Skip to Content
  1. 1Software updateSoftware update
  2. 2Data encryptionData encryption
  3. 3Remote administrationRemote administration
  4. 4Authentication passwordAuthentication password
  5. 5Alert notificationAlert notification
  6. 6Search indexingSearch indexing
  7. 7Security scanSecurity scan
  8. 8OutsourcingOutsourcing
1

Update operating system, application and framework libraries

RISK

Software, such as operating system, application and framework libraries, with known security weaknesses are more susceptible to cyber attacks, in particular, those installed on web server and other Internet facing components.

CHECK STEPS

Tool(s) available

Function: Detect outdated operating system and software.

 

Manual Check Tips

Note: You can identify what known vulnerabilities are affecting your software by manual check -

MORE TIPS

  • Keep an update and comprehensive list of software inventory, including operating system, application and framework libraries. For Windows, you may list out the installed software via Microsoft Windows Installer (MSI).
  • Pay attention to security news and obtain relevant information, such as software update and security alerts, by subscribing notification service of software vendor.
  • If no possible solution is available for fixing the vulnerability, you should assess the security risks and adopt compensating security measures, such as disabling the vulnerable functionality of the software and using other more secure software.
  • Make sure all server and computer are protected by firewall and anti-malware software.
Next
2

Encrypt sensitive information in web page

RISK

Unauthorised person can steal or modify sensitive information in a web page to conduct identity theft, credit card fraud and other crimes.

CHECK STEPS

Tool(s) available

Function: Detect outdated / invalid server certificate, weak encryption algorithm and protocol supported by a web server.

 

Manual Check Tips

Note: You can identify whether a web page is partially encrypted or fully encrypted by manual check -

  • Understand the indication of encryption status of a webpage in Firefox, Internet Explorer and Google Chrome
  • Review the encryption status of a webpage by browsing it by one of the web browser.

MORE TIPS

  • Avoid displaying both secure (HTTPS) and non-secure (HTTP) content in a web page processing sensitive information because the non-secure content (e.g. script) might be able to access information from the secure content.
  • Server certificate should be assigned by recognised Certificate Authority (CA) and in "Trusted" condition.
  • Strong cipher suites and protocols, such as TLS 1.2 and AES 256 bit, should be assigned with a higher priority in the preferred order setting at the web server, while the risks of weaker ones should be assessed before use.
Next
3

Adopt secure remote access solution for website administration

RISK

Insecure remote access can leak login password as the data is transmitted over the Internet without encryption.

CHECK STEPS

Tool(s) available

Function: Detect insecure remote access services (e.g. telnet, ftp, rlogin, etc.) supported by a server.

 

Manual Check Tips

Note: You can identify whether your remote access solution is secure by manual check –

  • Understand the settings of your remote access solution by reading the official user manual.
  • Use strong password
  • Enable strong authentication mechanism if available, such as certificate-based and 2-factor authentication.
  • Enable secure encryption protocol, such as HTTPS, SFTP and SSH v2.
  • Allow remote connection from specific IP address of internal network only.
  • Assign unique account to each individual user following principle of least privilege.

MORE TIPS

  • Use remote access software with security updates.
  • Research and select remote access software with support of security features commensurable with the security requirement.
  • Consider local login to web server and disable remote website administration for better security.
Next
4

Adopt strong authentication and password

RISK

Weak password, which is easy to guess, increases the chance of unauthorised access to VPN gateway, web server, and interfaces for website administration.

CHECK STEPS

Tool(s) available

Function: Assist users to learn and practice on how to create strong passwords.

 

Manual Check Tips

Note: You can identify whether 2-factor authentication mechanism is adopted for remote access by manual check -

  • Login to the VPN gateway, web server, interfaces for website administration and other Internet-facing critical services.
  • Verify whether a combination of any two factors of: what you know (e.g. password), what you have (e.g. digital certificate and one time password via SMS) and what you are (e.g. fingerprint) is required for authentication during the login process.

MORE TIPS

  • Keep an update and comprehensive list of user account inventory and change password regularly, in particular, those for remote administration.
  • Assign unique account to each individual user to enforce accountability and enhance investigation capability if an incident occurs.
  • Assign user right and permission to user account following principle of least privilege, for example, segregating users into editor and approver group for web content update.
  • Adopt 2-factor authentication at the VPN gateway, which allows remote access from the Internet. Please visit InfoSec website for more information on 2-factor Authentication.
  • Automatic lock out nuisance user after too many attempts.
  • Develop and enforce strict password policy for better security. Please visit InfoSec website for more good practices on Handling User Account and Passwords.
Next
5

Enable and review event logs and alerts

RISK

Inadequate monitoring alert and log review mechanism could latent detection of security incident.

CHECK STEPS

Tool(s) available

Function: Assist to monitor availability and integrity of website and generate email alerts to notify administrator.

 

Manual Check Tips

Note: You can identify whether security logging functions are enabled for your web server by manual check -

MORE TIPS

  • Develop security incident monitoring and handling procedures, including escalation procedures and an effective mechanism for reporting, identifying, notifying and handling of security incident.
  • Generate and retain audit logs for user and privileged accounts with sufficient details of information, such as sign-in, sign-out times, user id, activity time and activity details.
  • Audit records should be reviewed regularly to detect suspicious events.
  • Access to the audit records must be restricted to authorised user only.
Next
6

Prevent data leakage through public search engine

RISK

Sensitive and internal data can be discovered and cached by public search engine.

CHECK ITEMS

Tool(s) available

Function: Detect orphan files / broken links and test whether Public search engine can index and cache a web page / file of your website.

MORE TIPS

  • Sensitive data, such as personal information and credit card details should not be stored onto Internet-facing web server; instead, it should reside in backend server protected by firewall.
  • Use server-side authentication mechanism to protect web contents that should not be disclosed to the public, such as a website under development.
Next
7

Conduct security vulnerability scanning or penetration test

RISK

Newly disclosed security vulnerabilities can be exploited by attackers to compromise the website.

MORE TIPS

  • Consider conducting periodic third party security risk assessment and audit on your website for better security.
  • Assess risks before conducting penetration testing because the tests may bring negative impacts to system, such as service disruption, data loss, etc.
Next
8

Select web hosting service that can meet your security requirements

RISK

Web hosting service provider can put your business at risk because the overall security of your website is only as strong as its weakest link.

CHECK STEPS

When selecting web hosting service provider, you should read the Terms of Service and Security & Privacy Policy carefully and assess security risks. In general, you should find out -

  • how your website is stored and protected.
  • whether the required security features can be supported and clearly explained, preferably supported by an independent information security management certification (e.g. ISO/IEC 27001).
  • whether secure remote website administration is supported.
  • whether a simple and clear reporting mechanism is provided for service problems, security incidents.
  • whether service level agreement is commensurable with the importance of your business function.
  • how to terminate the service and transfer your data and service to another service provider.

MORE TIPS

Note to user adopting outsourced web hosting service: Although web hosting service provider usually provides little control on network and server platform to user, you are recommended to understand all check items and make sure the service provider able to deliver a secure service to you.

Disclaimer: The health check settings here are proactive in nature and intended for improving website security, as they may change the user experience and interfere with the functionality and utility of some applications. The exact process for applying the security features during the health check will vary between different products. It is recommended to follow the instructions contained in the user manual provided at the official website of the manufacturer where possible.

Users are also recommended to observe the Important Notices of CSIP and read the user agreements and privacy policies of the security software and tools before download and use them.

Back to Top