Page 89 - GiGW3

5. Guidelines

             user uses their private information to access a site, it should use HTTPS, not HTTP, to deliver it.
                   Note: HTTPS (Hypertext Transfer Protocol Secure) is a protocol used to provide security over
                   the Internet. HTTPS prevents interception and interruption of the content while it is in
                   transit. To create a secure online connection, a website also needs an SSL Certificate. If
                   the website asks visitors to register, sign up, or make a transaction of any kind, the
                   connection must be encrypted. SSL (Secure Sockets Layer) is another necessary website
                   protocol. It transfers visitors' personal information between the website and the database.
                   SSL encrypts the information to prevent others from reading it while in transit, and also
                   denies access to the data to those without proper authority. GlobalSign is an example of an
                   SSL certificate that works with most websites.


             (h)     Mandatorily use a valid SSL Certificate on all websites. The SSL Certificate should use at least
             2048-bit SHA 256 encryption or higher.
             (i)     Ensure that the SSL Certificate is valid, keep track of the certificate expiry date and take the
             necessary action to renew/replace the certificate before expiry.
             (j)     Configure the HTTP Service banner so that the Web Server and Operating System type & version
             are not disclosed.
             (k)     The configuration files of the Web Server must be protected by the Web Server process. They
             can be found in the root web directory. Web server configuration files allow administering server
             rules, including directives to improve website security. Different file types are used with each
             server; the following may be referred to for their usage:
                       (i)     Apache web servers use .htaccess;
                       (ii)    Nginx servers use nginx.conf; and
                       (iii)   Microsoft IIS servers use web.config.

             (l)     Open source/Freeware software should be used with due diligence.
             (m)   Remove or disable all superfluous drivers, services and software.
             (n)    Remove or replace obsolete software libraries.
             (o)    Remove or replace outdated security level protocols.

             (p)    Limit unauthorised, unauthenticated or administratively privileged user access to the system.
                   Note: Initially, one may feel comfortable giving several high-level employees access to a
                   website. Administrative privileges are given on the assumption that they will be used carefully.
                   Although this is the ideal situation, it is not always the case. Unfortunately, employees do not
                   think about website security when logging into the Servers or the CMS. Instead, their thoughts
                   are on the task at hand. If they make a mistake or overlook an issue, this can result in a
                   significant security issue. It is vital to assess employees before giving website access. Find
                   out if they have experience using the CMS and if they know what to look for to avoid a
                   security breach.
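
As an added example (not part of the GiGW3 text), a small Python audit script for items (i) and (j) above: it lists response headers that reveal a web server, OS or framework version, and computes how many days remain before a certificate's notAfter date so that renewal can be tracked. The HTTP response head and the certificate fields are constructed sample data, so the script runs offline.

```python
import re
import ssl
import time

# Response headers that commonly carry server, OS or framework version strings.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted version number such as 2.4.41


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head (status line plus headers) into a dict
    keyed by lower-cased header name; duplicate headers are joined with ', '."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        key = name.strip().lower()
        headers[key] = (headers[key] + ", " if key in headers else "") + value.strip()
    return headers


def banner_findings(headers: dict) -> list:
    """Names of headers that disclose a product version, i.e. item (j) is not met."""
    return [h for h in BANNER_HEADERS
            if h in headers and VERSION_RE.search(headers[h])]


def cert_expiry_seconds(cert: dict) -> int:
    """notAfter of a certificate (ssl.SSLSocket.getpeercert() layout) as epoch seconds."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert: dict, now_ts: float) -> int:
    """Whole days from now_ts (epoch seconds) to expiry; negative once expired."""
    return int((cert_expiry_seconds(cert) - now_ts) // 86400)


def expiry_status(cert: dict, now_ts: float, warn_days: int = 30) -> str:
    """Item (i): flag certificates that have expired or are due for renewal."""
    days = days_until_expiry(cert, now_ts)
    if days < 0:
        return "EXPIRED"
    return "RENEW" if days <= warn_days else "OK"


# Constructed sample input so the script runs offline; not taken from any real site.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                   "X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n")
SAMPLE_CERT = {"notAfter": "Jun  1 12:00:00 2025 GMT"}  # getpeercert() date format

if __name__ == "__main__":
    print("Disclosing headers:", banner_findings(parse_headers(SAMPLE_RESPONSE)))
    print("Certificate status:", expiry_status(SAMPLE_CERT, time.time()))
```

Against a live site the same functions would be fed the head of an HTTP response and the dict returned by `getpeercert()` on a TLS connection.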