Intermix with Integris #119

Website Security Issues

With Jed Fearon
Solution Advisor at Integris
January 6, 2022

We’re back for the new year with a new name. That’s right: Discussions by Domain is now The Helpdesk. If you missed us during our break, we’re getting right back in the swing of things with new episodes! Kickstarting the relaunched podcast is Jed Fearon, a Solution Advisor in Integris’ Atlanta office. Jed and Anthony talk about how your website may be a weak point in your security procedures.

Check out the transcript below and listen along with the embed, Spotify, Apple Podcasts, or your favorite podcast app.




Anthony DeGraw: Welcome everybody to Integris’ podcast.

This is the first episode as full Integris. After our cybersecurity webinar, we did as a group of companies together back in October for Cybersecurity Awareness Month. Today, I have Jed Fearon on. Jed’s from our Atlanta office and produces a significant amount of written content for us, and now audio/video podcast content with us.

So Jed has a couple topics that we’re going to do almost a weekly series on Jed, just coming to the table with, on a weekly basis and recording some stuff that’s top of mind from the research Jed’s done, or any of the things that have come up in the news. And he’s going to ask me about it, and him and I are going to go back and forth in this type of conversation.

And hopefully that, with what’s coming up, the events, the different things we’re doing. Hopefully we’re answering some of the questions that are top of mind for all of you folks out there. So Jed, welcome to Integris’ podcast. Thanks for coming on and doing this with me. I’m gonna let you take it away from here.

Jed Fearon: Thank you very much, Anthony. And thank you for everybody who’s tuning in. Today’s topic is website hosting security issues and what you can do to fix them. And we think this is important because a lot of our MSP clients have third-party web hosting services. So we think we need to set the stage for what could potentially go wrong.

Between what’s happening at your web hosting company and how an infiltration of their assets could potentially lead to an infiltration of your IT systems. And Anthony is going to troubleshoot with me, do a little brainstorming to see if we can come up with a few takeaways to be safer with those two different worlds, if you will.

Website host renewal and breach

Anthony DeGraw: Absolutely. Yeah. there’s a couple of things we see out there. Jed, there’s a few. One, a company is hosting their own web servers or, they’re doing it themselves, or they purchased a subscription with a third-party just doing that, and you’ll see credit cards go offline.

So the account doesn’t get renewed. You’ll see those credentials be breached, which is a cybersecurity incident. The other angle you’ll see is, an organization is engaged with a third-party marketing company. That hosts their websites or controls their websites, maybe controls a couple other things.

And they’re paid on a monthly retainer, on a one-off project basis to create a website and continue to edit and make changes and either/or, when we get brought into the table, a lot of the times on these different issues, is, is always the same thing. “Hey, I don’t have my email. My email’s not up and running right now.”

And the, especially for our current MSP clients, as Jed mentioned, the first call is to us as the IT provider because email’s not working. And then as you do some digging into the, as our techs do digging into the actual, like what’s causing this issue, we find out it’s exactly the things I mentioned. Either the third-party marketing company is having some issue or has been breached.

Or the credit card on file, or the credentials on file for that web hosting service that the organization does that we don’t control has gone down. so that’s really the start of it. And then there’s a whole world in which we can talk about, and Jed’s going to ask me questions on, about what can you do to prevent that?

How can you better secure your website, your domain name, which is therefore connected to your email address? And obviously the biggest pain this is causing is business interruption, right? And what’s Business interruption is my team of 30, 40, 50 people can’t work via email today, or maybe for multiple days.

because I’ve been breached via my web hosting service or my domains gone. and that causes a lot of pain, right? You have a lot of salary. racking up day after day you have clients that start to get frustrated and it’s all the root of this one issue.

Jed Fearon: Hey, Anthony, that was a great introduction.

Website being hosted on-site

Jed Fearon: You brought up something that I haven’t thought of in a while, because it’s such a no-no you talked about the website being hosted on-site. On a server. And I really frankly, had not even thought of that, because as I’ve mentioned, it’s a no-no and you don’t hear about it as much these days, but it’s still out there.

