How To Protect Your Site from Cyber Crime


By Richard on November 30th, 2011 in Guest Posts

In the 1980s, computer viruses passed around on floppy disks were the main security risk. How things have changed! Now we have botnets, advanced persistent threats, social engineering and phishing to worry about. Kate Craig-Wood, MD of hosting provider Memset, has provided this overview of what you can do to keep your site safe.

Evidence is everywhere that cybercriminals remain a serious problem. Hackers, script kiddies and DoSers: we as hosting providers are fighting them all.

The Evolving Threat

On a consumer level there are the phishing sites, out to steal your credit card or online banking details by pretending to be a trusted brand, and at a business level there are threats and extortion.

DDoS attacks are typically launched from “botnets”: collections of compromised personal computers and servers. Alone, any one of those machines, usually on the end of a home ADSL connection, cannot do much damage; but if thousands of them flood a website with bogus requests, unfortunately the only real defense is to have more bandwidth than the attacker. Thankfully, with more companies moving to cloud providers with massive pipes like us, an attacker would need a botnet of many thousands of machines to cause damage.

There has also been a marked increase in criminals attacking popular sites and advertising engines to steal information and disable websites for political reasons. The recent wave of ‘hacktivists’ presents new issues for web hosts, as many traditional organisations are now having their sites hacked.

Steps for Protection

So what can you do to protect your website and online network?

Network Design

The first stage in solving the security problem starts with the development and design stage. If developers neglect to address all security issues, a future hacker will very likely exploit the flaw to extract confidential information from the website. To fix this problem, you must ensure scripts are very well planned and tested, especially those parts that deal with private information.

Using a Digital Certificate (Digital ID) from a trusted certificate authority in conjunction with SSL encryption provides a very high grade of security for all parties involved in a transaction. Keeping Content Management Systems (CMS) up to date is also crucial and ensures other security aspects of the site are updated. It’s worth noting that WordPress is notorious for being vulnerable without updates.

Choose A Good Password

The majority of hacks are caused by bad passwords. It’s not just a simple matter of changing ‘l’s to ‘1’s either, as these are still easy to hack.

We have performed rigorous mathematical analysis on how good a password needs to be for an encrypted file system, and determined that a 10 character random string formed from a-z, A-Z and 0-9 is effectively unbreakable. A 10 character password will cost $13m to crack, and quite frankly there are easier ways for hackers to get your information.
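
To make the arithmetic behind that claim concrete, here is an added example (not Memset’s code, nor part of the original post) that computes the keyspace and entropy of a 10-character password drawn from a-z, A-Z and 0-9, generates such a password with Python’s `secrets` module in the spirit of pwgen, and estimates the expected brute-force time at an assumed guess rate. The guess rate of 1e10 guesses per second is a constructed figure for illustration, not a number from the post.

```python
import math
import secrets
import string

# Alphabet the post recommends: a-z, A-Z, 0-9 (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet: str = ALPHABET) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return len(alphabet) ** length


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def expected_seconds_to_crack(length: int, guesses_per_second: float,
                              alphabet: str = ALPHABET) -> float:
    """Expected time to find a random password by exhaustive search.

    On average an attacker must try half the keyspace. The guess rate is
    supplied by the caller; it is an assumption, not a figure from the post.
    """
    return keyspace(length, alphabet) / 2 / guesses_per_second


def generate_password(length: int = 10, alphabet: str = ALPHABET) -> str:
    """Generate a uniformly random password, as pwgen-style tools do.

    secrets.choice draws from the OS CSPRNG; random.choice is not suitable.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(password: str, length: int = 10, alphabet: str = ALPHABET) -> bool:
    """Check that a password has the required length and uses only the alphabet."""
    return len(password) >= length and all(c in alphabet for c in password)


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}  policy ok: {meets_policy(pw)}")
    print(f"keyspace: {keyspace(10):,}  entropy: {entropy_bits(10):.1f} bits")
    # Assumed rate of 1e10 guesses/s (constructed for illustration only).
    years = expected_seconds_to_crack(10, 1e10) / (365.25 * 24 * 3600)
    print(f"expected brute-force time at 1e10 guesses/s: {years:.1f} years")
```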

Tight Controls on Accessing Data

We allow all staff to access our systems from anywhere using a laptop and a browser, with HTTPS providing the security. Everything, our business administration systems included, is accessed over the public internet via HTTPS, and we trust it entirely. VPNs are unnecessary and burdensome in today’s world of cloud. However, we do not allow access from just any laptop: it must be a company one, and the browser used must have a password-protected, encrypted password safe (for saved passwords).

We also have tight, and regularly tested, procedures for revoking user access quickly. In the event of a lost laptop or compromised user password (or SSH key) we can rapidly change that user’s access credentials.

Further, any laptop that is used to store company data (most just access it remotely) must have an encrypted hard drive.

Therefore, if one of our laptops is lost, all that is lost is the hardware – no data can be retrieved (we require password screen locks as well). We have all staff use an auto-generated password created by the open source tool pwgen. This approach is much better than making them choose their own (often guessable) one and change it periodically (which means they need to write it down to remember it).

Personnel / ‘Purchase Key’ Attacks

The biggest security weak point for any organisation is its people. A determined attacker will not bother trying to steal servers, nor hack into them, but will attempt to gain leverage over key members of staff: the “purchase key attack”. To protect yourself and your data, you should look to take the following steps:
1. All staff with access to company data should be CRB and background checked.
2. Access to servers should be gained via personal keys, and all access should be logged.
3. Logs and activity should be routinely checked by the head of security.

Choose Your Hosting Provider Carefully

The only thing one can do about botnets (i.e. an army of hijacked home computers) is to have more bandwidth than the attacker. That is yet another reason why companies should give up owning and managing their own data centres and move to the cloud, where providers like us have gigabits of connectivity and so can withstand such attacks, which happen frequently.

We also have firewall technology to dynamically detect and block attacking IPs in real time. This sort of cyber warfare is not new, though; it has only recently made the news. We have been fighting off such attacks for as long as I have been in the hosting industry (12 years). All that has changed is the scale of the weaponry.

Memset is very upfront about its security procedures, which you can see here.

Make sure your web host is upfront about security and also holds ISO 27001 certification as a minimum.




HostGator Black Friday: Save 50%


By Richard on November 25th, 2011 in Uncategorized

Breaking news: you can save 50% on any HostGator hosting plan until the end of today.

You’ll find HostGator’s Black Friday promotion right here.

That means you can get a whole year’s shared hosting for just $23.76.

The discount applies to the first invoice, so you need to prepay (i.e. pay for a year or more, not month-by-month) to get the best savings.

HostGator is one of the hosts we consistently hear great reports about from our users (especially for their phone support). Our user HostGator reviews say it all.


Save 50% at HostGator



Review: HostBaby – Hosting for Musicians


By Jonathan on June 2nd, 2011 in Reviews

As the hosting industry becomes more diversified it is also becoming more specialized. These days, there are hosting brands and services for nearly every single application, operating system, CMS, client type and country.

If you have a specific need for your site, there’s a company out there that can meet it.

HostBaby is a predictable extension of this specialization. HostBaby is not just a hosting company targeted at musicians, it’s an entire hosting platform.

I recently found myself in need of a quick site for a friend’s band and decided to give HostBaby a try. Although my expectations were initially low, I was surprised to find that HostBaby is actually a fairly powerful and robust system, and one that many musicians (and their developers) may want to consider.



Livefyre: The New Kid on the Commenting Block


By Jonathan on May 27th, 2011 in Reviews

The blog commenting landscape is dominated by a handful of big names. Currently, Disqus and Facebook have the lion’s share of the market, although Automattic, the owners of WordPress.com, have a large presence with their IntenseDebate platform.

However, a different company is hoping to challenge these stalwarts of the industry. Livefyre, although it’s been around almost a year and a half, is still widely thought to be the scrappy upstart of the field.

But Livefyre isn’t just billing itself as a “me too” operation. The platform is working to add compelling new features to separate it from the pack. I decided to give it a go.

I haven’t been using Livefyre long enough to comment on how it affects my community, but I have formed a quick first impression. It’s a service with a lot to love, but there are a few rough corners that might give webmasters reason to pause before signing up.

The details, as usual, are below the fold.



Understanding File Permissions in FTP (CHMOD)


By Jonathan on May 25th, 2011 in Tips & Tutorials

Uploading anything more complicated than basic HTML (for example, a PHP script) usually requires some fiddling with permission settings to make things work properly. Whether you’re battling an error or just following the instructions to install a new script on your server, you at least need to know how to set permissions.

However, many webmasters successfully set their permissions without realizing that’s what they’re doing, or why it’s so important. This can lead to serious mistakes that can, in turn, lead to security and reliability issues.

Here’s the good news: permissions are easy to understand and virtually anyone can grasp them in a few minutes; all it takes is an understanding of the underlying concepts. Even the mysterious numbers we see when we use the CHMOD command will become much clearer.



5 Personal Skills Every Webmaster Needs


By Jonathan on May 23rd, 2011 in Beginners

When it comes to hosting and setting up a website, many people focus almost entirely on the technical skills one needs to keep things running smoothly. At the very least, a webmaster needs to know how to use a computer and how the Internet works, right? Only sort of.

Thanks to cPanel, WordPress and a slew of other tools, very little technical skill is actually required to get a site set up. In fact, if you’re willing to use a free hosting service, you’ll only need the skills necessary to fill out an online form to get a site up and running in minutes.

Instead, these days, a webmaster needs just as many personal skills as technical ones.

Rather than heavy-duty tech skills, your site’s success could well come from your ability to reach out to people, both to seek help and to spread your message.

Here are some of the key personal skills you’ll need to set up and run a successful site. Without these, it is almost impossible to build a successful Web presence, much less keep one going for any length of time.



WordPress 3.2 Beta Brings Speed and Clarity


By Jonathan on May 18th, 2011 in Tips & Tutorials, Wordpress

WordPress users (and that includes us!) will be happy to know that version 3.2 had a beta release last week, bringing a slew of new features that are designed to improve the performance, usability and appearance of the blogging platform.

However, this upgrade is rather different from the others. The most touted changes are not new features or tools, but rather speed and design elements that should make WordPress cleaner, lighter and faster.

The idea is for WordPress to drop many of its old technologies and start looking forward, streamlining its code and appearance to focus on what really matters.

Sounds like a tall order, eh? I think WordPress might well be able to deliver on it, although it’s tough to say at this early stage.



5 Things You Might Not Know About Your TOS


By Jonathan on May 16th, 2011 in Industry News

Since TwitPic’s recent controversy over its terms of service, which saw the company backtrack from an aggressive TOS that prevented its users from reselling photos they had uploaded to the service, a great deal of new attention has been focused on the contracts and agreements we sign every time we register with a new service.

It’s a fact of life that most of us don’t read our terms of service when we sign up for a new hosting account – a decision that can cost us dearly in the long run.

I can confidently say there is probably a great deal in your current terms of service that you don’t realize is there. If there is ever a legal dispute between you and your host, these could come back to haunt you; you might well have signed away more rights than you intended.

So what are some of the things buried in your TOS? Here are five things you’ll find in virtually any TOS, and what they mean for you in the event of a legal dispute.



Google Adds Site Speed to Analytics


By Jonathan on May 13th, 2011 in Industry News

When it comes to third-party site statistics, Google Analytics (GA) is pretty much the gold standard. It provides a tremendous amount of practical information, integration with other Google products (including AdSense and AdWords), and clear charts, all for free.

However, Google recently announced that it was taking things one step further and adding something almost no other analytics system has – a site speed feature.

The idea is fairly simple: as users load your site and the Analytics code, Google can track how long your page takes to load for them. Just like with any other statistic that GA collects, you can break down this information by page accessed, browser type and other variables to help you get a better understanding of how fast your site is moving and what variables might be causing it to slow down.

This feature is not automatically enabled on all GA accounts and will take a few steps to set up. However, once you do, you should be able to get a much more robust understanding of how your site and your host are performing with actual visitors.



Death of RSS Endangers Our Open Internet


By Jonathan on May 11th, 2011 in Industry News

RSS, or Really Simple Syndication, is one of the technologies that helped blogging grow hugely. By offering a simple method for others to subscribe to or otherwise access the content of a dynamic site, it made blogs, with their rapid pace of updates, more accessible and approachable.

For a time, an RSS feed literally determined, to many, whether a site was a blog or not. RSS was even touted as the future of content reading on the Web and was widely adopted by various mainstream media outlets in a variety of ways. Soon enough, RSS was everywhere: forums, social networks and more were all using the format and, since it was an open standard, developers were building a wide variety of products on it.

However, RSS came with its own set of problems. For content creators, it enabled scraping and other forms of content theft, kept visitors off the site and discouraged discussion on posts. For readers, though it enabled them to read more blogs and sites than would have otherwise been possible, there was still a serious problem with information overload and most people found that their RSS readers were filled with garbage.

For years, bloggers and others have been encouraging readers and friends to skip using an RSS reader, instead using tools like Twitter and Facebook to keep on top of the news that’s relevant to them.

However, RSS may be in worse shape than previously thought. Recently both Facebook and Twitter disabled RSS functionality in their services, favoring a complete “walled garden” approach.

The future of RSS is starting to look pretty bleak and, though it likely won’t “die” anytime soon, it’s already lost much of its relevance.

That, in turn, could have a drastic impact on the future of the Web, perhaps bigger than anyone realizes right now.


