Re: Hosted Solutions -- Hackers Haven
- From: Gleb Paharenko <gpaharenko@xxxxxxxxx>
- Date: Fri, 16 Oct 2009 21:16:33 +0300
Adriel, hi!
I agree with the point that shared environments increase the attack
surface. But if the decision to outsource the environment is made in the
right manner, risks/profits should first be assessed and analysed to decide
whether shared hosting is acceptable. It is good to have threat check-lists
for different hosting types as guidelines for risk assessment. There
might even be operational issues (CPU/memory quotas), not only pure
security!
2009/10/13 Adriel T. Desautels <ad_lists@xxxxxxxxxxxxx>:
Hi List. This is a subject that seems to come up a lot when we deliver
penetration testing services to our customers. I decided that a quick blog
entry on the subject of hosting might be a good idea. I'm not averse to
hosting, but I'd like people to think twice before deciding to outsource
their technology to a third party. Specifically, I'd like to see people
consider the real risks that they might be introducing to their business.
As usual, if there are any comments I'd love to hear them.
http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html
Human beings are lazy by nature. If there is a choice to be made between a
complicated technology solution and an easy technology solution, then nine
times out of ten people will choose the easy solution. The problem is that
the easy solutions are often riddled with hidden risks and those risks can
end up costing the consumer more money in damages than what might be saved
by using the easy solution.
The advantages of using a managed hosting provider to host your email,
website, telephone systems, etc, are clear. When you outsource critical
infrastructure components you save money. The savings are quickly realized
because you no longer need to spend money running a full scale IT operation.
In many cases, you don’t even need to worry about purchasing hardware,
software, or even hiring IT staff to support the infrastructure.
What isn’t clear to most people is the serious risk that outsourcing can
introduce to their business. In nearly all cases a business will have a
radically lower risk and exposure profile if they keep everything in-house.
This is true because of the substantial attack surface that hosting
providers have when compared to in-house IT environments.
For example, a web-hosting provider might host 1,000 websites across 50
physical servers. If one of those websites contains a single vulnerability
and that vulnerability is exploited by a hacker then the hacker will likely
take control of the entire server. At that point the hacker will have
successfully compromised and taken control of all 50 websites with a single
attack.
In non-hosted environments there might be only one Internet facing website
as opposed to the 1,000 that exist in a hosted environment. As such the
attack surface for this example would be 1,000 times greater in a hosted
environment than it is in a non-hosted environment. In a hosted environment
the risks that other customers introduce to the infrastructure also become
your risk. In a non-hosted environment you are only impacted by your own
risks.
To make matters worse, many people assume that such a risk isn’t significant
because they do not use their hosted systems for any critical transactions.
They fail to consider the fact that the hacker can modify the contents of
the compromised system. These modifications can involve redirecting online
banking portal links, credit card form posting links, or even spreading
infectious malware. While this is true for any compromised system, the
chances of suffering a compromise in a hosted environment are much greater
than in a non-hosted environment.
Adriel T. Desautels
ad_lists@xxxxxxxxxxxxx
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
+380503116172