Web Hosting: The Weakest Link

Tue, 18th July 2017, 22:12

In The Age of Automation, the Weakest Link is Man

Earlier this February, you could be forgiven for having the impression that the internet itself was falling apart. A number of popular websites and consumer tools seemed to crash all at once, leaving affected users, and especially administrators, scrambling for answers. The culprit? A single engineer at Amazon Web Services, the titan of web infrastructure through which up to 70% of all global traffic flows. The error was simple enough: a botched command intended to remove a handful of sluggish servers for maintenance instead swallowed up key subsystems underpinning a huge portion of S3 server processes. The problem was quickly fixed, and Armageddon itself was postponed for another day, but the swift impact goes to show the damage that can be done by an individual mistake, and to err is human.

Human frailty may be an occasional pitfall for simple maintenance, but it’s the Achilles’ heel for security. Verizon’s latest Data Breach Digest suggests that fully 90% of all data-loss incidents involve some form of phishing or social engineering. The recent spate of ransomware attacks has mostly depended upon carelessness in the face of spear phishing campaigns, as in the case of a Canadian firm forced to pay $425,000 after tainted PDFs posing as shipping invoices infected their systems. That, combined with a handful of unpatched databases, was enough to expose the entirety of their data stores to the attackers.

That payment pales in comparison to the cool $1 million extracted from South Korean webhost Nayana after vulnerabilities were found on their servers… running Apache 1.3 from 2006. (They were probably better off with their previous system: cuneiform-based servers from 3200 BCE.)

There is an unavoidable tradeoff in webhosting when it comes to questions of uptime and security. The smart money is of course on larger firms, since smaller outfits simply lack the capital and the latitude to maintain the kind of 24/7 crisis response and automated infrastructure necessary to respond to threats and errors in real time. But the challenge introduced by these ever-expanding giants is the uniform decision to outsource and underpay technicians with critical roles in server infrastructure, giving them ample opportunity to cash in on a growing trend of digital hostage-taking.

A smaller team may be less limber than a larger one, but a tighter net has historically been one of the best protections against social engineering, and a small core of adequately compensated employees is much less exposed to the kind of internal attacks that large companies are so vulnerable to. There’s no perfect solution: bigger may be stronger in the grand scheme of things, but ultimately you’re only as strong as your weakest link.