Why Security Matters to us All

Most people take the Internet for granted. When it comes to the Internet as we know it – Social Networks, Media Sites, Email, File Repositories, etc. – usability is as far as our concern extends. If it works, that is all we care about. But the truth of the matter is that understanding the complexity of the Internet also helps you to understand why security is so overwhelmingly important, yet often overlooked. 

To understand the nature of the beast is to be aware that your personal websites, reseller accounts, VPS servers, Cloud Servers, Dedicated Servers, Clusters, and server farms all reside in facilities known as datacenters. A datacenter is nothing more than a purpose-built facility with special infrastructure – large amounts of power, cooling, fiber connections and any number of physical devices such as routers, switches, firewalls, load balancers and server hardware (powerful computers with public and private Internet connectivity to which people or other computers connect). What most people fail to realize is how and where their slice of that infrastructure is located and the typical events that are ongoing every second of every day attempting to penetrate and gain access to them. 

Your individual slice of this datacenter infrastructure is typically located in what’s known as a rack, nothing more than a storage unit capable of holding anywhere from a single large device to about 30 individual dedicated servers. That may not sound like much, but a typical datacenter can house anywhere from 2000 servers up to hundreds of thousands of servers in one building. Many of those devices are then typically sliced up into shared, reseller, VPS and cloud computing environments. This means, on average anywhere from 200 – 300 end-users can reside on a single server. So now we can see that a small to medium size datacenter can easily host in the neighborhood of 750,000 – 1 million domains facility. Now you may start to understand the magnitude of operations at a typical datacenter and how easy it is for your single little domain (which is of course very important to you) may not be getting the attention to security you believe it is...

We generally only hear of large security breaches in the online community. For example, the brazen thieves who smashed through a concrete wall to steal millions of dollars worth of server equipment from a Chicago datacenter recently. The fact is, these types of large breaches are rare. However, the smaller, single domain breaches happen thousands of times per day and they are the ones you can protect yourself from as a server owner/admin. These small single-domain or single-server breaches are usually due to one simple and preventable cause. The device your website resides on was not patched with the latest security updates and a hacker gained entry to it.

Most typical server break-ins are for one of a few reasons. Someone has a grudge to settle, a “script kiddie” wants to break in just to see if he can (or to cause some mischief), or more commonly, to anonymously utilize the resources of your server for nefarious purposes such as spam or malicious botnets. The problem is, when these matters occur, it is typically left to the device owners themselves to repair and resolve the issue. Any hosting or security professional will tell you, the only valid way to be sure your server is once again secure is with a full device reinstall, security patches applied, and restoration of data (you do have current backups, right? Right?!?!)

The issue you, as the end user or site owner, now face is that suddenly when this does all occur, you are more than likely unprepared to deal with the fallout. A typical re-install of a device may take anywhere from 30 minutes to 4 hours depending on the complexity of the initial setup, and that reinstall is generally started anywhere from 1 hour to 24 hours after a security breach is noticed. Once the re-install has been completed, then the data restoration portion must begin and this process can take anywhere from 30 minutes, to hours or days depending where the restore data is and how fast the transfer occurs. If the data you held so valuable is lost and backups have been wiped or corrupt, just think about how long it would take you to recreate everything from scratch again. Sometimes everything runs smoothly and you’re back and online within a few hours, other times people simply never recover. The fact of the matter remains, almost always this has nothing to do with you, your website or anything else you may think, it’s simply a matter of finding a exploit and taking advantage of it. How confident are you that there are absolutely no vulnerabilities in your site. What about all the other sites hosted on the server your site resides on? It only takes one site to compromise an entire server...

Datacenters are given large amounts of “IP address space”. A large allocation of IP address space can be thousands or hundreds of thousands of IP’s, all of which can be automatically scanned quickly and efficiently by various hackers. Once a hacker finds an IP with a known exploit, scripts are used to gain entry and all of this can occur in under a matter of minutes. Since the automation exists and the intent often is simply to use resources of the exploited device, the hacker cares not for who you are, simply what you have and how they can use it. Illegal, malicious botnets and sending spam are common factors behind these attempts. Sometimes a hacker just wants to use your server for attacking other servers or networks without leaving a trail. Afterward, your server (holding the evidence of the attack) is wiped clean along with all your data. The point is, you are not unique in the Internet world, simply a number (as far as IP address space is concerned) and without taking the right precautions eventually you will become a statistic.

As a device owner who is compromised, you must lose both the time and resources to restore your data and security back to the level that it should have been in the first place. As if this is not bad enough, you are also responsible for the subsequent damages that occurred for resource utilization. Most devices come with a preset amount of resource known as bandwidth, often measured in Megabits per second (Mbps or “Megs” for short). Bandwidth is nothing more than an allotment that you are penalized for exceeding, much like miles in a car lease or cell phone minutes. If you go over your allowed resources you pay a hefty fee. Device owners rarely realize they are a hacking victim until their monthly invoice for previous months usage comes out and suddenly they are stuck with a big bill. The bills in these cases generally range from a few hundred to a few thousand dollars, recently within a 2 month span, we saw 5 customers become victims of this type of resource abuse, and all of them were stuck with bills over $5,000 USD each. None of them knew of the issue until it was too late, and all of them were responsible for making restitution for their usage.

Datacenters do not monitor what data your server is sending (would you want them to?) but only monitor the amount of traffic sent. The datacenter will not be able to tell you much about the hacker, where they are or what you can do about the breach after the fact other than reinstalling your server.

The vast majority of hacking cases would be avoided if customers simply kept up with the security patches that are available as new exploits are found. The problem is most people do not have the time, resources or know-how to check every running daemon on their server for all known exploits (thousands) on an ongoing basis. Even if you know your server is secure today, there may be a new exploit discovered for some random daemon on your machine next week. Will you know when a patch is available?

Security scanning services are available that can be automatically setup and run for any such devices on the Internet. Prepared documents in easy to understand language are presented to the account recipient and they can quickly and precisely resolve known exploits without having to decipher through thousands of individual exploits to check if each and every service, port, and available entry point is locked down to the point it should be. These services are generally available for $25 a month for daily scans, and lower for lesser scan frequencies. The problem with only running security checks less than once a day is keeping up with exploit releases and patches isn’t something that can be done only once a month, or once a quarter. Hackers do not wait for these intervals to occur and neither should you. If you are not routinely aware of the security levels of your devices on the Internet, rest assured, other people are and they are simply waiting to take advantage of it. They are highly (financially) motivated to keep exploiting servers and expanding their spamming/attacking botnets. If you are not staying one step ahead, every day, you will be a victim. It is only a matter of time.