How CiviHosting Ensures Web Hosting Security: Q/A with Account Manager David Feldman

Roberto Popolizio Roberto Popolizio

SafetyDetectives spoke with David Feldman, Account Manager at CiviHosting.

We looked at the security measures implemented in their web hosting solutions, the current state of security in the web hosting industry, and what site owners should do to keep their websites and data safe from hackers.

What hosting services are you currently offering?

CiviHosting offers three types of hosting:

  1. Shared
  2. VPS
  3. WebApps

At the moment we offer VPS, Web Apps, and shared hosting packages, all hosted on Linux servers. Shared hosting is great for small to medium-sized sites that don’t want to spend too much for hosting and don’t mind sharing a server with other accounts, but we provide several levels of shared hosting for various site sizes.

VPS accounts are better for individuals that want more power, resources, and flexibility. These also come with accounts in a variety of sizes.

Finally, our Web Apps accounts, which are our newest product, are provided in two sizes. These are the sort of accounts that support technologies such as Node.js and MongoDB. People asked for them, so we worked to meet their demands.

What security measures have you implemented to protect your customers’ data?

We have a set of security measures in place. One by one, here they are, insofar as information I am at liberty to share:

Virtual Security

We have three teams who actively monitor our servers and maintain the security of our systems. Security tests are also performed regularly by our QA and admin teams, and we monitor our servers and our networks 24 hours a day, 7 days a week, 365 days a year.

We monitor them to maintain them always online and healthy, by watching out for server abuse, security breaches and we consistently catch spammers who try to use your site as a spam relay. Monitoring systems include automated ones (Linux daemons) and human ones. So far we have maintained 99.9% server uptime since 2007.

Our virtual security includes:

  • 24/7 server monitoring team
  • No SSH access by default
  • No remote access to MySQL (by default)

Employee access is logged and passwords are strictly regulated. We limit access to customer data to only a few selected employees with the highest clearance who need access in order to provide support and troubleshooting on our customers’ behalf. Besides that, accessing data center information as well as customer data is done on an as-needed only basis, and only when approved by the customer (i.e. as part of a support incident), or by senior security management to provide support and maintenance.

At the time of writing this, we are still not aware of one case of a data security breach.

Physical Security

CiviHosting’s data centers are protected by some of the most powerful physical security systems available, including:

  • Advanced smoke detection and fire suppression systems
  • 24/7 secured access with motion sensors, video surveillance and security breach alarms

Spare Servers

We keep a spare/standby server in each server rack. If a production server fails, it will be immediately replaced by a spare server, and the latest backup will be restored.

Refusal of service

CiviHosting reserves the right to refuse hosting for insecure applications that could be, for instance, utilized by an attacker to gain unauthorized access to the server and/or execute applications with the privileges of the customer that has uploaded the insecure application in question.

Customers are responsible for keeping their applications up-to-date, checking for security issues with the application vendor, and updating to the latest secure version that is available. In the event that an insecure application is installed on the hosting account of the customer, CiviHosting reserves the right to disable access to it, or, if deemed necessary, to the hosting account in its entirety. This will be with the exclusive purpose of preventing damage to the customer and to the other customers hosted on the same server, and may be done with or (in case of emergency) without prior notice.

CiviHosting also reserves the right to impose restrictions or fully suspend any of the services provided to customers, in case the operation of these services threatens the overall security and stability of the hosting system, and/or the proper operation of other customers’ accounts/services.

Violation of any of CiviHosting’s Terms could result in a warning, suspension, or account termination. Submitting fake personal information can also be grounds for suspension or termination.

What strategies do you employ to ensure the resilience and recoverability of your web hosting infrastructure in case of potential breaches or downtime?

Here are the strategies we implement to safeguard our services and maintain uninterrupted operations:

