Akamai Diversity
Home > Bill Brenner

Recently by Bill Brenner

A Decade of Dramatic Change in Security

Since so many Akamai customers and the wider public run on Microsoft infrastructure, I frequently write about the software giant here. Most of the time, it's to give people the head's up on upcoming patches, or to explain how Akamai security protects customers from weaknesses on the Microsoft side.

Because of all the flaws and attacks Microsoft users have suffered from, picking on the company became a popular activity in the previous decade. But 10 years after the era of big worm attacks like Blaster and Sasser, Microsoft deserves a lot of credit for turning things around.

A blog post from F-Secure Chief Research Officer Mikko Hyppönen has me reviewing recent history. In his post, Mikko starts with what life was like a decade ago. He writes:

If you were running Windows on your computer 10 years ago, you were running Windows XP. In fact, you were most likely running Windows XP SP1 (Service Pack 1). This is important, as Windows XP SP1 did not have a firewall enabled by default and did not feature automatic updates.

So, if you were running Windows, you weren't running a firewall and you had to patch your system manually - by downloading the patches with Internet Explorer 6, which itself was ridden with security vulnerabilities. No wonder then, that worms and viruses were rampant in 2003. In fact, we saw some of the worst outbreaks in history in 2003: Slammer, Sasser, Blaster, Mydoom, Sobig and so on.

He goes on to describe Microsoft's turnaround: Launching the Trustworthy Computing Initiative, halting all new development for a time so it could find and fix old vulnerabilities and, of course, developing much more secure versions of Windows and Internet Explorer. Windows 7 and 8 have been a huge leap forward over Windows XP. And every version of Internet Explorer since IE 6 have brought steady security improvements.

When Blaster hit I was editing for a daily newspaper and had no idea what patch management, software vulnerabilities and malware were. But Blaster was a big enough deal to make the front page of my paper. 

Within 10 months I'd get a crash course. In fact, my first day as a security journalist happened to be the third day of attack from another worm called Sasser. An analysis of Sasser was the first article I ever wrote about anything having to do with InfoSec. 

Interestingly, one of the companies I often quoted during worm outbreaks was Akamai. Back then almost nobody thought of Akamai as a security player, but if a serious worm outbreak was clogging up Internet traffic, the company had a ring-side seat -- a vantage point like no other.

Here we are a decade on. I'm part of Akamai's security team, my home machines have Windows 8 (my work machine is a Macbook Pro) and worm attacks don't happen the way they used to.

The bad news, as Mikko correctly points out, is that we are fighting a different enemy who is financially motivated and far more sophisticated. That has made Akamai's security operation more important than ever. As attacks against commercial entities have become a 24-7 affair, Akamai has become the main line of defense between customers and the bad guys.

But Microsoft has made a huge difference and conducted a spectacular turnaround, and they deserve a tip of the hat.


December Patch Tuesday Preview

Patch Tuesday is an important calendar item for Akamai customers, given how dominant Windows machines are in many companies. This month is shaping up to be a big one.

What follows is a preview of Microsoft's December 2013 Security Update.

Bulletin IDMaximum Severity Rating and Vulnerability ImpactRestart RequirementAffected Software
Bulletin 1Critical 
Remote Code Execution
Requires restartMicrosoft Windows, 
Microsoft Office,
Microsoft Lync
Bulletin 2Critical 
Remote Code Execution
Requires restartMicrosoft Windows,
Internet Explorer
Bulletin 3Critical 
Remote Code Execution
Requires restartMicrosoft Windows
Bulletin 4Critical 
Remote Code Execution
May require restartMicrosoft Windows
Bulletin 5Critical 
Remote Code Execution
Does not require restartMicrosoft Exchange
Bulletin 6Important 
Remote Code Execution
May require restartMicrosoft Office, 
Microsoft Server Software
Bulletin 7Important 
Elevation of Privilege
Requires restartMicrosoft Windows
Bulletin 8Important 
Elevation of Privilege
Requires restartMicrosoft Windows
Bulletin 9Important 
Elevation of Privilege
Does not require restartMicrosoft Developer Tools
Bulletin 10Important 
Information Disclosure
May require restartMicrosoft Office
Bulletin 11Important 
Security Feature Bypass
May require restartMicrosoft Office

Akamai InfoSec's Brick of Enlightenment

This is a sequel to yesterday's post -- the Akamai Security Podcast interview with Dave Lewis

Dave, one of our security advocates, is doing a lot of blogging over at CSOonline.com. He did so much blogging in November alone that I found it necessary to compile everything here. I wouldn't want you to miss anything, after all.

