Win-Pro achieved Hall of Fame for website scan by CSA IHP. It is certified by Cyber Security Agency of Singapore. Only domains that score 100% for the website security scan are automatically entered into the hall of fame.
Who is Cyber Security Agency CSA of Singapore?
As Singapore harnesses technology to improve lives and livelihoods for all, it is imperative that our plans are built on a strong foundation of cybersecurity, without which we would be exposing ourselves to the multitude of threats that lurk in cyberspace.
The Cyber Security Agency of Singapore (CSA) was formed in 2015 and has been given the task of protecting Singapore’s cyberspace. It is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information.
Cyber Security Agency (CSA) of Singapore – Cyber Health Lookup Tool
Cyber Health Lookup is a free online tool developed by the CSA that allows Singaporeans to check the security status of their internet-connected devices, such as laptops, smartphones, and tablets. The tool scans the devices for known vulnerabilities and security weaknesses and provides users with a report on their overall cyber health.
1) Secure Website Connection
Data transmitted between your website and visitor’s browser is protected against eavesdropping (theft of information) and tampering (altering of data for malicious activities). Having a good website hosting provider is important for a secure and reliable website connection.
2) Web Domain Security
The web domain is sufficiently secured because it is signed and validated with Domain Name System Security Extensions (DNSSEC).
Visitors whose systems have DNSSEC validation enabled are protected against DNS spoofing (redirection to malicious websites).
3) Modern IP Address
The web server is either unreachable via IPv6 or does not have IPv6 support.
Implement IPv6 on your web server so that visitors and other devices can reach it over IPv6, giving broader device and network support.
1) Secure Website Connection
HTTP Configuration Security (HTTPS)
HTTPS Existence – Hypertext Transfer Protocol Secure (HTTPS) enables secure data-in-transit communication between the client and the server. All y
HTTPS redirection ensures that your website can only be accessed via HTTPS protocol. Your website should automatically redirect visitors from HTTP to HTTPS to force a secure connection.
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a response HTTP header that protects your website against protocol downgrade attacks. When HSTS is implemented, web browsers are informed that they should only connect to your website over HTTPS. It is recommended to implement HSTS to force a secure connection.
HTTP Compression can be used to increase website performance. With HTTP Compression enabled, web pages are compressed before the responses are sent out. However, attackers can use the size of the compressed responses to learn about the traffic between your website and your visitors. Hence, HTTP Compression support is not recommended, and it should be disabled.
Transport Layer Security (TLS)
TLS Protocols are used to protect the data transmitted over the internet against eavesdropping. Websites should only support strong TLS Protocols to enhance secure data transmission and prevent data breaches.
TLS Cipher Suites
TLS Cipher Suites are used along with the TLS Protocols to protect the data transmitted over the internet against eavesdropping. Websites should only support strong TLS Cipher Suites to enhance secure data transmission and prevent data breaches.
TLS Compression should be disabled to protect your website against CRIME (Compression Ratio Info-leak Made Easy) attacks in which sensitive information can be recovered by an attacker.
Downgrade Attack Prevention
Downgrade Attack Prevention ensures that the client and the server communicate using secure protocol versions by preventing TLS downgrade. It is one of the mitigations against MITM (man in the middle) attacks, in which attackers intercept data in transit and use it for malicious activities. The TLS Signaling Cipher Suite Value (SCSV) is used to prevent downgrade attacks, so it should be supported by your web server.
Renegotiation is a process in which the parties renegotiate the TLS session, for example to send more data after the session has expired, and it therefore requires re-authentication. However, renegotiation can be susceptible to MITM (man in the middle) attacks. Only the latest protocol, TLS 1.3, forbids renegotiation. To reduce the susceptibility to MITM attacks, secure renegotiation should be enabled for TLS version 1.2 and below.
If Client-Initiated Renegotiation is enabled, your web server can be overloaded with renegotiation requests, which opens a window for Denial of Service.
Session resumption is a mechanism where an encrypted session between the client and the web server can be resumed. With session resumption support, the handshake between the client and your web server is significantly reduced. However, it can also open a window for replay attacks (data transmission is maliciously repeated) if not
TLS Early Data Indication
Early Data Indication is a TLS extension for TLS 1.3 that helps to improve connection performance. However, it also opens a window for replay attacks (data transmission is maliciously repeated).
Valid certificate dates show that your website’s certificate is current and confirm your organisation’s control of the domain. Your website certificate dates should be valid, with a validity period of 1 year or less, based on the National Cybersecurity Center of Excellence (NCCoE).
Public Key Algorithm
A website’s certificate contains a public key that is used to authenticate your web server’s identity. The algorithm used to sign the public key must be secure enough to be resistant to certificate forgery attacks in which attackers can spy on the data being transmitted.
Signature Hash Algorithm
Hashing is used during the creation of a digital signature to provide integrity to the certificate. The signature hash algorithm must be secure enough to be resistant to certificate forgery attacks in which attackers can spy on the data being transmitted.
Valid Domain Name
The domain name (subject name) of a website’s certificate identifies the host to which the certificate is issued. Therefore, the domain name (subject name) of your website’s certificate should match your website’s domain name.
Extended Validation (EV)
Extended Validation (EV) certificates provide a higher level of verification of the entity requesting the certificate, which gives website visitors stronger identity assurance and recourse against fraudulent transactions on the website.
Legacy Symantec Anchor
Browser vendors are deprecating existing Symantec certificates. To comply with this requirement, your website certificates should not chain to a distrusted Symantec anchor.
HTTP Security Headers
X-Frame-Options is a response HTTP header that protects your website against clickjacking in which attackers deceive users with hidden links that can be used to retrieve sensitive information.
X-Content-Type-Options is a response HTTP header that protects your website against MIME-type sniffing (malicious manipulation of website contents).
Content-Security-Policy is a response HTTP header that defends your website against code injection, XSS and clickjacking by informing browsers which content sources can be trusted.
X-Permitted-Cross-Domain-Policies is a response HTTP header that instructs the browsers on how requests should be handled across domains.
Referrer-Policy is a response HTTP header that prevents the leaking of internal URLs via the Referer header.
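The HTTPS redirection, HSTS, HTTP compression and security header checks described above can be reproduced offline against a captured response. The following is an added example, not code from Win-Pro or from the CSA tool; the one-year HSTS max-age threshold and the sample responses are constructed assumptions.

```python
import re
from typing import Dict, List

# Response headers the checks above expect on every HTTPS response.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "content-security-policy",
    "x-permitted-cross-domain-policies",
    "referrer-policy",
)
ONE_YEAR = 31536000  # assumed HSTS max-age threshold; the page sets no number


def hsts_max_age(value: str):
    """Extract max-age from an HSTS header value, or None if absent/malformed."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_response(status: int, headers: Dict[str, str], over_https: bool) -> List[str]:
    """Return findings for one captured response; an empty list means it passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    if not over_https:
        # A plain-HTTP request must be redirected to HTTPS rather than served.
        location = h.get("location", "")
        if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
            findings.append("HTTP request not redirected to HTTPS")
        return findings
    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing {name}")
    age = hsts_max_age(h.get("strict-transport-security", ""))
    if "strict-transport-security" in h and (age is None or age < ONE_YEAR):
        findings.append("HSTS max-age below one year")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options is not 'nosniff'")
    if h.get("content-encoding", "identity").lower() != "identity":
        findings.append("HTTP compression enabled")  # response body was compressed
    return findings


# Constructed sample responses (not real scan output).
WEAK = {"Content-Type": "text/html", "Content-Encoding": "gzip",
        "Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "none"}
HARDENED = {"Content-Type": "text/html", "X-Frame-Options": "DENY",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Content-Type-Options": "nosniff", "Content-Security-Policy": "default-src 'self'",
            "X-Permitted-Cross-Domain-Policies": "none", "Referrer-Policy": "strict-origin-when-cross-origin"}
```

Run it with `audit_response(200, WEAK, over_https=True)` to list every failing check, and with `over_https=False` on the plain-HTTP response to verify the redirect.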
2) Web Domain Security
DNSSEC – DNS Security Extensions (DNSSEC) adds an authentication layer to your DNS to guarantee that your visitors are directed to your website, preventing DNS spoofing or redirection to malicious websites. A domain’s DNSSEC status has to be signed and validated to be secured.
3) Modern IP Address
IPv6 Existence – IPv6 is the latest version of the Internet Protocol, which will eventually replace IPv4. For other devices to discover your website over IPv6, a DNS record of type AAAA must point to your web server’s IPv6 address.
What is your current WordPress website security level now?
In conclusion, Cyber Health Lookup is an important tool for Singaporeans looking to stay safe online. With its easy-to-use interface and comprehensive scan, Cyber Health Lookup provides users with a clear picture of their device’s security status and personalized recommendations for improving it. By taking advantage of this free tool provided by the CSA, Singaporeans can take proactive measures to protect their digital assets and stay one step ahead of cyber threats.