Weighing up the risks: a sensible attitude to security
In the news this week I’ve learned that many of my national and local government websites, as well as NHS ones, are highly vulnerable to being hacked and defaced.
See: “UK Government sites hacked with pharma spam” and “UK Parliament XSS flaw disclosed”.
When putting up any internet-facing resource or system, you need to consider:
- how important it is to you and your users
- what the implications would be if it got hacked
- how much effort (time, money and attention) you’re prepared to put in to keep it secure
This is always a balancing act, with no right answers, just a careful judgement of risk. The questions below might help in your assessment.
- How long do you expect the site to be live on the internet?
- How many people do you expect to use the site?
- How important to you are the people who will be using the site?
- What would the media say if your site was defaced?
- How would your shareholders react if your site was defaced?
- How much would you be fined if personal data was made public, lost or damaged?
- Do you need to check (say, weekly) that every layer of the software running the site, from the operating system through to the application and the libraries it depends on, is fully patched and up to date?
- Do you need an annual penetration test (typically scoped to cover at least the OWASP Top 10 web application risks)?
- Do you need to ensure that all users follow a strict password policy and change their passwords regularly? (Note that forced periodic password changes are no longer recommended by NIST SP 800-63B; password length, screening against breached-password lists and multi-factor authentication do more to protect accounts.)
- Do you need to put additional security controls (such as multi-factor authentication) in place?
There are a multitude of opinions out there about how best to secure your site. But I would suggest that the more important it is, and the greater the implications, the more input you need to make to keep it secure – probably in the order shown above.
Posted: 26 March 2014