Thoughts on British ICT, energy & environment, cloud computing and security from Memset's MD
In the 1980s, computer viruses passed around on floppy disks were the main security risks. How things have changed! Now, we have bot nets, adaptive computer viruses, social engineering, and phishing to worry about. From hackers / script kiddies to DoSers (Denial of Service), we as hosting providers have to fight them all. That’s just part of our job, however there are some important things people can do to protect themselves.
On a consumer level there are the phishing sites, out to steal your credit card or online banking details by pretending to be a trusted brand, and at a business level there are threats and extortion.
dDOS (distrubited Denial of Service) attacks are typically launched from “bot nets”, or collections of compromised personal computers and servers. While alone any one of those machines, usually on the end of a home ADSL connection, cannot do much damage, if thousands of them flood a Web site with bogus requests they can overload the infrastructure. Unfortunately the only real defense against such is to have more bandwidth than an attacker, but with more companies moving to cloud providers with massive pipes like us that means that the attacker would need a bot net of many thousands of machines to cause damage.
There has also been a marked increase in criminals attacking popular sites and advertising engines to steal information and disable websites for political reasons. The recent wave of ‘hacktivists’ presents new issues for web hosts, as many traditional organisations are now having their sites hacked.
The first stage in solving the security problem starts with the development and design stage. If developers neglect to address all security issues, a future hacker will very likely exploit the flaw to run commands which can compromise the data in your hosting account, some of which might even be confidential. To fix this problem, you must ensure scripts are very well planned and tested, especially those parts that deal with private information. Testing all inputs to the software is vital – ask your developer if they have enabled taint checking and if they look at you blankly get another developer!
Any forms that handle sensitive data should be using HTTPS (secure HTTP) of course. Be sure to enable SSL and buy a a Digital Certificate (Digital ID) from a trusted certificate authority – SSL certificates do not cost much compared to the cost of securing your site! Ensure that your developer makes any sensitive forms redirect to HTTP versions of the site too. Why is SSL encryption important? Well if you’re accessing a Web site over normal HTTP using, say, a public Wifi then I can “sniff” (read) your traffic (with a little cleverness) just by being on that same Wifi network! End-to-end encryption is always best for all online communications – don’t trust the network.
Finally, if you are using a content management system like WordPress be sure to keep it updated. The number one culprit we see after bad passwords (see below) is a WordPress site that has not been updated in ages. The same goes for all software you put online – keep it updated! With the automated tools that allow you to do so there is no excuse not to. The number two is badly-written PHP sites by the way – see above!
The majority of hacks are caused by bad passwords. It’s not just a simple matter of changing ‘l’s’ to 1′s either, as these are still easy to hack. Anything based on a dictionary word or piece of memorable information is vulnerable. It is vastly better in my experience to choose a good password and then stick with it for that site rather than changing it often also.
We have performed rigorous mathematical analysis on how good a password needs to be by working out how much money it would take to crack if you had the password file and were using cloud computing. We determined that an 8 character random string formed from a-z, A-Z and 0-9 (using open source pwgen) is adequate for the vast majority of purposes, costing about $100,000 to break. A 10 character randomly generated password will cost $13m to crack using cloud computing and quite frankly there are easier ways for hackers to get your information for that amount of money!
We get all staff to choose an auto-generated password created PWgen. This approach is much better than making them choose their own (often guessable) one and changing it periodically (which means they need to write it down to remember it).
Finally, having lots of different passwords to remember can be a pain. There are packages to help though. For most Web sites I use my browser’s password safe, which is encrypted because my entire laptop is entrypted, though many have encryption options available. For other passwords such as banking details I keep them in a password safe called KeePassX. I then use a 16-character randomly generated password (from pwgen) as my master password and I don’t have to remember any others. You should really have one password per site but personally I group a few together based on how much I trust the sites. For banking always use a unique password per site though!
If you are allowing access to your Web site’s back end, for example for order fulfilment, that will often expose a vulnerability that a hacker could exploit. Therefore it is important that you ensure that any device accessing that “soft spot” is secure.
That should not stop you operating completely over the wire / in the cloud though. We allow all staff to access all our administrative systems from anywhere using a laptop and a browser, using HTTPS for the security. However, we do not allow access from just any laptop; it must be a company one, we require that everyone follows good password practices (see above) and every person has their own unique login.
Unique logins for each member of staff is vital, so that you can react quickly in the event of a compromise. We have regularly tested and audited procedures for revoking user access quickly so that in the event of a lost laptop or compromised user password (or SSH key for command-line access to systems) we can rapidly change that user’s access credentials.
As an additional precaution, any laptop that is used to store company data (most of it is in the cloud, but sometimes information is stored locally) must have an encrypted hard drive.
In conjunction with requiring that everyone uses a screen saver password lock our company laptops are effectively impervious even if stolen while running and decrypted in RAM. No data can be retrieved since the thief would have to power down the machine in order to access the drive.
The biggest security weak-point for any organisation is its people. A determined attacker will not bother with trying to steal servers nor hack into them, but will attempt to gain leverage over key members of staff; the “purchase key attack”. To protect yourself and your data, you should look to take steps to mitigate the risks. These are some of the things we do at Memset:
The only thing one can really do about bot nets is to have more bandwidth than the attacker (ie. an army of hijacked home computers), which is yet another reason why companies should be giving up owning and managing their own data centres and moving to the cloud where providers like us have gigabits of connectivity so can withstand such attacks, which happen frequently.
We also have firewall technology to dynamically detect and block attacking IPs in real time. This sort of cyber warfare is not new though, but has only recently made the news. We have been fighting off such attacks for as long as I have been in the hosting industry (12 years). All that has changed is the scale of the weaponry.
Finally, at Memset we are very upfront about our approach to secure hosting. I would be strongly suspiscious of a provider that was unwilling to share with you how they protect your data. Be sure to ask them and look for externally-audited credentials like the well-recognised ISO 27001 Information Security Management System.