Re: Hosted Solutions -- Hackers Haven

[Gleb Paharenko <gpaharenko () gmail com>]

Adriel, hi!

I agree with that point that shared environments increases the attack
surface. But in case decision for outsourcing environment is done in a
right manner, first risks/profits should be assessed and analysed if
shared hosting acceptable. It is good to have a threats check-lists
for different hosting types as a guidelines for risk assessment. There
might even operational issues (cpu/memory quotas), not only pure
security!

2009/10/13 Adriel T. Desautels <ad_lists () netragard com>:
> Hi List.  This is a subject that seems to come up a lot when we deliver
> penetration testing services to our customers.  I decided that a quick blog
> entry on the subject of hosting might be a good idea.  I'm not adverse to
> hosting, but I'd like people to think twice before deciding to outsource
> their technology to a third party.  Specifically, I'd like to see people
> consider the real risks that they might be introducing to their business.
>
> As usual, if there are any comments I'd love to hear them.
>
> http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html
> Human beings are lazy by nature.  If there is a choice to be made between a
> complicated technology solution and an easy technology solution, then nine
> times out of ten people will choose the easy solution.  The problem is that
> the easy solutions are often riddled with hidden risks and those risks can
> end up costing the consumer more money in damages then what might be saved
> by using the easy solution.
>
> The advantages of using a managed hosting provider to host your email,
> website, telephone systems, etc, are clear.  When you outsource critical
> infrastructure components you save money.  The savings are quickly realized
> because you no longer need to spend money running a full scale IT operation.
>   In many cases, you don’t even need to worry about purchasing hardware,
> software, or even hiring IT staff to support the infrastructure.
>
> What isn’t clear to most people is the serious risk that outsourcing can
> introduce to their business.  In nearly all cases a business will have a
> radically lower risk and exposure profile if they keep everything in-house.
>  This is true because of the substantial attack surface that hosting
> providers have when compared to in-house IT environments.
>
> For example, a web-hosting provider might host 1,000 websites across 50
> physical servers.  If one of those websites contains a single vulnerability
> and that vulnerability is exploited by a hacker then the hacker will likely
> take control of the entire server.  At that point the hacker will have
> successfully compromised and taken control of all 50 websites with a single
> attack.
>
> In non-hosted environments there might be only one Internet facing website
> as opposed to the 1000 that exist in a hosted environment.  As such the
> attack surface for this example would be 1000 times greater in a hosted
> environment than it is in a non-hosted environment.  In a hosted environment
> the risks that other customers introduce to the infrastructure also become
> your risk.  In a non-hosted environment you are only impacted by your own
> risks.
>
> To make matters worse, many people assume that such a risk isn’t significant
> because they do not use their hosted systems for any critical transactions.
>  They fail to consider the fact that the hacker can modify the contents of
> the compromised system.  These modifications can involve redirecting online
> banking portal links, credit card form posting links, or even to spread
> infectious malware.  While this is true for any compromised system, the
> chances of suffering a compromise in a hosted environment are much greater
> than in a non-hosted environment.
>
>
>
>        Adriel T. Desautels
>        ad_lists () netragard com
>        --------------------------------------
>
>        Subscribe to our blog
>        http://snosoft.blogspot.com
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually
> do a proper penetration test. IACRB CPT and CEPT certs require a full
> practical examination in order to become certified.
> http://www.iacertification.org
> ------------------------------------------------------------------------



-- 
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
+380503116172

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------