For some groups, the website is a low-risk front door for general marketing; for others, the site is tied to web commerce and the daily revenue figures. The website may list addresses, phone numbers, hours of operation, and key personnel. It may advertise detailed job openings. It may be the gateway to web applications and portals servicing different clients, suppliers, partners, employees, and others.
So, if you’ve done your homework and kept your basic information up to date — including (1) your list of assets needing protection, (2) your modeled threats, and (3) your lists of who should and should not be able to access what — then you have a basis for a plan to monitor, test, and periodically review that everything is in order. Consider some very basic questions:
- Is uptime critical? Do you monitor load and availability? Who is alerted when something goes awry? When was the last time you tested that system?
- How long would it take to notice that your website has been defaced? How will you detect it? Who is notified? Do you have a plan to recover from such an event? Are those systems tested?
- The website is often a first stop for open source intelligence gathering ahead of focused attacks — especially “social engineering” efforts. When was the last time you had a fresh pair of eyes review your public content as part of a risk assessment?
- When were your web applications last tested? Here, “web application” may mean your proprietary systems with online access, or it may mean your ordinary WordPress deployment for your basic website, or it may mean anything in between. Do you track and monitor access attempts? Are you alerted to odd behavior?
- Are your systems kept up to date with security patches? If the systems are hosted, do you have contractual guarantees in place from the providers?
- Etc.
If you haven’t done so in a number of years, I’d propose a simple experiment for you: Throw up a simple website at a public IP address, register a domain name, then point that name to that server address. Now sit back with a bowl of popcorn and watch the logs… The amount of time between registration and being swarmed by automated attacks and probes is essentially nil — and those probes are looking for all vulnerabilities, from the ancient to the ones just announced yesterday. Everyone has come to accept that this is just the way it is now, so the defense is up to you.
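To put numbers on that experiment, here is an added example (not part of the original article) that reads a web server access log and reports how long after go-live the first probe arrived, which addresses probed, and what they asked for. The log lines, the go-live time and the probe pattern are constructed assumptions; adjust the pattern to the paths your site really serves.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Common Log Format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:09:00:41 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.23 - - [12/Mar/2024:09:02:10 +0000] "GET /wp-login.php HTTP/1.1" 404 196
198.51.100.23 - - [12/Mar/2024:09:02:11 +0000] "GET /.env HTTP/1.1" 404 196
192.0.2.55 - - [12/Mar/2024:09:05:37 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196
203.0.113.7 - - [12/Mar/2024:09:06:02 +0000] "GET /about.html HTTP/1.1" 200 2048
192.0.2.91 - - [12/Mar/2024:09:11:48 +0000] "GET /.git/config HTTP/1.1" 404 196
203.0.113.9 - - [12/Mar/2024:09:12:00 +0000] "GET /.well-known/security.txt HTTP/1.1" 200 90
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Assumed heuristic: paths this simple site never published. Dotfiles count
# as probes, except the legitimate /.well-known/ directory.
PROBE_RE = re.compile(r'(^/\.(?!well-known/)|/wp-|xmlrpc\.php|phpmyadmin)', re.I)

def summarize_probes(log_text, went_live):
    """Return time-to-first-probe, distinct probing IPs and per-path counts."""
    first, ips, paths = None, set(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PROBE_RE.search(m["path"]):
            continue  # unparseable line or ordinary request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        first = ts if first is None or ts < first else first
        ips.add(m["ip"])
        paths[m["path"]] += 1
    delay = (first - went_live).total_seconds() if first else None
    return {"seconds_to_first_probe": delay,
            "probing_ips": sorted(ips),
            "paths": dict(paths)}

if __name__ == "__main__":
    # Constructed go-live time for the sample log above.
    live = datetime.strptime("12/Mar/2024:09:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    print(summarize_probes(SAMPLE_LOG, live))
```

Run against a real log, the same summary gives a baseline for the "track and monitor" questions above: a probe count that suddenly changes shape is worth an alert.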
Stay current. Review your posture and test your systems, from detection through response and recovery.
TCM Labs works with clients to help ensure that your defenses are current and that your compliance checks occur at a manageable pace throughout the year, giving you ample time to make mitigations before the final reports. For more information, contact us via our web form.