A few reminders on computer security
The 4 main objectives:
- integrity: the data present is indeed the data we intended to provide,
- availability: the website (and the IS behind it) keeps working properly,
- confidentiality: some data is accessible only to authorized persons,
- authentication: access to resources is granted only to authorized persons.
What are the origins of the risks?
- operational origin (system: software bug, design, configuration or parameterization error, etc.)
- physical origin (accident, breakage, breakdowns, power cut, etc.)
- human origin (internal: error, incorrect use of the application, opening dangerous emails; external: embezzlement, hacking, malware, fraudulent SMTP use, etc.)
Security must therefore be understood in a global context:
- raising users' awareness of security issues,
- logical security, that is, security at the level of data, applications and operating systems,
- telecommunications security: network technologies, company servers, access networks,
- physical security, i.e. security at the level of physical infrastructure (secure rooms, areas open to the public, staff workstations).
This supposes a security policy with:
- A physical and logical security system (tools and user management)
- An update management procedure
- A planned backup strategy
- A disaster recovery plan
What are the answers for a CMS?
Point 1: security of tools and CMS (Joomla, WordPress, PrestaShop, …)
- update of the web server: application of security patches
- password policy
- management of .htaccess files and robots.txt (exclusions)
- management of rights on the site's files and directories
- update of the CMS and the extensions used
Point 2: security of the hosting / server
- remote data centers placed under high protection
- network-side security (speed and downtime)
- server-side security (infrastructure, power supply, cards, etc.)
- fire and electrical safety
- PHP > 5.3
- Anti-DDoS protection
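Two of the items above, the management of rights on the site's files and directories (Point 1) and the PHP > 5.3 requirement (Point 2), lend themselves to a quick automated check. The following POSIX shell script is an added example, not code from the original page; it assumes the caller supplies the CMS document root, an optional expected owner account and the uploads sub-directory (the default is WordPress's wp-content/uploads).

```shell
#!/bin/sh
# Added audit helper for the file-rights and "PHP > 5.3" items above; it is
# not part of the original page. Assumptions: POSIX sh with find, sed and awk;
# the caller supplies the CMS document root, the expected owning account
# (optional) and the uploads sub-directory (defaults to WordPress's
# wp-content/uploads).

# Return 0 when dotted version $1 is strictly greater than $2, comparing each
# component numerically (so 5.10 > 5.3, which a plain string compare gets wrong).
version_gt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 1 }'
}

# Print one line per finding for a CMS document root (nothing when clean):
#   world-writable entries      -> any local account could alter site content
#   entries not owned by $2     -> rights were not set consistently (skipped if $2 is empty)
#   *.php under the uploads dir -> uploads should hold data, never executable code
audit_docroot() {
    docroot=$1; owner=$2; uploads=${3:-wp-content/uploads}
    findings=$(
        find "$docroot" -perm -002 | sed 's/^/world-writable: /'
        if [ -n "$owner" ]; then
            find "$docroot" ! -user "$owner" | sed 's/^/unexpected owner: /'
        fi
        if [ -d "$docroot/$uploads" ]; then
            find "$docroot/$uploads" -type f -name '*.php' | sed 's/^/php file in uploads: /'
        fi
    )
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; fi
    return 0
}

# Stand-alone use: sh audit.sh /var/www/html www-data [uploads-subdir]
if [ $# -ge 1 ]; then
    audit_docroot "$1" "$2" "$3"
    if command -v php >/dev/null 2>&1; then
        version_gt "$(php -r 'echo PHP_VERSION;')" 5.3 || echo "PHP version is not > 5.3"
    fi
fi
```

Run it from cron after every CMS or extension update, since updates are exactly when permission bits tend to drift.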
Point 3: internal policies of the company or partner
What can we conclude for a good security policy?
Applying security measures on CMS tools as well as on the server seems obvious.
On the other hand, given internet fashions, how quickly information on the internet becomes obsolete, and the multiplicity of other risks, mainly human (external ones constantly increasing and evolving, internal ones accounting for more than 50% of the causes …), all this suggests that in today's “disposable” world (we change our site on average every 3 years), combined with regular backups of the site and its data, the best security seems to be quite simply to change or redesign the site and/or its hosting!