  • Redundancy and Failover Systems: We deploy redundant systems and failover mechanisms to ensure that if one component fails, traffic can be seamlessly redirected to backup systems, minimizing downtime.
  • Regular Backups: We perform regular data backups, storing copies in physically separate locations. This allows us to restore services quickly in case of data loss due to breaches or other incidents.
  • Disaster Recovery Plans: We have comprehensive disaster recovery plans that outline step-by-step procedures for restoring services in the event of a breach or catastrophic event. These plans are regularly updated and tested.
  • Intrusion Detection and Prevention: We employ advanced intrusion detection and prevention systems that continuously monitor network traffic for suspicious activities. This enables us to identify and mitigate threats promptly.
  • Security Information and Event Management (SIEM): We utilize SIEM tools to centralize and analyze security logs, providing real-time insights into potential security incidents.
  • Penetration Testing and Vulnerability Assessment: We conduct penetration testing and vulnerability assessments to identify weaknesses in our systems. This proactive approach allows us to address vulnerabilities before attackers exploit them.
  • Regular Security Updates: We promptly apply security patches and updates to our systems and software. This helps close potential entry points for attackers leveraging known vulnerabilities.
  • Incident Response Team: We maintain a incident response team that is well-prepared to handle security incidents. This team follows a well-defined process to contain, analyze, and mitigate potential threats.
  • Communication Protocols: In the event of a breach or downtime, we have clear communication protocols to keep stakeholders, including customers, informed about the situation, steps taken, and estimated recovery time.
  • Training and Skill Enhancement: Our security teams undergo regular training and skill enhancement programs to stay updated with the latest threat landscapes and best practices.
  • Continuous Improvement: We continuously review and enhance our security measures based on lessons learned from incidents, emerging threats, and industry developments.

By implementing these strategies, we ensure that our web hosting infrastructure remains resilient and capable of withstanding cyber threats. Our goal is to minimize the impact of breaches and downtime while providing a secure and reliable hosting environment for our customers.

What tools and practices do you suggest to individuals and businesses in order to prevent and mitigate cyber attacks?

Here are some of our recommendations for a combination of tools and best practices that enhance internet security and mitigate cyber attacks for both individuals and businesses:

1. Strong Passwords and Multi-Factor Authentication (MFA): Encourage the use of complex passwords that combine letters, numbers, and symbols. Implement MFA wherever possible to add an extra layer of security.

2. Regular Software Updates: Frequently update operating systems, applications, and plugins to patch vulnerabilities that attackers may exploit. This is vital for popular web software, such as WordPress.

3. Firewall and Intrusion Detection Systems (IDS): Install firewalls to monitor and filter incoming and outgoing network traffic. Combine them with intrusion detection systems to identify suspicious activities.

4. Secure Wi-Fi Networks: Use strong encryption (WPA3) and change default router passwords. Regularly review connected devices and remove unauthorized ones.

5. Employee Training and Awareness: Educate employees about cyber threats, phishing, and social engineering tactics. Regular training can help prevent human error-related breaches.

6. Data Encryption: Encrypt sensitive data both during storage and transmission. This reduces the risk of data leaks if unauthorized parties gain access.

7. Backup and Recovery Plans: Implement robust data backup solutions and disaster recovery plans. Regularly test these backups to ensure data can be restored if attacked.

8. Network Segmentation: Segment networks to limit the impact of breaches. Critical systems should be isolated from less sensitive ones.

9. Web Filtering and Content Security: Use web filtering tools to block access to malicious or inappropriate websites. Employ content security measures to prevent data loss.

10. Vulnerability Assessment and Penetration Testing (VAPT): Regularly perform vulnerability assessments and penetration tests to identify weaknesses and fix them before attackers exploit them.

11. Incident Response Plan: Develop an incident response plan that outlines steps to take in case of a cyber attack. This helps minimize damage and ensure a coordinated response.

12. Third-Party Risk Management: Evaluate the security practices of third-party vendors and partners. Weak links in the supply chain can lead to vulnerabilities.

13. Compliance with Regulations: Stay informed about relevant industry regulations and standards. Complying with these helps maintain a baseline of security.

14. Security Audits and Monitoring: Conduct routine security audits and implement continuous monitoring to detect and respond to threats in real time.

By implementing these tools and practices, you can significantly reduce the risk of cyber attacks and enhance overall internet security.

How do you stay updated with the latest security threats and vulnerabilities in the web hosting industry?

Staying informed about the latest security threats and vulnerabilities in the web hosting industry is crucial to maintaining a robust security posture. Here’s how to stay updated and some recommended resources.

1. Security News Websites: we regularly visit websites dedicated to cybersecurity news, such as:

  • KrebsOnSecurity
  • Dark Reading
  • Threatpost

2. Vendor Security Advisories: we subscribed to security advisories from web hosting providers, software vendors, and technology companies you rely on. They often release updates about vulnerabilities and patches.

