It is one of those things that happens to other people, that you read about in the paper. One of those things that couldn’t possibly happen to you. Right up until the point that it does.
And so, a couple of weeks ago, that is what happened to me. All of our web sites were taken down by a hacker, no doubt for no greater purpose than the “lulz” (a term I have come to loathe).
It is only once you are hacked, however, that you come to appreciate how truly alone you are. Our web servers are hosted by a professional hosting company. It is the third hosting company we have been with in the last five years, as I have endeavoured to get (what I consider) reasonable support. We are in the process of moving to a fourth.
Part of the problem is determining that you have been hacked in the first place. Some months ago, I got an email from my hosting provider indicating that our servers were sending spam. How this was happening was baffling to me; mail services were locked down and password protected (and then turned off), passwords were changed and spam was still going out. It was only after a ridiculous amount of investigation that I discovered that someone (a hacker in France) had, through an SQL vulnerability, created a page on our server that allowed someone to write in the text of an email and have it be sent out.
Once you know the problem, however, the next problem is dealing with it. I deleted the rogue page readily enough, but that doesn’t mean that it won’t come back. A vulnerability is a vulnerability; if it exists and has been exploited, it will be exploited again. Not only does it exist, but now there is knowledge out there of where the vulnerability exists and how to find it. It’s only a matter of time.
Our hosting provider was absolutely no help in this regard. Their position is that they make the server available to us for a fee, and after that it’s ‘our server’. In their eyes, they have no further obligations. If there are security patches available, they are not being applied. If there are internet attacks, they are not being monitored and reported. Many providers do not provide backup services. In other words, you are your own server administrator. It’s up to you to know what to do and to do it. The company you pay monthly fees to is not doing it for you.
This is the heart of my frustration with many hosting providers, to be perfectly honest. If I wanted to be a web server administrator, I would do it myself. I’d go out and buy a server, set it up and administer it. It is actually the cheaper way to go. The point of outsourcing your servers, theoretically, is that you have knowledgeable professionals doing it for you. In all likelihood, however, you don’t. Not that my current hosting provider doesn’t have knowledgeable people, mind you. It’s just that once they have initially provisioned my server, they won’t touch it again.
If you think this isn’t you, check again. Call your hosting provider (preferably before you sign up with them) and ask them what happens when you get hacked. What do they do to detect attacks? What do they do to back up and protect your data? What will happen if your server is hacked? Who will be responsible for recovery and repair? In all likelihood, the answers to these questions are, “Nothing, nothing, nothing, and you are.” And, to add insult to injury, if your server is hacked they reserve the right to take it offline with no recompense to you.
For the last two weeks, my web sites (plural) have been offline. Not only are we moving to a new hosting provider, but they are moving to a new web platform as well. In between other work and other projects, we have not only needed to migrate our sites but also to rebuild them from the ground up. I’m pleased with the results. They are easier to navigate, more flexible and I like the new look. At the same time, I’m not pleased with the process. Once again, this is work that got dumped in my lap. And the dumping happened on someone else’s schedule, not mine. The plan was to move them, but not on the timeline that I have had to work with.
The sad and bitter truth is that, if you think this can’t happen to you, think again. There are no policemen on the internet. It is genuinely a wild frontier, where hackers operate with impunity and it’s up to you to defend yourself. And regardless of what you do, there are more of them trying to get in than there are of you trying to keep them out. They will find cracks. They will exploit them. At some point in time, they will take you down. And you just get to stand up, dust yourself off, and start over again.
Welcome to life in the new digital reality. It’s a dirty job, but someone has to do it. And that someone is you.