Actually, I do believe that NAI should be held accountable and not the ISP just
because they outsource their hosting. These are NAI systems and they should be
held accountable. This is a trap many people seem to be falling into with
outsourcing hosting. When you host a system at their site remember it is
still YOUR system and you are responsible for it.

When I had my first dealing with an ASP hosting company, here are a couple of
the questions I asked:

How was the network set up? Of course the salesperson didn't know and I
insisted on talking to their technical staff.
What type of firewall did they use?
What OS was on the system?
How often do they apply patches or hotfixes? I then had them put in the
contract that they would notify us of patches being applied. I would double
check on patches myself and send them an email to apply one I thought should
be on the system if they didn't notify me.
What type of logging was on the system? They didn't even enable it normally,
but I made them put that in the contract too, that they would enable it.
I asked them to make available the system logs for us to review each day so
we could double check their work.
What type of IDS they had instead, which was none, but they were working on
it.
What are the scheduled down times and how is notification of it to happen?
They stated that we would have a service agreement guaranteeing that our
uptime would be 99.99% or better, yet after talking to them more I found
they did not log any outage less than 1 hour. This meant the system could be
down every half hour every hour of the day and they would record no downtime
on the system. This is why I asked for the logs and had the contract amended
to include all downtime.

There are more than this, but this is just a start to give you an idea of
questions you should be asking any company that wants to host your systems,
especially critical systems like the company's web server or other critical
applications.


Jeff Deitz
Systems Architect
Vision Service Plan
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 05, 2000 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: NAI & McAfee website hacked.


To be fair, it was an external hosting company that was hacked, and not an
NAI network or host. A lot of companies seem to be falling into this trap -
external hosting means you don't have to maintain hosts and web server staff
on your site, but it also means that your name is out there on servers that
you can't be sure are properly secured. Given the potential for damage to
reputations, I'm not convinced that the financial savings are worth the
risk.

(I don't know exactly which bug it was that was exploited, but according to
the NAI spokesperson, it was something for which a patch was issued on Nov
7th, which was a rather long time ago in security terms.)

http://www.wired.com/news/business/0,1367,40445,00.html

Mike

----
Michael Owen
IT Security Engineer
NET-TEL Computer Systems Ltd
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
