S 2.173 Determining a web security strategy
Initiation responsibility: IT Security Officer, Top Management
Implementation responsibility: Administrator, Head of IT
Web servers are very attractive targets for attackers since a successful attack often attracts a lot of publicity. For this reason, high value must be placed on protecting web servers. Before setting up a web server, a web security strategy should be formulated that describes which security safeguards need to be implemented and in what scope. The requirements specified in the web security strategy can then be used as a basis for regular checks conducted to see if the safeguards implemented are still adequate.
The security strategy for the operation of a web server should answer the following questions:
- Have persons responsible for secure operation of the web server (administrators) and for contents (editors) been named?
- How will the persons responsible be trained, especially in terms of potential threats and on the security safeguards to follow?
- Who gets access to the web server, and with which rights?
- Who is allowed to publish what information on the web server?
- Who is responsible for ensuring the information is correct and up to date? If several organisational units or persons are allowed to post information in a certain area, then someone must be given overall responsibility to resolve any conflicts that arise.
- Which other systems and network connections are essential to the secure operation of the web server? Can malfunctions or failures of these systems be compensated for when necessary?
- Which information is not allowed to be published on the web server (because the content is confidential, is not suitable for publication, or is not in accordance with the policies of the company or government agency, for example)?
- Do the integrity and the confidentiality of the data need to be protected during transmission from the web server to the client? Is an authentication of the web server with regard to the clients or of the clients with regard to the web server required?
- What access restrictions should be realised on the web server (see also S 2.175 Setting up a web server)?
Organisational rules and policies or the technical implementation should guarantee the following points in particular:
- Web servers must only include files that are approved for publication. The type of information suitable for publication as well as the corresponding person approving such publication must be identified.
- Before files are published on a web server, they must be checked explicitly for malicious software and for residual information (e.g. draft remarks, comments, or document metadata not meant for the public). Furthermore, it should be checked (at least on a random basis) that the contents actually are approved for publication.
- It is recommended that the functions required by the organisation's own web offering not be realised by means of active content on the client side, but be implemented on the server side where possible.
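As an added example that is not part of the original safeguard text, the following Python script sketches how the pre-publication checks in the points above could be automated for a staging directory: it compares each file against a constructed approval list, restricts file types to an allowlist, looks for residual information such as draft markers and HTML comments, and flags client-side active content. The approval list, the patterns, the file-type allowlist and the sample files are assumptions constructed for this example; the malware scan itself is left to the organisation's virus scanner and is not implemented here.

```python
"""Pre-publication check for files staged for a web server (added example).

Assumptions (not from the safeguard text): an approval list maintained by the
person approving publication, a file-type allowlist, and simple text patterns
that indicate residual information or client-side active content.
"""
import re
from pathlib import Path

# Constructed approval list: relative path -> approver. Anything not listed
# must not be published.
APPROVED = {
    "index.html": "press-office",
    "about.html": "press-office",
}

# Constructed allowlist of file types that may appear in the web offering.
ALLOWED_EXTENSIONS = {".html", ".css", ".png", ".jpg", ".pdf"}

# Markers that typically indicate residual information (drafts, internal notes,
# HTML comments left in the page). Extend to the organisation's own vocabulary.
RESIDUAL_PATTERNS = [
    re.compile(p, re.IGNORECASE | re.DOTALL)
    for p in (r"\bCONFIDENTIAL\b", r"\bDRAFT\b", r"\bTODO\b",
              r"\bINTERNAL ONLY\b", r"<!--.*?-->")
]

# Markers for client-side active content, which the safeguard prefers to avoid
# in favour of server-side implementation.
ACTIVE_CONTENT_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"<script\b", r"\bon[a-z]+\s*=", r"javascript:")
]


def check_file(relpath: str, content: str) -> list[tuple[str, str]]:
    """Return a list of (category, detail) findings for one staged file.

    An empty list means the file passed every check implemented here; the
    malware scan must still be run separately by the virus scanner.
    """
    findings: list[tuple[str, str]] = []
    if relpath not in APPROVED:
        findings.append(("not-approved", relpath))
    suffix = Path(relpath).suffix.lower()
    if suffix not in ALLOWED_EXTENSIONS:
        findings.append(("file-type", suffix))
    for pat in RESIDUAL_PATTERNS:
        if pat.search(content):
            findings.append(("residual", pat.pattern))
    for pat in ACTIVE_CONTENT_PATTERNS:
        if pat.search(content):
            findings.append(("active-content", pat.pattern))
    return findings


def check_staging(files: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Check a mapping of relative path -> text content; keep only files with findings."""
    report = {}
    for relpath, content in files.items():
        findings = check_file(relpath, content)
        if findings:
            report[relpath] = findings
    return report


def check_directory(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Read every regular file below root and run check_staging on it."""
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        files[str(path.relative_to(root))] = path.read_text(errors="replace")
    return check_staging(files)


# Constructed sample staging content used when the script is run directly.
SAMPLE_FILES = {
    "index.html": "<html><body><h1>Welcome</h1></body></html>",
    "about.html": ("<p>About us</p><!-- TODO remove before go-live -->"
                   "<script>track()</script>"),
    "internal-notes.txt": "DRAFT internal only - budget figures",
}

if __name__ == "__main__":
    for relpath, findings in check_staging(SAMPLE_FILES).items():
        for category, detail in findings:
            print(f"{relpath}: {category}: {detail}")
```

Files that produce any finding are held back and returned to the responsible editor; the report itself is the minimum documentation the safeguard asks for when unapproved material is caught before it reaches the server.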
All regulations on the use of web servers should be recorded in writing and should be available to the employees at any time.
The editors must be trained before use of the web servers to avoid errors during operation and to ensure that they abide by the organisation's internal guidelines. In particular, they must be made aware of the possible threats involved in using the web and informed which security safeguards they need to take.
In particular, if the web server hosts a public web site, the security strategy must specify how to react to certain security incidents that are specific to web servers (see also module M 1.8 Handling of security incidents).
- The strategy should specify how to proceed when non-approved information is published on the web server. It may not be enough simply to delete the corresponding documents from the server because the documents may have already been read by visitors. Such an incident must be documented at a minimum. Depending on the sensitivity of the information, it may be necessary to inform the press office, the IS management, the management of the government agency or company, or external bodies.
- The strategy should describe what to do if it is suspected that a hacker has attacked the web server. When it is necessary to take the server off the network, and who makes this decision, are especially important questions to answer.
- The strategy should define a reaction in the event of defacement of the web server, i.e. in case an attacker successfully breaks into the web server and changes data or, in particular, the home page of the organisation. In such cases, it is generally necessary to inform the management of the government agency or company as well as the press office or the organisational unit responsible for public relations.
These points also need to be taken into account even if the protection requirement of the web site is otherwise considered low. In particular, attacks by hackers and defacements can happen to any public web site, regardless of the actual protection requirements of the web site.
The regular gathering of information on potential security gaps must also be part of a security strategy so that precautions can be taken promptly. In addition to the sources of information mentioned in S 2.35 Obtaining information on security weaknesses of the system, the "World Wide Web Security FAQ" is a particularly valuable source of information on secure use of the web. The latest version of this document can be found at http://www.w3.org/Security/Faq/.
Review questions:
- Is there a web security strategy that includes the security safeguards and their corresponding scope?
- Are there rules regarding the reaction to certain web server-specific security incidents?
- Is information on potential security gaps gathered regularly so that precautions can be taken promptly?