What security is in place on my website and should I be using SSL/TLS/https?

This is a great question and one that is important to understand. All ComWeb sites offer a high level of security already built in, with some customization options based on user requirements. We pride ourselves on going above and beyond our competitors and provide security options that meet every situation's needs.

Login and User Security
Users are required to log in using a user name and password. Passwords have to be a minimum of 6 characters with at least one uppercase and one numeric character. Higher strength requirements can be set in your User Configuration Settings. Account lockouts will occur after multiple failed attempts, thereby thwarting brute-force login attacks. Passwords can be stored where they are recoverable for the user, or they can be encrypted, forcing a password reset when forgotten.

Https and SSL/TLS Certificates
ComWeb offers the ability for customers to have SSL/TLS certificates installed when needed. This is typically requested and required when any financial transactions using credit card or bank account details are to be processed on the site. The entire site will automatically switch to using the https protocol.

Email Security
For email hosted on ComWeb email servers, we offer both standard and secure communication. Our recommendation is to always access your inbox using the secure protocol via our https://mail1.comwebcorp.net/ site. Email clients can be configured to use SSL/TLS for IMAP and POP. Webmail can also be accessed securely on this domain.

Server Security
All our servers have strict security policies in place ensuring access is only gained by authorized personnel. All servers are behind both hardware- and software-based firewalls and are protected by Intrusion Detection Services (IDS) hardware. Three failed login attempts to any of our servers result in an immediate IP address ban that blocks that computer from accessing the server.

Data Encryption
Passwords are stored in our database in encrypted form (the "encrypted" option), which requires a specific unique key to decrypt. We also offer enhanced encryption (the "hashed" option), where each password is encrypted using a different key; however, this removes the ability for password recovery and forces users to reset their password if forgotten. This is the stronger and preferred option. Any financial data like credit card numbers or bank account details are also fully encrypted when and if they are stored on the site. At no time is bank or credit card information returned to the user once entered. Even if the user's account were compromised, all sensitive data is kept hidden.
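The password policy in "Login and User Security" and the hashed storage option above, as an added illustration that is not ComWeb's own code: the policy check mirrors the stated minimum (6 characters, one uppercase, one digit), the per-password random salt plays the role of the "different key" for each entry, and a small lockout counter shows why a hashed record can be verified but never recovered. PBKDF2-SHA256, the round count, and the lockout threshold are assumptions, since the article does not name the algorithm or the number of attempts.

```python
import hashlib
import hmac
import os
import re

# Policy as stated in the article: minimum 6 characters, at least one
# uppercase letter and at least one digit. How ComWeb checks this is not
# described; the regexes below are an assumption.
MIN_LENGTH = 6

def meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """Return True if the password satisfies the stated minimum policy."""
    return (len(password) >= min_length
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

# "Hashed" storage: a fresh random salt per password means two users with
# the same password get different records. PBKDF2 is an assumed choice.
PBKDF2_ROUNDS = 600_000

def store_password(password: str, rounds: int = PBKDF2_ROUNDS) -> dict:
    """Derive a salted hash; nothing stored lets the password be recovered."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": rounds}

def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(candidate.hex(), record["hash"])

class LockoutTracker:
    """Count failed logins per account and lock after `threshold` failures.
    The article says 'multiple' attempts without a number, so it is a parameter."""
    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.failures: dict = {}

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.threshold

    def attempt(self, user: str, password: str, record: dict) -> bool:
        if self.is_locked(user):
            return False          # locked accounts are refused even with the right password
        if verify_password(password, record):
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False
```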

Third Party integration
All data sent and received between our servers and the systems we integrate with is, wherever possible, sent over secure SSL/TLS-encrypted connections. Any time financial data is sent, we insist on using a secure connection; otherwise we do not send it.

Most Common Forms of User Account Compromises
It is a common misconception that just having an SSL/TLS certificate on your site will secure it from hacking and protect your users' data. Over 99.99% of compromised systems use other methods of gaining access. Often the user's computer is compromised via a Trojan malware program installed through a phishing email attachment or through a vulnerable browser visiting a compromised site. In that case, a keylogger is recording keystrokes and an SSL/TLS certificate will have no effect. Basic or simple passwords that are easy to guess are the next most common way someone gains unauthorized access. Next are actual server compromises, where access to the database files is gained, allowing the retrieval of sensitive data. And finally, "sniffing" someone's WiFi data at an open hotspot could reveal some information about the sites they are visiting and the data they are accessing.

How Much Security Should We Have?
It is suggested that you set your security parameters as high as your users will tolerate to ensure that the risk of compromise is reduced. You can set password strength requirements, password expiry lengths, and many other options within your User Configuration settings on your site. We are often asked whether an SSL/TLS certificate should be purchased as well. This should be evaluated on an individual basis, but is not typically required unless you are capturing and processing financial transactions. In that case, it should be mandatory. In evaluating the risk versus cost, you should look at the data being kept on the site. For the most part, there is nothing a hacker really wants here. Without access to credit card or banking information, there is little more than what they could get out of the white pages telephone directory. While every breach should be taken seriously and addressed as such, there is currently little incentive for a hacker to compromise a user's account. This could change in the future, and you should always reevaluate the situation based on those changes.

ComWeb's Commitment
ComWeb strives to maintain the highest security levels for all its products and continues to monitor and evaluate new vulnerabilities that present themselves. We also ensure we communicate to our client base best practices to follow when deploying their sites.
