Security is an integral part of the web hosting business, but it is important to define the sphere of security responsibility between the web hosting company and the client. So let me start with a short list of typical security issues we encounter on a daily basis. This list describes the symptoms, not the causes:
- Web pages with a malware infection, leading to various secondary attacks
- Web pages which are part of a phishing network
- Abuse of the comment system, especially on WordPress
The most common reasons for the issues mentioned above are:
- Compromised FTP passwords - Most typically, passwords are compromised because of a virus/malware infection on the client's system. Interestingly, some of these viruses/malwares are 0-day programs, i.e. even the anti-virus community does not yet know about them.
- Weak file-system permissions - If a folder has 777 permissions, then using a known vulnerability an attacker can upload a malicious script into it.
- Vulnerabilities in the application/website - If your application or website accepts user content via forms without validation, it can lead to various exploits such as SQL injection, and can even allow compromise of the whole website.
- No captcha on the comment system - If the comment system is being abused by spammers, the most probable reason is that no captcha is applied to it.
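The file-system point above is easy to check for yourself. The following Python script is an added example, not code from this article or from cPanel: it walks a web root, reports every directory or file that grants write permission to "other" (the 777 and 666 cases), and resets the tree to the conventional 755 for directories and 644 for files. The directory layout (a `public_html` with a WordPress-style `wp-content/uploads` set to 777) is constructed for the demonstration.

```python
import os
import stat
import tempfile


def build_sample_webroot():
    """Constructed sample tree standing in for a cPanel account's public_html.
    The paths and the weak 777/666 modes are assumptions made for this example."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.makedirs(os.path.join(root, "wp-admin"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php // constructed config placeholder ?>\n")
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # the weak folder setting
    os.chmod(os.path.join(root, "wp-admin"), 0o755)
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)  # world-writable file
    return root


def _entries(root):
    """Yield every directory and regular file under root, skipping symlinks
    (a symlink's own mode bits are not meaningful for this check)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        # The directory itself first, then the files inside it; subdirectories
        # are covered when os.walk descends into them.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            yield path, mode


def find_world_writable(root):
    """Return sorted (relative path, octal mode) pairs for every directory or
    file whose mode grants write permission to 'other'."""
    hits = []
    for path, mode in _entries(root):
        if mode & stat.S_IWOTH:
            hits.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    return sorted(hits)


def harden(root):
    """Reset the tree to the usual shared-hosting baseline: directories 755,
    files 644. Returns the number of paths whose mode was changed."""
    changed = 0
    for path, mode in _entries(root):
        target = 0o755 if stat.S_ISDIR(mode) else 0o644
        if stat.S_IMODE(mode) != target:
            os.chmod(path, target)
            changed += 1
    return changed


if __name__ == "__main__":
    root = build_sample_webroot()
    print("before:", find_world_writable(root))
    print("changed:", harden(root))
    print("after:", find_world_writable(root))
```

Point `find_world_writable` at a real web root to audit it; run `harden` only after confirming that nothing in the tree legitimately needs group or world write (an upload folder that must be writable by the web server user should be owned by that user instead of opened up to everyone).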
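The application point is about how form input reaches the database. The example below is added here and is not code from this article: it builds a constructed in-memory SQLite table of users and looks a username up two ways, once by concatenating the raw form value into the SQL text and once by passing it as a bound parameter. The same distinction applies to PHP on a hosting account, where PDO prepared statements play the role of the bound parameter. The table, the user names and the test inputs are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL, password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_unchecked(conn, username):
    """The weak form: the raw form value becomes part of the SQL text, so any
    quote character in it changes the structure of the query. Returns the
    matching user names, or the string 'SQL error' when the input breaks the
    query outright (a legitimate apostrophe in a name does this too)."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return "SQL error"


def find_user_parameterized(conn, username):
    """The corrected form: the form value is bound as a parameter, so the
    database treats it purely as data whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on a fresh database and return (unchecked, parameterized)."""
    conn = make_db()
    return find_user_unchecked(conn, username), find_user_parameterized(conn, username)


if __name__ == "__main__":
    # Constructed form inputs: an ordinary name, a name with an apostrophe,
    # and a value containing a quote that alters the unchecked query.
    for value in ("alice", "O'Brien", "' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

The unchecked lookup returns every user for the quote-bearing input and fails on an ordinary apostrophe, while the parameterized lookup returns exactly the rows whose username equals the input in both cases. Validation of form content is still worthwhile, but binding parameters is what keeps the query's structure fixed.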
So now the million dollar question is whose responsibility it is in the blame game between the client and the hosting company. In the strict sense, all responsibility for the data and its security lies with the client. The same is emphasized in our Service Level Agreement (SLA). One may question why this responsibility is so one-sided. The primary reason is that the inherent nature of the Internet does not allow us to give any guarantees/commitments. Also, most of the issues highlighted above result from problems on the client's side, such as their local PCs. But that is not to say we are not concerned with your data and its security. Of course we are concerned at a goodwill and business level, but it is never going to be at a legal level.
Some important links in furtherance of this article:
- PH-777 - Manage permissions from within cPanel
- Security: ModSecurity - Security vs Usability
- Basic but Important Steps to Avoid / Prevent Malware
- File Uploading - The Safer Way (PHP Module)