Re: Hosted Solutions -- Hackers Haven



Shared hosting will always be far more insecure than a dedicated one, as
you are suggesting (tons of websites in the same server multiply the risk
of security compromise).

But you're mixing concepts: "hosted" usually means "outsourced" but not
necessarily "shared" (for instance, you could also hire a dedicated server,
managed or not, and "host" your application there). You're refering to
shared environments, I guess.

Outsourcing has other risks/problems.

Cheers,
-Román


Adriel T. Desautels escribió:
Hi List. This is a subject that seems to come up a lot when we deliver
penetration testing services to our customers. I decided that a quick
blog entry on the subject of hosting might be a good idea. I'm not
adverse to hosting, but I'd like people to think twice before deciding
to outsource their technology to a third party. Specifically, I'd like
to see people consider the real risks that they might be introducing to
their business.

As usual, if there are any comments I'd love to hear them.

http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html
Human beings are lazy by nature. If there is a choice to be made
between a complicated technology solution and an easy technology
solution, then nine times out of ten people will choose the easy
solution. The problem is that the easy solutions are often riddled with
hidden risks and those risks can end up costing the consumer more money
in damages then what might be saved by using the easy solution.

The advantages of using a managed hosting provider to host your email,
website, telephone systems, etc, are clear. When you outsource critical
infrastructure components you save money. The savings are quickly
realized because you no longer need to spend money running a full scale
IT operation. In many cases, you don’t even need to worry about
purchasing hardware, software, or even hiring IT staff to support the
infrastructure.

What isn’t clear to most people is the serious risk that outsourcing can
introduce to their business. In nearly all cases a business will have a
radically lower risk and exposure profile if they keep everything
in-house. This is true because of the substantial attack surface that
hosting providers have when compared to in-house IT environments.

For example, a web-hosting provider might host 1,000 websites across 50
physical servers. If one of those websites contains a single
vulnerability and that vulnerability is exploited by a hacker then the
hacker will likely take control of the entire server. At that point the
hacker will have successfully compromised and taken control of all 50
websites with a single attack.

In non-hosted environments there might be only one Internet facing
website as opposed to the 1000 that exist in a hosted environment. As
such the attack surface for this example would be 1000 times greater in
a hosted environment than it is in a non-hosted environment. In a
hosted environment the risks that other customers introduce to the
infrastructure also become your risk. In a non-hosted environment you
are only impacted by your own risks.

To make matters worse, many people assume that such a risk isn’t
significant because they do not use their hosted systems for any
critical transactions. They fail to consider the fact that the hacker
can modify the contents of the compromised system. These modifications
can involve redirecting online banking portal links, credit card form
posting links, or even to spread infectious malware. While this is true
for any compromised system, the chances of suffering a compromise in a
hosted environment are much greater than in a non-hosted environment.



Adriel T. Desautels
ad_lists@xxxxxxxxxxxxx
--------------------------------------

Subscribe to our blog
http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



Relevant Pages

  • Re: Hosted Solutions -- Hackers Haven
    ... The risk that hosting providers introduce to businesses does not have ... as opposed to the 1000 that exist in a hosted environment. ...
    (Pen-Test)
  • Re: Hosted Solutions -- Hackers Haven
    ... of security compromise). ... What isn’t clear to most people is the serious risk that outsourcing can ... For example, a web-hosting provider might host 1,000 websites across 50 ... website as opposed to the 1000 that exist in a hosted environment. ...
    (Pen-Test)
  • Re: OK which is it Global Warming or Cooling?
    ... I do believe in local global warming caused by ... have to do if you want to rise above the level of prejudice and grumbling. ... I don't think I should be in a risk pool with people that are 5% ...
    (rec.crafts.metalworking)
  • Re: Wireless AC extension cord
    ... GMT, rico_001@xxxxxxxxxxx wrote: ... environment so filled with ultra high freq RF. ... Virtually all studies show no health risk. ...
    (alt.internet.wireless)
  • Re: Smoking Ban - MPs vote.. Jim hacker would be proud!
    ... The risk assessment of working in a smoke filled environment is ... What about if you already smoke, as I would expect many, possibly ... The jobs are low paid with anti-social hours ...
    (uk.media.tv.misc)