Beyond the basics: more data on the state of business website security
- 8 months ago
- 7 min read
In our previous post, we examined fundamental measures for website security and their implementation on business websites in diverse countries. In this second part, we build on these basics discussed in our first post, examining more sophisticated strategies that can be implemented to defend websites against evolving cyber threats.
These strategies include securing DNS communication with DNSSEC, email communications through SPF, DMARC and DKIM protocols, enhancing domain security by specifying HTTP headers, and incorporating a security.txt file. As we explore the technical aspects, our goal is to provide you with a comprehensive understanding of the multi-layered approach that is needed to safeguard websites.
Adding cryptography to DNS with DNSSEC
Domain Name System Security Extensions (DNSSEC) help protect the system that translates domain names into IP addresses, a crucial step in cybersecurity. DNSSEC adds cryptographic signatures to existing DNS records. These signatures are used to verify that the source of the DNS data is authentic, i.e., the data is coming from where it claims to be coming from and that the data has not been tampered with during transmission.
The objective of DNSSEC is to safeguard against certain types of attacks, such as man-in-the-middle attacks, wherein a user’s attempt to access a legitimate website is hijacked and redirected to a fraudulent website.
We identified just two countries where a mere half of business websites had DNSSEC enabled, namely the Czech Republic (55%) and Norway (52%). France, Estonia, and Brazil, with respective percentages of 19%, 18%, and 13%, are ranked as the third, fourth, and fifth most secure countries, with between 10% and 29% of their business websites being protected by DNSSEC. The vast majority of websites in the remaining nations are not protected.
Enabling DNSSEC typically requires coordination between domain registrars and DNS hosting providers, indicating that many could do more to protect clients. The .no country code top-level domain (ccTLD) is known to be one of the TLDs with the highest protection through DNSSEC, and our results support this. Several countries have issued directives regarding the implementation of DNSSEC to enhance their national cybersecurity infrastructure. In Brazil, for example, the implementation of DNSSEC has been pushed to improve internet security within the country. Various initiatives within the EU, including ENISA (European Union Agency for Cybersecurity), have advocated for the implementation of DNSSEC. However, due to the absence of an EU-wide directive, there are significant disparities among EU nations when it comes to the implementation of DNSSEC.
Prevent phishing and spam with three key DNS records
Phishing and email spam are the most common ways for hackers to enter a network. It takes just one employee clicking on a malicious link or email attachment to compromise an entire enterprise with ransomware. To prevent a domain from being abused for phishing, just three key DNS records need to be set properly. Those records are SPF, DKIM, and DMARC. The three can help ensure the legitimacy of emails, making it more challenging for attackers to impersonate trusted senders.
The Sender Policy Framework (SPF) enables domain owners to specify which mail servers are authorized to send emails on behalf of their domain.
Domain Keys Identified Mail (DKIM) provides a way for an email to be signed with a digital signature, which is then verified by the recipient using the sender's public key published in the DNS. This ensures the email's content has not been tampered with during transit and that the email genuinely originates from the specified domain, making it harder for phishers to forge emails.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) allows domain owners to specify how receiving mail servers should handle emails that fail SPF or DKIM checks. It also specifies an address to send reports on pass/fail statistics, providing visibility into attempts to spoof or forge emails. DMARC helps prevent phishing by ensuring that only authenticated emails are delivered to users and by informing domain owners of potential abuse.
Most business websites in the countries we researched specify SPF, ranging from 64% in Norway to 86% in South Africa. The Czech Republic is the online nation with less than 50% of business websites protected with SPF. DMARC coverage ranges from 8% in Mexico to 24% in Norway, indicating that a lot more could be done to improve the coverage of the DMARC framework. DKIM is not shown in Figure 6 due to its very limited coverage. In no country did the coverage exceed 0.5%. Although it appears that the majority of business websites have taken at least one measure to prevent phishing attacks, a significant proportion of domains have yet to utilize all available security measures to prevent the misuse of email fraud.
