A business that hosts its website with a provider expects the host to protect it from hacking and DDoS attacks and to provide maximum security. That expectation is legitimate, since it is the hosting company's job to identify vulnerabilities in the server or network that a hacker could exploit to gain access.
Responsibility for keeping the website secure is shared by the customer and the hosting company. The host always advises using uncrackable passwords, which no password-cracking algorithm can find, and keeping files and programs updated, which leaves the activities carried out on the website as the customer's responsibility. Hence, the customer needs to keep its website files and data updated. Furthermore, the customer must keep monitoring and checking that no fraudulent activity, such as fraud, privacy breach, business theft, illegal transfer of funds, or internet harassment, is carried out through its website.
Hosting Company View
Now, what if the website is found to be involved in illegal activities and is penalized? The customer will surely blame server vulnerabilities that the hacker used to gain access and load mischievous files. The hosting company may claim that the system is updated and has no identified or known vulnerabilities. It may argue that the customer did not update its files, or that the customer's code contains loopholes, and that identifying such weaknesses is the customer's responsibility.
Hosting Company Claims
Hackers often gather much of their information through social media, such as personal information, email addresses, phone numbers and often bank account information. The hosting company claims to have dedicated employees who monitor and recognize server vulnerabilities. The hosting company's responsibility lies at the level of the overall system, but at the website level the customer is responsible. The hosting company says that it maintains all the necessary security software and that its team monitors server security 24×7. The data centers where the servers are kept have all the essential physical security controls. The data-center building has automatic fire detectors and non-water fire extinguishers. Voltage regulators control electrical fluctuations, and air conditioners adjust humidity in the server room. Proper cabinets are used, which keep the servers raised to protect them in case of flooding. The server rooms have suitable locks and allow limited access. The servers run antivirus software to protect against worms, trojans and viruses. The firewall prevents unauthorized use of resources and provides an intrusion detection and prevention system to avoid DDoS attacks. The hosting company's employees use proper authentication methods such as user ID and password, biometrics or smart cards.
Responsibilities and guidelines are defined, but websites still get hacked. Who is responsible?