I have been tasked with seeking out best practices for the corporate website with privacy and security considerations. I thought this would be a breeze, but it seems I've found myself in uncharted territory.
Is this really not a thing (yet)?
The board wants best practices to consider for limiting the amount of information a malicious user could ascertain from the company website, and I agree that it is something to be considered. But it seems I'm either getting the wording incorrect, or this is something that has not yet been made into a best practice.
It seems like you are dealing with multiple issues here: the security of the site and the content placed on the site. For security, the first question is what kind of site it is, because different sites have different risks. I would probably start with a WAF with as strict a set of OWASP rules as you can. As for content, has the information that is being considered to be put on the site been given classifications? If not, consider it; if so, make a policy that only certain classifications are allowed to be placed on the site.
I will put out there that I am sure my knowledge on this is not as good as that in other replies you will get, but these are just some thoughts that I hope will get the conversation started.
They are mainly concerned about the actual content of the website. Recently, malicious entities have used the data gained from our website in spear phishing campaigns. C-levels' names have been used as the sender on emails to mid-management, who took action under the assumption that it was the actual person. That action was immediately corrected, but I'm sure you all get the picture of how this is panning out. End-user education aside, they want to limit the amount of information they put out there. Regional industry leaders have already done something similar, but we're a best practices kind of shop. (read: Our Info Sec office is new)
I will be interested to hear what others have to say on this, because I would think that such information could just be found elsewhere. Another consideration is limiting what people are allowed to post about the company on other sites. People don't realize how much insight can be gained from LinkedIn! People list the technologies they work on in the company, and even in job postings. If your employees are giving a road map, it makes it quicker and easier to assess possible attack surfaces.
@JKWiniger Rather than best guessing what the current state of your corporate web site is, go out and get it professionally tested; then you have a very good idea where it is potentially lacking and what needs to be done to mitigate any issues arising. There are plenty of web services proclaiming good design and layout services, but the key thing is: are you hosting it, or is it outsourced, and if it is outsourced, how well is it being managed?
Unless you have full visibility, one cannot hope to fully know what the current issues are, whether the web site follows best practices, or whether personnel are mismanaging it on your behalf.
I would personally be proactive and find out for sure.
@Caute_cautim I would disagree on a few levels here. First, the question seems to truly be more about content than configuration, and that can be more on the subjective side, so I don't think an outside company could make that call. As far as using an outside company to test the web site for security, I think this is a mistake that happens far too often. Unless I am mistaken, they are working on getting security up and running, so they really need to establish some level of blue team and have them create baselines and take care of the low-hanging fruit before even considering being tested by a red team. "Ok, here is what the red team found." "Ok, great, but no one here knows how to fix it!" This goes back to my belief that a red team should be required not only to show how they were able to compromise something but also to provide a way to mitigate the issue so it will not happen again!
It seems the assumption of uncharted territory is true.
I am going to bring this up with one of our vendors as a last-ditch effort. However, I don't believe they're going to provide more than you all have. All of your suggestions are helpful, and I've blended them all together into an action plan instead of a best practices implementation.
@swoolz I think that sounds GREAT! One last thing to consider when you make that action plan is to just base it in logic and reason, so that when you explain and sell it to others it makes sense, and people can see that and might be able to voice other concerns. The biggest way I tend to spot BS is when people can't explain things.
If you want to share how things turn out, I, and I'm sure others, would love to hear about it.
Interestingly enough, at times we go into new areas, and at times we are creating best practices as we do so!
@JKWiniger Yes, the original question was about content, but beyond content, the web site has to be hosted somewhere: locally, by outsourcing, by a third party, or even in the cloud. As I stated, there are a great number of web designers and standards available to provide guidance on what the company wants to portray, and to provide guidance on usability, access for different people, and privacy as well. It is almost as though one needs a compliance audit just to ensure one is not breaching local or international laws, including those pertaining to digital communications, decency, and many other aspects too.
As well as optimisation, to promote their ranking e.g. https://www.rankingcoach.com/en-au?utm_source=google&utm_medium=cpc&utm_campaign=collector&utm_conte...
or for a content example: https://www.jimdo.com/blog/11-golden-rules-of-writing-website-content/
Content is a very broad term, especially with respect to web sites. It does not matter how good or bad the content is; what about the security and privacy aspects as well? A holistic approach needs to be taken, and in terms of content, hire a good PR Communications person and a lawyer too.
Yes, I agree with you that a good ethical penetration testing team provides a point-in-time perspective of that particular target or web site. This is plain good practice: a) checking to ensure that the support team is doing its job correctly, b) or the third party supporting the web site, c) or even the cloud provider, etc.
A good penetration testing organisation will always explicitly state how to fix problems or provide recommendations; whether the organisation takes them up or simply ignores them is another matter.