How HTTP headers play a vital role in website security
Hypertext Transfer Protocol (HTTP) headers play an important role in the secure and efficient operation of web communications by enabling browsers and servers to exchange information beyond the content of the web page itself. They are used for various purposes, one of which is to specify security policies. For this research, we examined five security-related HTTP headers (X-XXS-protection, X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options). The technical details of these headers are beyond the scope of this article, but each of these headers can add another layer of security to a website. Figure 7 shows the percentage of business websites per country that specify between one and five headers.
In general, the data indicates that well over two-thirds of business websites could significantly enhance their security by defining one or more security-related HTTP headers. In many countries, between 10% and 20% of business websites include at least one or two security-related HTTP headers, but, less than 5% specify four or five of these. Overall, Norway, Indonesia, and the Philippines possess the highest coverage, whereas South Africa, Spain, and Turkey are the lowest ranked. The large share of business websites in all countries that do not utilize these extra layers of protection suggests more could be done to educate domain owners about the utility of specifying HTTP headers. This would provide them with the necessary ‘how to’ to implement them.
Security.txt offers direct contact methods for reporting
Before concluding this two-part series on business website security and naming a winner, let’s take a look at a lesser known text file called security.txt. This file is a standardized method for websites to define security policies. It's typically placed in the website's root directory, providing contact information for reporting security vulnerabilities. The objective of security.txt is to facilitate the responsible disclosure of potential security issues.
Last year, the Dutch government mandated the implementation of the file on any websites maintained by public institutions. This is not a requirement in most countries, but it’s still a good idea. Who wouldn’t want to be informed if someone discovers a security gap on a website or in your digital product?
Surprisingly, only one country out of the thirteen under investigation had a mentionable percentage of sites with a security.txt available. 6.5% of Czech business websites have such a file. This percentage is relatively high, in comparison we detected coverage of 5% on Dutch business websites where all government websites are required to implement one. For all other countries, the share was less than 0.6%. Having a security.txt is certainly not a strong tool against major cyber threats, but being alerted to vulnerabilities can’t hurt and may in the best cases mitigate actual breaches before any actual damage is done.
No country boasts a high level of secure websites
Having examined fundamental and less well-known security measures to reduce website vulnerabilities, it's possible to draw a couple of conclusions. First, no country is exceptionally well-secured. Although business websites have some security measures set in place, they are often limited to just a single factor. For instance, instead of specifying SPF, DKIM, and DMARC, just one of them is covered.
Furthermore, not a single nation performs well on all security indicators. Norway may have performed well in several areas, but is among the worst when it comes to fraudulent online stores. Equally, the Czech Republic seems quite secure in most measures, but SSL coverage is lower than in other countries, as is phishing protection. All researched countries would benefit from significant security improvements.
Our overall winner is Norway, followed by Estonia and the Czech Republic (see Figure 8). But It would be incorrect to assume that this is representative of other European countries. Spain, ranking second-lowest, is a sure indicator of that. Following the European winners, the three Latin American countries included in this research rank 4th, 5th and 6th. Countries from Asia come in at lower overall ranks.
With SSL certificates being a notable exception, there is still a lot of room for corporate websites across the globe to enhance their security measures. An approach that takes multiple measures into account, from improving DNS records to HTML headers and SSL, can create a safer internet for all.
Website security is a responsibility for website owners and governments
The responsibility of securing a website, however, should not solely rest with business owners. Governments and organizations have a responsibility to fulfill, as do registrars and hosting providers. The state of business website security is a glaring issue that demands immediate and collective action. Web data is a potent ally in this battle, but it requires the support and active participation of governments and organizations to translate insights into tangible action. The issue of cybersecurity is a concern that affects all individuals and has the potential to impact beyond the digital realm. Therefore, it is imperative that we collectively strive to enhance the security of the web.