I've been researching web defacement trends lately and realized that most (higher percentage) defacements appear to be performed on servers in a hosted facility (such as Interland, Iquest, OLM, Digex etc) furthermore as most of the sites appear to be related to small business I assume they are on shared hosted boxes.
Is there anyone on the list in the ISP/Hosting provider world that can answer who is responsible for security in this configuration? I realize that some hosting providers offer additional managed security services, but for those that don't and offer shared (multiple sites on 1 box) hosting do they just secure the box and let their clients control their environment? Therefore leaving their customer in charge of their own security for their site? If indeed this is a bit of a gray area, is there any documented legal proceedings that have held the ISP liable for the lack of security on a hosted site? Thanks in advance for your assistance.
