Re: Hosted Solutions -- Hackers Haven

[Roman Medina-Heigl Hernandez <roman () rs-labs com>]

Shared hosting will always be far more insecure than a dedicated one, as
you are suggesting (tons of websites in the same server multiply the risk
of security compromise).

But you're mixing concepts: "hosted" usually means "outsourced" but not
necessarily "shared" (for instance, you could also hire a dedicated server,
managed or not, and "host" your application there). You're refering to
shared environments, I guess.

Outsourcing has other risks/problems.

Cheers,
-Román


Adriel T. Desautels escribió:
> Hi List.  This is a subject that seems to come up a lot when we deliver
> penetration testing services to our customers.  I decided that a quick
> blog entry on the subject of hosting might be a good idea.  I'm not
> adverse to hosting, but I'd like people to think twice before deciding
> to outsource their technology to a third party.  Specifically, I'd like
> to see people consider the real risks that they might be introducing to
> their business.
>
> As usual, if there are any comments I'd love to hear them.
>
> http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html
> Human beings are lazy by nature.  If there is a choice to be made
> between a complicated technology solution and an easy technology
> solution, then nine times out of ten people will choose the easy
> solution.  The problem is that the easy solutions are often riddled with
> hidden risks and those risks can end up costing the consumer more money
> in damages then what might be saved by using the easy solution.
>
> The advantages of using a managed hosting provider to host your email,
> website, telephone systems, etc, are clear.  When you outsource critical
> infrastructure components you save money.  The savings are quickly
> realized because you no longer need to spend money running a full scale
> IT operation.   In many cases, you don’t even need to worry about
> purchasing hardware, software, or even hiring IT staff to support the
> infrastructure.
>
> What isn’t clear to most people is the serious risk that outsourcing can
> introduce to their business.  In nearly all cases a business will have a
> radically lower risk and exposure profile if they keep everything
> in-house.  This is true because of the substantial attack surface that
> hosting providers have when compared to in-house IT environments.
>
> For example, a web-hosting provider might host 1,000 websites across 50
> physical servers.  If one of those websites contains a single
> vulnerability and that vulnerability is exploited by a hacker then the
> hacker will likely take control of the entire server.  At that point the
> hacker will have successfully compromised and taken control of all 50
> websites with a single attack.
>
> In non-hosted environments there might be only one Internet facing
> website as opposed to the 1000 that exist in a hosted environment.  As
> such the attack surface for this example would be 1000 times greater in
> a hosted environment than it is in a non-hosted environment.  In a
> hosted environment the risks that other customers introduce to the
> infrastructure also become your risk.  In a non-hosted environment you
> are only impacted by your own risks.
>
> To make matters worse, many people assume that such a risk isn’t
> significant because they do not use their hosted systems for any
> critical transactions.  They fail to consider the fact that the hacker
> can modify the contents of the compromised system.  These modifications
> can involve redirecting online banking portal links, credit card form
> posting links, or even to spread infectious malware.  While this is true
> for any compromised system, the chances of suffering a compromise in a
> hosted environment are much greater than in a non-hosted environment.
>
>
>
>     Adriel T. Desautels
>     ad_lists () netragard com
>         --------------------------------------
>
>     Subscribe to our blog
>         http://snosoft.blogspot.com
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require
> a full practical examination in order to become certified.
> http://www.iacertification.org
> ------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------