Securing your site or service has become ever more important as the number of attacks is rapidly on the rise. As I have written before on Continuations I am not a fan of overreaching security legislation as a response. If we don’t want to keep these efforts at bay it will help if we do a better job with security. Increasingly that means you are only as secure as some of your key vendors.
In particular hosted email and DNS have proven to be big holes. If you use hosted email make sure that it has two factor auth which cannot be overridden through social engineering. A lot of damage can be done with access to email as Cloudflare discovered a while back. This should really also be a requirement for your DNS provider. If your DNS can be repointed that opens up all sorts of crazy security holes including the potential for a massive man-in-the-middle attack. Or, as BitInstant found out recently, DNS control can be used to lock you out of your own systems if you don’t have IP based access.
So what should you do? Start by making a list of all the external systems that are security relevant and put hosted email and DNS at the top of the list. Make sure all of these external systems ideally use two factor auth. If not, make password resets and security questions for these systems as difficult as possible (and certainly never use factual answers such as your mother’s real maiden name).
