
Notes: I have very limited knowledge and experience in this field. My boss does not want to spend a penny more than what we already paid for. The website has a form that sends a message to our email address, and that sparked the security conversation.

Context: My boss bought a package from a web design company. This package included a redesign of the site, 12 months of hosting, and an Account Manager that would help us with the site. I talked with our Account Manager about the security of the new site and he tried to sell us another package for an additional $2,000. He said that if we bought the package, they would ban any IP addresses that are suspected of performing MITM attacks, DDOS attacks, etc. He claimed there was a 100% guarantee that no attack could bypass their security. He also said that our website will get a green lock at the left side of the URL bar.

What I think: I think the package he offered is a scam. I did some reading and according to what I read, the package he described won't stop MITM attacks or Large Scale DDOS attacks. To my knowledge, there is no security measure that cannot be bypassed.

What I read: Can I detect a MITM attack?, DDoS: Why not block originating IP addresses?, How does SSL/TLS work?, https://www.tunetheweb.com/blog/what-does-the-green-padlock-really-mean/

Questions: Am I wrong in thinking that what he offered is a scam? Should we consider buying the package? Am I better off just using a free SSL such as Zero SSL?

Thanks, and sorry if I posted this in the wrong exchange or if this is not the right place to ask. I'm not sure where else to ask these questions.

Johnny
  • We can only go by what you have supplied here, but we might have a different opinion if we had the actual content of what was offered. – schroeder Nov 06 '18 at 19:40
  • The $2000 package was offered over the phone. The key things he said in the phone call are what I put in my question, including the 100% guarantee. The other parts of the call were just him explaining the importance of getting the package. This security package cannot be found on their site, nor did they even mention it until the website was nearly complete. – Davidwestcoast Nov 06 '18 at 19:53
  • Ok - then we can only go with your memory. We can't make a value judgement about it being a "scam", but we can respond to the details as you remember them. – schroeder Nov 06 '18 at 20:03
  • Nothing is 100% guaranteed in the IT world. – Overmind Nov 08 '18 at 07:51

3 Answers

A few things worth noting (expanding on my comment, so I can elaborate a bit more).

  • He claimed there was a 100% guarantee that no attack could bypass their security.

    This claim can never be verified. Aside from the fact that this claim likely came from a sales person with limited (if any) Information Security knowledge, I would say that anybody who ever claims that a system is 100% secure is not to be trusted.

  • they would ban any IP addresses that are suspected of performing MITM attacks, DDOS attacks

    Deploy an SSL / TLS certificate to mitigate any risk of MITM attacks. LetsEncrypt will let you do this for no cost and many hosts support them natively now. Mitigating DDoS attacks is likely not something your host has the capability to do by themselves and will likely just put you on a free CloudFlare plan.

If you're concerned about the security of the application itself, then you should be looking for the services of a Penetration Tester. The "security measures" this account representative has presented strictly deal with the protocol level (how traffic gets to your website), and not the security of the website itself. Testing the security, logic flow, etc. of the actual application is a task best left to experienced web penetration testers.

DKNUCKLES
    Just to add, U2F (phishing needs to use the same domain) + CAA (limit which CAs will issue certificates) + SSL (make passive MITM attacks a lot more difficult) would make the life of an attacker much harder, and probably provide more security than a _100% secure_ system (even a machine switched off at the bottom of the Mariana Trench could be breached with a submarine :p) – jrtapsell Nov 06 '18 at 18:55
    Phrasing is important: `ban any IP addresses that are suspected of` - that's easy to offer if you are populating your firewall rules from an IP reputation source. It does not say that it will stop DDoS. – schroeder Nov 06 '18 at 19:41
  • @schroeder that's a fair point, to which I'd counter that banning IPs / geo-fencing IP addresses is a largely ineffective way of providing any measure of security. In any event, I see it as being misleading and disingenuous. – DKNUCKLES Nov 06 '18 at 19:57
  • oh, no doubt, it's sketchy, but as stated, is easy to implement – schroeder Nov 06 '18 at 20:02
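An added example, not code from the answer above or from any vendor's product: an offline audit of what actually earns the padlock and blunts passive MITM once a free certificate is deployed, run over constructed sample responses. It checks the HTTP-to-HTTPS redirect, certificate hostname coverage and expiry, and the HSTS header; the 14-day and six-month thresholds are assumptions.

```python
# Added example, not part of the original answer or of any vendor's product.
# Offline audit of the pieces behind a padlock: hostname-valid unexpired cert,
# HTTP->HTTPS redirect, and HSTS. Inputs are constructed samples, not live traffic.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

MIN_HSTS_SECONDS = 6 * 30 * 24 * 3600   # assumption: demand at least ~6 months

def parse_hsts(value):
    """Return max-age seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return int(val)
    return None

def audit_https(host, http_resp, https_resp, cert, now):
    """http_resp/https_resp: dicts with 'status' and lower-cased 'headers'.
    cert: dict with 'names' (subject alt names) and 'not_after' (aware datetime).
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    # 1. Plain HTTP must redirect to the HTTPS origin rather than serve content.
    target = urlparse(http_resp["headers"].get("location", ""))
    if http_resp["status"] not in (301, 308) or target.scheme != "https" or target.hostname != host:
        findings.append("http does not redirect to https")
    # 2. The certificate must cover the host and not be expired or about to expire.
    if host not in cert["names"]:
        findings.append("certificate does not cover host")
    if cert["not_after"] <= now + timedelta(days=14):   # assumption: 14-day warning
        findings.append("certificate expired or expires within 14 days")
    # 3. HSTS keeps returning visitors on HTTPS even if a first request is tampered with.
    hsts = https_resp["headers"].get("strict-transport-security")
    max_age = parse_hsts(hsts) if hsts else None
    if max_age is None or max_age < MIN_HSTS_SECONDS:
        findings.append("hsts missing or max-age too short")
    return findings

# Constructed sample: a site with a redirect, HSTS and a 90-day style certificate.
NOW = datetime(2018, 11, 6, tzinfo=timezone.utc)
GOOD = dict(
    host="example.com",
    http_resp={"status": 301, "headers": {"location": "https://example.com/"}},
    https_resp={"status": 200, "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"}},
    cert={"names": ["example.com", "www.example.com"], "not_after": NOW + timedelta(days=60)},
    now=NOW,
)
# Same site with HTTP served in the clear and no HSTS: two findings expected.
BAD = dict(GOOD, http_resp={"status": 200, "headers": {}}, https_resp={"status": 200, "headers": {}})
if __name__ == "__main__":
    print(audit_https(**GOOD), audit_https(**BAD))
```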

Rule one: Never, ever believe what the sales guy tells you

Rule two: be very suspicious of what the sales guy commits to in contract

Rule three: measure the promises made

You seem to be heeding rule 1; you haven't got to the point of addressing rule 2, but it sounds like you don't have the ability to apply rule 3.

He claimed there was a 100% guarantee that no attack could bypass their security

You seem to be of the opinion that because there is a guarantee, then it won't happen. A guarantee just spells out what remediation the vendor will put in place if the situation does arise. A "perfect" guarantee (from the customer's point of view) does not exist. Some vendors will go to the extent of getting their guarantees underwritten by a third party and/or implement IP escrow - but that's unlikely to be the case here.

"bought a package from a webdesign company" - that hosting and implementation were bundled in this way and purchased paints a very specific picture of both the web design company and your employer. I can't tell you if the $2000 package meets your requirements, I can't tell you what value the guarantee has, I can't tell you if the hosting company are able to deliver on what they are promising, but it all smells rather bad.

Given that they both developed and host the site, I would say that makes them accountable for any compromise of the service arising from outside your employer's organization.

That the security of the service was not properly addressed at the time the design and hosting was agreed is a failure by your employer.

It seems like this service is almost completely at the mercy of the web design company and not under your employer's control at all. Until someone addresses this balance of power, that will continue.

Meanwhile, you might consider the plight of other small businesses who receive visitations from a private organization offering protection services in return for cash, and the nature of those private organizations. Maybe $2000 buys some peace of mind?

symcbean
  • I couldn't agree more with you on the balance of power. If I can fix it, how can I? Is this a question I should ask on another exchange? Thanks – Davidwestcoast Nov 07 '18 at 14:36
  • Knowledge is power. Some good suggestions here (would certainly endorse using a good CDN like Cloudflare) but trying to solve big problems with posts on a free bulletin board means that the suggestions lack a lot of the context. Knowledge can be painful and slow to come by - but you might consider buying in some expertise. OTOH then you have the problem finding a good, independent IT consultant. – symcbean Nov 07 '18 at 14:49
Let's look at the claims one by one.

  • Ban IP involved in MITM:
    TLS stops MITM attacks. Charging $2,000 for that is a lot, considering that you can get a certificate for free (e.g. from Let's Encrypt). It's unclear what, if any, value they add on top of that.
  • Ban IP involved in DDOS attacks:
    Could be valuable if it's good. But you can get effective DDOS protection from Cloudflare for free.
  • Ban IP involved in "etc":
    Ehm, I would want to know more details before I pay for this. Could be great, could be nothing.
  • 100% guarantee that no attack can bypass their security:
    There is no 100% certainty in life. This is just sales talk without content.
  • Website gets a green lock in the URL bar:
    Same as #1.

I wouldn't say it's a "scam", but it doesn't sound like you get a lot of value for your money. Most (all?) of what they are offering can probably be acquired for free if you spend some time and effort.

Anders