How safe is your web host? Israel’s cybersecurity watchdog plans rating system

After a cyberattack last year took down thousands of sites by targeting a single service, new program will hand out silver, gold or platinum ranks, each suited to different needs

Shoshanna Solomon is The Times of Israel's Startups and Business reporter

Illustrative image of hacking, hackers, ransomware and a cybersecurity attack (solarseven; iStock by Getty Images)

The National Cyber Directorate is proposing setting up a safety standard for providers of website hosting services, to let businesses that use their servers know how secure their data will be and choose accordingly.

Web hosting service providers allocate space on their servers for websites to store their files, so they can be available for online viewing. All websites are hosted on a server.

The idea to rank the providers stems from an incident last May in which thousands of Israeli websites were defaced at the same time, showing anti-Israel messages. When the directorate investigated the matter, it found that the hackers managed to inflict their damage by penetrating just one website hosting provider.

The new program aims to standardize three levels of security — silver, gold or platinum. The service providers will undergo scrutiny and security tests by the directorate on a voluntary basis.

The purpose of the program is to boost the protection of websites in Israel as well as to allow website owners to make informed choices regarding where to host their website, according to the new cyber protection standards.

The scope of the web hosting services industry is constantly growing. The service is easily accessible and saves money, which is why many organizations use it. There are currently dozens of companies in Israel that offer web hosting services, the directorate said in a statement. These services are a choice target for cyberattacks, however, due to the fact that hackers can target multiple organizations simultaneously through a single attack on a host. Targeting hosts also gives the attackers access to the vast amount of information held in these servers.

Attacks on websites through host services could include distributed denial-of-service (DDoS) attacks, information theft, or defacement attacks.

The silver standard will be the minimum standard of security recommended by the directorate, suitable for promotional websites or a business page on a social media site; an attack on the host could cause damage to reputation, the directorate said, but not much more.

The gold standard will be suitable for websites that require user registration and data. A hack on these kinds of websites could lead to reputation damage for the website owner along with loss of data privacy and eventual suits from consumers.

The highest standard, platinum, should be requested by businesses whose websites perform financial transactions, which if attacked could lead to financial losses, consumer lawsuits, plus a reputation blow.

Meital Arik, head of cyber guidance and regulation at the directorate, said that the new program provides a solution to the growing need to provide cybersecurity to web hosting services, along with creating an economic incentive for the suppliers of such services.

Anat Goldian, head of cyber regulation at the directorate, added that the new program will produce a pool of vendors approved by the directorate, and will help organizations make an informed decision regarding whom they contract with.

Hosting providers that implement the program can also benefit from the stamp of approval they get from the directorate, she added, as they will become more attractive for businesses.

To get the standard mark, the provider will have to prove compliance with a series of controls established by the directorate. These include access control, endpoint and server protection, peripheral protection, monitoring and control systems and a secure cloud environment to make sure the customer’s data is protected. After fully complying with these controls, the supplier will be inspected by a certified inspector sent by the directorate, who will certify the information and the standard of security via The Standards Institution of Israel Authority or the Institute for Quality & Control.

The directorate will then issue the web hosting provider a certificate confirming that its level of cyber protection meets the thresholds set by the program. The certificate will be valid for one year with the possibility of extension for a second, the statement said.

A spokeswoman for the directorate said that the program will be voluntary, and free for silver and gold standards. For platinum, host providers will have to pay for an inspector’s services at a cost of a few thousand shekels.
