Crucial Hosting makes available a brief outline of its Incident Response Plan (IRP) for parties interested in Crucial Hosting's internal security policies. The following information provides an overview, not a fully detailed account, of the approach Crucial Hosting takes to prepare for and address security threats. Crucial Hosting generally adopts the six-phase approach recommended by the SANS Institute.
Preparation
Server administration and technical support staff are trained in several ways to identify potential incidents. While there have been no major security incidents involving Crucial Hosting itself, individual customers have been exploited through vulnerabilities in their own applications. Staff are trained to identify these incidents, gauge their severity, and determine the root cause of the security threat. Using the months of logs we retain, staff can identify the source of an attack and confirm that the scope of the incident did not extend to other customers. In the event of an unprecedented security breach affecting multiple customers, staff are trained to escalate the issue company-wide to the relevant technical support staff.
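The log review described above, in which the source of an attack is traced and the incident is scoped across customers, is illustrated by the following added example. It is not Crucial Hosting's own tooling; the log layout (a virtual-host field followed by a combined-log-style line), the sample lines, the host names and the IP addresses are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines: a leading virtual-host field followed by a
# combined-log-style entry. This layout is an assumption for the example.
SAMPLE_LOG = """\
shop.example.net 203.0.113.7 - - [10/Mar/2023:02:11:03 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
shop.example.net 203.0.113.7 - - [10/Mar/2023:02:11:09 +0000] "POST /uploads/.cache.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
blog.example.org 198.51.100.20 - - [10/Mar/2023:02:12:44 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
blog.example.org 203.0.113.7 - - [10/Mar/2023:02:14:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
docs.example.com 192.0.2.55 - - [10/Mar/2023:02:15:30 +0000] "GET /manual/ HTTP/1.1" 200 8800 "-" "curl/7.81.0"
docs.example.com 203.0.113.7 - - [10/Mar/2023:02:16:12 +0000] "POST /uploads/.cache.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
"""

# Fields we need for scoping: which customer (vhost), who (ip), what (path), outcome (status).
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_log(text):
    """Parse log text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def find_attack_sources(entries, victim_vhost, indicator):
    """Source IPs that sent requests to the known-compromised vhost matching the indicator regex."""
    pat = re.compile(indicator)
    return sorted({e["ip"] for e in entries
                   if e["vhost"] == victim_vhost and pat.search(e["path"])})


def scope_incident(entries, victim_vhost, indicator):
    """For every attack source, count what it did on every *other* vhost.

    A request that matches the indicator and was answered 2xx on another vhost
    is the signal that the incident may have spread beyond the original victim.
    """
    pat = re.compile(indicator)
    report = {}
    for ip in find_attack_sources(entries, victim_vhost, indicator):
        touched = defaultdict(lambda: {"requests": 0, "indicator_hits_2xx": 0})
        for e in entries:
            if e["ip"] != ip or e["vhost"] == victim_vhost:
                continue
            stats = touched[e["vhost"]]
            stats["requests"] += 1
            if pat.search(e["path"]) and 200 <= e["status"] < 300:
                stats["indicator_hits_2xx"] += 1
        report[ip] = {vhost: dict(stats) for vhost, stats in touched.items()}
    return report


def affected_vhosts(report):
    """Other vhosts where an attack source got a successful indicator hit; these need escalation."""
    hit = set()
    for per_vhost in report.values():
        for vhost, stats in per_vhost.items():
            if stats["indicator_hits_2xx"] > 0:
                hit.add(vhost)
    return sorted(hit)


if __name__ == "__main__":
    # The indicator here is the web shell path and the traversal pattern found on the victim.
    entries = parse_log(SAMPLE_LOG)
    indicator = r"\.cache\.php|\.\./"
    report = scope_incident(entries, "shop.example.net", indicator)
    for ip, per_vhost in report.items():
        print(ip, per_vhost)
    print("escalate for:", affected_vhosts(report))
```

The indicator is whatever was recovered from the victim account (here a web shell path and a directory-traversal pattern); the scan reports both hosts the attacker merely probed and hosts where the same indicator was answered successfully, so that only the latter are escalated as possibly affected.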
Identification
Using the training outlined in the "Preparation" phase above, staff are able to identify security incidents quickly. Servers are constantly monitored for signs of malicious activity, and Crucial Hosting pays third-party services to monitor for signs of malicious activity originating from our network. In addition to manually reviewing customer systems for signs of a security threat, Crucial Hosting deploys security software that automatically patches server kernels against the latest security threats. Systems receive vendor security updates at least daily, and in the event of a more serious security threat servers are updated even sooner. Crucial Hosting frequently reviews security-related forums, vulnerability databases, and newsletters for relevant information about security threats. Notifications from our automated systems are monitored around the clock, every day of the year, and are typically reviewed within 20 minutes.
Containment
Crucial Hosting staff are trained to contain any malicious activity on our network as quickly as possible. We have a "zero tolerance policy" regarding customers hosting malicious software on our network. Once we have identified a security threat or malicious application on a customer account, we immediately disable or suspend access to that account and then notify the customer within one hour. In the event of an unprecedented security threat affecting more than a single customer, or a threat that originated from a level of access above that of a customer account, affected systems are isolated and removed from our production network. Spare equipment is prepared immediately, and restoration of the affected systems from backups begins at once.
Eradication
Once the security threat has been identified and contained, it is removed from our systems and network. In the most common case, a customer's application exploited through a vulnerability in their own code, the malicious code is completely removed from our systems. If the customer is unable to maintain the security of their own application, we will suspend their hosting with our company indefinitely. In the unprecedented event of a security threat affecting more than one customer, or a breach at a lower level of the stack than a customer account, action is taken immediately to eradicate the threat. Staff are always on hand and trained to remove malicious software in a quick, precise, and automated fashion. Because some customers unfortunately do not secure their applications, Crucial Hosting's staff have considerable experience writing custom software to eradicate malicious code.
Recovery
Once the security threat has been eradicated, Crucial Hosting restores the customer's access to their account or server. Crucial Hosting staff then actively monitor the previously affected account or server for signs of the malicious activity returning.
Lessons learned
Security incidents are documented in full detail in our internal support systems. Notes record the steps taken to identify, contain, and eradicate each security threat. Every system administrator reviews each occurrence so that a similar incident can be identified more quickly in the future. Customers are given recommended steps to better secure their applications against future vulnerabilities in their code or framework.