Here it is, a compilation of November posts from his blog, Brick of Enlightenment:

So sad to say that the impression that I get is that remote access solutions have become the backstage passes that they were really never intended to be.

Buffer Adds Two-Factor Authentication
Buffer has rolled out two factor authentication for all of their customers.

BIPS Suffers Bitcoin Heist
The world is drawn ever closer to the flame of Bitcoin and the inescapable lure of easy fortune. With that brings the criminal element that instinctually follows the scent of possible easy money.

Password Managers and Post-It Notes
Thursday night at 11:30 pm and you need to access a site to complete a large project you're working on. You should be asleep but that is something that a sane person would be doing. Instead you're playing beat the clock to get your work done for Friday at 9 am and you find that you can't remember your password.

Got Two-Factor Authentication?
Two factor authentication is not the be all end all of authentication measures but, it sure beats using just a simple password. Security practitioners have long lamented the issues that passwords bring with them. Yet here we are.

Surveillance Is About Control Not Security
When did it become accepted behaviour that we could be monitored all the time? I'm searching my memory for that moment in time where I signed the paperwork where I agreed to be a cast member of the Truman Show.

Don't Be An Ostrich, Remediate Issues
When you have a security assessment conducted on your enterprise there is always an opportunity for improvement. No enterprise is perfect. By which I mean, show me a perfect environment and I will give birth to a unicorn.

Canada's Bill C-13 Is a Trojan Horse
Canada's Harper government unveiled a proposed piece of legislation on November 20th 2013 that was trumpeted in the media as being the answer to the very real problem of cyber bullying in this country.

Who Is Practicing Best Security Practices?
There is a term in the Information Security field that tries my patience in no uncertain terms. That term is, "best practice". People love to bandy this about in discussions about their security program, widget or what have you. But, who is actually practicing?

Health Canada Exposes Medical Marijuana Users
No idea how this happened but, Health Canada has some explaining to do over a recent privacy related failure regarding, medical marijuana.

Dear John, Thoughts on the Cupid Media Breach
There has been a veritable orgy of large data breaches over the last couple years. While a lot of folks have been aware of the major breaches that have come down the pipe, there is one that stands out as a "wait, what?" moment in time. That would belong to Cupid Media.

It is (ISC)2 election time. GET OUT AND VOTE!
That time of year again. Time for (ISC)2 members to get out and vote. Frequently I get questions about the board of directors in general and I often counter with "did you vote"? This tends to be met with a glazed over look.


CSO Surveys: Decoding the Online Security Landscape

Akamai recently partnered with CSOonline.com to survey information security professionals on various web security topics. The surveys provide valuable insight into web security current trends and what information security professionals are doing to address them. Here are four whitepapers that explore the different threads.

The Importance of Improving and Adapting Web Security 
With so much depending on Web site availability, CSOs are considering new ways to be cost-effectively proactive and vigilant.

Improving DDoS Protection 
Survey reveals a significant disconnect between companies' concerns and their preparedness when it comes to potential DDoS attacks.

Improving Web Application Security
With employees and customers increasingly depending on corporate Websites, reliability and security have become more critical than ever.

Improving Web Security Intelligence
The importance of contextual data is growing, for protecting data as well as analyzing threats. How can companies improve and aggregate the security information they collect?


Akamai to Acquire Prolexic

Akamai announced this morning that it will acquire cloud security company Prolexic for about $370 million. The move extends Akamai's reach into the world of DDoS protection.

In a press release, Akamai CEO Tom Leighton said:

"Any company doing business on the Internet faces an evolving threat landscape of attacks aimed at disrupting operations, defacing the brand, or attempting to steal sensitive data and information. By joining forces with Prolexic, we intend to combine Akamai's leading security and performance platform with Prolexic's highly-regarded DDoS mitigation solutions for data center and enterprise applications protection. We believe that Prolexic's solutions and team will help us achieve our goal of making the Internet fast, reliable, and secure."

