
The ServInt Source

The Tech Bench: The Single Best Security Tip

Your server is only as secure as what you choose to serve.

Harsh words, but it needs to be said. At ServInt, we work very hard to deliver servers to our customers that are as secure as they can be. But every customization of and installation on a server creates holes in that security. It is simply the nature of the Internet and networking. If you have data to share, you must find ways for users to access that data.

Security is a balance. The most secure server is one that is powered down and not connected to the Internet. But obviously, this server is little more than an expensive brick. To be useful, clients need to customize their servers, installing various programs that serve data out to and receive data from users on the Internet.

The Tech Bench: TLS/SSL Encryption for Your Website.

We’ve all logged onto websites with an https://… URL. That little “s” in https designates that the connection is using TLS/SSL encryption, an added level of security when interacting with a website. The most common places to see this are on sites that collect personal information or payments, basically anything private that users wouldn’t want to escape into the world.

Secure Sockets Layer (SSL) and its cousin, Transport Layer Security (TLS), are open standards for providing secure www service (plus mail, FTP and telnet). Originally proposed by Netscape, SSL uses RSA public-key encryption for specific TCP/IP ports. SSL competes with Secure-HTTP (S-HTTP).

Help Us Help You

As Director of Network Compliance, one of my less enjoyable jobs is to explain to a customer whose server has just been hacked exactly what damage has been done and what data can and cannot be saved.

All competent webhosts should provide customers with hosting solutions that are secure out of the box. Managed hosting providers work hard to make sure that what we provide customers remains secure on an ongoing basis. But most people can’t make much use of a hosting solution without taking it and making it their own–adding what they need to make their business work. Unfortunately, start adding anything to the solution you’ve been provided and it changes the security profile of the box.

It is not always obvious when a server is hacked. A malicious piece of code may lie buried in a random directory for weeks or even months before it activates and begins doing harm to the server or to other machines.

Unfortunately, this means it is usually not possible to simply restore a customer server from backups. Though we keep a daily, weekly and monthly backup of every VPS customer server, there is no way of knowing if the corruption occurred before the earliest backup was made. All too often, this means a customer is left rebuilding his or her server from scratch. Thankfully, this is a rare occurrence. ServInt, as well as most reputable software providers, takes active steps to deter and prevent malicious attacks.

In the 1990s websites were largely static HTML pages. The bulk of the work was in designing the pages. Once they went live, they changed little and needed updating only as often as the owner wished to update the content. But two things have occurred over the last 15 years that have dramatically changed the way webmasters interact with their sites.

The first change has been the development and implementation of server-side software such as PHP, ASP, and even WordPress and Magento. Most websites are no longer simply pages of static text; they are highly interactive and highly customizable. These new software developments open up a world of new things you can do, but they also open up all kinds of security pitfalls that need to be carefully avoided.

The second change is that the hardware that hosts these sites has become far more powerful. Advances in technology have not only increased the processing power and memory of host machines, but they have brought the price of this technology down so far that these machines are available for even entry-level hosting packages.

The keys to the Ferrari.

What this all means in terms of customer experience is that where at one time signing up for a web hosting account meant getting to borrow a bicycle to ride down the block, now it means getting the keys to the Ferrari.

Over the past five years especially, this combination of increasingly complex software and more powerful hardware has led to a dramatic increase in hacked servers on the web. Good managed web hosts routinely monitor their clients’ servers looking for any suspicious spikes in usage that might indicate unauthorized access. Companies should—and many do—try to work with customers to ensure that their server is ‘hardened’ (a pretty loaded term) and when circumstances dictate, that they have firewalls in place. But even with these steps and many others—forgive me if I must be intentionally vague here—at some point there is little even the most proactive host can do to anticipate a hack.

This is where customers come in.

One of the single best ways to prevent hacked servers is to keep all server-side software up to date. Vendors are constantly learning about and correcting weaknesses in their software code, releasing free updates to their users.

It would be great if a hosting company could magically update all of the third-party software customers have installed on their servers, but with literally thousands of different pieces of software for web designers to choose from, this is impossible on a practical level. A managed host does its part by upgrading operating systems and kernels as needed, but without consulting each customer personally and maintaining extensive lists, there isn’t even a way to determine all the software that is running on a customer’s server, let alone individually updating each customer’s products.

So what can customers do to protect themselves? Here are a few steps:

First, only install the software you need. Each application installed on a server opens that server up to any security risks the software has. The fewer pieces of software running on your system, the lower the chance of your server security being compromised.

Second, keep track of your installed software so you know what you’ve set up. I can’t tell you how many times I have traced the source of a security compromise for a customer only to have them say, “I didn’t even know that was still on my server.”

Third, keep the software you are running on your server up to date. There are options you can enable in cPanel and some other control panels to inform you when any software you downloaded directly from your control panel has been updated. Also, many places such as The Symantec Security Focus Bugtraq list allow you to sign up for emails that will send you information on software updates.

For all other software, there should be a page on the designer’s site which lists current versions and where to download updates. Keeping a folder of bookmarks of these sites can be a real life saver. Simply surf to the pages you have marked a couple times a month and check for software updates.

Fourth, ensure that the computer you are accessing your website from is properly protected. Keeping your server locked down against attacks and completely up to date is only so helpful if a piece of malware on your desktop tracks your keystrokes and finds out your server’s password when you log in. Having your server’s root access compromised (getting “rooted”) makes for a very bad day.

Finally, it sounds simple, but it is very important: change your password, and change it often.
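
Steps two and three above can be turned into a routine check. The following is an added example, not ServInt's code: it compares a hand-kept inventory (application name and the latest version noted from the vendor's page) against a listing of what is actually on the server. The record layout, application names and versions are all constructed assumptions.

```python
# Added example: audit a hand-kept software inventory against a server listing.
# Every name and version below is constructed for illustration.

def parse_version(text):
    """'4.10' -> (4, 10), so versions compare numerically rather than as strings.
    Assumes plain dotted numeric versions; anything else raises ValueError."""
    return tuple(int(part) for part in text.split("."))

def audit(inventory, found_on_server):
    """inventory: {name: latest version noted from the vendor's download page}
    found_on_server: {name: installed version} from a listing of the server."""
    report = {"untracked": [], "outdated": [], "gone": []}
    for name, installed in sorted(found_on_server.items()):
        if name not in inventory:
            # The "I didn't even know that was still on my server" case.
            report["untracked"].append(name)
        elif parse_version(installed) < parse_version(inventory[name]):
            report["outdated"].append((name, installed, inventory[name]))
    # Tracked but no longer present: the inventory itself needs cleaning up.
    report["gone"] = sorted(set(inventory) - set(found_on_server))
    return report

# Constructed sample data (hypothetical application names).
INVENTORY = {"blog-app": "4.10", "shop-app": "2.3.1", "forum-plugin": "1.2.0"}
FOUND_ON_SERVER = {"blog-app": "4.9", "shop-app": "2.3.1", "gallery-script": "0.8.2"}

if __name__ == "__main__":
    for category, items in audit(INVENTORY, FOUND_ON_SERVER).items():
        print(category, items)
```

Comparing versions as number tuples matters here: as plain strings, "4.9" sorts after "4.10" and the outdated install would be missed.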

A few simple steps can put the power of security in your hands and go a long way to ensuring your server doesn’t fall victim to attack. A good managed host will work tirelessly to make sure that your business always stays up. But if you keep a close eye on what you put on your server and keep it updated, it’ll go a long way in helping us help you.

Photo by jonworth-eu

Why America isn’t the bad guy on the Internet


The grass isn't always greener on the other side.

If you use the internet for leisure, do business on the internet for profit, or count on the internet to spread your message, you are at a disadvantage if you are not doing so in America.

There, I said it.

That wasn’t meant as a slight to our friends and colleagues abroad. I don’t mean this as an attack on any one country or continent. Rather, I’m simply challenging the assertion that the United States is somehow the bad guy when it comes to freedom of speech on the web. I read countless stories that argue that sites that are critical of the government, large corporations, industries, political figures, etc., should host offshore in Canada or Europe because their sites are simply unsafe in the U.S.

This is little more than classic FUD.

Among bloggers, particularly in the tech world, the Digital Millennium Copyright Act (DMCA) is loathed for its supposed coziness with the recording industry and the MPAA, among other content organizations. As a consumer, and as a geek, I personally share a lot of the same concerns and frustrations other users do when it comes to the principles of fair use. Believe me when I say I find DRM as annoying and intrusive as everybody else does. I also can see plainly that the “anti-circumvention” aspects of the DMCA are genuinely bad for consumers.

But the bigger picture here is that significant portions of this law, particularly Article II as it pertains to our industry, are actually well written. The DMCA isn’t perfect; it does a lot of annoying things, but it also does a lot to protect the rights of ISPs, online services, publishers, and users alike.
