PCI Compliant Web Hosting and Managed Service Provider
Hosting Solutions since 1995

The Security Dance – Part 2

Published: Jul 30, 2012; Category: Managed Hosting, Managed Services, PCI Compliance, Reseller Hosting, Security, Small Business; 2 Comments


Welcome back! Last week’s article, “There are no wallflowers at the security dance! Get to know your dance partners,” covered getting to know your security dance partners:

If you are the business steward or a part of the management team, you already know the burden of responsibility for having a secure web site where your reputation, customers, sales, and business can be won or lost due to a defacement or other forms of security breaches.

While it is easy to say, “my web person handles that for me” or “I outsource it to so and so,” that does not mitigate the risk or otherwise make your life any easier if what you believe was going on, was not taking place.

Below is a check list you can use to help you take charge, and be the boss in the area of site security:


Dance Partner | Area of Responsibility | Doing their job?
Data Center | Has and maintains SSAE 16 certification? |
  | Has an abuse department with strict policies on resolving abuse complaints promptly? |
Hosting Provider | Is their own site PCI Compliant? |
  | Is willing to walk you through the PCI Compliance process? |
  | Has an abuse department with strict policies on resolving abuse complaints promptly? |
  | Secures their servers, and maintains that security? |
  | Has and maintains an intrusion detection system? |
  | Reviews server logs daily, and security reports frequently throughout the day? |
  | Performs daily, off-site backups? |
  | Can clearly describe, from start to finish, how they would deal with a customer whose site has been hacked? |
Payment gateway provider | Has and maintains PCI Compliance? |
  | Has not had a data breach involving customer data in the past two years? |
Web designer / developer | Reviews site error logs and statistics weekly, passing any abnormal activity on to the hosting provider for investigation? |
  | Performs regular backups of the site and the database(s) used by the site? |
  | Only installs applications which are being maintained, from vendors who take security seriously? |
  | Regularly reviews the site and database and removes unnecessary applications and items? |
  | Makes sure all applications, plugins, and themes are up to date? |

Verify that each dance partner is on the same page with you, and that they are doing their job.

You are the boss, and there will be times the partners need to be educated to pick up the pace, do their job, or be replaced.

In case you are wondering where we fit in, here’s how the check list above looks for Dynamic Net, Inc.:


Dance Partner | Area of Responsibility | Doing their job?
SoftLayer | Has and maintains SSAE 16 certification? | Yes
  | Has an abuse department with strict policies on resolving abuse complaints promptly? | Yes
Dynamic Net | Is their own site PCI Compliant? | Yes
  | Is willing to walk you through the PCI Compliance process? | Yes
  | Has an abuse department with strict policies on resolving abuse complaints promptly? | Yes
  | Secures their servers, and maintains that security? | Yes
  | Has and maintains an intrusion detection system? | Yes
  | Reviews server logs daily, and security reports frequently throughout the day? | Yes
  | Performs daily, off-site backups? | Yes
  | Can clearly describe, from start to finish, how they would deal with a customer whose site has been hacked? | Contact us to find out

The overwhelming majority of our customers are small businesses who want peace of mind in knowing their hosting provider and the data centers used by their hosting provider are doing their job.

If you are not 100% happy that your hosting provider and their data center are doing their job in keeping your web site secure and safe, then contact us. We will be happy to talk with you or have an email conversation with you.

Peter Abraham
Former CEO of Dynamic Net, Inc. Will be transitioning to a new career in the near future.

2 Responses to “The Security Dance – Part 2”

  1. Mark Vang says:

    Peter,

    How would you suggest dealing with a web host that refuses to go into detail on their security measures?

    Let’s say I’m asking specific questions (like the ones you list above) and the only answer I get is a boilerplate “Don’t worry, we take security measures to protect your account, but we don’t discuss them for security reasons.”

    Are there things my web host is required to disclose? While my legal knowledge is very limited, I believe there are regulations requiring certain types of corporations to disclose security breaches (hacked accounts). What, if any, disclosure regulations apply to Internet hosts?

    I think that on a practical level most hosts will just answer “yes” to any question in your list, but when it comes time to explain “how” they will decline to go into details.

    Thanks again for another informative post.

  2. Good day, Mark:

    While I do believe any party needs to protect themselves against social engineering, service providers should be able to at least give generalities.

    For example in our case I can share with potential clients, all of our servers — managed shared, managed vps, managed dedicated — are covered by what’s listed on Managed Server Security in addition to having all domain names in our system checked daily against the Google Safe Browsing database.

    Let’s state they don’t have such documentation on their web site; they should be able to at least name some of the items listed on Server hardening details.

    A follow up question should be “what makes your security measures unique compared to your competitors?”

    While the service provider may refuse to provide any details, you as the consumer then have to make a determination as to whether to trust them.

    There are some free tools you can use to determine the level of protection they have in place:

    A. Do a free Sucuri Security site scan.

    In addition to seeing if their site is listed as being hacked or containing malware, check the Website details tab. Versions should not be listed for Apache or PHP for example.

    B. Run a free intodns.com report of their DNS. In addition to seeing if there are any serious DNS errors, if the report shows recursion is allowed, their DNS servers are insecure.

    C. Run a free Multi-RBL Check report against their mail server machine name or IP to see if they are black listed by any major RBL. While being listed does necessarily indicate weak security, it can reveal if there are weak processes in place; especially if the service provider does not know about it.

    D. Run the free What’s the site running report as a cross verify against versions reported by Sucuri Security; as well as see how long they’ve been running under the service provider’s primary domain name.

    In so far as I know there are no legal requirements for web sites to disclose security practices.

    Thank you.
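The version-disclosure check in item A above (a Sucuri scan should not show versions for Apache or PHP) can be reproduced directly from a site's own HTTP response headers. The following is an added example written for this page, not code from the original post or from Dynamic Net; the header names, regular expression and sample header sets are assumptions and constructed values, and `fetch_headers` is an optional helper for checking a live site you are authorised to assess.

```python
import re
import urllib.request
from typing import Dict, List

# Response headers that commonly carry a software banner (constructed list for this example).
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}

# Matches "Product/1.2.3" style banners such as "Apache/2.2.22" or "PHP/5.3.10".
PRODUCT_VERSION_RE = re.compile(r"\b([A-Za-z][\w.+-]*)/(\d+(?:\.\d+)+)")
# Matches a bare version in headers whose name already identifies the product.
BARE_VERSION_RE = re.compile(r"^\d+(?:\.\d+)+$")


def disclosed_versions(headers: Dict[str, str]) -> List[str]:
    """Return the 'Product version' strings a header set discloses (deduplicated, in order).

    An empty list is the desired outcome: the banner headers either are absent or name the
    product without a version (e.g. "Server: Apache").
    """
    found: List[str] = []
    for name, value in headers.items():
        if name.lower() not in BANNER_HEADERS:
            continue
        for product, version in PRODUCT_VERSION_RE.findall(value):
            found.append(f"{product} {version}")
        if BARE_VERSION_RE.match(value.strip()):
            # e.g. "X-AspNet-Version: 4.0.30319" names no product, so use the header name.
            found.append(f"{name} {value.strip()}")
    return list(dict.fromkeys(found))


def leaks_versions(headers: Dict[str, str]) -> bool:
    """True when at least one banner header discloses a software version."""
    return bool(disclosed_versions(headers))


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch the response headers of a site you are authorised to check (network access)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample header sets: a leaky configuration and a hardened one. On Apache the
# hardened form comes from "ServerTokens Prod" and "ServerSignature Off"; PHP stops adding
# X-Powered-By with "expose_php = Off" in php.ini.
LEAKY_HEADERS = {"Server": "Apache/2.2.22 (Ubuntu) PHP/5.3.10", "X-Powered-By": "PHP/5.3.10"}
HARDENED_HEADERS = {"Server": "Apache", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    print("leaky:", disclosed_versions(LEAKY_HEADERS))
    print("hardened:", disclosed_versions(HARDENED_HEADERS))
```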
