Penetration Testing mailing list archives
Re: Hosted Solutions -- Hackers Haven
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Thu, 15 Oct 2009 18:54:42 -0400
Yaroslav, your argument holds no water. The risk that hosting providers introduce to businesses does not have any relation to the size of the company using the hosting service. More comments embedded below: On Oct 14, 2009, at 4:37 AM, yaroslav wrote:
allow me to disagree a bit.
Go ahead.
generally, this is true for a large organizations with dedicated IT department.
How do you propose that the size of the company using a hosting providerhas anything to do with the security of the provider? There is absolutely
no correlation there.
but in a case of small, let's say less than 100 employees, company, which want to go online, the method will be like this:"step 1: go to bookstore and buy 'linux for dummies", step 2: setup a server, step 3: profit!".
Your generalization isn't based on reality. There are many 100 person companies that have full time IT Staff. There are also many 3 person companies that use third party IT Service Providers to managetheir networks (outsourced IT staff). In all cases (unless you pull a stupid)
then the risk is less if you keep your network in-house.
'virtual suicide' in other words. generally, hosting providers knows much more about security and threats than average company.
Are you kidding me? What you just said is laughable! "Generally speaking" these providers are more vulnerable than raw meat left with a pack of hungry wolves. They market themselves as being secure, but most of the time they aren't. I can say that with absolute certainty because we test those providers on a regular basis for our customers. When our customers get the results they
tend to have a change of heart and move back to in-house hosting.Sure, there are a "few" good hosting providers, but most of them are not security pro's. Even the ones that are can't control what their customers are doing.
do not forget that owning one account from 1000 doesn't mean that you own all the system. it is very close, yes, but not completely.
Have you ever penetrated a network? When you take a system that is connected to a network then the network is in fact compromised. In simple terms, at that point you can sniff the data on the network and capture credentials, perform MITM attacks, poison sessions, etc. If you can't figure out how to take the rest of the systems at
that point then you shouldn't be hacking in the first place.So yes, you pwn one system on a network then the others are pretty much done
(with a few exceptions of course).
On Tue, Oct 13, 2009 at 3:17 AM, Adriel T. Desautels <ad_lists () netragard com> wrote:Hi List. This is a subject that seems to come up a lot when we deliver penetration testing services to our customers. I decided that a quick blog entry on the subject of hosting might be a good idea. I'm not adverse to hosting, but I'd like people to think twice before deciding to outsource their technology to a third party. Specifically, I'd like to see people consider the real risks that they might be introducing to their business.As usual, if there are any comments I'd love to hear them. http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.htmlHuman beings are lazy by nature. If there is a choice to be made between a complicated technology solution and an easy technology solution, then nine times out of ten people will choose the easy solution. The problem is that the easy solutions are often riddled with hidden risks and those risks can end up costing the consumer more money in damages then what might be savedby using the easy solution.The advantages of using a managed hosting provider to host your email, website, telephone systems, etc, are clear. When you outsource critical infrastructure components you save money. The savings are quickly realized because you no longer need to spend money running a full scale IT operation. In many cases, you don’t even need to worry about purchasing hardware,software, or even hiring IT staff to support the infrastructure.What isn’t clear to most people is the serious risk that outsourcing can introduce to their business. In nearly all cases a business will have a radically lower risk and exposure profile if they keep everything in-house.This is true because of the substantial attack surface that hosting providers have when compared to in-house IT environments.For example, a web-hosting provider might host 1,000 websites across 50 physical servers. If one of those websites contains a single vulnerability and that vulnerability is exploited by a hacker then the hacker will likely take control of the entire server. At that point the hacker will have successfully compromised and taken control of all 50 websites with a singleattack.In non-hosted environments there might be only one Internet facing website as opposed to the 1000 that exist in a hosted environment. As such the attack surface for this example would be 1000 times greater in a hosted environment than it is in a non-hosted environment. In a hosted environment the risks that other customers introduce to the infrastructure also become your risk. In a non-hosted environment you are only impacted by your ownrisks.To make matters worse, many people assume that such a risk isn’t significant because they do not use their hosted systems for any critical transactions. They fail to consider the fact that the hacker can modify the contents of the compromised system. These modifications can involve redirecting online banking portal links, credit card form posting links, or even to spread infectious malware. While this is true for any compromised system, the chances of suffering a compromise in a hosted environment are much greaterthan in a non-hosted environment. Adriel T. Desautels ad_lists () netragard com -------------------------------------- Subscribe to our blog http://snosoft.blogspot.com ------------------------------------------------------------------------This list is sponsored by: Information Assurance Certification Review BoardProve to peers and potential employers without a doubt that you can actuallydo a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------------------------------------------------------------------------------This list is sponsored by: Information Assurance Certification Review BoardProve to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.http://www.iacertification.org ------------------------------------------------------------------------
Adriel T. Desautels ad_lists () netragard com -------------------------------------- Subscribe to our blog http://snosoft.blogspot.com ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Hosted Solutions -- Hackers Haven Adriel T. Desautels (Oct 13)
- Re: Hosted Solutions -- Hackers Haven Roman Medina-Heigl Hernandez (Oct 15)
- Re: Hosted Solutions -- Hackers Haven Adriel T. Desautels (Oct 19)
- Re: Hosted Solutions -- Hackers Haven yaroslav (Oct 15)
- Re: Hosted Solutions -- Hackers Haven Adriel T. Desautels (Oct 19)
- Re: Hosted Solutions -- Hackers Haven Gleb Paharenko (Oct 19)
- Re: Hosted Solutions -- Hackers Haven Roman Medina-Heigl Hernandez (Oct 15)