When walking customers and prospects through their attack surface, as discovered by the Censys Attack Surface Management (ASM) Platform, one of the biggest surprises tends to be the number of web hosting providers that are affiliated with their organization.
Censys can help highlight both the knowns and unknowns of your web hosting footprint. Our research across 70 organizations in 7 different industries shows that, on average, companies use 16 different shared web hosting providers. Understanding the true size of your attack surface means you can take steps to meaningfully reduce the number of hosts, and the risk they carry. The questions outlined below can help you judge which web hosting providers are worth keeping.
Shared web hosting services generally provide an inexpensive and easy path to deploying web content and web applications and can offer interfaces that automate the various processes associated with running a server. This can include deploying websites, managing mail servers and email accounts, deploying certificates, setting up subdomains, leveraging and managing databases, and managing performance metrics.
However, shared web hosting means shared tenancy, and infrastructure that is easy to deploy is not necessarily easy to manage. We frequently hear that it is the “easy to deploy” infrastructure that is the most difficult for security teams to inventory, monitor, and secure. For example, the self-service nature makes it painless to set up a website and payment processing for a charity event without involving IT or Security. Keeping track of these ephemeral accounts, who manages (or previously managed) them, and what kind of external exposure they present can be a blind spot for security teams. But it doesn’t have to be that way.
If you are unaware of your shared web hosting footprint, let’s talk! Our Censys ASM Platform’s discovery process enumerates your web hosting providers and makes filtering to find those providers, and what content they are serving, easy for your security team.
To put the problem in context, we looked at 70 companies across 7 industries in the Fortune 500. On average, we saw companies using 16 different shared web hosting providers, with some organizations having as many as 50. The added complexity with shared web hosting
Once you have a good understanding of how your organization is leveraging shared web hosting, you can start to simplify your attack surface by vetting those providers and looking for opportunities to consolidate that footprint. This helps ensure security compliance, reduces the complexity of vendor management, and may also provide cost savings.
Generally, when you’re assessing shared web hosting providers, we recommend asking the following questions to help guide your next steps.
1. Understand the services running.
- Is the service still in use? If not, does DNS need to be cleaned up?
- If the service is still in use, what kind of content is my organization serving on these shared web servers?
- Does the IP serving my web content expose other services externally, such as FTP, SSH, or database servers?
2. Understand the risk of data loss.
- Is there risk of customer data loss?
- Is there risk of company data loss?
3. Configuration and asset management.
- Who within the organization manages the configuration of these servers? Was this deployed by a consultant on behalf of the organization?
- Were any domains or certificates acquired for this web content?
- Do these providers meet my security and/or compliance requirements?
- Are you using dedicated IPs, or are you relying on name-based virtual hosting, where the same IP serves other tenants' sites alongside yours?
- Is there risk of poor IP reputation? On a shared IP, another tenant's spam or malware can get the address blocklisted, and your site with it.
4. Vendor management and consolidation.
- How does billing work for these vendors?
- What are the tradeoffs between this provider and a vendor who is already hosting a different site of yours? Can you consolidate or simplify your infrastructure?
- Are there cost savings if you have one vendor manage multiple sites?
- Is this something an internal team could host and manage?
5. Identify any connections to core infrastructure.
- What, if any, connectivity does this host have back to my core infrastructure?
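Several of the questions above (stale DNS, extra exposed services, dedicated versus shared IPs, which provider serves what) can be answered mechanically once you have an inventory in hand. The script below is an added example, not Censys code or output from the ASM Platform: it triages a constructed inventory of hostnames, each with its DNS answer and the TCP ports observed open on the serving IP, which is what a `dig` plus port-scan pass, or an ASM export, would give you. The `INVENTORY` records, the `PROVIDER_SUFFIXES` mapping of CNAME-target suffixes to provider names, and all hostnames and IPs are assumed sample data.

```python
"""Triage a shared-web-hosting inventory (added example with constructed data)."""
from collections import defaultdict

# Ports a plain web host is expected to expose; anything else is flagged.
WEB_PORTS = {80, 443}

# Constructed sample inventory. "cname" is the CNAME target if any, "ip" is the
# final A answer (None means the target did not resolve), "ports" are the TCP
# ports seen open on that IP.
INVENTORY = [
    {"host": "www.example.com", "cname": None,
     "ip": "203.0.113.10", "ports": {80, 443}},
    {"host": "blog.example.com", "cname": "sites.hostco.example.net",
     "ip": "198.51.100.7", "ports": {21, 22, 80, 443, 3306}},
    {"host": "events2019.example.com", "cname": "sites.hostco.example.net",
     "ip": "198.51.100.7", "ports": {21, 22, 80, 443, 3306}},
    {"host": "donate.example.com", "cname": "example-charity.pages.example.org",
     "ip": None, "ports": set()},
    {"host": "shop.example.com", "cname": "shop.example.myshopprovider.example",
     "ip": "192.0.2.44", "ports": {443}},
]

# Constructed mapping from CNAME-target suffix to provider. In practice this
# comes from reverse DNS, ASN/WHOIS data, or the labels your ASM tool applies.
PROVIDER_SUFFIXES = {
    ".hostco.example.net": "HostCo Shared",
    ".pages.example.org": "Pages Hosting",
    ".myshopprovider.example": "ShopProvider",
}


def provider_for(record):
    """Name the provider by the CNAME target's suffix; a bare A record with
    no known suffix is treated as self-hosted or unknown."""
    target = record["cname"]
    if target:
        for suffix, name in PROVIDER_SUFFIXES.items():
            if target.endswith(suffix):
                return name
    return "self-hosted or unknown"


def find_dangling(inventory):
    """Hostnames whose CNAME target no longer resolves: stale DNS left behind
    by a decommissioned site. Clean these up, and check whether the provider
    would let a new tenant claim that target name."""
    return sorted(r["host"] for r in inventory if r["cname"] and r["ip"] is None)


def find_shared_ips(inventory):
    """IPs that serve more than one of our hostnames, i.e. name-based virtual
    hosting rather than a dedicated IP."""
    by_ip = defaultdict(list)
    for r in inventory:
        if r["ip"]:
            by_ip[r["ip"]].append(r["host"])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def find_extra_services(inventory):
    """Non-web ports observed on the serving IP (FTP 21, SSH 22, MySQL 3306...)."""
    return {r["host"]: sorted(r["ports"] - WEB_PORTS)
            for r in inventory if r["ports"] - WEB_PORTS}


def providers_summary(inventory):
    """Group hostnames by provider: the starting point for consolidation."""
    groups = defaultdict(list)
    for r in inventory:
        groups[provider_for(r)].append(r["host"])
    return {p: sorted(h) for p, h in groups.items()}


def triage(inventory):
    """Run every check and return one report dictionary."""
    return {
        "dangling_dns": find_dangling(inventory),
        "shared_ips": find_shared_ips(inventory),
        "extra_services": find_extra_services(inventory),
        "providers": providers_summary(inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(INVENTORY), indent=2))
```

On the sample data this flags `donate.example.com` as dangling DNS, reports that `blog` and `events2019` share one IP with FTP, SSH, and MySQL exposed beside the web ports, and groups both under the same provider, which is exactly the kind of pair the consolidation questions are meant to surface. Two caveats: extra ports on a shared IP belong to the provider's box, not necessarily to your site, so raise them with the provider rather than assuming your content is at risk; and the shared-IP check only sees your own hostnames, so discovering other tenants on the same IP still needs reverse lookups or certificate data that this offline example does not include.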
As always, at Censys we want to bring visibility to the forefront of your security program. If you’re struggling to understand how your organization leverages shared web hosting services and what kind of risks they can pose, reach out to our team!