Understanding Web Security
At Schools ICT we understand the importance of security. Schools ICT uses industry-standard server and web software to provide our services and to protect your data. Web application security is a branch of information security that deals specifically with the security of websites, web applications and web services.
If your website is hacked, it means someone gained access to your website account (typically via File Transfer Protocol, a.k.a. FTP, or the CMS login). Having gained access, hackers can do the following:
- Put malicious code in it; what the code does depends on the hacker's objectives.
- Install malware and viruses on visitors' computers
- Redirect visitors to other sites
- Use your website to attack other websites, bringing them offline
- Replace your site content with other content, the subject of which varies depending on the hacker's objectives.
Intrusion and Brute Force
Intrusion is a security breach on the server. This is normally done from outside of the server via network or software vulnerabilities. A brute force attack is one such approach. Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords, through exhaustive effort (using brute force) rather than employing intellectual strategies.
DDoS - Distributed Denial of Service Attacks
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a server. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted server with traffic.
Cross-site Scripting (XSS)
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications such as WordPress and Joomla. XSS enables attackers to inject client-side scripts into web pages viewed by other users. The end user's browser has no way of knowing that the script should not be trusted, and will run the script. Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. The effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
What do we operate?
Schools ICT's Cirrus servers are currently physically hosted within the UK and the EEA (European Economic Area), specifically in London. We use 1&1 data centres and, thanks to multiple redundant connections between data centres, 1&1 can guarantee nearly 100% uptime. This also allows the fastest possible connection, with more than 300 GBit/s. The 1&1 data centres are ranked as some of the safest and most efficient data centres in Europe. We have the flexibility to request that sites be physically hosted in various locations across the globe (multiple European locations including the UK).
At Schools ICT we understand the importance of security. Schools ICT use industry standard server software and web software. We apply our security at four levels.
1. Physical Level
- 24-hour surveillance by highly qualified specialists
- Uninterruptible power supply provided by emergency diesel generators and lead-gel batteries
- Steel-reinforced walls and fully air-conditioned rooms which provide safety from gas, water, and fire
- Multiple redundant 65 GBit/s connectivity. To prevent data transfer delays, the 1&1 data centres are configured with multiple redundant connections to the most important Internet hubs. With this connectivity, you'll experience faster loading times and higher multi-user capacity for your website. Additionally, problems at a single provider can be counterbalanced by redundant partnerships to ensure that your website stays online.
2. Server Level - Linux Operating System (OS) Level
Firewall and Intrusion Detection
- Plesk 12.5 Firewall - We offer a robust firewall solution blocking all access apart from web and mail traffic.
- Fail2Ban - Advanced real time intrusion detection and automatic blocking software. This allows us to actively monitor our firewall and block all brute force and malicious activity.
Watchdog and RKHunter
- Inspecting machines for malicious changes and scripts, and detecting malware
Datagrid VCTR 1.8
- Operating System Reliability and Vulnerability Evaluation. If there are any critical exploits released in the interim period between scheduled upgrades, a ticket is raised in our system and our team reacts immediately to formulate a mitigation plan, communicate with affected customers and implement any necessary emergency patching.
Real Time Scalable Hardware
- Allows us to freely adjust the amount of CPUs, RAM and SSD storage at any time.
Plesk Health Monitor
- Real time monitoring and notification
- Threshold management
- Covers all services including CPU, MySQL, RAM, network and disk
- We use the 1&1 data centre external server monitor (HTTP, FTP, ping, etc.), providing external monitoring of our Cirrus Cloud servers
- We perform daily server software checks and weekly upgrades. All patches, bug fixes and security updates are tested on a Friday in our test bed environment (this does not affect our live environment). The server is then run for 2 days and tested for further bugs. The updates are then rolled out Monday morning. Critical exploits are patched immediately.
- We are subscribed to security mailing lists for all the critical elements of our software stack.
3. Hosting Level - Plesk Hosting Environment Level
ServerShield by CloudFlare (On request)
CloudFlare is a global CDN (Content Delivery Network), DNS, DDoS protection and web security system. By routing traffic through CloudFlare we can block threats and limit abusive bots and crawlers from overwhelming and wasting bandwidth and server resources.
- Provides real time notification of urgent issues and a course of action to neutralise the threat.
- Globally load balanced content delivery network (CDN)
- Always Online
- Traffic Analytics
- Participatory member of the CloudFlare community.
Robust Security Policy (Plesk Enhanced Security Mode)
- We only use strong passwords. All passwords stored in the Plesk database are encrypted using the Plesk secret key. This way, even if a third party obtains a dump of the Plesk database, your customers are not compromised.
- We only allow Secure FTP connections to our servers
- Plesk Security Advisor identifies weaknesses in our security policy
- Sensitive data (for example, user passwords) cannot be retrieved using the Plesk API.
- We perform daily backups containing all customer and full server data.
  - Tier 1 - Backed up to local server storage (London datacentre server) - Fast response and recovery in the case of a severe attack or user error.
  - Tier 2 - Backed up to a geographically separate location (Northallerton County Hall - datacentre) - Standard response and recovery in the case of a severe attack.
  - Tier 3 - Backed up to a second geographically separate location (Northallerton County Hall - South Block - SICT) - Standard response and recovery in the case of a severe attack.
4. Web Application Level (CMS / Customer Web Environment)
- Automated Plugin Update management
- Automated Security Update management
- Automated Core Update management
- Fail2ban scans log files and bans IPs that show malicious signs: too many password failures, probing for exploits, etc.
- Web Application Firewall: a toolkit for real-time web application monitoring, logging, and access control.
- Allows identification of potential threats in third-party websites hosted on our server
- Real-time website malware and vulnerability monitoring
- We are subscribed to security mailing lists for all the critical elements of our CMS
- Automated notification via CMS software
- Participatory member of the Open Source community.
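Detection logic of the kind Fail2Ban applies in the server-level and web-application-level sections above, as an added example that is neither Schools ICT's nor the Fail2Ban project's code. It assumes constructed sshd-style log lines, parameters named after Fail2Ban's maxretry, findtime, bantime and ignoreip settings, and a hypothetical trusted management address (192.0.2.1) that is exempted so administrators are never locked out of their own server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (addresses are from the RFC 5737 test ranges).
SAMPLE_LOG = """\
Mar 10 08:00:01 cirrus sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 08:00:07 cirrus sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar 10 08:00:12 cirrus sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 08:00:20 cirrus sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Mar 10 08:00:25 cirrus sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 10 08:01:00 cirrus sshd[1206]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 08:30:00 cirrus sshd[1207]: Failed password for alice from 198.51.100.9 port 40002 ssh2
Mar 10 09:00:00 cirrus sshd[1208]: Failed password for root from 192.0.2.1 port 3000 ssh2
Mar 10 09:00:02 cirrus sshd[1209]: Failed password for root from 192.0.2.1 port 3001 ssh2
Mar 10 09:00:04 cirrus sshd[1210]: Failed password for root from 192.0.2.1 port 3002 ssh2
Mar 10 09:00:06 cirrus sshd[1211]: Failed password for root from 192.0.2.1 port 3003 ssh2
Mar 10 09:00:08 cirrus sshd[1212]: Failed password for root from 192.0.2.1 port 3004 ssh2
"""

# Matches the syslog timestamp and the source address of a failed sshd login.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from "
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def find_bans(log_text, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
    """Return {ip: (ban_start, ban_end)} for addresses with at least `maxretry`
    failures inside any `findtime`-second window, skipping trusted `ignoreip`."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        ip = m.group(2)
        if ip in ignoreip or ip in bans:
            continue  # trusted management address (hypothetical), or already banned
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
    return bans
```

The two spaced-out failures from 198.51.100.9 never reach the threshold inside a 10-minute window, which is the difference between a user mistyping a password and a brute-force run.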
Daily and Weekly Checks
- We perform weekly CMS checks and upgrades. All plugins and extensions are monitored. Patches, bug fixes and security updates are tested immediately in our test bed environment (this does not affect our live environment). The website core functionality is then tested to confirm it still works as expected. The updates are then rolled out to the live websites.