Security Audit Q and A

Our company is undergoing a security audit, and we are being asked several questions about our web site, web servers, and IT security. Can you help us with any of this information please?

We have been asked to help answer questions on audits of this nature many times. For ease of use, we have included below several of the more standard audit questions we have seen on these forms in the past, with our answers.


Q: Does the Client store personally identifiable or confidential information on their web servers?
A: This is a question for your website developer. We cannot comment on how things are coded on your website, and what information, if any, you are collecting.
We will be more than happy to research this for you at our standard hourly rate, if your developer cannot help you.

Q: Do the Client’s web servers have direct access to personally identifiable or confidential information?
A: This is a question for your website developer. We cannot comment on how things are coded on your website, or on what information, if any, you have stored with your website, its databases, or text data.
We will be more than happy to research this for you at our standard hourly rate, if your developer cannot help you.

Q: Does the Client have firewalls that filter both inbound and outbound traffic?
A: All of our servers at anySiteSolutions.com employ a host-level firewall that only whitelists known service ports, and we have firewalls at the edge of our network that block some commonly abused ports. The host-level firewall has some IPS functionality, automatically blocking IPs that port scan or fail too many FTP/SMTP logins.
This may not be what the auditor is looking for, as this is a somewhat ambiguous question, which may have more relevance if you hosted your own on-site web servers.

Q: Does the Client’s information security policy include all web-based systems?
A: This question does not apply to your hosted services at anySiteSolutions.com and again, leans more towards an onsite hosted server system.

Q: Does the Client employ web applications firewalls?
A: This is mostly a question for the website developer, as it pertains to the applications used within your specific website.
We do of course offer the ability to employ these options via tools supported on our Linux Apache and Windows IIS hosting platforms. Again, though, these would be employed and configured by the website developer, not by anySiteSolutions.com as the hosted systems provider. A common option we see in WordPress sites to meet this need is a security plugin like Wordfence.

Q. Are the Client’s web servers housed in a dedicated DMZ?
A: No. Again, this is an inappropriate question when hosting through a shared services provider like anySiteSolutions.com (or any other provider, such as GoDaddy) rather than using your own dedicated on-site web server.
If you would like to discuss setting up your own dedicated, firewalled, hosted server in our datacenter, as several of our other clients have, please contact us.

Q. Is all external access to sensitive information allowed to use secure encryption and message authentication methods (i.e. TLS 1.1+, SHA256)?
A. Absolutely. Please contact us about setting up an SSL encryption certificate. This can be set up and running within minutes.

Q. Does the Client have security policies governing the use of FTP, Telnet, Bash, etc.?
A. Yes – built into cPanel. Standard settings allow normal SSH access, with permissions restricted to your own user folder. Optionally, you can have shell access jailed to your home directory, or no shell access (this is the default).

Q. When are the Client’s applications assessed for vulnerabilities such as SQL injection, cross-site scripting and buffer overflow?
-During development?
-At deployment to production?
-Regularly after deployment?
A. Again, these are all developer questions. We will be more than happy to schedule and produce these tests for you, at our normal hourly rate, if your developer is unable to.

Q. How quickly does the Client remediate vulnerabilities after they are discovered?
A. Server-side vulnerabilities are mitigated via nightly and weekly updates by cPanel. For 0-day vulnerabilities that cPanel hasn’t patched quickly enough, the admin team plans the mitigation on the day of disclosure and applies it manually once a patch has been released and tested. Ksplice also automatically loads security fixes for the kernel.

Q. Are user names and passwords sent in plain text over an insecure channel?
A. This is a question for your website developer. Ideally usernames and passwords are hashed or encrypted at rest (i.e., the application never has them in plaintext form after input). As for the channel security, that depends on whether your login section forces SSL connections. Please contact us if you would like to have an SSL encryption certificate installed.
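For the password half of that advice, the following is an added PHP example written for this page; it is not anySiteSolutions.com code and it assumes a plain PHP application (the in-memory `$users` array stands in for whatever database table the site actually uses). It shows storing only a salted, slow hash via `password_hash()`, checking a login with `password_verify()`, and transparently upgrading old hashes with `password_needs_rehash()`. It goes one step beyond the answer above by also verifying against a dummy hash when the username does not exist, so a login attempt takes the same time whether or not the account is real.

```php
<?php
declare(strict_types=1);

// Added example, not code from anySiteSolutions.com. The "user table" is a
// constructed in-memory array keyed by username; a real site would use its database.

// A throwaway hash used when the username is unknown, so an attacker cannot tell
// valid from invalid usernames by how long the login check takes.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));

/** Store a new account. Only the hash is kept; the plaintext is discarded. */
function registerUser(array &$users, string $username, string $password): void
{
    // password_hash() picks a random salt and a deliberately slow algorithm
    // (bcrypt for PASSWORD_DEFAULT on current PHP releases).
    $users[$username] = ['password_hash' => password_hash($password, PASSWORD_DEFAULT)];
}

/** Check a login. Returns true only for a known user with the right password. */
function loginUser(array &$users, string $username, string $password): bool
{
    $known  = isset($users[$username]);
    $stored = $known ? $users[$username]['password_hash'] : DUMMY_HASH;

    // Always run the (slow) verification, even for unknown users.
    $matches = password_verify($password, $stored);
    if (!$known || !$matches) {
        return false;
    }

    // If PHP's default cost or algorithm has changed since this hash was made,
    // re-hash now while we still have the plaintext in memory.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username]['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed usage: run with `php this_file.php`.
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(loginUser($users, 'alice', 'wrong password'));               // bool(false)
var_dump(loginUser($users, 'nobody', 'anything'));                    // bool(false)
echo substr($users['alice']['password_hash'], 0, 7), PHP_EOL;         // e.g. "$2y$10$" (bcrypt prefix)
```

Note that this covers only storage at rest. Whether the password travels in plaintext on the wire is decided by the channel, which is why the answer above also points to forcing SSL on the login page.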

Q. Does the Client restrict application privileges within the Client’s databases to the minimum necessary levels?
A. This is a question for your website developer.
We will be more than happy to research this for you at our standard hourly rate, if your developer cannot help you.

Q. Does the Client limit session lifetimes?
A. This is a question for your website developer. An explicit session lifetime must be enforced in code. In PHP, for example, there are settings that influence session lifetime, but none that set a hard limit; the relevant setting only makes sessions idle for more than 1440 seconds eligible for cleanup by the ‘garbage collector’ process, which runs on a probabilistic schedule rather than at a guaranteed time.
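To make the point concrete, here is an added PHP example (written for this page, not anySiteSolutions.com code) of the kind of logic a developer has to put in the application itself. It assumes a plain PHP site using the built-in session handler, and the two timeout values are constructed choices, not settings from the original answer. It enforces an idle timeout and an absolute lifetime by storing timestamps in the session and checking them on every request, because `session.gc_maxlifetime` on its own only marks stale session files as collectable.

```php
<?php
declare(strict_types=1);

// Added example, not code from anySiteSolutions.com. Timeout values are constructed.
const IDLE_TIMEOUT_SECONDS     = 900;    // 15 minutes without a request ends the session
const ABSOLUTE_LIFETIME_SECONDS = 28800; // 8 hours after it began ends the session regardless

/**
 * Pure decision function: given the timestamps we keep in the session and the
 * current time, return null if the session is still valid, or a reason string
 * if it must be thrown away. Kept free of globals so it can be unit-tested.
 */
function sessionExpiryReason(array $session, int $now): ?string
{
    if (!isset($session['created_at'], $session['last_activity'])) {
        return 'missing-timestamps'; // never trust a session that lacks our markers
    }
    if ($now - (int) $session['created_at'] > ABSOLUTE_LIFETIME_SECONDS) {
        return 'absolute-lifetime-exceeded';
    }
    if ($now - (int) $session['last_activity'] > IDLE_TIMEOUT_SECONDS) {
        return 'idle-timeout-exceeded';
    }
    return null;
}

/** Call this at the top of every request instead of a bare session_start(). */
function startSecureSession(): void
{
    // gc_maxlifetime only makes old session data *eligible* for garbage collection;
    // the checks below are what actually enforce the limits.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT_SECONDS);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server never issued
    session_set_cookie_params([
        'lifetime' => 0,      // cookie is discarded when the browser closes
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // only sent over HTTPS (assumes the site forces SSL)
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (!isset($_SESSION['created_at'])) {
        // Brand-new session: record when it began.
        $_SESSION['created_at'] = $now;
    } elseif (sessionExpiryReason($_SESSION, $now) !== null) {
        // Expired: drop all data and invalidate the old session ID.
        session_unset();
        session_regenerate_id(true);
        $_SESSION['created_at'] = $now;
    }
    $_SESSION['last_activity'] = $now;
}

// Constructed self-check of the decision logic; run with `php this_file.php`.
$t0 = 1_700_000_000; // arbitrary fixed "login" time
var_dump(sessionExpiryReason(['created_at' => $t0, 'last_activity' => $t0], $t0 + 600));                          // NULL
var_dump(sessionExpiryReason(['created_at' => $t0, 'last_activity' => $t0], $t0 + 901));                          // "idle-timeout-exceeded"
var_dump(sessionExpiryReason(['created_at' => $t0, 'last_activity' => $t0 + 28000], $t0 + 28801));                // "absolute-lifetime-exceeded"
var_dump(sessionExpiryReason([], $t0));                                                                            // "missing-timestamps"
```

The absolute lifetime check is the one the garbage collector can never provide: a session that is touched every few minutes stays fresh forever under `gc_maxlifetime` alone, which is exactly the case an auditor asking about "session lifetimes" has in mind.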

Q. Does each application have its own set of permissions and access controls?
A. This is a question for your website developer. We cannot comment on how many applications you are running in your website.
We will be more than happy to research this for you at our standard hourly rate, if your developer cannot help you.

Q. Have all unnecessary services and applications on each client and server been disabled?
A. While this is again most likely a question specific to an on-site, dedicated web server, every enabled service on your server here is either for cPanel’s internal use or for your web site’s use. There are no deprecated services enabled.