I work at a major Tier 1 hosting provider and network security is always a huge concern. The largest issue that confronts my customers in terms of security is liability. I feel that the onus needs to be on the companies that own the solution to provide adequate security. Many times I see customers say "I don't need a firewall, much less an IDS; no one would want to hack my website". Well, unfortunately, this makes them vulnerable for crackers to open up the box and turn it into a warez FTP site. Suddenly their bandwidth shoots out of control and we bill them for their usage. The customer in question then says that they are not liable for the bandwidth because it was not their traffic, despite the fact that we spell out in their contract that they are liable for misuse of their servers. Additionally, some customer machines will be taken over for a DDoS. Say Customer X has no security and their box is compromised. Customer X's box then participates in a DDoS against Microsoft.com, and when Microsoft's attorneys go through the lists of who attacked them, they sue Customer X. I'm not sure if this needs to be legislated, but I do feel companies need to be aware that they are responsible for their own security, and that to try and shuffle the blame onto a 16-year-old script kiddie that compromised their machines is just showing their negligence in not providing adequate security. If you would like more examples of this for your research, feel free to email me at adambruce09@hotmail.com.