
Introduction
Keeping systems secure is not only a technical challenge, but also a user-facing one. As a web and email hosting provider, this can be a difficult balancing act. If we impose too many security limits, we cause severe inconvenience for users. If we place user convenience and experience above security, we leave systems open to breaches.
Finding the middle ground that keeps both sides of the equation happy isn't easy. Some security restrictions do and will cause issues for customers, and that is something we hate having to do.
With COVID and the rapid shift to Work From Home (WFH), we paused some changes to our platform and erred on the side of convenience over security (where risk management allowed). With the level of disruption already occurring, we didn't want to add to the pile unless absolutely necessary.
However, the recent large breaches at companies such as Optus and Medibank Private have meant we need to change how we prioritise security issues. While it may mean some disruption for you, this is ultimately to protect your data and your reputation.
Upcoming Changes at Conetix
Most of the security changes we're implementing currently won't affect the overwhelming majority of our customers. Platform-level changes are tested and run through specific user scenarios to measure impact (where possible) and to ensure our support team is trained and ready to handle them.
Where a change requires customers to take some action (for example, reconfiguring a setting in their email client), users will be notified in advance and provided with instructions on what needs to change. As always, our support team is on hand to assist with these changes.
Unencrypted authentication or weak passwords
Key changes include removing unencrypted authentication and unencrypted transfer of information for services such as email and FTP, so that mail and file-transfer clients must connect over an encrypted connection. Only a low percentage of users access these services in this fashion, so the impact will be minimal.
We've also built our own internal tool to analyse password strength and tell us which accounts have insecure passwords. It is based on industry best practice as well as our own analysis of 20 years of hosting data.
Policy changes
Some of the changes are policy changes. If we detect malicious activity on a site, or a critical vulnerability left unpatched, we may immediately suspend the account to prevent damage or further compromise. This also helps limit any reputational damage to your brand and website.
Access to your services requested via email or phone simply isn't granted to everyone (or even to others within your business!) and must be explicitly authorised. While this may seem inconvenient at times, we place the emphasis on security first. We also have a number of changes coming over the next few months to make this process easier for you.
Multi-factor Authentication
Where possible, we offer all services with an option for Multi-Factor Authentication (MFA). This adds a second factor beyond your password, so that a leaked or guessed password alone is not enough to gain access. Many systems, such as Microsoft 365, are starting to mandate MFA to reduce the high number of accounts compromised through password reuse and similar attacks.
Security issues in 2023 and beyond
We'd love for web and email hosting to be all about helping users, publishing websites and working on positive things. Unfortunately, the world is unpredictable and volatile. Web and email hosting are difficult because our systems are connected to the world 24/7, 365 days a year. There's no hiding these systems, so they must be protected to a high standard.
Email Misuse
While this has always been a problem, we're seeing two distinct areas with rising case numbers. The first is phishing emails sent from other mail systems that spoof legitimate domains with insufficient protection. In 2022, a Sender Policy Framework (SPF) record needs to end in a "hard" fail (-all) so that remote mail systems drop these illegitimate emails outright, rather than continuing to evaluate them (which a "soft" fail, ~all, permits) or simply delivering them. We have a guide on this available: https://conetix.com.au/support/preventing-email-domain-misuse-and-phishing/
The second is compromised accounts. As always, weak passwords remain a critical issue, and we've started testing password strength to find any that are too easy to guess. While our systems have protection against brute-force attacks (where someone just keeps guessing a password), these attacks can be spread across thousands of IP addresses and run over months so that no single source ever trips the lockout. Passwords sent without encryption are also a point of exposure; while this is blocked on the majority of our systems, we left some legacy ones enabled until we could minimise the disruption of turning them off.
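To make the hard-fail versus soft-fail difference concrete, the Python below is an added example (not code from the Conetix guide) that evaluates the ip4, ip6 and all mechanisms of an SPF record against the IP of a connecting sender. The two records are constructed and list the same permitted senders, differing only in the final qualifier; the addresses are documentation ranges. Mechanisms that need DNS (include, a, mx, exists, ptr, redirect) are deliberately not resolved and are treated as no match, and the receiver actions are an assumed, typical MTA policy. SPF is checked against the envelope sender (MAIL FROM) domain, not the From header the user sees.

```python
import ipaddress

# Constructed records: identical sender list, different "all" qualifier.
SOFT_FAIL_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"
HARD_FAIL_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror) for sender_ip.

    Simplified evaluator: only ip4, ip6 and all are implemented. Terms that require
    DNS lookups are skipped, which is an assumption of this example, not RFC 7208 behaviour.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"                     # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]    # catch-all: this is where ~all vs -all decides
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed record: receivers treat as broken
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists/ptr/redirect would need DNS: treated as no match here
    return "neutral"                        # RFC default when nothing matched and no "all"


def receiver_action(result: str) -> str:
    """Assumed handling by a typical receiving mail server for each SPF result."""
    if result == "fail":
        return "reject"                     # hard fail: dropped at SMTP time
    if result == "softfail":
        return "accept-and-weigh"           # soft fail: usually delivered, maybe marked as junk
    return "accept"


if __name__ == "__main__":
    spoofer = "198.51.100.7"                # a host that is not in the record
    for label, record in (("soft", SOFT_FAIL_RECORD), ("hard", HARD_FAIL_RECORD)):
        result = evaluate_spf(record, spoofer)
        print(f"{label}: {result} -> {receiver_action(result)}")
```

Running it shows the same spoofed message getting `softfail -> accept-and-weigh` under `~all` but `fail -> reject` under `-all`, which is the behaviour the guide asks you to enable.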
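The "thousands of IP addresses over months" pattern defeats per-IP lockouts precisely because no single source ever exceeds the threshold, so the useful signal is per account, not per source. The Python below is an added example of that detection (not Conetix's own logging or alerting logic): it groups failed logins by account over a rolling window and flags accounts whose failures come from many distinct sources while every source individually stays under an assumed per-IP lockout threshold. The log line format, the sample lines and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example: "<ISO-8601 UTC time> auth-fail user=<account> ip=<source>".
LINE_RE = re.compile(r"^(\S+) auth-fail user=(\S+) ip=(\S+)$")

# Constructed sample: alice is probed slowly from many sources (plus one stale entry outside
# the window), bob is hit by a classic single-source burst, carol just mistyped twice.
SAMPLE_LOG = """\
2022-09-01T02:00:00Z auth-fail user=alice@example.com ip=192.0.2.200
2022-11-01T01:02:03Z auth-fail user=alice@example.com ip=198.51.100.7
2022-11-03T04:05:06Z auth-fail user=alice@example.com ip=203.0.113.9
2022-11-06T07:08:09Z auth-fail user=alice@example.com ip=192.0.2.45
2022-11-10T10:11:12Z auth-fail user=alice@example.com ip=198.51.100.88
2022-11-14T13:14:15Z auth-fail user=alice@example.com ip=203.0.113.130
2022-11-19T16:17:18Z auth-fail user=alice@example.com ip=192.0.2.77
2022-11-18T09:00:00Z auth-fail user=bob@example.com ip=198.51.100.50
2022-11-18T09:00:01Z auth-fail user=bob@example.com ip=198.51.100.50
2022-11-18T09:00:02Z auth-fail user=bob@example.com ip=198.51.100.50
2022-11-18T09:00:03Z auth-fail user=bob@example.com ip=198.51.100.50
2022-11-18T09:00:04Z auth-fail user=bob@example.com ip=198.51.100.50
2022-11-20T08:30:00Z auth-fail user=carol@example.com ip=192.0.2.10
2022-11-20T08:30:20Z auth-fail user=carol@example.com ip=192.0.2.10
"""


def parse_events(log_text: str) -> list[tuple[datetime, str, str]]:
    """Turn raw lines into (timestamp, account, source_ip) tuples, ignoring lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events


def find_distributed_bruteforce(log_text: str, window: timedelta = timedelta(days=30),
                                min_failures: int = 5, min_distinct_ips: int = 4,
                                per_ip_lockout: int = 3) -> dict[str, dict[str, int]]:
    """Flag accounts with >= min_failures from >= min_distinct_ips sources within the window,
    where every source stayed below per_ip_lockout (so per-IP defences never fired).

    Thresholds are assumed values for the example; tune them to your own traffic.
    """
    events = parse_events(log_text)
    if not events:
        return {}
    cutoff = max(ts for ts, _, _ in events) - window     # rolling window ending at the newest event
    failures_by_ip = defaultdict(lambda: defaultdict(int))
    for ts, account, ip in events:
        if ts >= cutoff:
            failures_by_ip[account][ip] += 1
    flagged = {}
    for account, ips in failures_by_ip.items():
        total = sum(ips.values())
        if (total >= min_failures and len(ips) >= min_distinct_ips
                and max(ips.values()) < per_ip_lockout):
            flagged[account] = {"failures": total, "distinct_ips": len(ips)}
    return flagged


if __name__ == "__main__":
    for account, stats in find_distributed_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT low-and-slow guessing against {account}: {stats}")
```

On the sample data only alice is flagged: bob's burst from one address is what the existing per-IP lockout already catches, and carol is below the failure floor. A hit like alice's is an alert for review rather than an automatic lock, since a user with an old password saved on several devices produces a similar shape.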
Website Exploits
This is an issue that will never go away. It's critical to keep systems such as WordPress secure: regular updates, regular backups, auditing users and using unique passwords. The most common cause of compromise is still out-of-date plugins or known vulnerabilities left open on your website, in which case it's a matter of when, not if, it will be exploited.
Password Reuse
If you haven't yet, go to haveibeenpwned.com and enter every email address you use. Chances are, your address appears in five or more breaches of other sites and services. For any of those breaches where the password was recovered, anyone can now get a copy and use it.
Any login where you use the same password is now vulnerable. Instead of having to guess, an attacker can simply log straight into your website, email and any other system where that password is reused. I highly recommend reading our article on the importance of secure passwords for more information and guidance.
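Besides the email lookup, haveibeenpwned.com publishes a Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>) that lets an application check whether a password has appeared in a breach without sending the password, or even its full hash: the client sends only the first five hex characters of the SHA-1 and matches the returned suffixes locally (k-anonymity). The Python below is an added example of that client-side logic and is not Conetix's password-strength tool. It makes no network call; the range response body is constructed for the example (the counts are made up), and the "password" example is used because its SHA-1 prefix, 5BAA6, is easy to verify.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix). Only the 5-character prefix ever leaves the machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_query_url(prefix: str) -> str:
    """URL a real client would GET for the given prefix."""
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the '<35-hex-suffix>:<count>' lines returned for one prefix."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


# Constructed stand-in for the API: one bucket, for prefix 5BAA6. The middle suffix completes
# the well-known SHA-1 of "password"; the other two suffixes and all counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": """\
1E2E63E5ED3E5C7A6A7FB4C7E3F8A9B2C1D:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F0D2A8C4B6E9D1F3A5C7E9B1D3F5A7C9E1:1
""",
}


def offline_fetch(prefix: str) -> str:
    """Replaces the HTTPS GET of range_query_url(prefix) with constructed data."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, fetch=offline_fetch) -> int:
    """How many times the password appears in the corpus (0 = not found). The suffix is
    matched locally, so the service never learns which password was checked."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_acceptable(password: str, fetch=offline_fetch) -> bool:
    """Assumed policy for the example: reject any password seen in a breach at all."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, split_for_range_query(candidate)[0], breach_count(candidate))
```

To use it against the live service, replace `offline_fetch` with a function that performs the HTTPS GET and returns the response text; the matching logic stays the same.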
Behind the Scenes
Certification
The team is working towards ISO 27001 certification for aspects of our hosting, so that our internal processes and systems can be verified and audited against an international standard. Most of the work isn't changing our processes, but ensuring we have auditable evidence of our processes and systems. We want to provide you (and your customers) with proof that our security is more than just talk.
Increased alerting and logging
Our systems already have centralised logging and analysis to help us prevent or limit security issues as much as possible; however, as attacks grow more complex we must keep improving our systems to match. It's no longer possible for a hosting provider to run simple, standalone systems and remain protected.
Increased resiliency
Our systems already have high levels of redundancy and fault tolerance, so that our platform remains available at all times. This comes from the right combination of software and hardware to not only replicate data and systems but also detect faults and mitigate them wherever possible. As the systems grow in complexity, we continually evaluate what we provide and upgrade or replace systems to maintain our rock-solid stability.
Conclusion
While we're doing everything we can to minimise any impact to your services, security must take precedence over convenience. Our security record remains very strong because of the continuous-improvement approach we take.
The changes we're making may not be immediately obvious, because the overwhelming majority of them are behind the scenes and don't cause disruption. We hope that any disruption is offset by your data remaining safe and your systems remaining operational.