IT Security
The EUS IT Committee recommends the following best practices regarding internal security.
Google Passwords
All EUS e-mail goes through G Suite, which has the advantage of being secure by default. Enabling two-factor authentication is recommended for the highest level of security, particularly where the e-mails your EUS account receives are sensitive.
As a general guideline, all EUS e-mail accounts have their passwords reset automatically every summer, so that retired EUS members lose access to their accounts.
Account Recovery
To regain access to your account, e-mail it.director@mcgilleus.ca from a personal e-mail account. Ensure that your personal e-mail account is listed in the EUS Directory. If you are part of a club or design team, it is possible that not all members appear in the EUS Directory; in this case, please ask the president of your club or design team to request the reset.
Web Services Connection Strings
Our web services may require a number of connection strings: usernames and passwords for databases, passwords or secret keys for external APIs, and so on. Because several web services tend to share the same server, and because our web services are starting to be published on GitHub, these connection strings should be passed as environment variables rather than written into the code. You may keep a file, with read permission restricted to your own user, that stores the actual values of these environment variables for future reference.
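The pattern described above, as an added example (not EUS code): the connection strings live in a file that only the service's user can read, and a loader refuses to export them into the environment if the file's mode or owner is wrong. It assumes a Linux `stat -c`; the file path, variable names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not EUS code. Assumes GNU/busybox `stat -c` (Linux).
# Variable names (DB_USER, DB_PASSWORD, EXTERNAL_API_KEY) are hypothetical.

# Return 0 if the file is a regular file owned by the current user with no
# group/other permission bits (mode 600 or 400); otherwise return 1.
secrets_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        600|400) ;;          # owner-only read (and optionally write)
        *) return 1 ;;       # anything group- or world-readable is rejected
    esac
    owner=$(stat -c '%U' "$f") || return 1
    [ "$owner" = "$(id -un)" ] || return 1
    return 0
}

# Export every KEY=value line of the file into the environment, refusing
# to proceed if the file is readable by anyone else.
load_secrets() {
    f=$1
    secrets_file_ok "$f" || { echo "refusing to load $f: fix owner/mode (chmod 600)" >&2; return 1; }
    set -a          # auto-export every variable assigned while sourcing
    . "$f"
    set +a
}

# Write the file under a restrictive umask so it is never world-readable,
# not even briefly between creation and a later chmod.
write_secrets_example() {
    f=$1
    (umask 077 && cat > "$f" <<'EOF'
# constructed sample values, not real credentials
DB_USER=ledger_app
DB_PASSWORD=example-only-not-a-real-password
EXTERNAL_API_KEY=example-only-key
EOF
    )
}

# Stand-alone demo: `sh secrets.sh demo`
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_secrets_example "$tmp"
    load_secrets "$tmp" && echo "loaded DB_USER=$DB_USER"
    rm -f "$tmp"
fi
```

The service startup script sources `load_secrets` before launching the web service, so the credentials reach the process through its environment and never appear in the repository.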
Backups
Regular backups of the web servers are ideal so that, should a security breach occur (for example through malware), the affected server can be safely wiped and a clean new one created.
Folder Permissions
Folder permissions should be as restrictive as possible. For example, giving 777, a+rwx, or read, write and execute permissions to all users for a given file is to be avoided. The general rules for a folder on our servers are:
- Folders and files should be owned by their official owner. For example, webmaster should not own the folder containing the ledger's website;
- Folders and files should be under the group eusit;
- Folders and files should at least give all permissions to the owner;
- Depending on the nature of the folder or file, the group eusit may also have read, write or execute permissions;
- All users should at most be given read and execute permissions, never write.
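The rules above as an audit script, added here as an example (not EUS code): it checks one path's owner, group, owner bits and world-writable bit, and lists every world-writable entry under a tree. It assumes a Linux `stat -c`; the expected owner and group are parameters, and the demo uses the current user's primary group because the eusit group only exists on the EUS servers.

```shell
#!/bin/sh
# Added example, not EUS code. Assumes GNU/busybox `stat -c` (Linux).

# Check one path against the folder rules. Return 0 and print "ok" when:
#   - the path is owned by $2 and belongs to group $3,
#   - the owner has full (rwx) permission,
#   - "other" has no write bit.
# Otherwise print each violated rule and return 1.
audit_perms() {
    path=$1 want_owner=$2 want_group=$3
    rc=0
    mode=$(stat -c '%a' "$path") || return 1
    owner=$(stat -c '%U' "$path") || return 1
    group=$(stat -c '%G' "$path") || return 1
    # Pad to four octal digits so setgid/sticky bits (e.g. 2770) do not
    # shift the user/group/other columns, then pick the user and other digits.
    mode=$(printf '%04d' "$mode")
    u=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c4)
    [ "$owner" = "$want_owner" ] || { echo "$path: owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group is $group, expected $want_group"; rc=1; }
    [ "$u" = 7 ] || { echo "$path: owner lacks full permission (user bits=$u)"; rc=1; }
    # bit value 2 in the "other" digit is the write bit
    [ $((o & 2)) -eq 0 ] || { echo "$path: world-writable (other bits=$o)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$path: ok"
    return "$rc"
}

# List every entry under $1 whose "other" write bit is set.
# -perm -002 in octal form works on both GNU and busybox find.
find_world_writable() {
    find "$1" -perm -002
}

# Stand-alone demo: `sh audit.sh demo` (constructed directories, primary group)
if [ "${1:-}" = "demo" ]; then
    root=$(mktemp -d)
    mkdir "$root/ledger" "$root/scratch"
    chmod 750 "$root/ledger"
    chmod 777 "$root/scratch"
    audit_perms "$root/ledger" "$(id -un)" "$(id -gn)"
    audit_perms "$root/scratch" "$(id -un)" "$(id -gn)" || true
    echo "world-writable entries:"
    find_world_writable "$root"
    rm -rf "$root"
fi
```

On a server, run `audit_perms` on each site's root with its official owner and `eusit`, and schedule `find_world_writable /var/www` (path assumed) so a permission accidentally opened with 777 is noticed rather than left in place.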
WordPress
WordPress plugins tend to be susceptible to malware. For this reason, the EUS has moved towards its own EUS Templates, in an effort to build its own content management system. The issues that can arise with WordPress are due to its complexity: although it provides a convenient interface for users to log in and edit their web pages, it also exposes a server or web service to more vulnerabilities than a simple static web page does.
Beyond being careful about which WordPress plugins are installed on pages that absolutely must use WordPress, there is not much else to do. WordPress appears to be making efforts to remain as secure as possible, so keeping WordPress installations updated to the latest release is ideal.
For pages which are very simple (i.e. typical club, design team or event information pages), it is recommended to opt for a simple static web page rather than WordPress or another content management system.
Security Certificates
The EUS has access to security certificates that let our pages be served over HTTPS. These must be kept valid and up to date.
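A way to keep that promise measurable, added here as an example (not EUS code): check how long a certificate file remains valid, and separately check the certificate a host actually serves, since a renewed file does nothing until the web server reloads it. It assumes the `openssl` command-line tool; certificate paths, host names and the 30-day threshold are parameters rather than EUS values.

```shell
#!/bin/sh
# Added example, not EUS code. Assumes the `openssl` CLI is installed.

# Return 0 if the PEM certificate at $1 stays valid for at least $2 days
# (default 30), 1 if it expires sooner or has already expired, and 2 if the
# file cannot be parsed as a certificate.
cert_valid_for_days() {
    cert=$1 days=${2:-30}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend takes seconds and exits 0 when the certificate will still be valid then
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# One inventory line per certificate: subject and expiry date.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Same check against the certificate a live host presents on port 443.
# Needs network access; $1 is the host name (SNI is sent so the right
# virtual host answers). Returns like cert_valid_for_days.
live_cert_valid_for_days() {
    host=$1 days=${2:-30}
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Stand-alone demo: `sh certcheck.sh demo /path/to/cert.pem [days]`
if [ "${1:-}" = "demo" ] && [ -n "${2:-}" ]; then
    cert_summary "$2"
    if cert_valid_for_days "$2" "${3:-30}"; then
        echo "ok: valid for at least ${3:-30} more days"
    else
        echo "WARNING: renew now (expires within ${3:-30} days or unreadable)"
    fi
fi
```

Running `cert_valid_for_days` from a weekly cron job over every certificate file, and `live_cert_valid_for_days` over every EUS host name, turns "kept valid and up to date" into an alert that fires before visitors see a browser warning.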