One of the most striking statistics to emerge from research in SophosLabs is that 80% of dangerous websites are actually legitimate sites that have been compromised by criminal hackers.
Defending a website against these attacks is a necessary part of any security strategy.
A key choice when creating an online presence for your organization is choosing a hosting provider. There are many factors to consider including cost, bandwidth, resilience and additional services.
However, you can’t afford to ignore security. If you host your site with an external web hosting provider then it is critical to understand their security stance.
Do they have defenses in place? How would they respond to an attack, or worse a breach?
“Security should be designed in, not an afterthought.” This is a sentiment echoed by many security experts.
To help you build security into your web hosting decisions SophosLabs have put together a list of 10 questions to consider and the reasons why they are important.
The questions cover security aspects of:
- Choosing a provider
- Configuration and installation
- Ongoing maintenance and updating
I encourage anyone who uses web hosting services to read the paper and use it to help make the web safer for everyone.
Read now: Choosing a hosting provider (no registration required).
Server farm image courtesy of Shutterstock.
3 comments on “Whitepaper: Security questions for your web hosting provider”
Back in the 90s, for my first personal site, I signed up with a large Texas Based company because they were recommended to me as the cheapest at that time (1 site, $250 a year) and one day, I went back too far in my FTP directory and found myself in the root(?) with full access to the contents of the server. I reported it and……..still could access anyone else's folder weeks later. I finally moved to the hosting company I'm at now. Now I know what I need to ask them about security.
A few years ago, my old job's company site was somehow compromised at the server level and malware was sent to every visitor. The hosting provider took forever to deal with it.
Yes, a client of mine recently had a hacking incident at the server level, but that didn't prevent them from a lot of hand waving that makes the client think they did something wrong. Would it be a lot easier if, when client did what they are expected, their hosting provider didn't let them down. It leads to a lack of discipline because the client does not think that what they are doing is really worth the effort. Keeping track of logins and monitoring your own website takes time and some expense. I am tired of monitoring sites just so I can have the ammunition to take up issues with the hosting company.
We need more "ombudsmen" who can talk the talk with Hosting Companies on behalf of clients who do not have the vocabulary to address these issues. Trying to get the other guy (hosting company) to admit the problem lies on their end is nearly impossible if you cannot talk the talk.
Today most of the server and hosting providers are very careful about the security aspect as they know how painful it is to recover the server from hacked state. I personally have many sites on our own server and i always keep a check on the logs that are being sent by sophisticated tools like LFD which helps to evaluate whats exactly running on your server. Use of mod-security is utmost important to prevent URL injections, site defacing etc Still is advisable to keep daily maintenance of log check and system updates. Just my 2 cents : )