Want to discuss this document? Email us!

Choosing a web host.

Research shows that 90% of sites and blogs with malicious content are actually legitimate sites that have been compromised by cyber criminals. Any site can be a target for cyber attacks, from a large corporation to a personal website. Don't neglect the security of your website if your income, your reputation and the safety of your visitors matter to you. One of the most important choices when creating a website is choosing a hosting company. There are many factors to consider, such as security, price, traffic and speed, but this whitepaper discusses security only.

Below are questions you should ask your web host about features that will keep your website secure. This is not a list of required features; these are simply key security measures to consider when you set up a website. Whether you do it yourself or rely on the hosting provider is a matter of your own preference. Many hosting providers offer some of these features for free while others offer them at additional cost. Questions you should ask are:

How secure are your website hosting services?

The host's security policy can tell you about how a host thinks about the security of your website. There are many hosting options available, from hosting providers who give you only webserver space and a connection and leave the rest up to you, to those who offer traffic monitoring, daily malware scans, daily backups and protection such as denial-of-service mitigation. Unfortunately there are some companies whose security makes it clear that they simply don't understand the issues of securing sites against attackers. Another security question to consider is how the website host secures its own internal network. A compromise of a network can lead to a disaster for website owners. With web hosting, understanding how a provider protects your website is a key step in keeping it secure.

How are security breaches handled?

The company should always have a plan for handling situations that arise when the security measures you have taken fail. In the event of a security breach that affects your site it is possible that the web host will know this before you do. If this happens the safety of your visitors depends on the procedures that are in place. Important information is whether and how the company will attempt to verify the report, how long their work takes before you are notified and how they will notify their clients. When a breach is discovered it is important to ensure that the method used to contact you is closely monitored. The notification is only useful if it is received in time and understood. Parallel to this is, of course, finding out what happens when you, and not the host, are the one who reports a security issue. Does the firm have a procedure in place that takes your website offline while it poses a risk to visitors? Does your provider assist with cleanup and restoration of the site, and how do they do that?

What is the platform under my application?

Concurrent with the question above, it’s important to know what server platform your CMS application will be installed on and how it is secured. A critical part of securing any underlying platform, whether it is the server software such as Apache or IIS, or the operating system itself, is applying updates and security patches. Some of these patches will require a restart of the service or the server itself. Knowing how often this required maintenance occurs and what the effect on your site will be is necessary to assess the correct balance between operation and security. Obviously you want everything to be properly secured, but with minimal downtime.

Do you offer SSL (HTTPS)?

This is often offered as part of a premium hosting service, rather than by default. Many times, this cost isn’t factored in when the topic of website hosting comes up, and when it does, the costs associated can be surprising. So the question from you as the consumer might be "Why is this important?" If your site plans to require usernames and passwords, such as for e-commerce or for blogs, then it is vital that those communications are secured from eavesdroppers. Without SSL, your customers will be sending that information in plain text. Using HTTPS ensures that all user names, passwords and other sensitive data are encrypted before they are sent across the internet. Using an SSL certificate with HTTPS also gives your customers some assurance that you are thinking of security and can authenticate your site to visitors. There are different levels of SSL certificates. You may be able to either choose from the provider's offerings or supply your own from a third-party certificate authority.

Do you back up?

Backups are a necessary part of any security and continuity plan. There are two main situations in which backups could play a key role: firstly in the case of an equipment failure at the hosting provider and secondly in the case of a malicious compromise of your site. Knowing whether your data is backed up and how long it will take to restore allows you to understand the impact of an incident. Understanding how your data is backed up is also important. Some providers offer a daily snapshot while others keep a set of rolling backups over the course of a few days or more. A daily snapshot would be enough to restore from an equipment failure, but a site compromise can exist for a while before anyone notices, leaving yesterday’s site just as damaged as today’s. As important as “How often …?” is the answer to “What is backed up?”. A commonly used technique to compromise a website is SQL injection. This can leave malicious code spread throughout a database. Backups should therefore cover database recovery as well as restoring the files in your web folders. Another backup consideration is the location of the backup data. Just as with in-house data security, if the backup data is not held off-site then it is subject to some of the same risks as the live site. Power failures may take down the site and the backup ability. There is also the question of multi-site hosting and resilience but that is beyond the scope of security.
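The difference between a single daily snapshot and rolling backups, and why the database has to be covered as well as the web folders, can be shown with a short script. This is an added example, not part of the original whitepaper; the backup records, file hashes and injected marker are constructed sample data, and the `Backup` structure is a hypothetical stand-in for whatever manifest a provider exposes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Backup:
    taken: date
    files: dict              # web-folder path -> SHA-256 of the file
    db_dump: Optional[str]   # SQL dump text, or None if only files are backed up

def is_clean(backup, bad_hashes, db_marker):
    """Usable only if the files AND the database are free of the indicators."""
    if backup.db_dump is None:      # a files-only backup cannot undo an SQL injection
        return False
    if bad_hashes & set(backup.files.values()):
        return False
    return db_marker not in backup.db_dump

def latest_clean(backups, bad_hashes, db_marker):
    """Newest backup taken before the compromise, or None if retention was too short."""
    for backup in sorted(backups, key=lambda b: b.taken, reverse=True):
        if is_clean(backup, bad_hashes, db_marker):
            return backup
    return None

# Constructed scenario: file planted on 3 May, database altered on 4 May,
# compromise noticed on 6 May.
BAD_FILE = "deadbeef" * 8                     # placeholder hash of the planted file
MARKER = "<script src=//bad.example/x.js>"    # placeholder string found in the database
GOOD = {"index.php": "aa" * 32}
TAINTED = {**GOOD, "uploads/x.php": BAD_FILE}
CLEAN_DB = "INSERT INTO posts VALUES ('hello');"
DIRTY_DB = f"INSERT INTO posts VALUES ('hello{MARKER}');"
ROLLING = [
    Backup(date(2012, 5, 1), GOOD, CLEAN_DB),
    Backup(date(2012, 5, 2), GOOD, CLEAN_DB),
    Backup(date(2012, 5, 3), TAINTED, CLEAN_DB),
    Backup(date(2012, 5, 4), TAINTED, DIRTY_DB),
    Backup(date(2012, 5, 5), TAINTED, DIRTY_DB),
]
DAILY_SNAPSHOT = ROLLING[-1:]   # provider keeps only yesterday's copy

if __name__ == "__main__":
    print("rolling:", latest_clean(ROLLING, {BAD_FILE}, MARKER).taken)
    print("snapshot only:", latest_clean(DAILY_SNAPSHOT, {BAD_FILE}, MARKER))
```

With rolling retention the script finds the 2 May backup; with only the daily snapshot there is nothing clean to restore.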

Who is responsible for installing applications and CMS platforms (e.g. WordPress)?

When you first look at hosting providers, many have pre-installed and partially configured content management software all ready for customers to use. All the customer has to do is plug in user credentials, answer a few questions, pick a template, and they have a site. These providers will have CMS platforms such as WordPress, Joomla, or Movable Type (to name just a few) for the customer to pick from to build their website. However, it is important to know whether the installed version is the latest stable build and whether security patches are applied in a timely manner. The same concerns apply to the security of the underlying core software packages such as SQL and PHP. Some hosting providers allow more knowledgeable users to upload their own CMS platform and peripheral apps and configure them on their own. Obviously in this case the onus is on the customer to keep the software up to date. This requires more time investment on the part of the customer to ensure everything is patched and updated. Choosing to install your own platform comes with additional support concerns. Although hosting providers may allow it, they may offer it as an unsupported option, leaving you to deal with any problems on your own. If you are doing the install of the CMS/blogging software yourself, you may have more security options available than if you choose the easier “just a few clicks and you’re done” option.

Can I disable applications and services I’m not using?

This may not sound like a big thing, but it’s actually quite important. What if you want a blog, but not forums? Applications you do not use are probably not going to receive the attention of those that you do. Additional services may still be visible to attackers as a way into the server, increasing its attack surface. In some cases, the initial server configuration process allows you to select the applications you want to use with the option to add others later. This is one way to limit your attack surface, as you can put just what you need on the site. However, many providers offer one-size-fits-all packages with a range of standard tools installed. In those cases you have to be sure that even the tools you aren’t using are kept secure. There are other strategies you might be able to employ to improve security, such as locking down the software configurations and disabling unused features. For example: changing default settings such as user accounts and passwords, and applying security settings in software configurations such as wp-config.php for WordPress or .htaccess for Apache.

Who is responsible for updating applications and software?

Unpatched applications are an open door to attackers trying to break into your site. WordPress [2] has had several Severe to Critical vulnerabilities in 2012 alone. Joomla [3] and Movable Type also have had vulnerabilities. Leaving these vulnerabilities unpatched is the opening that attackers use to compromise websites and swell the numbers of malicious sites. Remember 90% of malicious sites are innocent victims of a compromise. But more than just the CMS, who is responsible for updating the other software, such as MySQL, or updating PHP, Perl or Java? If you decide to do a manual update, will you still receive support? Hosting providers may only support the versions of applications that they provide, even if those versions are old and vulnerable.

Do you do any security monitoring?

Many of the questions here deal with what to do when your site is compromised by a malicious attacker, but before any of those procedures start you need to know that the attack has happened. This is where security monitoring plays a role. In many cases the compromise will be discovered by visitors to your site who are alerted by their security software. It would be a lot more convenient and less embarrassing if you found out first and fixed the problems. There are several technologies that can be used for this, including: anti-malware scanning to check for malicious files hosted on your site; web application firewalls (WAF) to filter out malicious attacks against your applications and databases; and blacklist monitoring to alert you when a third party detects a compromise. Most service providers will provide some of the above technologies for free, but often the more robust security monitoring is offered in premium packages. This is another cost to consider when looking at hosting providers. However, if these technologies are not in place it is useful to find out whether the hosting provider supports or allows installation of third party security such as the open source mod_security [4] web application firewall. Another important consideration is how often these security tools are used. A WAF may be in place at all times but an anti-malware scan may happen daily, weekly or even less frequently.

How are uploads secured?

The most important part of your site is of course the content. This brings us to our final question. How do you ensure that your content gets to the host securely and that no-one else can access it? One factor that’s often forgotten in the discussion of attackers breaking into websites is that the easiest way to get content onto a site is the same way that the site owner does. The File Transfer Protocol (FTP) is a nice easy way to upload content but unfortunately it is not secure. User credentials are passed in plain text for any eavesdropper to find, and for many years malware around the world has been monitoring, logging and stealing FTP credentials. In the same way that disabling unwanted services reduces your risk, disabling unwanted or risky updating mechanisms can keep your site safer. FTP is insecure and should not be used; ideally it would be disabled in favour of a safer method such as SecureFTP (sFTP). Access often also depends on passwords. Data breaches often result in the loss of password files and databases, and although password security can be a long discussion on its own, the key considerations are the use of secure passwords and ensuring that those passwords are stored securely. Common or simple passwords fall easily to attack. Databases that store passwords in plain text or as unsalted hashes can also be a relatively easy target. Ideally password hashes should be calculated using an algorithm designed specifically for the purpose of password hashing. Additional access control may require a system that enables changes and uploads only for a short period while it is in use, or a 2-factor authentication method. Knowing who is uploading content is also useful when securing your site. An access log showing who has changed the site and where they logged in from can help reveal any security breaches, provided you actually look at the logs of course.
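The point about unsalted hashes versus an algorithm designed for password hashing can be checked against a password table directly. This is an added example, not part of the original whitepaper; it uses scrypt from Python's standard library as one such purpose-built algorithm, and the account names, passwords and cost parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed scrypt cost parameters for this example; tune them to the server.
N, R, P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024

def unsalted_sha256(password):
    """The weak scheme: a fast general-purpose hash with no salt."""
    return hashlib.sha256(password.encode()).digest()

def scrypt_record(password, salt=None):
    """Stored value = 16-byte random salt followed by a 32-byte scrypt key."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                         maxmem=MAXMEM, dklen=32)
    return salt + key

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(scrypt_record(password, record[:16]), record)

def shared_values(table):
    """Audit check: groups of accounts whose stored value is identical."""
    groups = defaultdict(list)
    for user, value in table.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed accounts: alice and carol happen to use the same password.
USERS = {"alice": "Spring2012!", "bob": "x7#Lq92pTz", "carol": "Spring2012!"}

if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in USERS.items()}
    strong = {u: scrypt_record(p) for u, p in USERS.items()}
    print("unsalted, identical entries:", shared_values(weak))
    print("scrypt, identical entries:  ", shared_values(strong))
    print("login check:", verify("Spring2012!", strong["alice"]))
```

In the unsalted table the two accounts with the same password are visible at a glance, so one recovered password unlocks both; with a per-account salt every stored value is different.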

Summary

Using a hosting provider is about taking advantage of a professional service to make your life easier or less expensive. Security breaches in your website cost you in reputation, time and money to repair, so when choosing a hosting provider don’t forget about the security aspects. Your website is the window through which the world looks at you, your business or your organisation. If the site poses a danger to the rest of the world that will reflect poorly on you. Keeping a website secure is not a trivial task so getting help as part of the hosting service can ease the burden.

Author: Dick Detering.
