The Akamai Blog

Why Do Media Companies Need Web Security?

Media companies, of course, have long enjoyed the video streaming and web performance benefits that Akamai provides. In fact, we'll be showing some of our latest content preparation, delivery and measurement solutions at the 2013 NAB Show in Las Vegas. But that's not all.

Many of our media customers also trust us to help them solve their security needs. Why? Media companies need to protect their Websites from DDoS attacks and enforce Web application security. It sometimes surprises me, however, that some organizations outside of the financial services industry don't take Web security needs as a given, and have not already taken measures to protect themselves and their brand. But then, three years ago many people outside of the CIA didn't think they would ever be the victims of email hacking.

I remember sometime around the summer of 2010 finding myself at a neighborhood BBQ having burgers and beer. As I balanced my paper plate in the same hand that held my beer, I managed to shake hands with a neighbor. Out of sheer politeness, he asked what I did for a living. I told him I worked for a computer security company and expected my answer to have the usual effect: glazed eyeballs, maybe a glance around the room, and a quick, "anybody need another?" after which the victim of my hopeless attempt to engage in conversation would slink away, never to be seen or heard from again. Instead, my answer actually seemed to irritate my neighbor (let's call him Jim). Jim: "Oh, so you are one of those guys who makes me change my password, like, every three months?" My answer, "Not really," was ignored as he called his buddy, Kyle, over to the conversation. "Kyle, how often do you change your password?" 

Kyle dutifully replied, "Every three months, but only because the IT guys make me."  

Jim, angry now: "Yeah, so what's the deal. Do you really think someone is going to break into my correspondence with my wife over who is going to pick up milk on the way home?"

Kyle: "Yeah, I really don't think anyone is interested in my Gmail account."

Me: "Well, you never know, I mean..."

Kyle: "And even if I do change my password, how are the odds any different that they'll guess the new password versus the old one?"

Jim: "Right. Ha ha ha. Only thing that guarantees is that I'll forget my new password sooner and have to call the IT guys." Turning to me: "Well, I guess you just guaranteed yourself a job, ha ha ha. You have to answer the phone at the help desk when I call because you forgot your password."

I thought about trying to explain that good passwords (passwords that are not words a hacker can find in a dictionary) actually don't need to be changed that often, but that most end-users don't use good passwords, that many of them share their passwords with others, and that either they or their friends are relatively easily socially engineered into giving up their passwords, so many IT people have simply given up trying to educate their users and instead force password changes periodically. But then I'm not actually in IT, and I neither have nor enforce a password policy.

Me: "Anyone need a beer?" I slunk away and found someone willing to talk about the Celtics.  

The funny thing about the conversation, though, was that within a week, I got a spam message from Jim's wife's e-mail account - someone had indeed broken into her account and used it for one of those "Help, I'm stuck in Portugal and need you to wire me $120 so I can get out of customs" scams. Seems she didn't use a good password, or she used one that a bot guessed. In the years since, I've probably received a half dozen such messages from friends whose Gmail/Yahoo/Hotmail accounts have been hacked. The "playborhood" list server, the elementary school list server, the little league list server, etc. All have had at least one instance of a mass mail going out with either a link to a malware-infected site or a plea for a wire transfer of money.

Fast forward to 2013. I sometimes feel like I'm having déjà vu when I talk to media, software or hi-tech companies about DDoS attacks and Web Application Firewalls. Many of them reply: "Yes, but we are not a bank - why would anybody want to attack us?"

Without being a smart-alec, I try to answer by asking four questions:
1) Do you have a Website?
2) Does your Website run Java?
3) Do you collect information from your Website visitors?
4) Does your Website generate revenue?

If they answer yes to the first question and to any of the subsequent questions, then they are a potential target. This statement is not meant to spread fear, uncertainty, or dread - it is a simple fact of life. Not all attacks are going to put you out of business, and not all attacks are going to result in a direct loss of revenue, but if you are not taking a few relatively simple steps to protect your data and your brand, you are taking unnecessary risks with your business.

Why are Websites vulnerable? First of all, most of them run Web applications, and Web applications are fraught with vulnerabilities. Despite the good efforts of OWASP, 95% of malware infections in 2011 occurred through Web applications.* The fact is that apps are being built without proper vulnerability testing. One relatively simple way to protect yourself if you have Web apps is to install a Web application firewall.

Second of all, media companies represent a diverse set of interests, and usually the properties they own regularly editorialize on controversial topics.  Media companies are thus more likely to attract the attention of hacktivists who are looking to DDoS a target for political reasons.

Third of all, media companies almost always engage in commerce on their Website. Consider all of the film- and show-related merchandise available for purchase through most media sites.

Finally, most of the media sites on the Web today ask visitors to register. Some of the registration forms ask for personally identifiable data like gender, DoB, etc. The moment a site asks for and stores this type of data, they are subject to regulations that govern the protection of Personally Identifiable Information. That would mean the site would have to either undergo a yearly vulnerability assessment by a third party or use a Web Application Firewall in order to comply.  

So whether you are simply a house-husband who only uses e-mail to tell his wife he's picking up milk, or an innocent media company using your Website to guide children through your vast catalog of family-friendly entertainment - you are at risk. Not to say you should worry; just to say that you should be aware that risk exists and that there are things you can do to mitigate your risk.

Pay us a visit during NAB next week. We'll be glad to show how Akamai can help you not only protect your valuable content, but also your complete online presence and brand. 

1 Comment

Let me know if I am vulnerable, please. If I am, what do I do?