion detection systems, intrusion prevention systems and file integrity checkers to spot intrusions
and verify web content.
Protect each backend server (i.e., database server or directory server) from command injection attacks.
7. Use active content judiciously after balancing the benefits and risks.
Static information resided on the servers of most early websites, typically in the form of text-based documents.
Soon thereafter, interactive elements were introduced to offer new opportunities for user interaction.
Unfortunately, these same interactive elements introduced new web-related vulnerabilities. They typically involve
dynamically executing code using a large number of inputs, from web page URL parameters to hypertext transfer
protocol (HTTP) content and, more recently, extensible markup language (XML) content. Different active content
technologies pose different related vulnerabilities, and their risks should be weighed against their benefits. Although
most websites use some form of active content generators, many also deliver some or all of their content in a static
8. Use authentication and cryptographic technologies as appropriate to
protect certain types of sensitive data.
Public web servers often support technologies for identifying and authenticating users with differing privileges for
accessing information. Some of these technologies are based on cryptographic functions that can provide a secure
channel between a web browser client and a web server that supports encryption. Web servers may be configured to
use different cryptographic algorithms, providing varying levels of security and performance.
Without proper user authentication in place, businesses cannot selectively restrict access to specific information. All
information that resides on a public web server is then accessible by anyone with access to the server. In addition,
without some process to authenticate the server, users of the public web server will not be able to determine whether
the server is the “authentic” web server or a counterfeit version operated by a cyber criminal.
Even with an encrypted channel and an authentication mechanism, it is possible that attackers may attempt to access
the site by brute force. Improper authentication techniques can allow attackers to gather valid usernames or
potentially gain access to the website. Strong authentication mechanisms can also protect against phishing attacks,
in which hackers may trick users into providing their personal credentials, and pharming, in which traffic to a
legitimate website may be redirected to an illegitimate one. An appropriate level of authentication should be
implemented based on the sensitivity of the web server’s users and content.
9. Employ network infrastructure to help protect public web servers.
The network infrastructure (e.g., firewalls, routers, intrusion detection systems) that supports the web server plays a
critical security role. In most configurations, the network infrastructure will be the first line of defense between a
public web server and the Internet. Network design alone, though, cannot protect a web server. The frequency,
sophistication and variety of web server attacks perpetrated today support the idea that web server security must be
implemented through layered and diverse protection mechanisms, an approach sometimes referred to as “defense-in-
10. Commit to an ongoing process of maintaining web server security.
Maintaining a secure web server requires constant effort, resources and vigilance. Securely administering a web
server on a daily basis is essential. Maintaining the security of a web server will usually involve the following steps:
A-Backing up critical information frequently.
B-Configuring, protecting and analyzing log files.
Maintaining a protected authoritative copy of your organization’s web content.
Establishing and following procedures for recovering from compromise.Testing and applying patches in a timely manner.
Testing security periodically.