About this document

This may be a strange thing to find publicly on a corporate website.  However, we believe strongly in security and want to make this document public for the following reasons:

  1. To encourage our customers, peers, competitors, and everyone to adopt a similar policy.  There is not an open source publicly available best practices security policy that we could find, that was reasonable for a small to medium sized company so we wrote this one.
  2. To allow our customers, piers and others to contribute to or make suggestions to this policy, improving it over time.
  3. To let our customers know what we are doing to protect their sites, and the work we do for them.
  4. To provide a guideline of policies which can be adopted by our customers to help protect their websites, work, and personal information

This isn't perfect, but is a work in progress, your suggestions are appreciated.

Security begins at the workstation

  1. Each computer shall have a good anti-virus software installed that has real time protection such as Avast Anti Virus.  For home users we can recommend avast http://www.avast.com/free-antivirus-download
  2. Each computer shall have software on it to manage changes to that machine.  Spybot Search and Destroy is one we can recommend for home users.  It will tell you when software is making registry changes or installing something on your computer.  This can be very useful and you can say no when something is being installed that you may not want.
  3. Sites shall only be accessed from work computers, and passwords shall not be saved on those computers and their browsers.  Saving passwords allows anyone who has physical access to that machine to access anything that there is a saved password for.  If a computer was lost or stolen then it would result in access to things that shouldn't be accessed.
  4. Passwords shall not be saved in files on personal computers.

iBCScorp's Simple Care Plan for Workstations

Weekly

  1. Have Anti-Virus scheduled to run a full scan during off-hours.
  2. Have Spyware/Malware detection/cleaning software perform a scan during off-hours, on a separate day from the virus scan

Every 6 months

  1. Make sure that each user on each machine has a password
  2. Make sure that each password is over 8 characters long, is not a dictionary word, and contains both upper, and lowercase characters, and at least one number, and one special character.
  3. Make sure that the anti-virus software, or tea-timer-type software is up-to-date.
  4. Make sure that the OS - Windows, Linux or Mac is up to date.
  5. Clean the machine and blow out any dust and verify that the machine is working properly.

Securing the Network

Securing the Servers

General Care Plan for server maintenance

Each server shall have an inventory of the relevant software and version number running on that server. This list is used when reviewing that server to make sure that all appropriate patches and fixes are applied.

Weekly

  1. Review Server log files
  2. Review Server software inventory and check for any relevant patches or exploits on that software which require further maintenance and schedule that maintenance as required.

Every 6 months or

  1. Change all passwords root passwords and user passwords

Every changing of the guard - if someone leaves the company

  1. Remove that users account
  2. Change the root passwords to the machine
  3. Change database passwords and any configuration files which rely on those passwords.

Securing Web Sites

The following recommendations and procedures are best used together, we recommend following all of them and implementing any others that you may see fit.

  1. All forms should submit through a system that filters input before submitting, and tools such as HTML Purfiy should be used.
  2. Sites should be checked for XSS exploits, CSRF exploits, and  SQL Injection Exploits, either manually or by using a number of both paid and free tools available.
  3. All login forms should use HTTPS, while not required it is recommended to keep passwords secure.
  4. All passwords should be stored in the database encrypted with a salt, using at the very least a SHA-1 encryption scheme. MD5 is no longer recommended as it has been compromised
  5. Admin sections should have a secure login and pages should not be visible unless logged in as admin.  It is best to have admin sections using https, while not required, it is recommended.
  6. Check to make sure no sensitive information is stored or passed in an in-secure manner, such as passing DOB, and passwords using GET, or storing login sessions using COOKIES.
  7. Verify that any sensitive information that needs to be stored in the database is done so in a secure manner, such as encrypting the data and obfuscating portions of the data.
  8. Disable file directory listings, error displays, change default path for error logs, move all database connection files out side of the public html folder and place all system files outside of public html (if possible, this is highly recommended when the site was programmed using a framework).
  9. The following recommendations are for use in the HTACCESS file,
    # supress php errors
    php_flag display_startup_errors off
    php_flag display_errors off
    php_flag html_errors off
    php_value docref_root 0
    php_value docref_ext 0
    # enable PHP error logging
    php_flag log_errors on
    php_value error_log /home/path/public_html/domain/PHP_errors.log
    # prevent access to PHP error log

    Order allow,deny
    Deny from all
    Satisfy All
  10. Enable MOD_SECURITY on the server, this is an Apache web application firewall that runs on the web server itself.