ucsb / webguide

Repository for the UCSB WSG Webguide hosted on Github using Jekyll.
https://webguide.ucsb.edu
BSD 3-Clause "New" or "Revised" License

Security Page #405

Closed rvizena closed 3 years ago

rvizena commented 3 years ago

For the new site we will have a dedicated section for Security. I have started the page skeleton with the following sections:

I think this is a good starting point, and would love some feedback and input, @garster. If we need to make additional pages, so be it. Just looking for a comprehensive overview of general website security. If we want to touch on WordPress or Drupal specifically, that would be fine too.

https://dev-webguide-ucsb-edu-v01.pantheonsite.io/website-security

garster commented 3 years ago

@rvizena assign this to me. I will work on some content this weekend and run it by you all.

Here are some ideas:

The primary goal is to keep control of your site and content. Don't let your site be taken over by bad actors who might inject bad information or malicious software onto your site.

rvizena commented 3 years ago

@garster I started a little work on this page. I was thinking of keeping it one page broken up into (at least) 3 sections:

I'm thinking we can split some of your bullets above. The stuff that doesn't have to do with passwords or hosting can be in the Best Practices and then we can grow the other two sections with resource links and helpful tips.

https://dev-webguide-ucsb-edu-v01.pantheonsite.io/website-security/

garster commented 3 years ago

This is my first stab at it. I will update the DEV site soon:

Everyone plays an important role in protecting the confidentiality, integrity, and availability of our institutional information and IT resources.

Website Security

All UCSB websites and web apps must meet minimum security standards, as outlined by UCSB IT [https://www.it.ucsb.edu/security] and the University of California electronic information security policy [https://policy.ucop.edu/doc/7000543/BFB-IS-3].

All websites are under constant automated attack. Poor security practices lead to compromised sites that leak private information or spread malware to infect other systems and end users.

Good planning is crucial to ensure that you have a solid strategy for website security as an integral part of a wider cybersecurity stance. This includes developing formal strategy procedures, fostering a security-first culture throughout the organization, and documenting your web assets so you know what you’re working with.

Best Practices

Keep software up to date, be aware of security bulletins and critical vulnerabilities. The Cybersecurity & Infrastructure Security Agency [https://us-cert.cisa.gov/] has comprehensive alerts and bulletins.

Be careful of what you put on your site. All HTML comments and JavaScript code can be seen by site users.

Review user accounts for your site on a regular basis. Remove user accounts no longer performing admin tasks or content creation.

Be cautious of allowing non-authenticated guests to submit data through forms, especially files.

Hosting

Always use HTTPS (SSL/TLS certificates) on your sites. This prevents "not secure" web browser warnings, helps guarantee information integrity, and protects passwords and submitted data.

Use automatic renewing certificates or set up calendar reminders to manually renew certificates.

Do not share credentials amongst anyone administering your website, web app, hosting provider, etc.

Passwords

Always use encryption (HTTPS, SFTP, SSH, etc.) to log into a system, never send passwords in the clear.

Use complex and long passwords. The best passwords are auto-generated by and stored in a password manager.

Create unique logins and passwords for each person that works on your site.

Use multi-factor authentication when possible like email/SMS/authenticator one-time codes or push notifications.
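
The draft above warns about letting unauthenticated visitors submit files through forms. As an added example (not part of the draft copy or of the webguide itself), here is the kind of server-side check a site should run on a guest upload before it is stored: the client-supplied filename is only consulted for its final suffix, the suffix must be on an allowlist, the file's leading bytes must match that suffix, a size cap applies, and the file is written under a random server-chosen name so path components in the submitted name never reach the disk. The allowed types, the 5 MiB cap and the sample payloads are assumptions made for the example.

```python
"""Added example: validate an anonymous form upload before storing it.

Assumptions (not from the page): anonymous submitters only ever need PDF, PNG
or JPEG files, at most 5 MiB each, stored under a random server-chosen name.
"""
import os
import secrets
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Allowed extension -> leading bytes ("magic numbers") the content must start with.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumption: 5 MiB cap for guest uploads


def declared_extension(filename: str) -> str:
    """Lower-cased final suffix of the final path component only.

    'docs/../page.php.PDF' -> 'pdf'. Directory parts and earlier suffixes are
    ignored because they are never used to build the stored filename anyway.
    """
    name = PurePosixPath(filename.replace("\\", "/")).name
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return "jpg" if ext == "jpeg" else ext


def sniff_type(data: bytes) -> Optional[str]:
    """Extension implied by the content's leading bytes, or None if unrecognised."""
    for ext, magics in ALLOWED_TYPES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (True, extension) if the upload is acceptable, else (False, reason).

    The client-supplied name and the actual bytes must agree: a '.pdf' that does
    not start like a PDF is rejected, as is a genuine PDF named '.php'.
    """
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "file exceeds %d bytes" % MAX_BYTES
    ext = declared_extension(filename)
    if ext not in ALLOWED_TYPES:
        return False, "extension '.%s' not allowed" % ext
    sniffed = sniff_type(data)
    if sniffed != ext:
        return False, "content looks like '%s', not '.%s'" % (sniffed or "unknown", ext)
    return True, ext


def storage_name(ext: str) -> str:
    """Random, server-chosen filename; the client's name never reaches the disk."""
    return "%s.%s" % (secrets.token_hex(16), ext)


def save_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write under a random name. Raises ValueError on rejection."""
    ok, detail = validate_upload(filename, data)
    if not ok:
        raise ValueError(detail)
    dest = os.path.join(upload_dir, storage_name(detail))
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


# Constructed sample payloads (not real files): just enough bytes to exercise the checks.
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample\n"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 16
SAMPLE_SCRIPT = b"<?php echo 'not a pdf'; ?>\n"

if __name__ == "__main__":
    for name, data in [("report.pdf", SAMPLE_PDF), ("../../page.php", SAMPLE_PDF),
                       ("invoice.pdf", SAMPLE_SCRIPT), ("photo.png", SAMPLE_PNG)]:
        print(name, "->", validate_upload(name, data))
```

Checking the leading bytes is a minimum, not a guarantee that the file is harmless; it stops the most common trick of renaming a script to an allowed extension, and the random storage name removes the submitted filename from the picture entirely. Serving the upload directory with script execution disabled is still needed on the hosting side.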

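The Hosting bullets above ask for HTTPS everywhere and for certificates that either auto-renew or are tracked with reminders. As an added example (not from the draft copy or the webguide), this stdlib-only script does the tracking mechanically: it completes a verified TLS handshake with each host, reads the leaf certificate's notAfter field, and reports OK, RENEW_SOON or EXPIRED. Port 443, the 30-day warning threshold and the hostname in the usage line are assumptions made for the example.

```python
"""Added example: report TLS certificate expiry for a list of hostnames.

Stdlib only. Assumptions (not from the page): port 443, and 30 days as the
"renew soon" threshold.
"""
import socket
import ssl
import time
from typing import Dict, Optional, Tuple

WARN_DAYS = 30  # assumption: flag anything with fewer than 30 days left
DAY = 86400


def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> int:
    """Whole days between now and a certificate's notAfter field.

    not_after is the string ssl.getpeercert() returns, e.g. 'Jun  1 12:00:00 2025 GMT'
    (always UTC). Negative once expired; floor division makes a partial day count
    as already gone, so 0 means "expires within the next 24 hours".
    """
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now_epoch is None else now_epoch
    return int((expires - now) // DAY)


def classify(days_left: int, warn_days: int = WARN_DAYS) -> str:
    """Turn a day count into a status word for the report."""
    if days_left < 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "RENEW_SOON"
    return "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Complete a verified TLS handshake and return the leaf cert's notAfter.

    create_default_context() validates the chain against the system trust store
    and checks the hostname, so an untrusted, mismatched or already-expired
    certificate raises ssl.SSLCertVerificationError instead of being reported as OK.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_hosts(hosts, now_epoch: Optional[float] = None) -> Dict[str, Tuple[str, str]]:
    """Map host -> (status, detail). Network or verification errors become an
    ERROR row instead of aborting the run for the remaining hosts."""
    results = {}
    for host in hosts:
        try:
            days = days_until_expiry(fetch_not_after(host), now_epoch)
            results[host] = (classify(days), "%d days left" % days)
        except (ssl.SSLError, OSError) as exc:
            results[host] = ("ERROR", str(exc))
    return results


if __name__ == "__main__":
    # Hostname is an assumption for the example; pass your own list.
    for host, (status, detail) in check_hosts(["webguide.ucsb.edu"]).items():
        print("%s: %s (%s)" % (host, status, detail))
```

Run it from cron or a CI job and alert on anything other than OK. Note that a certificate that has already lapsed shows up as ERROR rather than EXPIRED, because the verified handshake fails before notAfter is read; that is the desired behaviour, since the browser warning the bullet mentions has already started.
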
garster commented 3 years ago

Ok I tried to edit the dev site but could not figure it out. Drupal wins again!

rvizena commented 3 years ago

Page has been updated with Gary's copy. https://dev-webguide-ucsb-edu-v01.pantheonsite.io/website-security

loganfranken commented 3 years ago

Tagging #384