The financial details:

Akamai will acquire all of the outstanding equity of Prolexic in exchange for a net cash payment of approximately $370 million, after expected purchase price adjustments, plus the assumption of outstanding unvested options to purchase Prolexic stock. The closing of the transaction, which is subject to customary closing conditions, including regulatory approvals, is expected to occur in the first half of 2014.

Akamai will host a conference call to discuss the acquisition of Prolexic today, December 2, 2013, at 8:45 a.m. Eastern time. The call may include forward-looking financial guidance from management. The call can be accessed through 1-800-706-7749 (or 1-617-614-3474 for international calls) using conference ID No. 19279933. 

A live Webcast of the call may be accessed at www.akamai.com in the Investor section. 

In addition, a replay of the call will be available for two weeks following the conference through the Akamai Website or by calling 1-888-286-8010 (or 1-617-801-6888 for international calls) and using conference ID No. 55460617.

Four Things to Ask Before Seeking FedRAMP Certification

Part 3 in a series.

A few months ago I told you about how Akamai achieved FedRAMP certification and how, in our opinion, it was a very big deal. To understand what FedRAMP is and what certification means for Akamai's security program, see the post, "Akamai FedRAMP Compliance is Huge for Security."

After you read that, understand this: The path to certification is hard. All compliance efforts are difficult, of course. But FedRAMP presented its own special challenges. We learned a lot along the way.

For a look at how we reached this point, I spoke with Akamai InfoSec's Kathryn Kun, the program manager who played a critical role in getting us certified. Kathryn was one of the main lines of communication between Akamai and the FedRAMP Joint Authorization Board (JAB).

For others looking to achieve FedRAMP certification, there are four questions that must be addressed up front.

  1. What are the limits you need to define? As with any compliance effort, the auditors will want as much data as they can get their hands on. That's understandable. But many requests will cut too close to the safe holding your company's secret sauce. Before embarking on this journey, define the items that sit on the other side of the line that can't be crossed. If you're up front about it, the rest of the process can go more smoothly.
  2. Are you prepared to find a middle ground? Defining the limits is all well and good. But few things ever get done between two sides without some compromise. Be prepared to articulate the middle ground you're willing to meet at. An example for us involved FedRAMP's interest in network scanning. Akamai doesn't generally allow third-party scanning software on its boxes because it can hurt performance. Therefore we compromised on what scans, when, and how often, while offering a detailed explanation of our ongoing vulnerability management procedures.
  3. Are you prepared for the length of time the certification process will take?  We started the process of getting FedRAMP certification in early 2012 and the process took a year. To expect quick results is to be easily disappointed. Besides, the quickest way isn't always the best way. 
  4. Are you prepared for the long haul? Once you are certified, there's a lot of painstaking work that is ongoing for the sake of upkeep. You have to decide what types of scans you're willing to run and how often. You have to determine how often you're willing to rotate an SSH key in front of an assessor. In other words, once certified, the process is only beginning. The good news is that you already knew that from your experiences with such other regulations and industry standards as PCI DSS, HIPAA and ISO.
At this point you might be asking if it was all worth it for us. The answer: Absolutely.

As Kathryn explained, pursuing FedRAMP certification was the broadest and deepest security commitment Akamai has ever made. FedRAMP's metrics have the breadth of what is required by the International Organization for Standardization (ISO) and the depth of what is required by the Payment Card Industry's Data Security Standard (PCI DSS).

"When you have proof of what you are doing, and you find more cobwebs and dust bunnies, that's a plus," she said. "As a result of this process, we have swept imperfections out from corners we had not checked in ages. It raised the bar." For example, the review process uncovered parts of Luna-Oracle that needed updating. "We weren't terribly worried about these things, but taking care of them made us even more secure," Kathryn said.

FedRAMP certification means we track our processes more vigorously than ever, write it down and hand it to the federal government each month. That we have that level of commitment weighs heavily on customers minds, she said.

"We were always trustworthy. Now we are trustworthy and we document it," she added.


The DNS Security Collection

Welcome to the next step in our effort to make security content more easily available by topic. Today's collection of posts focuses on DNS-related threats and defensive measures.

