A Website Security Framework Intro

A framework should provide the underlying structure we require to build on.

Consider a home. Regardless of the type of home, they all have a similar framework. The framework keeps the house together and defines the basic structure, it starts with the foundation on which the house will sit. From there, the developers and architects build and expand it into something that fits their specific requirements. Without a basic framework, the house will collapse.

The same is true for how we should manage the security of our websites. The prevailing belief is that the security problems we face today are technological in nature. I disagree. We invest all our energy into the latest technologies, making hardening and configuration changes in the hope that we are addressing the latest perceived media threat. This approach is flawed: it lacks the structure required to adequately account for emerging threats.

Attackers are successful not because we’re technically incapable, but because we are behaviorally weak. – @perezbox

At Sucuri we were naive to believe early on that our product was for everyone; we've realized over time, however, that it is not. It's not that the product isn't effective, but that the businesses leveraging the products lack a basic understanding and appreciation for basic security principles. Tools are employed with no structure in place to define why they are being deployed.

We have to do a better job of bridging the divide between the knowledge that today's webmasters have and the knowledge they require to effectively manage their websites' security. We can start by defining a basic Website Security Framework that any organization, regardless of size, can employ.

A Basic Website Security Framework

The basis of the proposed framework is not new. It's borrowed from the Framework for Improving Critical Infrastructure Cybersecurity, developed by the US National Institute of Standards and Technology (NIST). The idea is to educate users on a framework that already exists and can be easily leveraged for your organization's website security needs.

It is built on 5 core elements: Functions, Categories, Subcategories, and Informative References. Their relationship is as follows:

The functions are designed to organize the key security domains you should be considering. Keep the functions to these core five domains; do not overcomplicate.

As the illustration shows, the categories are subdivisions of the functions, and the subcategories are subdivisions of the categories. There is a one-to-many relationship between Functions and Categories, and between Categories and Subcategories. The informative references have a one-to-one relationship with the subcategories; they are important to ensure that everyone is aligned on the exact steps being leveraged for each control and action.

Improving our Security Posture

The challenges we face today are as much human issues as technological ones. Before looking to deploy security solutions into your stack, ask yourself what your general disposition is towards security. The framework above is designed to help you in this process.

As you consider the framework, think of security as a continuous process. The threat landscape is constantly evolving, so your security posture should also evolve. Revisit the process at some interval (e.g., weekly, monthly, quarterly). It's not about the frequency as much as the simple act of actually revisiting the process.

In future posts I'll dive into each function and category. For now, consider the questions you would ask yourself in each function, and how that will have a domino effect through the design, and eventually the deployment, of your security controls.

A simple thought exercise: Start with the Identification function.

When was the last time you created an inventory of a) the domains you manage, b) the various plugins, integrations and extensions they leverage, and c) where they are hosted?
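To make the thought exercise concrete, here is an added example (not code from the original post or from Sucuri) that models the framework's Function, Category, Subcategory and Informative Reference structure described above, populates only the Identification function with the three inventory questions, and runs it over a constructed site inventory to surface gaps. The subcategory ids, reference labels and sample sites are assumptions made up for the example.

```python
"""Added example: Identification function of the website security framework
applied to a constructed site inventory. Ids, references and sites are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Subcategory:
    id: str            # hypothetical id, not a real NIST CSF identifier
    outcome: str
    reference: str     # exactly one informative reference per subcategory (1:1)
    check: Callable[[dict], List[str]]  # returns gap descriptions for one site

@dataclass
class Category:
    name: str
    subcategories: List[Subcategory]    # one category, many subcategories

@dataclass
class Function:
    name: str
    categories: List[Category]          # one function, many categories

# Each check inspects one inventory record: {"domain", "host", "components"}.
def _domain_recorded(site: dict) -> List[str]:
    return [] if site.get("domain") else ["domain missing"]

def _components_versioned(site: dict) -> List[str]:
    comps = site.get("components")
    if not comps:
        return ["no plugin/extension inventory recorded"]
    return [f"{name}: version unknown" for name, ver in comps.items() if not ver]

def _host_recorded(site: dict) -> List[str]:
    return [] if site.get("host") else ["hosting provider not recorded"]

IDENTIFY = Function("Identify", [Category("Asset Management", [
    Subcategory("ID-WEB-1", "Every managed domain is inventoried", "REF-ASSUMED-1", _domain_recorded),
    Subcategory("ID-WEB-2", "Plugins, integrations and extensions are inventoried with versions", "REF-ASSUMED-2", _components_versioned),
    Subcategory("ID-WEB-3", "Hosting location of each property is known", "REF-ASSUMED-3", _host_recorded),
])])

def inventory_gaps(sites: List[dict], function: Function = IDENTIFY) -> Dict[str, Dict[str, List[str]]]:
    """Map each failing site to {subcategory id: [gaps]}; sites with no gaps are omitted."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for i, site in enumerate(sites):
        key = site.get("domain") or f"record#{i}"
        for cat in function.categories:
            for sub in cat.subcategories:
                gaps = sub.check(site)
                if gaps:
                    report.setdefault(key, {})[sub.id] = gaps
    return report

# Constructed sample inventory (not real sites).
SAMPLE_SITES = [
    {"domain": "shop.example", "host": "host-a", "components": {"cart": "8.1", "seo": ""}},
    {"domain": "blog.example", "host": "", "components": {}},
    {"domain": "", "host": "host-b", "components": {"contact-form": "5.9"}},
]
```

Running `inventory_gaps(SAMPLE_SITES)` reports the unversioned plugin on shop.example, the missing host and empty component list for blog.example, and a record with no domain at all; each gap maps back to the subcategory whose informative reference tells the team what the fix should be.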

We do not get hacked because cyber criminals have an advantage over us, or because of the platforms we use. We get hacked because we are generally lazy. We fail to take the basic precautions required when introducing a new property to the greater internet ecosystem.

Note: Thanks, AJ, for your designs.