To Host or Not to Host: How Vulnerable Is My Blog to a Security Breach?

To-Host-or-Not-to-Host-How-Vulnerable-Is-My-Blog-to-a-Security-Breach-V2 copy

For this month’s column on Social Media and Online Security we’re taking a look at what is arguably the first and still most important form of social media: the blog.

As a social media communications professional, I’ve always said that a blog forms a central anchor for your social media strategy. While other social media channels enable you to engage and interact with your customers directly, it serves as your true “channel”: your blog is where you can speak most directly and at length with your customers. From this point of view, it’s also a critical part of your public relations strategy.

While they have been around for a while and they lack a lot of the shiny new capabilities that we as social media professionals love. These days, blogs tend to be out of people’s minds. It’s just “there”. It’s always been there, it will always be there.

This applies to online security as well. With a host of new technologies to evaluate, assess and deploy, the blog easily gets relegated to the back burner. In the security world, there’s a real “squeaky wheel” problem: with limited resources, we sometimes focus on the squeaky wheel (the shiny new social media channels) at the expense of other things (your blog). It’s not uncommon for folks to say “Well, it’s not been a problem so far, so we don’t have to worry about it”. And so the security of your blog may coast on autopilot with little or no attention for years.

Unfortunately, this can be a dangerous approach. As I’ve said before, the world of online security is facing unprecedented threats and attacks. And while it may have been up and running without incident for years, that’s no guarantee that the security on it is adequate for the threats that are out there today. It may simply mean you’ve been lucky and escaped notice so far.

And these days, they are a particular target for attack for two reasons.

First, while we may think of the blog as “just there”, in reality a mature blog provides a number of different capabilities: video, discussions, photos, audio and, of course, text. Each of these capabilities is supported by different software components and each of these components can and do have vulnerabilities that can be attacked. If you think of it as a house, each of these capabilities represents another door that someone can try to break into. A house with one door is easier to protect than a house with 30 doors. So they represent what we in security would call a “target rich environment” that gives attackers many ways to try and levy attacks.

Second, many attacks these days are focused on getting malware (viruses, Trojan Horses, keystroke loggers) on people’s systems. One of the chief means for doing this is by taking over legitimate, established websites and using them to distribute this malware. Blogs are an ideal platform for hosting malware this way. It’s not unheard of to hear of mass blog compromises to this end. In November 2011, thousands of WordPress blogs were attacked through vulnerabilities in the platform to spread malware (primarily through a plug-in that provides support for pictures).

And this is just speaking to anonymous, broad attacks. There’s a whole other  category of threats to your blog: targeted vandalism and so-called “hacktivism”. Going back to the point that it is your “channel”, it’s also an ideal target for anyone who has an axe to grind against your organization. Taking over your blog to post inflammatory or damaging material is a quick and easy way to cause you embarrassment and repetitional harm. For example, a quick lookup shows that Reuters, the news giant, just recently had their blog hacked in a targeted attack and fake, damaging stories posted.

Combined, this means that your blog is a very attractive target with many avenues of possible attack. Indeed, it is likely the biggest target that you have in your social media arsenal.

Clearly, if you’ve not focused on blog security lately, now is an important time to do so. But what should you do about this? Really, you should ask yourself one simple question: Should I move my blog to a professional, managed hosting service or should I host it myself in some manner?

I’ve said that security is about identifying risks and making decisions about that risk. I’ve outlined the threat environment that your blog is facing. A good professional managed hosting service is the best way to meet those threats.

A good professional managed service will meet this threat environment by keeping up on the latest vulnerabilities and keeping the platform as up-to-date as possible. These days, keeping a blogging platform secure is a full-time job that requires specialized expertise. Unless you or your staff want to be blog security engineers, you can’t match their ability to protect your blogging platform.

Additionally, a good professional managed service will only provide capabilities on your blog that they feel they can reasonably protect. This does mean that you may have to sacrifice some functionality (especially around shiny new capabilities), but as we’ve said before: in security, new can equal dangerous.

Also, a good professional managed service will have additional layers of security and active monitoring that provides the necessary defense-in-depth today’s online security requires.

Finally, a good professional managed service will have good backup strategies and a good incident response process. So, should there be a successful compromise, they will have the means and expertise to restore it to normal operations more quickly.

My own professional opinion is that, these days, a professional service is the only way to go for blog hosting. And, I’m not the only one. If you look at some of the biggest blog properties out there, they’ve “outsourced” their platform like this. For example, CNN’s blogs all run on WordPress’s hosted service and they have rich capabilities and (to date) haven’t suffered attacks like others have.

A hosting service may cost more than self-hosting, but I promise you that your costs will skyrocket after a successful compromise. In some cases, when self-hosted blogs don’t have adequate backups, the blogs are simply gone for good. I’ve known more than a few blogs to disappear because of a successful attack after the owner failed to keep the blog software up-to-date and adequate backups.

If you’re already on a good professional managed service, then you’ve already addressed these risks smartly. But if you’re not, now is the time to reevaluate this question and decide if you want to continue to assume these risks that you might not have been aware you’ve been assuming.

To be clear, professional hosting is not a panacea for all possible security issues your blog faces. But it goes a long way to addressing the biggest threats that are currently out there. The world has become more dangerous and what worked fine a few years ago is just not adequate. It is your most important social media asset: it should get the best protection possible. So if you’re self-hosting, you should ask yourself the question today: to host or not to host.

About the Author:

Christopher Budd

This monthly Social Media & Online Security column is contributed by Christopher Budd. Christopher works for Trend Micro, an Internet security company, and is an expert on communications, online security, and privacy. Christopher combines a former career as an Internet security engineer with his current career in communications to help people bridge the gap between the technical and communications realms and “make awful news just bad.” Before Trend Micro, he worked as an independent communications consultant and, prior to that, as a ten-year veteran of the security response group at the Microsoft Corporation. +Christopher Budd

Christopher Budd
This monthly Social Media & Online Security column is contributed by Christopher Budd. Christopher works for Trend Micro, an Internet security company, and is an expert on communications, online security, and privacy. Christopher combines a former career as an Internet security engineer with his current career in communications to help people bridge the gap between the technical and communications realms and “make awful news just bad.” Before Trend Micro, he worked as an independent communications consultant and, prior to that, as a ten-year veteran of the security response group at the Microsoft Corporation. +Christopher Budd
Christopher Budd
Experts Connection - Pinterest

Trackbacks

Please Leave a Comment!