Have you encountered something recently where clients had an on-site web hosting server and anything of note escalate put up the, helpdesk.

Anthony DeGraw: Absolutely. Yeah, it’s, I gotta be honest, it’s been a little while, right. It’s been a little while. There’s still some, companies out there, if you get into the software development game, for companies that are doing that, a lot of them are hosting their own stuff.

The cloud is not heaven – security on the cloud is not a given

Anthony DeGraw: Maybe not in-house anymore, but on an, as Azure server or on an AWS server or in the Google cloud. so. The thing, the reason I’m comparing the two is because they’re still, even though it’s Google, or it’s Amazon, or Microsoft, is really just giving you the space. They’re giving you the infrastructure.

They’re not controlling any of the security settings or anything. There that’s free game for you to set up whatever you want. So it’s similar in the case that it’s not in your actual office anymore. But you still have the full keys to the kingdom and it’s, it’s up to you to determine, hopefully along with your cybersecurity company, on the minimum standards that you should have in place to make sure you’re protecting whether it’s a web server or a database server, anything, all the same concepts apply, but yeah, mostly companies are going through third parties.

That focus specifically on hosting websites or hosting application servers now. but you gotta, you gotta be very careful of the subscription that you’re buying. Usually if you’re going for the lowest cost subscription, the reason it’s low cost is it’s because it’s not going to include a lot of the, features and benefits that those higher cost subscriptions will do for you.

And we’ll cover some of those things that you should be checking out. but yet overall, not too many on physical infrastructure and offices anymore, but same concern just moving into the cloud. And that kind of gets into a root of a lot of things we talk about, which is we have a saying that the cloud is not heaven.

And a lot of people just assume that if I move this to one of the public clouds, I’m good. They’re protecting me. And the result is they’re not. What they’re promising you is resources and uptime. They’re not protecting you. They’re not promising you security. They’re not promising you backup. They’re not promising you any of those things. All they’re promising you is you’re going to pay for it. You’re getting the resources that you’re paying for, and we’re going to make sure you’re up and running all those other things, go out the window. And you’ve got to be very careful with.

Jed Fearon: I think a lot of the clients who work with MSPs sometimes assume their MSP has that as your expertise and they know how to operate the proverbial dials that a pilot might see in a commercial aircraft.

So have you seen in your neck of the woods, MSPs who were in a little bit over their heads and they, in addition to the client, assumed more was being taken care of than was being taken care of.

Anthony DeGraw: Yeah, absolutely. Absolutely. So I’m going to attack this in two different angles or the same angle, just two different ways.

The “Microsoft365 unselected options” example

Anthony DeGraw: So whether it’s a third-party MSP or it’s internal IT, Both of those, we see the same common themes happening. So we’ll, just stay within the Azure platform for right now. So everybody’s pretty familiar with Office 365, Microsoft 365, and Azure. if we just narrow down to Microsoft 365. So your email, your Excel, your Outlook, those basic systems, right?

That almost everyone is signed up for. What we tell clients when we go in and assess these environments or these cloud environments and local infrastructure. But even when we log into their Microsoft 365 accounts to assess it, we tell them there’s over a thousand checkboxes right now within 365. 1000 security check boxes that you can click or not click.

And what happens is a lot of times internal IT, or, current, MSPs don’t spend the time going in there and setting up from the admin panel, those thousand check boxes. Because if if you think about it, if you go in there and you just hit select all, it’s gonna, it’s gonna, it’s going to lock down a lot of things and you may not be able to

Jed Fearon: That’s what what I would do, which is why you don’t want me anywhere near your Azure resources.

Anthony DeGraw: Exactly right. And that’s the easiest, but it’s going to cause some frustrations within the environment. so somebody has to actually take the time and know what they’re doing as they go in there and evaluate that. so that’s the number one thing. The other thing is the number one thing being there so much, there’s so many check boxes that you need to consider and know how one check box affects another thing, blah, blah, blah, blah, blah.

