In Part 1, we looked at security isolation as a technical solution for preventing infections on one site spreading to neighboring sites in multi-site hosting systems. In Part 2, we'll consider other non-technical ways to beef up multi-site protection.Site security = technical protection + organizational measures
Implementing organizational security measures alongside technical protection minimizes the risk of hacker intrusion.
However, experience tells us that for some web projects, this is difficult or even impossible. A big threat is with fast-moving web projects, where many specialists work simultaneously. For example, it is difficult to know whether:
It is difficult to check that organizational security measures are being followed, and as the difficulty increases, so does the security risk. This is a particular concern in rapid web project developments, where many specialists need system access. Such projects should use separate or temporary short-term accounts with restrictive access rights. They should remain separate from mature projects to prevent them from damage.
An alternative is to completely transfer the running of problematic sites to specialized companies, experts in applying organizational security protection measures to the management of multi-site installations.A Case Study
I have seen many cases where Internet agencies or web studios suffer significant losses because of vulnerable sites run by one of their clients. I have also seen cases of damage caused by careless freelancers engaged in contract work. The following situation is sadly typical.
What do customers do in this case? They blame the agency, of course!
The agency doesn't understand how it could it happen. How could all sites suddenly become infected? They begin an analysis of the server.
They may find a client's login credentials were stolen and used by an attacker. The attack first compromised the client's site, then moved onto other sites. Or, a site had not updated its CMS for a long time. As a result, it suffered a malicious campaign (i.e. a no-purpose attack), which later infected neighbors on the same account.
Even experienced webmasters often have problems. To reduce hosting costs, and to make site administration easier, they may decide to transfer all their sites to a single, multi-hosting account, one without security isolation. Unfortunately, such behavior brings little profit. Any financial gain is eclipsed by the costs of site restoration and repair after a hacking event.
The star of our last sad story is a webmaster who had for many years been successfully supporting dozens of client sites running the WordPress CMS. Everything was going well until a new client came along with a site running on Joomla. It's a sad story because this webmaster had no protection installed for Joomla. As expected, the site fell victim to hacking and all neighboring sites were infected.Summary
About the author: Gregory Zemskov is a cybersecurity samurai and founder of Revisium.com, now part of Imunify360, where Greg is Project Manager.
Imunify360 is a complete security solution for web hosters. To learn more, visit Imunify360.com.