The hidden risks of budget hosting: A guide for business owners
- Hosting
- Cybersecurity
The web provides a world of possibilities, whether you are setting out to be the next Silicon Valley superstar or simply want a place in the digital world to call your own. The uncomfortable truth, however, is that the same opportunities for growth and creativity can be abused for more destructive purposes.
Computing power and bandwidth are readily available, which allows sophisticated, autonomous scripts to crawl the web, much like a search engine, probing for weaknesses or, worse, attempting to take your site down. In this harsh landscape you have to trust that each component of your digital platform is locked down tightly, giving nothing away that could assist a successful attack.
We are all too aware of the issues out there; we see them daily with our own clients and often have to act proactively to stay one step ahead of malicious actors. Based on that experience, here are our top tips for keeping safe.
Use reputable and proven services
Poor hosting can cost you more than a little downtime, and while it can be tempting to sign up with a £1.99 budget provider, you may find that the reduced rates are the result of cost cutting in important areas.
Quite often these providers are oversubscribed, running hundreds of websites on a single server instance, so another customer's poor decisions can slow down everyone. They are unlikely to have protection against Denial of Service (DoS) attacks and would therefore be taken down quickly and easily. Even some established providers can be caught off guard by the scale of attacks that are now possible: the largest recorded so far was an incredible 5.6 terabits per second (Tbps). For comparison, the average home broadband connection has around 70 megabits per second (Mbps) of bandwidth.
If you store personal data covered by privacy laws, poor hosting can lead to legal trouble too. Reputable hosting providers will be compliant with information security frameworks such as ISO 27001, SOC 2 or PCI. They will have strict access controls on their server infrastructure, audit trails and, most of all, robust processes for keeping customer data safe on all fronts.
Integrations that process data should be held to the same assessment: where are they themselves hosted? Do they have sufficient privacy and security protocols in place within their terms and conditions?
Monitor and track changes
Many of us have home alarms, smart doorbells or cameras to keep us aware of what is happening to our homes and businesses when we are not present. The same applies to the digital world.
The simplest form of monitoring is uptime monitoring, which pings a website multiple times to check that it is returning a successful response. If there is an issue, or the site responds too slowly, you can be alerted by email, SMS or an application such as Slack or Teams and engage a technical contact to resolve the issue. Services such as Oh Dear, Uptime Robot or Pingdom are effective, and for small businesses or individuals they offer free plans to get you started.
Binary on/off checks do have their limitations though: if your credentials were compromised, it would not necessarily mean that your website is taken offline. Just like a cuckoo, an attacker may use your site's good reputation and audience to further their own goals. This could be through redirection to their own sites, or more subtle activity such as installing crypto-mining scripts on the server or running them on your visitors' machines. This has been seen even on government websites.
To mitigate these kinds of attacks you can use more advanced monitoring tools that check for keywords on a page or that a specific status code is returned (servers send back different numerical codes depending on the desired behaviour; redirects are often 301 or 302). Further still, screenshot analysis can detect even the most subtle of changes that have not been authorised.
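The checks just described (status code, unexpected 301/302 redirect, expected keyword, response time) as a small monitor, written as an added example rather than code from the article or from any of the services it names; the URL, keyword and thresholds are assumptions chosen for illustration.

```python
# Added example, not from the original article: a content-aware uptime check of
# the kind described above. Beyond an up/down ping it verifies the status code,
# refuses unexpected 301/302 redirects, looks for an expected keyword in the
# body and enforces a response-time budget. URL, keyword and limits are assumed.
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Observation:            # what one probe of the site returned
    status: int
    body: str
    seconds: float
    location: Optional[str] = None   # Location header if it redirected

def evaluate(obs: Observation, expected_status: int = 200,
             keyword: str = "Brew Digital", max_seconds: float = 2.0) -> List[str]:
    """Return alert reasons; an empty list means the check passed."""
    alerts = []
    if obs.status in (301, 302) and expected_status not in (301, 302):
        alerts.append(f"unexpected redirect ({obs.status}) to {obs.location}")
    elif obs.status != expected_status:
        alerts.append(f"status {obs.status}, expected {expected_status}")
    if keyword and keyword not in obs.body:
        alerts.append(f"keyword {keyword!r} missing from page")
    if obs.seconds > max_seconds:
        alerts.append(f"slow response: {obs.seconds:.2f}s > {max_seconds}s")
    return alerts

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Stop urllib following redirects silently so the monitor can see them.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def observe(url: str, timeout: float = 10.0) -> Observation:
    """Fetch the page once and record what a monitor would see."""
    opener = urllib.request.build_opener(_NoRedirect)
    start = time.monotonic()
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return Observation(resp.status, body, time.monotonic() - start)
    except urllib.error.HTTPError as err:     # 3xx/4xx/5xx land here
        body = err.read().decode("utf-8", errors="replace")
        return Observation(err.code, body, time.monotonic() - start,
                           err.headers.get("Location"))
```

Run `evaluate(observe("https://your-site.example/"))` from a scheduler such as cron and send any non-empty list to your alert channel; a redirect to an unfamiliar host shows up even though a plain ping would still report the site as up.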
At Brew Digital we use Ghost Inspector against all of our hosted clients: twice daily it takes a suite of screenshots and mimics user activity (such as clicking through a series of pages). If any step deviates, or the appearance of a page differs, we are immediately alerted to approve or investigate the change.
Finally, monitoring needs to extend beyond the application to other areas of the infrastructure. Ensure that your domain renewal reminders are active and going to a watched inbox, that security certificates are not about to expire, and sign up to security bulletins for the software you are using.
Awareness is half the battle.
Practice good digital hygiene
These may sound familiar but they are the bread and butter of keeping safe.
Keep software up to date
Most attacks are successful because a well-known exploit has been left open. Software updates, while they can feel annoying at times, serve a critical purpose in keeping users safe. These range from minor patches to plugins in your Content Management System, such as WordPress, to browser and operating system updates. Large-scale exploits often get names such as Heartbleed or Shellshock and can affect millions of devices.
Principle of least privilege
Provide as little access as possible to achieve a task. If you run a blog, for example, keep the root account safe and log in with a personal account that has only editorial permissions. If you have to onboard other users, make a note of why they have an account and what they are expected to do, and regularly audit whether they still require the same level of access. For businesses, ensure there is a comprehensive off-boarding process. I have seen first-hand that long after leaving a company I still had full access to critical systems. Employees who leave on bad terms can easily disrupt operations and cost thousands in downtime.
Give nothing away
Software often likes to advertise its presence, broadcasting version numbers and other information that tells attackers what you are running and whether it is up to date. Automated scripts compile this information and check for known exploits against what they find (a reminder again to keep things up to date!).
Not only this, but personal and staff information should be minimised online. Social engineering is the practice of gathering crucial information to further an attack; for example, details of where you were born or the publicly stated names of pets can be used to guess secret answers and spoof your identity. An agent who is given all the right answers would be able to transfer accounts or grant access, and getting these back can be difficult.
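A quick way to see whether your own site is advertising versions in its response headers, as described under "Give nothing away", plus the usual settings that silence it. This is an added example, not code from the article; the header list and sample values are constructed for illustration.

```python
# Added example, not from the original article: flag response headers that
# advertise software and versions, as described above, and note how to silence
# them. Header names and sample values are constructed for illustration.
import re
import urllib.request
from typing import Dict, List

# Headers that commonly carry product names and version numbers.
CHATTY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
# A dotted version, optionally preceded by a product name:
# "nginx/1.18.0", "PHP/8.1.2", "WordPress 6.4", "4.0.30319".
VERSION_RE = re.compile(r"(?:[A-Za-z][\w.-]*[/ ])?v?\d+(?:\.\d+)+")

def version_leaks(headers: Dict[str, str]) -> List[str]:
    """Return 'Header: value' entries whose value reveals a version number."""
    return [f"{name}: {value}" for name, value in headers.items()
            if name.lower() in CHATTY_HEADERS and VERSION_RE.search(value)]

def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """HEAD probe of your own site: collect the response headers it sends."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())

# Common server-side settings that stop the disclosure (real directives):
#   nginx:  server_tokens off;     Apache: ServerTokens Prod
#   PHP:    expose_php = Off       (in php.ini)
```

Anything `version_leaks(fetch_headers(url))` returns is information your server is volunteering to every visitor, including the automated scripts mentioned above; a bare product name without a version is not flagged.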
Work with expert partners
There are a lot of components to achieving a secure presence online, and you do not have to do it alone. Find a trusted technical partner to work with to ensure you are minimising risk. We follow all of the above for our clients, with comprehensive monitoring, ISO 27001 accreditation and robust processes, on top of a team of highly qualified and experienced developers.
If you would like to know more or have any concerns, please feel free to get in touch for a no-obligation consultation.