The other end. Exactly the other items.

Are you actually getting what you think you purchase from Microsoft/Google?

Anthony DeGraw: The number two that I would bring up here is they, the, people purchasing these things. So the MSPs or internal IT team members that don’t have this expertise, may think that certain things are being done. That Microsoft or Google or whoever are not actually promising.

And it goes back to that cloud is not heaven conversation, meaning they think “I went to Microsoft’s cloud or I went to Office 365. They’ve gotta be doing these things.” And I’ll bring up one example to keep this short. But the one example is backup and disaster recovery of your emails and files in OneDrive and SharePoint.

A lot of times people are under the assumption that by signing up with these services, they’re being backed up and the answer is that’s it’s so, it’s so far from the truth. So what they’re promising you when you go to these cloud subscriptions is that you will be up and running. Meaning if my server goes down, that you’re hosted on, I’m going to quickly flip you over to another server and I’m going to get you back up and running on that server.

If there was any type of data loss, in that downtime, I’m not guaranteeing you, that I’m going to be able to recover your data.

Jed Fearon: that’s in, that’s in the fine print.

Anthony DeGraw: That’s in the fine print.

Jed Fearon: Nobody reads these days. We just scroll down and say, I agree, let’s get this done. I’m ready for a coffee break.

Rogue employee

Jed Fearon: Exactly. So the other example that I’ll typically bring up and these can happen in different variations is you have, what’s called a rogue employee. So you have an employee that is upset with the organization. And they know they’re going to be leaving and let’s call it six months from now or three months from now, whatever the timeframe is.

And they go in and they delete everything that they have access to. And back to point number one, when those check boxes aren’t set up correctly, usually they can pretty much find access to everything because nothing’s been segmented into the proper, areas of not allowing certain controls and access to certain people.

So what you have is a rogue employee who can go in and delete as much as they want. And then all of a sudden, 30 days later, 60 days later, that’s noticed. You go look to find the data and it’s not there because you haven’t engaged another third-party to back up that environment.

You could say, it’s a house of cards ready to be toppled.

Anthony DeGraw: Absolutely. Absolutely. So those are the common misconceptions about, the cloud and what’s going on there.

IT Assessments

Jed Fearon: Hey, so what are your recommendations? For companies who are working with MSPs and they have a cloud Azure type environment. Do you have any recommendations where they could do an assessment and get some, checks and balances?

So they know that they’re asking their MSP the right questions to make sure they have the right folks in the driver’s seat to protect them and keep them efficient and all the great things that manage IT does?

Anthony DeGraw: Absolutely. So I’m smiling because Jed is leading a horse to water right now. so yes, the answer is Integris is a SOC 2 Type II organization certified organizations by the AICPAs.

And what does what does that mean? that’s one of the highest standards that you can apply for, or you have a third-party auditor come in. And not only make sure you have the policies and the procedures and everything being done correctly, but then they’re also getting their hands dirty and confirming that those things are actually being done.

So it’s a checks and balances thing. Now not every organization should go and get a SOC 2 Type II. It’s tens of thousands of dollars to do that, and you have to do it every single year. As a Managed Service Provider, we should be doing it. And actually fun fact, I think it’s less than 5% of Managed Service Providers in the country are actually SOC 2 Type II certified.

that’s just a quick fun fact, that being said. If you don’t need to get to that high of a level, or you’re not in a regulated industry, it doesn’t mean you shouldn’t take some of those best practices that others are doing and just scaled them down to your own needs. So in our case at Integris, we do a lot of, and significant amount of technology assessments and gap analysis for businesses with five employees.

Or a 500 employees. there, there are varying scales. They can be on-site, they can be done completely remotely, but at the root of it, you want somebody else to come in from an unbiased perspective, from the outside, that you’re paying to get a deliverable. That is telling you the gaps that exist, and then hopefully the solutions to fix those gaps.

