This is a great question and one that is important to understand. All ComWeb sites offer a high level of security already built in, with customization options based on user requirements. We pride ourselves on going above and beyond our competitors and provide security options that meet every situation's needs.
Login and User Security
Users are required to log in using a username and password. Passwords have to be a minimum of 6 characters with at least one uppercase and one numeric character. Higher strength requirements can be set in your User Configuration Settings. Account lockouts occur after multiple failed attempts, thereby thwarting brute-force login attacks. Passwords can be stored in a form that is recoverable for the user, or in a non-recoverable (hashed) form that forces a password reset when forgotten.
HTTPS and SSL/TLS Certificates
ComWeb offers the ability for customers to have SSL/TLS certificates installed when needed. This is typically requested, and required, when financial transactions using credit card or bank account details are to be processed on the site. Once installed, the entire site automatically switches to the HTTPS protocol.
For email hosted on ComWeb email servers, we offer both standard and secure communication. Our recommendation is to always access your inbox over the secure protocol at our https://mail1.comwebcorp.net/ site. Email clients can be configured to use SSL/TLS for IMAP and POP. Webmail can also be accessed securely on this domain.
All our servers have strict security policies in place ensuring access is only gained by authorized personnel. All servers are behind both hardware and software based firewalls and are protected by Intrusion Detection Services (IDS) hardware. Three failed login attempts to any of our servers trigger an immediate IP address ban that blocks that computer from accessing the server.
Passwords are stored in our database in an encrypted form that requires a specific, unique key to decrypt. We also offer enhanced protection (hashed storage) where each password is hashed using a different key; this removes the ability for password recovery and forces users to reset their password if forgotten. This is the stronger and preferred option. Any financial data such as credit card numbers or bank account details is also fully encrypted when and if it is stored on the site. At no time is bank or credit card information returned to the user once entered. Even if the user's account were compromised, all sensitive data is kept hidden.
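As an added illustration (not ComWeb's own code), the following Python shows the hashed storage option described above together with the minimum password policy from the Login and User Security section: a random per-user salt plays the role of the "different key" for each password, verification recomputes the hash instead of decrypting anything, and the only path for a forgotten password is a reset. The record format, iteration count and function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import re
import secrets
from typing import Optional

# PBKDF2-HMAC-SHA256 iteration count (assumed value): a deliberately slow hash
# makes offline guessing against a leaked database far more expensive.
ITERATIONS = 200_000


def meets_policy(password: str, min_length: int = 6) -> bool:
    """Minimum policy from the page: length, one uppercase, one numeric character."""
    return (len(password) >= min_length
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a stored record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt per password means two users who choose the same
    password get different records, and nothing reversible is stored.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reset_password(users: dict, username: str) -> str:
    """The only 'recovery' path with hashed storage: issue a temporary password."""
    # Constructed so the temporary value satisfies meets_policy (uppercase + digit).
    temp = "R" + secrets.token_urlsafe(9) + "1"
    users[username] = hash_password(temp)  # old record is replaced, not decrypted
    return temp
```

Because the stored record cannot be turned back into the password, a "forgot password" flow can only call reset_password and hand the user the temporary value.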
Third Party Integration
All data sent and received between our servers and the systems we integrate with is, wherever possible, sent over secure SSL/TLS encrypted connections. Any time financial data is sent we insist on a secure connection; if one is not available, we do not send.
Most Common Forms of User Account Compromises
It is a common misconception that just having an SSL/TLS certificate on your site will secure it from hacking and protect your users' data. In over 99.99% of compromised systems, access was gained by other methods. Often the user's computer is compromised by Trojan malware installed via a phishing email attachment or by a vulnerable browser visiting a compromised site. In that case a key logger is recording keystrokes, and an SSL/TLS certificate has no effect. Basic or simple passwords that are easy to guess are the next most common source of unauthorized access. Next are actual server compromises, where access to the database files allows the retrieval of sensitive data. And finally, "sniffing" someone's WiFi data at an open hotspot could reveal some information about the sites they are visiting and the data they are accessing.
How Much Security Should We Have?
We suggest setting your security parameters as high as your users will tolerate, to reduce the risk of compromise. You can set password strength requirements, password expiry lengths, and many other options within your User Configuration settings on your site. We are often asked whether an SSL/TLS certificate should be purchased as well. This should be evaluated on an individual basis, but is not typically required unless you are capturing and processing financial transactions. In that case, it should be mandatory. In evaluating the risk versus cost, you should look at the data being kept on the site. For the most part, there is nothing a hacker really wants here. Without access to credit card or banking information there is little more than what they could get out of the white pages telephone directory. While every breach should be taken seriously and addressed as such, there is currently little incentive for a hacker to compromise a user's account. This could change in the future, and you should always re-evaluate the situation based on those changes.
ComWeb strives to maintain the highest security levels for all its products and continues to monitor and evaluate new vulnerabilities as they present themselves. We also ensure we communicate to our client base the best practices to follow when deploying their sites.