HTTPS Additional Considerations

Revision as of 15:47, 22 February 2019 by Tim.allardyce (talk | contribs)

Additional Considerations of HTTPS

Website Security

To protect GC electronic networks, devices and information, the following is a non-exhaustive list of security considerations that can be implemented in a layered manner to support a defence-in-depth approach for web services and minimize opportunities for cyber attacks:

  • Deploy modern operating systems (OS) and applications that are maintained with supported, up-to-date, and tested versions of software.
  • Actively manage software vulnerabilities, including fixing known vulnerabilities quickly following a timely patch maintenance policy for OS and applications, and taking other mitigating steps, where patches can’t be applied.
  • Implement appropriate host-based protections to protect systems against both known and unknown malicious activity.
  • Minimize available services and control connectivity by removing or disabling all non-essential ports and services as well as removing unnecessary accounts from systems.
  • Enable system logging to improve the ability to detect and identify anomalous behaviours, perform system monitoring, and to assist with incident response and forensic analysis of compromised systems.
  • Carefully control and manage privileges assigned to users and administrators. Provide a reasonable (but minimal) level of system privileges and rights needed for their role.
  • Use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect from unauthorized access.
  • Design web services so that they are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the Open Web Application Security * Project (OWASP) Top 10.

For more information on best practices, refer to Communications Security Establishment’s (CSE’s) IT security advice and guidance.

Additional Guidance: Website Security | US-CERT