You’ve all probably heard of the Heartbleed bug (see BBC News) and you’ve all probably been inundated with emails from website providers over the past week giving you a rundown, telling you what they’ve done to fix it and pointing out how secure your data is! Well, it’s our turn now! We won’t go into too much detail about the Heartbleed bug (you can find out more information here), only to say that it is a vulnerability in software called OpenSSL, which encrypts data using the SSL certificates that most websites use.
We would like to inform you we have patched all our servers where necessary so Amity web servers are not affected by the Heartbleed bug. We patched them as soon as the hype about Heartbleed started to pick up last week. Not all of our servers were affected, but those that were have all been upgraded to the latest OpenSSL software that fixes the issue.
Whilst emailing about security we thought it a good opportunity to highlight what we do at Amity to ensure the security of our websites and servers:
1. Ensure server operating system and software are all updated to the latest versions often
2. Prevent unauthorised access to any control panel login screens, FTP or SSH uploads: only approved IP addresses are allowed – this is one of our favourites, highly effective and a result of a lot of research by us
3. Use firewalled servers with many preventative measures in place, such as banning users after several failed login attempts
4. Create passwords which are a long string of random characters and numbers
5. Three backups for securing data – we backup to the server hosting providers, Amazon S3 and to another server, just to be sure!
6. We do not install any unnecessary server software, but only what we need to run websites and operate the server
7. We make the most of virus-scanning servers, which search for malicious code on websites and quarantine any suspect files
8. We keep each customer’s website entirely separate from every other customer’s website so in the very remote chance that one did get affected, it would not affect any of the others.
What we can’t do is update customer website software (e.g. the content management system) on a regular basis at no cost. We ask customers to request that we upgrade their website software often. It is vital that website content management systems are kept up to date. The biggest cause of websites being compromised is old and vulnerable website software.