John Pescatore - SANS Director of Emerging Security Trends
Rogue IT has seen the benefit of using the cloud, too!
This week’s Drilldown will focus on an item (included below) from NewsBites Issue 12, reporting that three small web hosting companies were compromised and one (No Support Linux Hosting, whose name alone should have been a warning...) immediately ceased business operations.
Now you might look at this news story and think, "Anyone using a company with 'No Support' in the business name who only charges $1/month and who in 2011 was hacked and deleted all customers' data, well, they deserved what they get." But if that thought is running through your head, this thought should quickly follow: “I better check that we weren't using it."
Rogue IT is just that: rogue. If IT is too slow to respond to a need, it isn't unusual to see business units go directly to cloud services and third-party integrators/developers to quickly test something out or even bring it to market. It is bad enough when they go to trustable services like AWS, Azure, Google Cloud Platform, etc., but real rogue IT often wants to evade the procurement cycle and will be able to directly pay for very low-cost services out of available funds that fly below approval levels.
It is not enough to give science fiction writer Robert Heinlein's famous "TANSTAAFL" (There Ain't No Such Thing As A Free Lunch) warning unless you can detect those people or business units that ignore the warning.
The best possible solution is to have a rapid but secure-enough option available, such as funding CIS Hardened Images on AWS with added monitoring, and work with IT to provide technical support to get any business unit going that has a quick reaction need.
If that is not possible, most URL filtering/secure web gateways, such as Zscaler, have categories for web hosting URLs that you can use to block or at least monitor for internal access. Another approach is data leak monitoring on all databases hosting sensitive information and investigation of all external URL connections.
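As an added illustration of the monitoring approach described above (this is example code written for this page, not SANS or Zscaler code), the script below walks a set of constructed proxy log lines, keeps only destinations the gateway tagged with a hosting category, drops anything on a sanctioned allowlist, and ranks what remains by upload volume so the largest egress to unsanctioned hosts surfaces first. The log format, the category names, the department field and all hostnames are assumptions made for the example; a real gateway export will need its own column mapping.

```python
"""Surface unsanctioned web-hosting destinations in proxy logs (constructed example)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample proxy log lines; the column layout is assumed, not a
# real gateway export format. Fields:
#   timestamp,src_user,department,dest_host,url_category,bytes_out
SAMPLE_LOG = """\
2021-02-09T08:01:12Z,alice,marketing,cdn.example-saas.test,SaaS,1200
2021-02-09T08:03:45Z,bob,marketing,panel.cheaphost.test,Web Hosting,48000
2021-02-09T08:04:10Z,bob,marketing,panel.cheaphost.test,Web Hosting,910000
2021-02-09T09:15:00Z,carol,finance,api.approved-cloud.test,Cloud Infrastructure,3000
2021-02-09T10:22:31Z,dave,sales,ftp.budgetvps.test,Web Hosting,2400000
2021-02-09T11:00:00Z,erin,finance,db-sync.budgetvps.test,Web Hosting,5100000
"""
FIELDS = ["timestamp", "src_user", "department", "dest_host", "url_category", "bytes_out"]

# Assumed category labels for hosting providers; map these to whatever
# names your own gateway uses.
HOSTING_CATEGORIES = {"Web Hosting", "Cloud Infrastructure"}

# The sanctioned "fast path" destinations (the secure-enough option the
# post recommends funding). Traffic to these is expected and not flagged.
APPROVED_HOSTS = {"api.approved-cloud.test"}


def parse_log(text):
    """Parse the constructed CSV log into dicts with an integer byte count."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["bytes_out"] = int(row["bytes_out"])
        rows.append(row)
    return rows


def unsanctioned_hosting(rows):
    """Group hosting-category traffic to non-approved hosts by (department, host).

    Returns {(department, dest_host): {"users": set, "bytes_out": int, "hits": int}}.
    """
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0, "hits": 0})
    for r in rows:
        if r["url_category"] not in HOSTING_CATEGORIES:
            continue  # not a hosting destination, nothing to review
        if r["dest_host"] in APPROVED_HOSTS:
            continue  # sanctioned provider, expected traffic
        f = findings[(r["department"], r["dest_host"])]
        f["users"].add(r["src_user"])
        f["bytes_out"] += r["bytes_out"]
        f["hits"] += 1
    return dict(findings)


def rank_by_egress(findings, threshold_bytes=1_000_000):
    """Order findings by upload volume, largest first, and flag those over a threshold.

    Large outbound volume to a cheap hosting provider is the signal that a
    database or file share may have been copied there; the threshold is an
    assumed tuning value.
    """
    ranked = sorted(findings.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    return [
        (dept, host, f["bytes_out"], f["bytes_out"] >= threshold_bytes)
        for (dept, host), f in ranked
    ]


if __name__ == "__main__":
    for dept, host, nbytes, over in rank_by_egress(unsanctioned_hosting(parse_log(SAMPLE_LOG))):
        flag = "INVESTIGATE" if over else "review"
        print(f"{flag:12s} {dept:10s} {host:28s} {nbytes:>10d} bytes out")
```

The output is a short worklist rather than an alert per request: each row is one department-to-host pairing, so a business unit that has quietly started syncing a database to a budget VPS shows up once, at the top, with the total volume that justifies the investigation.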
Bottom line: Cloud services and inexpensive hosting providers are force multipliers for rogue IT. Providing and marketing secure options to those likely to go rogue is the proactive solution. Lacking that, taking advantage of existing monitoring and blocking capabilities can support rapid detection before the excrement hits the ventilator.
Web Hosting Company Shuts Down After Cyberattack
(February 9, 2021)
A web hosting site has decided to shut down operations after "a hacker successfully compromised all the servers [they] use to operate [their] business." A message posted on its site urges customers to download backups of their websites and databases through cPanel. The company did not provide details about the attack. However, TorrentFreak has reported that two other hosting sites, both of which "provide IPTV services to pirate streaming sites," have recently suffered similar attacks.
[Neely] Make sure that you have a plan for recovery if your hosting provider suffers a catastrophic failure. Verify that you not only have backups enabled, but you also know how to retrieve them and restore the services backed up. Test this capability before you need it and verify your provider's DR process. The cost of the backups will be less than the cost of recovery from scratch.
[Pescatore] I really wish this item said, "All customers of a web hosting company that had been completely compromised by attackers cancelled their services, resulting in the web hosting company going out of business." I can't say I know how business decisions are made at "pirate streaming sites," but all too often cloud or other outsourced hosting services are chosen by lowest bid instead of the superior approach of security being evaluated and being a go/no-go decision rule.
Read more in:
ZDNet: Web hosting provider shuts down after cyberattack
TorrentFreak: Hacker Blackmails Pirate IPTV Services, Threatens To Send User Data To Police