And then whether it’s you and us, or you and that other third-party, or you by yourself, if you’re internal IT. You go and work on that, go work on that plan and make sure it’s actionable. We, break ours down into business impact, so high, medium, and low. That way people can focus because the question we always get out of those assessments is like, where do I start?”

And it’s well, we’ll start on business impact high. And what we always re it was relate that back to business outcomes. what does business impact high actually mean? in our world, it means that if, one of these items and one of these vulnerabilities is found, there’s the potential for you to be down, I would say five to seven business days or seven plus business days, which is going to have a, what we believe a significant impact on your business. Medium. You’re probably looking at three to five business days. And low, you’re probably looking at three or less business dates. but yes, that’s, I would always recommend, especially in today’s day and age, nobody knows everything, especially if you’re just in a one track mind or you’ve lived in one environment for so long and it’s your baby and you’ve designed it from scratch.

That’s usually the number one reason why you should do this is to go out and get some other expert.

Jed Fearon: So I love what you said about the assessment, but if we could back up a little bit, I think I have a general idea of the rigor and the timeline involved in a SOC two audit, but that’s our way as an MSP of having an objective third-party and an accounting firm, take a look under the hood.

Anthony DeGraw: Yeah.

Jed Fearon: It’s is it up to a three to six month period that takes place? Every,

Anthony DeGraw: absolutely. Yeah. I would even, probably depending on the size of your organization, probably six to nine months on most cases, sometimes it feels like as soon as you get done with it, you’re starting it up again.

Jed Fearon: Yeah. That’s what I recall from a lot of my research. Any final words on what listeners can do to. get in touch with us or engage in some additional dialogues to assess where they might be, maybe a 15 minute discovery call.

Anthony DeGraw: Yeah, absolutely. I would even take it a step back. So if you’re not ready for that, or you thought this was engaging, Jed and I have, I have an agreement that we’re going to do this on a weekly basis. So we’d more than happy to take your questions and answer them, probably live on this recording, going forward and, you can submit that to [email protected].

That’d be the easiest way to get in touch with them. Or you can direct message Jed or myself directly on LinkedIn. We’re happy to connect and, take those questions that way. Whatever’s easier for you. if you’re at the point where some of this stuff that we’ve talked about today resonated, we have some very simple, like the minimum, we call the minimum standards to do business in 2021 and what you should have in place.

And we’d also be happy to get those over to you. It’s about five to seven items that every business should be considering things like multi-factor authentication, content filtering. And antivirus, there’s just some very simple layers that you can do some cost money. And there’s actually a few that cost absolutely nothing.

You just need to know how to do them. and then if it’s past that and you’re like, “Hey, this is all really good stuff. And, and we need to act on that.” once again, you can go directly to our website, and complete the contact form there. And if you do that, it’ll get routed directly to the office closest to you.

Whether that’s Atlanta or Austin or Philadelphia, we’ll direct you directly there and we’ll help take you from there. But Jed, this is a great first episode. Thank you, man.

Jed Fearon: Thank you, Anthony. I’ll talk to you soon

Anthony DeGraw: Bye.

Keep reading

AI (ChatGPT) and the Cybersecurity Implications for Your Business

AI (ChatGPT) and the Cybersecurity Implications for Your Business

With AI set to revolutionize how we work in the coming years, two of our Virtual Chief Information Security Officers, Darrin Maggy and Nick McCourt, and our CIO, Tony Miller decided to weigh in on the subject. The drumbeat to adopt AI in your workplace is loud right...

“Knowledge, You Can Teach”

“Knowledge, You Can Teach”

Scott sits down (in person!) with George Hall. George is the President of LINQ, a managed mobility services provider, and There Goes My Hero, a nonprofit dedicated to those impacted by blood cancer, both headquartered in Baltimore. George talks about his very eventful...

Multifactor Authentication Breakdown

Multifactor Authentication Breakdown

Nick and Susan's monthly episode is joined by Lexie Nelson, a vCISO at Integris. Today's topic is multifactor authentication. We're going through a full breakdown into MFA: how much it really protects you and your organization, the things to look out for when...