Recent news on cyberattacks has everyone scrambling to ensure their website isn’t the next victim. The fact is, the attacks never stop coming, and any public-facing website can be attacked; all you can do is put up your best defenses to protect sensitive company data. In the US-CERT Guide to Website Security IT Download, you will learn how to reduce your company website’s weaknesses and how to mitigate damage from an attack should one occur.
This technical information paper (TIP) covers web server security, including protection of back-end data and the use of SQL services. It explains which applications are necessary and which can be disabled:
… a web server does not require web browsing capability and if a web server is not performing FTP functionality there is no need to have that service running. Removing or disabling any unused components will reduce the attack surface area.
On operating system security, you will find information on how to limit server access and what type of authentication is recommended. This TIP also provides detailed information on how administrators should create a strong password policy, with recommendations on how often it is appropriate to change passwords and how to prevent reuse of passwords.
To further protect the company’s web presence, the paper lists additional web services and applications that can be used, depending upon need, risk and budgeting limitations. The list includes information on:
- Extensive logging
- Data service replication
- Secure software development
- Demilitarized zones
Arm yourself with the right information to continually improve your site’s security posture and help keep your company’s web presence safe from vulnerabilities or outright attacks.