Page 85 - GiGW3
5. Guidelines

Protecting web resources from unauthorised use, access, changes, destruction, or disruption is generally termed as "Website Security" or "Secured Website". Sometimes web resources become unavailable due to denial-of-service attacks or display modified information on the webpages. Millions of passwords, email addresses and credit card details have been leaked into the public domain, exposing web users to both personal embarrassment and financial risks. The purpose of Website Security is to prevent such risks. Website Security requires vigilance in all aspects, starting from design, coding and implementation to testing and deployment. Organisations should implement appropriate security measures, defences and countermeasures to protect web resources against malfunctioning, phishing, cyber-crimes or cyberattacks to avoid data loss of the organisations or users.

Statement: Website, web application, web portal or mobile app have been Security Audited and an Audit Clearance certificate has been issued by NIC/ STQC/ STQC empanelled laboratory/ CERT-In empanelled laboratory before hosting in production environment.

Benefits: The goal of securing a website, web application, web portal or mobile app is to maintain the confidentiality, integrity and availability of information and services. This goal is accomplished through the implementation of best security practices in design, development and deployment. Attacks could cause both personal embarrassment and financial risks.

Government organisation action: It should be ensured that the website, web application, web portal or mobile app does not have any security risks as identified by the latest OWASP Top 10 vulnerability list. The design and development agency or the developers should follow industry best practices such as OWASP ASVS and OWASP MASVS. The government organisation will ensure and monitor that the hosting service provider and the developer adhere to the industry best security practices and guidelines such as ISO 27001, OWASP ASVS, OWASP Top 10 vulnerabilities and CIS benchmarks as per the prevailing security policy. The following guidelines are to secure web resources and associated infrastructure:

Developer action: Securing critical web resources is more important than ever as the focus of attackers has steadily moved towards the application layer and they are exploiting the weaknesses in the code.

A. Securing Code
(a) Ensure that all websites, web applications, web portals or mobile apps and their respective CMS, 3rd party plugins, codes, etc. are updated to the latest versions.
Note: Every day, there are countless websites/apps compromised due to outdated software. Potential hackers and bots are scanning websites/apps to attack. Updates are vital to the health and security of the website/app. If the website's software or applications are not up-to-date, the website/app is not secure. Take all software and plugin update requests seriously. Updates often contain security enhancements and vulnerability repairs. Check the
(iv) Access Control
(v) Cryptographic Practices
(vi) Error Handling & Logging
(vii) Data Protection
(viii) Communication Security
(ix) System Configuration
(x) Database Security
(xi) File Management
(xii) Memory Management
(n) Implement logging functionality and periodically audit the web logs for suspicious activity.
(o) Configure website, web application or web portal caching to optimise resource availability.
(p) Sanitise user input at both the client end and the server end with both a syntactical as well as a semantic approach.
(q) The technology to be implemented should be chosen after careful consideration. Various client-side Active Content Technologies are available, e.g., JavaScript etc. Each has its own strengths and weaknesses along with an associated risk.
(r) Disable the root user access to run the code on Linux/Unix hosts.
(s) Use explicit path names when invoking external programs and do not rely on the PATH environment value.

B. Securing databases: The database is the core of any application and/or organisation and is used to store large amounts of highly sensitive and personal information. Therefore, appropriate technical controls should be in place to safeguard the databases and the information stored in them. The following are the guidelines for securing databases:
(a) Implement strong encryption and key management mechanisms for the information both at rest and in transit.
(b) Implement strong hashing and salting algorithms to store passwords in the database.
(c) Use secure credentials for database access. Remove or change all default database administrative passwords.
(d) Utilise strong passwords/passphrases or implement multi-factor authentication.
(e) Disable unnecessary accounts such as orphaned accounts, unused accounts, generic and service accounts.
(f) Enable access to the database only from the web server on a whitelisted port, and the database server should not be assigned a publicly accessible IP.
(g) TLS should be enabled in databases for secure communications between web servers and databases.
(h) Create admin restrictions, such as by controlling privileged access on what users can do in a database.
(i) The application should use the lowest possible level of privilege when accessing the database.
(j) Turn on node checking to verify applications and users.
(k) Turn off all unnecessary database functionality (e.g., unnecessary stored procedures or services, utility packages); install only the minimum set of features and options required (surface area reduction).
(l) Enforce a strict access control policy and introduce role-based access control (RBAC) privileges.
(m) Enable audit trail logs on the database servers.
(n) Ensure appropriate logging and monitoring of database logs.
(o) Consider fine-grained record/row level auditing based on the sensitivity of data.
(p) Implement a backup solution to store data and system configurations from the website, web application or web portal that should be backed up periodically.
Note: One of the best methods to keep a website/app safe is to have a good backup solution, and the user should have more than one data backup. Each of these backups is crucial to recovering a website after a major security incident occurs. There are several different solutions one can use to help recover damaged or lost files. Keep the website information off-site. Do not store the backups on the same server as the website; they are as vulnerable to attacks too. Choose to keep the website backup on a home computer or hard drive. Find an off-site place to store the data and to protect it from hardware failures, hacks and viruses. Another option is to back up the website in the cloud. It makes storing data easy and allows access to information from anywhere. Besides choosing where to back up the website, one must consider automating the backups. Use a solution where one can schedule the website/app backups. It has to be ensured that the solution has a reliable recovery system. Be redundant in the backup process: back up the backups. By doing this, one can recover files from any point before the hack or virus occurs.
(q) Keep the backup media file in safe custody; access to it should be restricted and logged.
(r) Conduct periodic auditing of the web application, at least once in a year or as and when any changes are done in the source code, whichever is earlier.
(s) Report any web application-related security incidents observed to NIC-CERT & CERT-In immediately at the Incident Response Helpdesk:
NIC-CERT: incident@nic-cert.nic.in
CERT-In: incident@cert-in.org.in
Toll free phone: CERT-In - +91-1800-11-4949

Evaluator action: The evaluator shall check that the website/ web application/ web portal/ mobile app under evaluation has a valid security audit certificate issued by NIC/ STQC/ STQC empanelled laboratory/ CERT-In empanelled laboratory fulfilling CERT-In requirements.

5.3.2

Statement: Hosting Environment has been secured for ensuring confidentiality, integrity and availability (CIA).

Benefits: The goal of securing a hosting environment is to maintain the confidentiality, integrity and availability of information resources, leading to successful operations. This goal is accomplished through the implementation of security controls. Hosting service providers should follow industry best practices for securing the hosting environment. Attacks could cause both personal embarrassment and financial risks. Secure hosting as well as doing regular backups save the time and money put into the site.

Government organisation action: Think of a website's domain name as a street address. Now, think of the web host as the plot of "real estate" where the website exists online. As one would research a plot of land to build a house, the organisation needs to examine potential web hosts to find the right one. Many hosts provide server security features that better protect a website and its data.

A. There are certain mandatory aspects to check for when choosing a hosting service provider (HSP):
(a) Ensure the hosting of the web infrastructure within the geographical boundaries of India.
(b) The government organisation to ensure the HSP is providing data centre, business continuity plan and disaster recovery environments with state-of-the-art secure infrastructure configured in high availability (HA) mode for hosting the websites, web applications, web portals or mobile apps and their respective CMS.
(c) Conduct periodic drills of the disaster recovery environment, at least once in a year.
(d) HSP to ensure that the servers are protected against environmental, physical and cyber threats.
(e) Ensure the HSP has implemented all security controls of the Data Centre, including physical security and appropriate access control mechanisms.
(f) Servers and network devices used to host the website should be hardened with the latest security patches, and periodic Vulnerability Assessment (VA) and Penetration Testing (PT) followed by corrective actions should be performed as per the security policy.
(g) Ensure the HSP of the hosting environment has deployed and configured a Web Application Firewall (WAF), which is hardened with the latest security patches and is available for use by the government organisation on demand.
Note: A WAF sits between the website server and the data connection. Its purpose is to inspect every request that passes through it to protect the site. Most WAFs are cloud-based and are a plug-and-play service. The cloud service is a gateway for all incoming traffic that blocks requests matching known attack patterns. It also filters out other types of unwanted traffic, like spammers and malicious bots.
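Items (p) and (s) under "A. Securing Code" above ask for syntactic plus semantic validation of user input and for external programs to be invoked by explicit path rather than through PATH. The following is an added example, not code from the GIGW document, showing both on a hypothetical "download report" request; the field formats, the state-code allow-list, `/usr/bin/gzip` and `/srv/reports` are all assumptions made for the example.

```python
# Added example (not from the GIGW page): server-side validation of two form
# fields with a syntactic check followed by a semantic check (item (p)), and an
# external program invocation that uses an explicit path and a minimal
# environment instead of relying on PATH (item (s)). Field formats, the
# allow-list and the file locations are assumptions made for this example.
from __future__ import annotations

import datetime
import os
import re
import subprocess

REPORT_ID_RE = re.compile(r"[A-Z]{2}-\d{4}-\d{3}")     # e.g. MH-2023-017 (assumed format)
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
ALLOWED_STATE_CODES = {"MH", "DL", "KA"}               # constructed allow-list

GZIP = "/usr/bin/gzip"          # explicit path; assumed location of the binary
REPORT_DIR = "/srv/reports"     # assumed location of the report files


def check_report_request(report_id: str, date_str: str,
                         today: datetime.date | None = None) -> list[str]:
    """Return a list of validation errors (empty when the request is valid).

    Syntactic checks reject anything that does not have the right shape;
    semantic checks reject well-formed values that make no sense for the
    application (unknown state code, impossible or future date)."""
    today = today or datetime.date.today()
    errors = []

    if not REPORT_ID_RE.fullmatch(report_id):
        errors.append("report id: wrong format")
    elif report_id[:2] not in ALLOWED_STATE_CODES:
        errors.append("report id: unknown state code")

    if not DATE_RE.fullmatch(date_str):
        errors.append("date: wrong format")
    else:
        try:
            parsed = datetime.date.fromisoformat(date_str)
        except ValueError:                      # e.g. 2023-02-30
            errors.append("date: not a calendar date")
        else:
            if parsed > today:
                errors.append("date: lies in the future")
    return errors


def build_command(report_id: str, date_str: str) -> tuple[list[str], dict[str, str]]:
    """Build argv and environment for compressing one validated report.

    argv is a list (no shell is involved), the program is named by an absolute
    path, and the environment is constructed from scratch so that a PATH or
    LD_PRELOAD value inherited from the service cannot redirect the call."""
    errors = check_report_request(report_id, date_str)
    if errors:
        raise ValueError("; ".join(errors))
    path = os.path.join(REPORT_DIR, f"{report_id}_{date_str}.csv")
    argv = [GZIP, "--keep", path]
    env = {"PATH": "/usr/bin:/bin", "LANG": "C"}
    return argv, env


def compress_report(report_id: str, date_str: str) -> int:
    """Run the compression and return the exit status."""
    argv, env = build_command(report_id, date_str)
    return subprocess.run(argv, env=env, shell=False).returncode


if __name__ == "__main__":
    print(check_report_request("MH-2023-017", "2023-02-30"))
    print(build_command("MH-2023-017", "2023-02-28"))
```

The client-side copy of the same checks improves the user experience only; the server-side copy is the one that counts, because a client can bypass its own JavaScript. Note that the file name passed to the external program is built only from values that passed validation, so no raw user text ever reaches `argv`.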
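Item (n) under "A. Securing Code" calls for periodic auditing of web logs for suspicious activity, and items (m) and (n) under "B. Securing databases" ask for the same discipline on database logs. The following is an added example, not from the GIGW document, of a small audit pass over web server access logs in Combined Log Format; the log lines are constructed for the example and the detection patterns are a starting point rather than a complete rule set.

```python
# Added example (not from the GIGW page): a small audit pass over web server
# access logs in Combined Log Format, the kind of periodic review item (n)
# under "A. Securing Code" calls for. The log lines below are constructed for
# the example (RFC 5737 documentation addresses) and the patterns are a
# starting point, not a complete rule set.
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each pattern is applied to the URL-decoded request path (query string included).
SUSPICIOUS_PATTERNS = {
    "path traversal": re.compile(r"\.\./|\.\.\\"),
    "sql injection": re.compile(r"union\s+select|'\s*or\s+\d+=\d+|sleep\(\d+\)", re.I),
    "config/admin probe": re.compile(r"/(wp-admin|phpmyadmin|\.env|\.git)(/|$)", re.I),
}

SAMPLE_LOG = [   # constructed sample
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0530] "GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0530] "GET /about.html HTTP/1.1" 200 1820',
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0530] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Oct/2023:13:56:05 +0530] "GET /download?file=../../etc/passwd HTTP/1.1" 404 169',
    '192.0.2.44 - - [10/Oct/2023:13:57:00 +0530] "GET /wp-admin/ HTTP/1.1" 404 169',
    '192.0.2.44 - - [10/Oct/2023:13:57:01 +0530] "GET /phpmyadmin/ HTTP/1.1" 404 169',
    '192.0.2.44 - - [10/Oct/2023:13:57:02 +0530] "GET /.env HTTP/1.1" 404 169',
    '192.0.2.44 - - [10/Oct/2023:13:57:03 +0530] "GET /.git/config HTTP/1.1" 404 169',
    '192.0.2.44 - - [10/Oct/2023:13:57:04 +0530] "GET /admin HTTP/1.1" 404 169',
    '192.0.2.44 - - [10/Oct/2023:13:57:05 +0530] "GET /backup.zip HTTP/1.1" 404 169',
]


def parse_line(line: str):
    """Parse one Combined Log Format line; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])   # match against what the application would see
    rec["status"] = int(rec["status"])
    return rec


def audit_log(lines, scan_threshold: int = 5):
    """Return (ip, category, detail) findings for requests matching an attack
    pattern and for clients whose 404 count reaches scan_threshold, which is
    the usual footprint of directory and plugin scanning."""
    findings = []
    not_found = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("-", "unparseable line", line.strip()))
            continue
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(rec["path"]):
                findings.append((rec["ip"], label, rec["path"]))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    for ip, n in not_found.items():
        if n >= scan_threshold:
            findings.append((ip, "probable scanning", f"{n} responses with status 404"))
    return findings


if __name__ == "__main__":
    for ip, label, detail in audit_log(SAMPLE_LOG):
        print(f"{ip:15} {label:20} {detail}")
```

Decoding the path before matching matters: the injection attempt in the sample arrives percent-encoded, and a pattern applied to the raw log line would miss it. Unparseable lines are reported rather than skipped, since an attacker who can corrupt the log format can otherwise hide from the review.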
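Item (p) under "B. Securing databases" and its note ask for scheduled, off-site, redundant backups with a reliable recovery system. The following is an added example, not from the GIGW document, of a backup routine that writes a SHA-256 manifest beside the archive and proves the archive restores cleanly before it is trusted; the directory layout and file contents in `run_demo()` are constructed for the example.

```python
# Added example (not from the GIGW page): a backup routine for item (p) under
# "B. Securing databases" that writes a SHA-256 manifest next to the archive
# and verifies the backup restores cleanly before it is trusted, which is the
# "reliable recovery system" the note asks for. Directory layout and file
# contents in run_demo() are constructed for the example.
import hashlib
import json
import os
import pathlib
import tarfile
import tempfile


def sha256_file(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: pathlib.Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: pathlib.Path, dest_dir: pathlib.Path, name: str):
    """Write name.tar.gz and name.manifest.json into dest_dir (in practice an
    off-site location, never the web server itself)."""
    manifest = build_manifest(src)
    archive = dest_dir / f"{name}.tar.gz"
    manifest_path = dest_dir / f"{name}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def _safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse archive members that would land outside dest (tar slip)."""
    if hasattr(tarfile, "data_filter"):          # Python 3.12+ and backports
        tar.extractall(dest, filter="data")
        return
    root = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, member.name))
        if target != root and not target.startswith(root + os.sep):
            raise ValueError(f"unsafe path in archive: {member.name}")
    tar.extractall(dest)


def verify_restore(archive: pathlib.Path, manifest_path: pathlib.Path) -> bool:
    """Restore into a scratch directory and compare every file against the
    manifest; a backup that fails this check should not be kept."""
    expected = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            _safe_extract(tar, scratch)
        return build_manifest(pathlib.Path(scratch)) == expected


def run_demo() -> tuple:
    """Constructed site tree: back it up, verify, then tamper with the manifest
    to show the verification catching a mismatch. Returns (ok, ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        site_path, store_path = pathlib.Path(site), pathlib.Path(store)
        (site_path / "config").mkdir()
        (site_path / "index.html").write_text("<h1>Portal</h1>")
        (site_path / "config" / "app.ini").write_text("db_host=10.0.0.5\n")
        archive, manifest_path = create_backup(site_path, store_path, "portal-2023-10-10")
        ok = verify_restore(archive, manifest_path)
        manifest = json.loads(manifest_path.read_text())
        manifest["config/app.ini"] = "0" * 64         # simulate a corrupted record
        manifest_path.write_text(json.dumps(manifest))
        return ok, verify_restore(archive, manifest_path)


if __name__ == "__main__":
    print(run_demo())   # (True, False)
```

A backup that has never been restored is only a hope; running `verify_restore` as part of every scheduled backup turns the note's "reliable recovery system" into something measurable. The manifest should be copied to the off-site location together with the archive, and the restore test should be repeated from that copy, not from the web server.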