Is There Anybody Out There?

UK-based Vaserv.com, a large international Internet Service Provider (ISP), said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application. Vaserv specializes in low-cost web hosting using Virtualized Private Servers (VPS) created with LXLabs’ HyperVM.

Technicians were still scrambling to recover data on June 8th, more than 24 hours after unknown hackers were able to gain root access to the company’s system, Rus Foster, the company’s director, told The Register. He said the attackers were able to penetrate his servers by exploiting a critical vulnerability in HyperVM.

Some 50 percent of Vaserv’s customers signed up for unmanaged service, which doesn’t include data backup, Foster said. It remains unclear if those website owners will ever be able to retrieve their lost data, he said. As a result, at least half the websites that were hosted on the site remain offline.

In an earlier post entitled “You Do Take Offsite Backups, Right?”, I mentioned how Avsim.com lost 12 years of content because they didn’t take offsite backups. In this case, Vaserv did have offsite backups, but only for customers who paid for managed service because those with unmanaged service were expected to take their own backups. I’m guessing that conversations were held about whether it was cost-effective to pay the extra charges for managed service, and perhaps the risks of saving a few dollars were not well understood.

For many individuals and companies, managed service for a simple web site is an unneeded luxury. By their very nature, HTML web pages have offsite backups in the workstation where the pages were created because HTML, along with Java, JavaScript, PHP, and other web languages, are not compiled but are interpreted from their source code. If my web site were destroyed, one press of a button would tell Dreamweaver to recreate it from my local copy. In fact, this is how I moved my site from one ISP provider to another. (Note to self: your competition is one click away.)

However, what cannot be recovered is content which is created on the web page itself. For example, all of my blog posts and the comments made by readers are stored directly in a database on the web server hosted by my ISP. Unless I take my own backups, I will not have a copy if something happens to my web server. Similarly, many ecommerce sites store their inventory levels directly on their web servers, debiting them as items are sold and crediting them as items are received. Amazon and eBay are examples of companies where most of their business resides in their web servers, and if you are using Google Docs, your business resides in Google’s servers!

Which brings me to one of my first blog posts, Cloud Computing – Who’s watching your back? If you are computing in the cloud (and even a remotely hosted web server is in the cloud) do you know what your service level agreement says about data protection? There are dozens of questions to ask your ISP or cloud provider, including:

  • Who is responsible for backing up my data?
  • How often does it get backed up (RPO)?
  • How soon can it be recovered (RTO)?
  • How do you avoid corruption or out-of-sync issues when backing up open databases?

If you don’t know the answers to each of these questions, and the others in the original post, you better have a darn good continuity plan or have your resume ready to submit to companies in another state. Loss of key data can mean loss of your company – and it’s not that hard to determine what risks you face and how to mitigate them. You just need to ask the right questions and take action on the answers. Class dismissed.

Ron LaPedis, MBCP, MBCI, CISSP-ISSAP, ISSMP
Principal
Seacliff Partners International, LLC


1 Comment to “Is There Anybody Out There?”

  • Doug Skinner says:

    Good heavens! It’s always surprising to me that more business executives don’t take note and make the small upfront commitments. This is a perfect example you’ve outlined for us Ron. Otherwise, they’re mortgaging their future and jeopardizing their reputation. Those that control the purse strings better understand the risks associated with Virtualization and Cloud Computing; and, we as security solution providers need to offer comprehensive and tailored risk reward mitigation services. When these efforts happen, we should be able to move bravely into the future of increased virtualized environments, applications, and cloud data stores.
