Users have to watch out for their security. No one doubts that, but it doesn’t take their service providers off the hook.
Some issues are outside the user’s control. An ISP is responsible for providing and maintaining a secure infrastructure. In other cases, support from the provider lets people reach a level of security that would otherwise take them a lot of knowledge and effort.
It reflects badly on an ISP when malware hits its users. If the service becomes a source of spam or malicious probes, its IP addresses could be blacklisted. That’s disastrous for business. Service providers have to understand their responsibility and live up to it.
Protecting the infrastructure
An ISP’s most basic responsibility is to keep its infrastructure safe. A breach at the level of the operating system or Web server affects all users. Their sites could be compromised even though there’s no malware in their Web directory, and there’s nothing they can do to fix it. In one scenario, access to customer websites is redirected to a third-party site. In another, malicious content replaces legitimate ads on customer pages. ISPs are attractive targets because many customers can be hit at once.
Preventing such situations requires in-depth system security. System and server software needs to be kept up to date with patches. Monitoring the infrastructure will help to detect breaches and DDoS attacks promptly. The service should avoid unsafe software practices, such as open SMTP relays and DNS open resolvers. And, of course, the ISP should use HTTPS for its own pages.
Spam and phishing
Every user with an email account is a target for spammers and fraud operators. Some are savvier about it than others, but anyone can mistakenly open a dangerous link or attachment. The best protection is for those messages not to reach the intended victim. Filtering at the ISP level should be available as an option. Some customers are more concerned about never losing a legitimate message while others worry more about hostile mail, so they should have a choice of strictness levels.
Customers should be encouraged, perhaps even required, to set up mail authentication with SPF, DKIM, or DMARC. These protocols make it harder to spoof addresses successfully, so there will be fewer false-alarm spam complaints. The provider can concentrate on actual spam issues.
Domain and site hosting
A Web server that hosts many sites, especially ones for e-commerce, is a tremendously attractive target. It needs strong protection.
Patching and anti-malware software is basic. The server needs monitoring for suspicious behavior, such as high levels of abnormal outgoing traffic.
Any tools which are made available to customer sites also need to be updated regularly. PHP 7 is after than the older versions of the language and should be available for all sites. If the service provider manages the CMS, it should be kept up with the latest release.
It should be easy for customers to set up HTTPS. Making certificates available as part of the hosting plan will encourage using them.
Making services secure
All services should support the applicable security features. Email users should be able to connect to their accounts with TLS or STARTTLS. Ports that often cause trouble and don’t provide a service the user can reasonably expect should generally be blocked. The best-known example is TCP port 25, which allows setting up spam email servers. Secure protocols, such as SFTP and SSH, should be used rather than their insecure equivalents wherever possible.
Keeping account management secure is especially important. The experience of Hong Kong Broadband Network, leaking information on hundreds of thousands of users, stands as a warning. Servers with sensitive user information need to be separate from hosting servers. Monitoring access to account management allows catching unusual activity, such as large numbers of login attempts. Offering two-factor authentication will help to keep customer accounts from being hacked.
Security options for users are useful only if people know about them. The ISP’s website should feature prominent information on how to keep accounts safe, with recommendations for the best practices. If spam filters are available, there should be a clear explanation of how to set them up. If using the features looks difficult and confusing, people won’t use them.
If email notices regularly go out to customers, they should include recommendations for achieving the best security. Tell customers what options are available, and advise them on practices such as viewing mail skeptically and choosing strong passwords.
Security depends on the user and the ISP both doing their job. Some parts are the user’s responsibility, others fall on the ISP, and still, others are shared responsibilities. Even when the users have to take the action, they can do it more easily and effectively when they have their service provider’s support.
The Institute for Homeland Security Solutions at Duke University has published a brief but useful paper on “The Role of Internet Service Providers in Cyber Security.” It discusses the technical and business reasons for ISPs to keep a strong security profile and the issues they may face. A service provider that does a good job at security earns confidence from customers and faces fewer support issues.