
Foregenix Blog

Mike Hinton

Is My Hosting Provider Protecting My Website?

Recently, it was discovered that the data of over 14 million Verizon customers, including PINs, had been exposed on an unprotected web server. Three million WWE fans' personal information was left exposed when it was discovered on an unprotected web server. Both of these took place in the same month. It happens more often than you'd think, and the solution can be as simple as talking to your hosting provider.

An unprotected web server potentially leaves customer card data and other sensitive information vulnerable to a breach. Most hosting providers will supply their clients with a basic firewall, which, whilst useful, will not completely protect the website. By their nature, firewalls are built to protect a network. For example, your firewall at home can be set up to stop any external access to your computers. However, in order to let people visit your website, you can't have a firewall that blocks all access. If you did, you'd end up with a dead website and zero business.


People need to be able to get through the firewall to see the content you're offering. Not all of these people are going to be good; some of them will have malicious intentions. This is where a Web Application Firewall (WAF) comes in.

A basic network firewall is usually configured to inspect only the basics of any network packet; this is known as Stateful Packet Inspection (SPI). These basics include the destination IP address, the port number, whether the packet belongs to a valid session, and information located within the packet header and footer.

An SPI firewall simply controls the incoming traffic and will not prevent threats such as spyware, adware, Trojans or other malware delivered inside otherwise innocuous-looking web browsing, as the content of the packets is not inspected. Intelligent network firewalls are available which provide Deep Packet Inspection (DPI), where not only are the packet header and footer inspected, but the data part of the packet is also searched and compared against a set of pre-defined rules.

These types of advanced network firewalls will protect against certain types of known malware, Trojans and spyware (depending on the rule configuration), but will not protect against application-based attacks such as SQL injection, Cross-Site Scripting or brute-force attacks. These are regularly seen by the Foregenix forensics team as the root cause of most eCommerce website breaches.

A WAF (Web Application Firewall), however, is able to determine the exact intention of the HTTP(S) content at the application level, filtering out illegitimate traffic based on rule sets. This makes the WAF considerably more versatile when protecting your web environment.

WAFs are often used to monitor the information being input into a web form or search tool. The WAF will be able to detect whether the data being input is legitimate or malicious (assuming it is configured correctly). For example, dates, post codes and product information may all be legitimate. But if code is entered into that form with the intention of manipulating the application, it can sometimes exploit weaknesses that give direct access to the database behind it.

Having an additional layer of checks against the data being input will defend against things like database injections and buffer overflows. Having something at the application level validating input into the web fields becomes critically important, especially when sensitive data is involved. No single firewall solution can provide your server with complete, all-round protection, as it is vulnerable to both network and application attacks. Therefore, it is vital to have protection from both a network firewall and a web application firewall to achieve the ultimate defense in depth.
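The field checks described above, as an added example that is not from the article or from Foregenix: a minimal WAF-style rule engine in Python that applies an allow-list to the fields a form legitimately expects (dates, post codes, product codes) and deny-list signatures to free-text fields such as a search box. The field names, patterns and sample submissions are constructed for illustration and are far simpler than a production rule set.

```python
import re
from dataclasses import dataclass

# Allow-list rules for fields the form legitimately expects (constructed
# example patterns; a real deployment tunes these per site and per field).
ALLOW_RULES = {
    "order_date": re.compile(r"\d{4}-\d{2}-\d{2}"),                      # ISO date
    "postcode":   re.compile(r"[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}", re.I),  # UK post code
    "product_id": re.compile(r"[A-Z0-9-]{3,20}", re.I),                  # catalogue SKU
}

# Deny-list signatures for the application-layer attacks the article names.
# Deliberately simple; \b on the event-handler check avoids flagging "contact=".
DENY_RULES = [
    ("sqli", re.compile(r"""['"]\s*(or|and)\s+[\w'"]+\s*=\s*[\w'"]+|union\s+select|--\s*$|;\s*drop\s+table""", re.I)),
    ("xss",  re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)),
]

MAX_FIELD_LEN = 256  # length guard: oversized input is rejected before any pattern work


@dataclass
class Verdict:
    allowed: bool
    field: str = ""   # offending field, if any
    rule: str = ""    # which check rejected it


def inspect_form(fields: dict) -> Verdict:
    """WAF-style check of submitted form fields: length guard, then the
    allow-list for known fields (wrong shape is rejected outright), else
    the deny-list signatures for free-text fields such as a search box."""
    for name, value in fields.items():
        if len(value) > MAX_FIELD_LEN:
            return Verdict(False, name, "length")
        allow = ALLOW_RULES.get(name)
        if allow is not None:
            if not allow.fullmatch(value):
                return Verdict(False, name, "allow-list")
            continue
        for rule_name, pattern in DENY_RULES:
            if pattern.search(value):
                return Verdict(False, name, rule_name)
    return Verdict(True)


# Constructed sample submissions: one legitimate order, three hostile ones.
LEGIT = {"order_date": "2018-02-14", "postcode": "SN1 1AA",
         "product_id": "SKU-1234", "search": "blue trainers"}
SQLI_SEARCH = {"search": "' OR '1'='1"}
XSS_SEARCH = {"search": "<script>alert(1)</script>"}
BAD_POSTCODE = {"postcode": "SN1 1AA; DROP TABLE orders"}
```

Note that the allow-list is the stronger control: a post code field never reaches the deny-list at all, because anything that is not shaped like a post code is rejected regardless of whether it matches a known attack signature.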

So, in answer to our headline question, 'Is my hosting provider protecting my web server?', the response is: possibly, but most likely only at the network layer. Naturally, websites that get breached have hosting providers, as otherwise they wouldn't be trading online. Most hosting providers will tell you that a network firewall is enough to keep you protected, but this is not the case. A Web Application Firewall offers the extra layer of protection needed to keep you secure. If you're only running a WAF or only a network firewall, you're susceptible to attack; both are required to fully protect your website. It doesn't take long to find out what's protecting your website, and it could save you the cost of a breach.
