Website Security Audit

You may ask why you need to be PCI compliant if you don’t collect card details. At Storm we use PCI as the benchmark in tough-as-nails security for all our customers. The GDPR came into force in 2018 making significant changes to data privacy regulation. Companies are required by law to protect customers’ personal information to the highest standards, or face serious consequences including crippling fines. So by complying with PCI DSS companies are also complying with the GDPR and protecting themselves from fines due to data breaches, even if they don’t hold cardholder data.

Storm will fully manage your security requirements via the Storm Security Centre. The team will take care of implementing all the required changes to your business, as well as proactively keeping on top of it as any threats evolve. This is the Storm Security guarantee.

Storm’s Security Audit incorporates various features provided through Cloudflare’s Essential Website Protection. It’s important to note that the Storm Portal no longer supports the Cloudflare legacy platform. To manage your Cloudflare settings, please refer to the Storm Internet Security Centre.

Cloudflare Security Features

DDoS Protection

• Network and Transport Layers (Layers 3 and 4): Cloudflare shields your servers from DDoS attacks at both these layers.
• Application Layer (Layer 7): Cloudflare also has mechanisms to detect and neutralize attacks that imitate genuine web traffic.

Web Application Firewall (WAF)

Cloudflare’s WAF is designed to identify and block known web security vulnerabilities, such as SQL injections and Cross-Site Scripting (XSS).

Content Caching

Although not explicitly a security feature, Cloudflare’s content caching can lessen the strain on your original servers, making them more resilient against DDoS attacks.

Always Online

Cloudflare maintains a cached version of your website, ensuring it stays accessible even if your main server faces downtime—useful during DDoS attacks or other outages.

DNS Security

Cloudflare manages a robust DNS network and offers DNSSEC to secure DNS communication.

Firewall Rules

The platform enables custom firewall rules, allowing you to manage traffic based on parameters like IP addresses, geographical location, HTTP headers, and more.

Origin SSL Certificate

Unlike regular SSL certificates that secure the user-to-CDN connection, an origin SSL certificate specifically secures the CDN-to-origin server link. This provides complete encryption from end to end. Storm recommends using Alpha SSL Certificates.

Host Server Security Measures

NCSC Cyber Essentials Standards

Your host server is compliant with the National Cyber Security Centre (NCSC) Cyber Essentials, a certification scheme aimed at safeguarding organizations from prevalent cyber threats.

Anti-Virus Protection

All servers provided by Storm Internet feature premium antivirus software, equipped with:

• Real-time Scanning: Continuously monitors files being accessed, modified, or created on the server.
• Scheduled Scans: Regular full-system or partial scans to look for known malware signatures.
• Heuristic Analysis: Detects previously unknown malware based on behavior rather than known signatures.
• Log Analysis: Helps identify suspicious activity by scanning server logs.
• Email Scanning: Scans incoming and outgoing emails for malicious attachments or links.
• Web Filtering: Blocks access to websites known to host malware.
• Firewall Integration: Sometimes combined with a firewall for a comprehensive security solution.
• Alerting and Reporting: Sends alerts and generates reports to keep administrators informed about the security status.

Data Centre Accreditation

Your host server is located in a data centre accredited by ISO/IEC 27001, which is an international standard outlining best practices for information security management systems (ISMS).

Security audits and features like ISO 27001 certification contribute significantly to enhancing the security posture of a website or cloud server, but they are not absolute guarantees against all types of attacks. A security audit can:

• Identify weaknesses: It can reveal server or website vulnerabilities you may not be aware of.
• Regulatory compliance: Security audits are a requirement for some industries
• Improves Security Over Time: Regular audits mean you can continually assess and improve your security posture.
• Informed Decision-Making: Knowing the state of your security can help you allocate resources more effectively.

However, it should always be kept in mind that a security audit is essentially a snapshot of the state of your website or server’s security at a single point in time. New vulnerabilities can appear after the audit is complete. A security audit is also not an active defence against attacks.

While Storm’s Security Centre assesses the operating environment of your website or server, an external PCI vulnerability scan can provide a more in-depth picture of your site or server’s security features.

The Payment Card Industry Data Security Standard (PCI DSS) is one of the most recognized security standards globally, primarily focused on securing credit card information. Designed for vendors that process, store, or transmit credit card data, PCI compliance is not optional but mandatory. However, even websites that don’t handle card information can benefit from the robust security framework that PCI DSS provides.

Storm Internet offers external vulnerability scans for both servers and websites, making it a versatile security solution. These scans are designed to identify various security issues, including improperly configured firewalls, potential malware threats, and vulnerabilities related to remote access. Importantly, this service is platform-agnostic; it can be applied to different website platforms, whether you’re using WordPress, Joomla, Umbraco, or a custom-built site.

Fully-managed quarterly External PCI Vulnerability Scans are included in all Storm Internet’s server packages. Should your managed server fail a PCI compliance scan, we’ll proactively address any security issues to ensure PCI compliance.

External PCI Vulnerability Scans are available for websites from £10 per month per site.