Page 90 - GiGW3

5. Guidelines

       Educate every CMS user about the importance of passwords and software updates, and tell them all the ways they can help maintain the website's safety. To keep track of who has access to the CMS and their administrative settings, make a record and update it often. Employees come and go; one of the best ways to prevent security issues is to have a physical record of who does what with the website. Be sensible when it comes to user access.


(q)  Implement encryption for the transmission of all sensitive information. This should include TLS for protecting the connection. Disable weak protocol versions and ciphers (SSLv2, SSLv3, 3DES, RC4, TLS v1.0 and TLS v1.1).

(r)  Periodically review logs for suspicious activity such as authentication events, user access activity and changes, and privilege elevation and usage.

(s)  Implement network segmentation and segregation to limit the impact of a network intrusion.

(t)  There should be no active concurrent sessions of the web server.

(u)  Ensure servers, frameworks and system components are running the latest approved version and have all patches issued for the version in use.

(v)  Isolate development environments from the production network and provide access only to authorised development and test groups.

(w)  Implement a software change control system to manage and record changes to the code, both in development and in production.
(x)  Establish the practice of hardening web servers and conduct periodic secure configuration reviews of them.

(y)  The most common attacks against websites are entirely automated. Many attack bots rely on users leaving their CMS settings at the defaults. After choosing a CMS, change the default settings immediately; doing so prevents a large number of attacks. CMS settings that can be adjusted include control of comments, user visibility and permissions, e.g. changing the default 'file permissions'. Permissions can be changed to specify who can do what to a file. Each file has three permissions, each represented by a number:
       (i)   'Read' (4): View the file contents.
       (ii)  'Write' (2): Change the file contents.
       (iii) 'Execute' (1): Run the program file or script.
       (iv)  To allow multiple permissions, add the numbers together, e.g. to allow read (4) and write (2), set the user permission to 6. Along with the default file permission settings, there are three user types:
              (I)  Owner – Often the creator of the file, but ownership can be changed. Only one user can be the owner at a time.
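The following POSIX shell script is an added example, not part of the GIGW guideline text: it builds octal modes from the read (4), write (2) and execute (1) values described above, audits a CMS directory for files that grant write access beyond the owner, and applies a 644/755 baseline. It assumes only POSIX sh, find(1) and chmod(1); the 644/755 baseline is a common CMS convention, not a value taken from this page.

```shell
#!/bin/sh
# Added example (not from the GIGW guideline text). Assumes POSIX sh, find(1), chmod(1).

# perm_digit SET -> one digit: SET contains any of r, w, x ("-" for none).
# Read (4), write (2) and execute (1) are added together, as the guideline describes.
perm_digit() {
    d=0
    case "$1" in *r*) d=$((d + 4)) ;; esac
    case "$1" in *w*) d=$((d + 2)) ;; esac
    case "$1" in *x*) d=$((d + 1)) ;; esac
    echo "$d"
}

# mode_from_sets OWNER GROUP OTHER -> three-digit mode, e.g. "rw r r" -> 644.
mode_from_sets() {
    printf '%s%s%s\n' "$(perm_digit "$1")" "$(perm_digit "$2")" "$(perm_digit "$3")"
}

# writable_beyond_owner DIR: print regular files that group or other can write to,
# the kind of over-permissive default an automated attack relies on.
writable_beyond_owner() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# lock_down DIR: directories 755, files 644 (assumed baseline): only the owner can
# modify content while the web server user can still read it.
lock_down() {
    find "$1" -type d -exec chmod "$(mode_from_sets rwx rx rx)" {} +
    find "$1" -type f -exec chmod "$(mode_from_sets rw r r)" {} +
}

# demo: constructed temporary tree with one world-writable config file.
# Prints "<offending files before> <offending files after>".
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/uploads"
    : > "$tmp/config.php"; : > "$tmp/uploads/a.txt"
    chmod 666 "$tmp/config.php"          # the weak default to be caught
    chmod 644 "$tmp/uploads/a.txt"
    before=$(writable_beyond_owner "$tmp" | wc -l | tr -d ' ')
    lock_down "$tmp"
    after=$(writable_beyond_owner "$tmp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$before $after"                # -> "1 0"
}
```

Run `demo` to see the audit catch the 666 file and report nothing after the baseline is applied; `writable_beyond_owner /path/to/cms` alone is the periodic check.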