
Risk mitigation for low-risk web systems — summary

Measures:

  1. OWASP review
  2. Patching strategy and confirmation
  3. Monitoring tools
  4. Encryption
  5. Authentication mechanisms
  6. Password policy (if not using RealMe)
  7. Hosting agreements
  8. Procedures and documentation

1. OWASP review

An OWASP review could include:

  • vulnerability assessment required prior to release of new functionality
  • automated testing annually
  • architecture and code review prior to release of new functionality.

Benefits

An OWASP review:

  • provides a minimum level of assurance that the system is protected from most forms of attack
  • combines vulnerability assessment and code review to validate that defensive measures are properly implemented.

Cost

An OWASP review has moderate cost:

  • vulnerability assessment for low-risk sites can be in the order of $6k to $10k
  • architecture and code review depends on complexity of the system.

Risk if you don't do it

The risk is high:

  • untested systems may contain serious vulnerabilities with unknown consequences
  • business owners are exposed to unknown risks
  • code review provides extra assurance beyond penetration testing.

Likelihood of compromise if you don't do it

The likelihood of compromise is high.

Anonymous attackers can use freely available tools and hosted services to scan sites for vulnerabilities to exploit.

Get started

Hosted services such as Qualys can provide continuous OWASP monitoring.

2. Patching strategy and confirmation

Patching strategy and confirmation could mean:

  • all available updates applied at least every 3 months
  • version upgrades assessed annually
  • critical patches applied within 2 days
  • NIST National Vulnerability Database (NVD) reviewed every 6 months, and recommendations acted on.

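The timing rules above can be checked mechanically against a patch register. The following is an added example, not part of this guidance or any vendor's tooling: it classifies each recorded update as applied in time, applied late, overdue or pending. The 90-day reading of "every 3 months", the review date and the register entries are constructed assumptions.

```python
# Added example (not from the page): check a patch register against the section 2 policy
# (critical patches within 2 days, all updates at least every 3 months). "3 months" is taken
# as 90 days and the register entries are constructed; neither figure comes from the page.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CRITICAL_DEADLINE = timedelta(days=2)
ROUTINE_DEADLINE = timedelta(days=90)  # assumption: "every 3 months" = 90 days
TODAY = date(2024, 4, 20)              # constructed review date

@dataclass
class Update:
    component: str
    version: str
    released: date
    critical: bool
    applied: Optional[date] = None     # None: still outstanding

def deadline(u: Update) -> date:
    """Latest date by which the policy requires the update to be applied."""
    return u.released + (CRITICAL_DEADLINE if u.critical else ROUTINE_DEADLINE)

def status(u: Update, today: date) -> str:
    """ok: applied in time; late: applied after the deadline;
    overdue: outstanding past the deadline; pending: outstanding, deadline not yet reached."""
    due = deadline(u)
    if u.applied is not None:
        return "ok" if u.applied <= due else "late"
    return "overdue" if today > due else "pending"

def report(register: list, today: date) -> dict:
    """Group component names by status so the overdue list can be acted on."""
    out = {"ok": [], "late": [], "overdue": [], "pending": []}
    for u in register:
        out[status(u, today)].append(u.component)
    return {k: sorted(v) for k, v in out.items()}

# Constructed register: component names, versions and dates are illustrative only.
REGISTER = [
    Update("webserver", "2.4.x", date(2024, 3, 1), True, date(2024, 3, 2)),
    Update("cms-plugin", "1.8.x", date(2024, 3, 10), True, date(2024, 3, 15)),
    Update("database", "15.x", date(2024, 1, 5), False),
    Update("os-kernel", "6.8.x", date(2024, 4, 1), False),
    Update("framework", "4.2.x", date(2024, 4, 19), True),
]

if __name__ == "__main__":
    for state, names in report(REGISTER, TODAY).items():
        print(f"{state:8} {', '.join(names) or '-'}")
```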

Benefits

A patching strategy and confirmation:

  • provides a measure of confidence that systems are protected from recently identified vulnerabilities
  • minimises risk of exposure to critical security vulnerabilities.

Cost

The cost is low if not already specified in provider SLAs.

The cost of version upgrades is moderate and depends on the system.

Risk if you don't do it

The risk is high.

Unpatched systems become vulnerable to unauthorised access, which may result in defacement, data loss, hijacking or malware insertion.

Likelihood of compromise if you don't do it

The likelihood of compromise is high.

Expect to find vulnerabilities in most software, unless security updates are regularly applied.

3. Monitoring tools

Recommended:

  • Web Application Firewall (WAF), or cloud-based WAF service.

You could also deploy cloud-based scanning and monitoring tools, for example a combination of Pingdom, Qualys, Sucuri and Incapsula.

Benefits

Monitoring tools:

  • provide ongoing monitoring and scanning, and alerts to site managers as necessary
  • enable site managers to take proactive defensive measures
  • are continuously updated to alert on exposure to evolving threats.

Cost

The cost is low for hosted services — hundreds of dollars per year per site.

The cost is high for dedicated in-house WAFs.

Risk if you don't do it

The risk is moderate.

Without real-time monitoring and alerting of events on the web server, proactive defensive response is not possible.

Hosted monitoring tools are continuously updated which allows proactive response to emerging threats.

Likelihood of compromise if you don't do it

The likelihood is moderate.

Potential attackers may discover a recently identified vulnerability before it is detected in a future security review.

Get started

You could use:

  • Pingdom: availability monitoring
  • Qualys: OWASP monitoring
  • Sucuri: malware scanning
  • Incapsula: WAF and DoS protection

4. Encryption

Encryption includes:

  • admin login pages are SSL encrypted
  • SSL Certificates applied to entire site (recommended)
  • certificates must be renewed periodically — a renewal register should be maintained.

Benefits

Encryption:

  • prevents manipulation of data in transit
  • makes it much harder to impersonate a government site
  • prevents interception (man-in-the-middle) attacks
  • prevents exploitation of other potential vulnerabilities.

Cost

The cost is low to nil. SSL encryption must be applied to admin logon pages (for sites not using RealMe), so the effective additional cost of applying the certificate to the entire site is nil.

SSL Certificates are a few hundred dollars per year.

Risk of not doing it

The risk is moderate — a somewhat escalated risk profile across the site.

However, SSL encryption is already required for admin logon (for sites not using RealMe authentication), so the effort of treating this risk is minimal.

Likelihood of compromise if you don't do it

Likelihood is moderate.

Encryption provides assurance of authenticity of information, and prevents some common forms of attack (for example, man-in-the-middle).

5. Authentication mechanisms

Authentication mechanisms include:

  • admin accounts managed by RealMe
  • two-factor authentication or IP whitelist controls in place.

IN CONFIDENCE: Non-pseudonymous public user accounts managed by RealMe.

Benefits

RealMe:

  • provides significantly higher levels of confidence in security of logon and authentication process
  • eliminates risk of weaknesses in product or bespoke authentication systems.

Cost

Cost is moderate to high.

RealMe integration processes can add cost and time to development projects.

Some vendors provide integration services which may reduce cost.

Risk if you don't do it

Risk is moderate.

Bespoke or product authentication facilities may contain unidentified vulnerabilities.

A need to manage multiple password systems may result in unsafe practices by users and duplicate investment across agencies.

Likelihood of compromise if you don't do it

Likelihood is moderate.

Systems may be exposed through defects in authentication processes, weak passwords, or interception or disclosure of credentials.

6. Password policy (if not using RealMe)

A password policy could include:

  • two-factor authentication for admin accounts (recommended)
  • system-enforced strong passwords
  • measures in place to limit and log failed login attempts
  • admin passwords kept to a minimum and whitelisted
  • unneeded accounts deleted
  • password management policy for all admin staff.
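Two of the measures above, system-enforced strong passwords and limiting and logging failed login attempts, are shown below as an added example (not code from this guidance or any product). The thresholds (12-character minimum, 5 failures within 15 minutes) and the scenario timestamps are assumptions, not figures from the page.

```python
# Added example (not from the page): a strong-password check and a per-account failed-login
# limiter that logs every failure. Thresholds below are assumptions, not figures from the page.
import logging
from collections import defaultdict, deque
from datetime import datetime, timedelta

log = logging.getLogger("auth")
MIN_LENGTH = 12                  # assumption
MAX_FAILURES = 5                 # assumption
WINDOW = timedelta(minutes=15)   # assumption

def password_is_strong(pw: str) -> bool:
    """Enforced rule: at least MIN_LENGTH characters and three of the four character classes."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) >= MIN_LENGTH and classes >= 3

class FailedLoginLimiter:
    """Sliding-window count of failed logins per account; locks after MAX_FAILURES in WINDOW."""
    def __init__(self):
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures

    def _prune(self, account: str, now: datetime) -> deque:
        q = self._failures[account]
        while q and now - q[0] > WINDOW:       # forget failures older than the window
            q.popleft()
        return q

    def is_locked(self, account: str, now: datetime) -> bool:
        return len(self._prune(account, now)) >= MAX_FAILURES

    def record_failure(self, account: str, source_ip: str, now: datetime) -> bool:
        """Log the failure; return True once the account is locked out."""
        q = self._prune(account, now)
        q.append(now)
        log.warning("failed login account=%s ip=%s failures_in_window=%d", account, source_ip, len(q))
        if len(q) >= MAX_FAILURES:
            log.error("lockout account=%s ip=%s window=%s", account, source_ip, WINDOW)
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)      # a successful login clears the counter

def simulate() -> dict:
    """Constructed scenario: five failures one minute apart, then retries after 5 and 20 minutes."""
    t0 = datetime(2024, 4, 20, 9, 0)
    lim = FailedLoginLimiter()
    locked = [lim.record_failure("admin", "192.0.2.10", t0 + timedelta(minutes=i)) for i in range(5)]
    return {"locked_on_attempt": locked.index(True) + 1,
            "locked_at_5m": lim.is_locked("admin", t0 + timedelta(minutes=5)),
            "locked_at_20m": lim.is_locked("admin", t0 + timedelta(minutes=20))}
```

The warning and error records are what a monitoring tool (section 3) would alert on; the 20-minute retry shows the lockout expiring once all failures fall outside the window.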

Benefits

A password policy provides defence against unauthorised access through password-related attacks, which are often the weakest point in a web site.

Cost

Cost is low to moderate.

The cost of implementing system-enforced strong passwords can be trivial but depends on the system.

All other measures are business as usual (BAU).

Risk if you don't do it

The risk is high.

Password attacks can be common and easy to carry out.

A successful attack results in unauthorised access, which can result in defacement, data loss, hijacking or malware insertion.

Likelihood of compromise if you don't do it

Likelihood is high.

Weak password policies are a significant attack vector exploitable by dictionary or brute-force attacks. Tools for this purpose are freely available on the web.

7. Hosting agreements

SLAs should set out the vendor's security responsibilities.

These should include logging and audit, monitoring, incident management, network security, server and stack maintenance, and environment hardening.

They should also consider intrusion detection/prevention and application whitelisting.

Benefits

Hosting agreements provide assurance that:

  • the level of security provided by vendor is adequate
  • monitoring procedures are in place
  • procedures are in place in advance of a security incident.

Cost

The cost is low to nil.

Standard requirements are specified in provider SLAs.

Intrusion detection or prevention may be expensive. Monitoring and scanning tools may suffice.

Risk if you don't do it

The risk is moderate.

There is no assurance of the site's security profile, or of the division of responsibilities for maintenance and security.

No incident management processes are in place.

Likelihood of compromise if you don't do it

The likelihood cannot be quantified.

8. Procedures and documentation

Procedures and documentation could include:

  • Standard Operating Procedures
  • System Security Plan and Risk Management Plans
  • Incident Response Procedures
  • Hosting Agreement
  • Business Continuity plan

Documentation is reviewed and updated annually.

Benefits

Benefits include:

  • system operating knowledge is captured and available to relevant parties
  • security strategy is available for review
  • incident response is planned in advance and the necessary parties can be coordinated when needed
  • clear statement of provider responsibilities.

Cost

Cost is low.

Production and maintenance of standard suite of documents is BAU.

Risk if you don't do it

Risk is moderate.

There is no assurance of management and maintenance procedures, and responsibilities for maintenance and security are unclear.

No incident management processes are in place.

Likelihood of compromise if you don't do it

The likelihood cannot be quantified.
