Over the last few years, the internet has seen an explosion in the number of automatic hacking/cracking/attacking tools. This has lowered the capability threshold for an attacker. Today, even a script kiddie (a computer system attacker with low skills, just able to use tools) can attack and bring down a server! Craig Scroggie, MD, Symantec Pacific region, January 2011: “Attack toolkits are becoming more accessible and easier to use, allowing criminals with little technical expertise to turn to cybercrime”. I feel, therefore, that the infrastructure and hosting industry is lagging a bit behind on server security solutions – the problem overshot them in a very short time. Even the best of hosts/cloud infrastructure companies do not have security solutions on their servers or cloud instances.

A few months back, I was mildly surprised when the founder of a small yet successful online B2B exchange called up to seek help for a denial of service attack on their servers. The attacker apparently had also sent him an email asking for a ransom! Time and again, I have seen the same scenario repeat itself. Servers and machines get attacked not just for the financial information on those servers. Hackers are attacking for all kinds of other reasons as well – hacktivism, vendetta, acquiring ‘assets’ to attack other servers, spamming, etc. For some, it is just a spectator sport! – and server managers need to deal with it.
A vast majority of tech start-ups build their application stacks on Linux. A long time back – almost in another lifetime – Linux was considered to be a ‘safer’ operating system. With exploding Linux usage over the past few years has come increased familiarity with the system, probably contributing to more and newer threats. Today, Linux can no longer be called safe.
So, the answer to the question – Do start-ups need good server security? – is an obvious ‘Yes!’. Most start-up online businesses realize that and pay attention to it.
Here is another interesting anecdote from last year. I was working with a multi-million-page-views site. I did a quick vulnerability assessment and found dozens of holes in their system. When I shared it with them, the response was – “Do we have backup? In case we are hacked, can we restore from the backup?”!
This brings us to an interesting point – what kind of damage can a hack attack do, especially if you are a lean start-up with ‘little to lose’? Is it just data that the hacker will delete? Can backup restoration help?
Here are some of the possible outcomes of attacks, provided a corresponding vulnerability is exploited by an attacker:
Defacing of the site
A defaced site can wreck your reputation with your customers. In the past, we have seen a lot of examples of this, especially with respect to government sites.
Theft of source code or customer data
Theft of your source code, your customer information or your customers’ sensitive data from your servers can have serious consequences. This is a particular concern for SaaS businesses. In fact, one also needs to evaluate the risk of hosting source code on third-party hubs. Early in March 2012, a smart user demonstrated a vulnerability that existed in GitHub which could lead to source code compromise. Egor Homakov, the hacker, discovered a vulnerability in the public key update form that allowed anyone to access any GitHub repository with full administrator privileges!
Denial of service
A denial of service attack can be very devastating – it can bring your site/server down and make it unavailable to your users for hours or days… or more. Legitimate users who are denied access are left unable to use a service they have become dependent on and/or have paid for. All three of the most prominent web servers on the web – Apache, nginx and IIS – are vulnerable to denial of service attacks that can be launched from a laptop and take effect within seconds. Videos and demonstrations of the same are freely available on the net for anyone to access.
Therefore, a simple restore is certainly not a good risk mitigation strategy against hack attacks.
For start-ups, a setback like this, from a hack attack, can be devastating. The risk can multiply and translate into investor risk for start-ups that have raised money.
One popular way to raise the security bar on the servers is the DIY (Do It Yourself) approach – open-source tools and scripts combined with some home-made tooling can do the job, most of the time. If you have a smart, security-savvy guy in your midst, then I am sure s/he has it figured out. Just two questions to ponder on:
1) Have you hardened it enough versus your threat perception?
2) How do you keep your security set-up updated against newly emerging threats?
I would not count just installing firewalls and patching operating systems as adequate for anyone, though.
Information security is a lot like insurance. We all need good cover, especially those who cannot take a ‘hit’. Just as paying insurance premiums can sometimes be a pain, taking security actions can seem to ‘drag you down’. But this investment will come in handy when there is an incident. If it is not put in place adequately beforehand, it may be too late.
About Rudhir Sharan