The Security Dance – Part 1
If you have your business on the Internet, you are a part of a line dance.
You can choose to be a wallflower, and face the consequences of doing nothing.
Or you can get to know your fellow dance partners (maybe picking replacements for ones that no longer fit), and be an active member of the security dance.
I have the privilege of communicating with small business stewards on an almost daily basis.
Some of the common things I read and hear concerning security are as follows:
- Don’t hackers just go after big companies?
- There’s nothing special about my web site that hackers would want.
- My hosting provider handles all of the security.
Unfortunately, all of the above statements have the business steward and their team being wallflowers rather than active participants in a perpetual dance that only ends when they stop having their business on the Internet.
Now, you might be ok being a wallflower at a social dance. Maybe you just go to sit and watch the other people dance. Maybe you just go for the music and the food. For a social dance, there’s little impact.
The impact for being a wallflower with a business on the Internet can lead to poor reputation, lost customers, lost income, and having to spend a lot of time to fix one or more situations that could have been prevented.
What does that mean?
While targeted hacking exists, the majority of hacking deals with vulnerabilities. Think of it like a gang going through the parking lot to see who was apathetic enough to leave their vehicle unlocked, or worse, unlocked with the keys still in the car.
This makes every single resource — web site, email, DNS, servers, routers, etc. — a target for hackers.
Now, let’s get back to dancing. I’m talking about old-fashioned slow dancing where you and your dance partner are close, hold hands, and watch out for one another on the dance floor.
Let’s relate that to a security dance, except rather than just two people dancing together, you have several in the form of a line dance.
Each dance partner needs to take as much responsibility in an active manner as they can to help and protect one another.
In this security dance, you have the following partners when you are looking specifically in the area of web hosting (including email, database and DNS):
- The business steward and their team.
- The web site designer and their team (if applicable — some small businesses do this in-house).
- The vendors of the applications installed by the above parties.
- The payment gateway(s) used by the above parties.
- The hosting provider.
- The data center(s) used by the hosting provider (if they don’t own their own; most do not).
Each dance partner plays a specific part in the dance; and, if the dance partner is not watching what they are doing, it will hurt more than having your foot stepped on, or falling off the ledge into a pool (like in It’s a Wonderful Life).
Now, let’s go over the responsibilities of each party in the security dance.
The data center should maintain SSAE 16 certification showing the data center management cares about quality assurance, processes, and procedures for maintaining quality.
The hosting provider should themselves have and maintain PCI Compliance. The hosting provider should also have each server secured (hardened against hackers) along with plans, policies, and procedures that keep the security up to date. The hosting provider should have plans, policies, and procedures in place to review server log files and reports throughout the day; and take appropriate action as necessary based on the daily review of those reports.
The payment gateway provider should have and maintain PCI Compliance, and have a history of taking security seriously including full disclosure of any past security breaches; and if there were any breaches, a written statement of what was done to prevent breaches of a similar nature from occurring in the future.
The application vendor (content management systems like WordPress, Drupal, and Joomla, along with shopping carts, etc.) is responsible for providing the business management team and their designer (in-house or external) with access to up-to-date software. They are responsible for writing secure code, and for taking reports of vulnerable code seriously. Any vulnerability reports should be promptly handled by the application vendor’s development team, providing patches and updates to their application in a timely manner.
The web site designer and their team (in-house or external) are responsible for applying application vendor provided updates and patches in a timely manner. This team should also be reviewing the site logs to see who is visiting the site, and how the site is being used.
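What the log review asked of the hosting provider and the designer’s team can look like in practice, as an added example that is not part of the original article: it parses a few constructed Apache/nginx combined-format lines (no real server) and flags the client whose traffic is mostly 404s on paths the site does not have, the "checking every car in the parking lot" behaviour described earlier. The thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format, which most shared hosts expose to site owners.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not from any real server): two ordinary visitors and
# one client walking through paths that do not exist on this site.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2024:10:00:03 +0000] "GET /products HTTP/1.1" 200 8210 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [01/Mar/2024:10:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [01/Mar/2024:10:00:06 +0000] "GET /administrator/ HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [01/Mar/2024:10:00:06 +0000] "GET /.env HTTP/1.1" 404 210 "-" "python-requests/2.31"
192.0.2.44 - - [01/Mar/2024:10:01:10 +0000] "POST /checkout HTTP/1.1" 302 0 "https://example.test/cart" "Mozilla/5.0"
"""

def parse_lines(text):
    """Return one dict per parseable log line; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]

def summarize(entries):
    """Per-client summary: request count, 404 count and the distinct paths requested."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set()})
    for e in entries:
        s = per_ip[e["ip"]]
        s["requests"] += 1
        s["paths"].add(e["path"])
        if e["status"] == "404":
            s["not_found"] += 1
    return per_ip

def flag_probers(per_ip, min_404=3, ratio=0.75):
    """Clients whose traffic is mostly 404s are probing for software you may not run,
    not browsing; thresholds are assumed starting points, tune them per site."""
    return sorted(ip for ip, s in per_ip.items()
                  if s["not_found"] >= min_404 and s["not_found"] / s["requests"] >= ratio)

if __name__ == "__main__":
    stats = summarize(parse_lines(SAMPLE_LOG))
    for ip, s in stats.items():
        print(f"{ip}: {s['requests']} requests, {s['not_found']} not found")
    print("probing clients:", flag_probers(stats))
```

A flagged client is a cue to confirm the probed software really is absent or patched, and to raise it with the hosting provider if the same source keeps returning.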
The business steward — the buck stops here! — has the responsibility to check that each dance partner is doing their job.
In my next article, I plan to cover steps you can take as a business steward to make your life easier in being a part of this security dance; and in making sure your dance partners are dancing to the same tune for your benefit.
Please contact us if you have any questions.