3. Blogs and Articles: Follow security experts and researchers who publish blogs and articles related to web hosting security. Examples include:

  • Troy Hunt’s Blog
  • Graham Cluley’s Blog

4. Security Podcasts: we listen to podcasts that discuss the latest cybersecurity news, threats, and best practices. Some notable options are:

  • Security Now
  • Risky Business

5. Security Conferences and Webinars: Attend webinars and conferences focused on cybersecurity and web hosting. They often cover the latest threats and provide insights from experts.

6. Online Communities: Join online forums and communities dedicated to cybersecurity discussions. Reddit’s /r/netsec is a good example.

7. CERT and Security Organizations: Follow Computer Emergency Response Teams (CERTs) and security organizations that provide alerts and updates on vulnerabilities:

  • US-CERT
  • CERT/CC

8. Industry Newsletters: Subscribe to newsletters that curate cybersecurity news and insights. Examples include:

  • SANS NewsBites
  • The Hacker News

9. Social Media and Twitter: Follow cybersecurity experts, organizations, and industry influencers on platforms like Twitter for real-time updates.

10. Security Research Reports: Keep an eye on research reports published by security companies and organizations, such as those by Verizon Data Breach Investigations Report (DBIR), and vpnMentor.

Note: Staying updated requires a proactive approach, as threats and vulnerabilities evolve rapidly. Combining a mix of these resources will provide you with a comprehensive understanding of the latest security landscape in the web hosting industry. Remember to verify information from multiple trusted sources before taking action based on it.

What security challenges and exciting developments do you see in the future of web hosting, and how do you plan to cope?

In the future of web hosting, there are both security challenges and exciting developments that will shape the industry. Here’s some ideas of some of these trends and how to cope with them:

Security Challenges:

  1. IoT and Edge Computing Security: As the Internet of Things (IoT) and edge computing grow, securing the vast network of interconnected devices becomes critical. Ensuring these devices are adequately protected from cyber threats presents a significant challenge.
  2. Sophisticated Cyber Threats: Threat actors are continually evolving their tactics, leading to more advanced and targeted attacks. The future will likely see an increase in sophisticated threats that can bypass traditional security measures.
  3. Cloud Security and Shared Responsibility: With the adoption of cloud hosting, understanding the shared responsibility model for security becomes crucial. Businesses need to ensure their applications and data are secure within cloud environments.
  4. Regulatory Compliance and Privacy: Web hosting providers must navigate evolving data protection regulations and privacy laws to ensure compliance with varying global standards.

Exciting Developments:

  1. Zero Trust Architecture: The adoption of zero trust architecture, which emphasizes strict identity verification and continuous monitoring, promises to enhance security by assuming no user or device is inherently trusted.
  2. AI and Machine Learning in Security: The integration of artificial intelligence and machine learning can provide real-time threat detection and response, helping identify patterns and anomalies that humans might miss.
  3. Blockchain for Security: Blockchain technology has the potential to improve data integrity and authentication, reducing the risk of data tampering and enhancing trust.
  4. Enhanced Data Encryption: Advances in encryption techniques will lead to better protection of sensitive data, both at rest and in transit.

Coping Strategies:

  1. Continuous Learning: Stay updated on the latest security trends, vulnerabilities, and technologies through continuous learning. Invest in professional development and training.
  2. Collaboration and Information Sharing: Engage with the cybersecurity community, attend conferences, and participate in forums to share insights and strategies for coping with emerging threats.
  3. Adopt Emerging Technologies: Embrace AI, machine learning, and other emerging technologies to enhance threat detection and response capabilities.
  4. Multi-Layered Defense: Implement a multi-layered security approach that combines various tools and practices to safeguard against diverse threats.
  5. Compliance and Regulations: Stay informed about changing regulatory requirements and ensure your hosting services adhere to data protection laws and compliance standards.
  6. Agile Security Frameworks: Develop agile security frameworks that allow you to adapt quickly to new threats and technologies.
  7. Vendor and Third-Party Risk Management: Vet third-party vendors and partners to ensure their security practices align with your own.
  8. User Education: Educate users about security best practices, such as strong password management and recognizing phishing attempts.

By staying informed, collaborating with peers, and embracing innovative solutions, you can navigate the evolving landscape and protect your infrastructure, data, and users effectively.

About the Author

About the Author

With over 13 years of experience in managing digital publications, Roberto has coordinated over 5000 interviews with the biggest names in cybersecurity, AI, cloud technology, and SaaS. Using his knack for communications and a growing network of cybersecurity leaders, he provides newbies and experts alike with beyond-the-fluff online privacy tips, and insider perspectives on the ever-evolving tech world.

Leave a Comment