DNS reflection defense

Recently, DDoS attacks have spiked up well past 100 Gbps several times. A common move used by adversaries is the DNS reflection attack, a category of Distributed, Reflected Denial of Service (DRDos) attack. To understand how to defend against it, it helps to understand how it works.

How Akamai eDNS Protects Against DNS Attacks

This post continues the discussion of DNS protection by describing how Akamai's "eDNS" protects customers from both volumetric and reflective attacks on DNS infrastructure.

What can be done about spoofing and DNS amplification?

How following a Best Common Practices document (BCP-38) will help your company fight back against spoofing and DNS amplification.

How big is 300 Gbps, really?

The 300 Gbps attack against SpamHaus earlier this year certainly seemed epic.  But how big was it, really? An analysis through the Akamai lens.

Was This Really One of the Internet's Biggest Attacks?

In early October there was an interesting story in eWeek about "one of the largest attacks in the history of the Internet." It described a 9-hour barrage against an unnamed entity that swelled to 100 Gigabits of traffic at its peak. Did it truly qualify as one of the biggest? It depends on how you choose to measure it.


Making Compliance Docs Public

Part 2 in a series.

In my post about compliance and customer service, I briefly touched on one of the goals of Akamai InfoSec -- making as much of our compliance documentation public as possible. I want to spend a little more time talking about that, as it's something I'm increasingly involved with.

Also, customer feedback is going to be crucial in determining which documents to tackle first.

As I mentioned in the last post, the goal is to give customers the tools for more self service. Right now our sales staff asks questions on the customer's behalf and they deliver the answers we provide. By making documentation publicly available, we hope to reduce the need for doing it that way. If the customer has a question and all they have to do is access documentation addressing their questions via our site, they get to act more quickly to address their issues. To me, it's an extension of the Akamai motto "Faster Forward."

The soon-to-be launched security microsite on Akamai.com will include a whole section for this purpose. We have a lot of work to do. So far, only a few of the documents are ready for prime time.

We're about to move a lot more quickly to get the job done. The task begins with us reviewing each document and removing details that must remain private for the protection of customers. Then, every document must be reviewed by our legal department to ensure we've dotted every i and crossed every t.

Here's where you come in.

I'd like your feedback on the compliance issues that cause you the most difficulty; those that compel you to get answers through the sales staff. 

That will help us prioritize which documents to tackle first. 

Our compliance team already has a pretty good idea of which documents belong atop the stack, based on the kinds of questions they get most of the time. But to do something like this right, there can never me too much feedback.

Please send your feedback to wbrenner@akamai.com, and I'll take your comments back to the team.

Thank you.

Privacy Was in Danger Before 9-11

This week I participated in an online panel put on by the Information Security Buzz website. I got the following question:

What 2 things are most likely to change the security industry in the next 2 years? And why?

The question immediately made me think of the state of privacy. My full answer is here. As to the privacy issue, I answered:

After 9-11, privacy got shafted in the rush to build tougher security, but we've seen how that has led to governments abusing authority. The NSA case is a prime example, though outrage over TSA tactics in the airports had already started the ball rolling. In the next two years watch for today's outraged reactions to translate into new policies governing privacy.

Privacy is a subject I've tackled a lot over the years. When I was at CSOonline.com, I wrote a story called "6 ways we gave up our privacy." In it, I focused on how people have almost willingly given up privacy in the rush to be seen and heard on the likes of Facebook and Twitter. I've also argued several times that Americans willingly gave up a lot of privacy out of fear in the aftermath of 9-11

I do believe the outrage over the NSA's PRISM program is swinging the pendulum back in the other direction, and that may ultimately lead to new privacy safeguards. 

All that said, it's worth noting that privacy was under threat before 9-11. The issue was framed succinctly in a 1999 episode of The West Wing called "The Short List." In it, the West Wing staff are focusing on nominating a judge for the Supreme Court. They discover a writing from the judge in which he essentially endorses the idea of invading individual privacy in certain cases. The fictional presidential aide Sam Seaborn says:

Twenties and thirties, it was the role of government. Fifties and sixties, it was civil rights. The next two decades, it's gonna be privacy. I'm talking about the Internet. I'm talking about cellphones. I'm talking about health records, and who's gay and who's not. And moreover, in a country born on a will to be free, what could be more fundamental than this?

Prophetic words. From a TV show.

Food for thought.


Security Presentations from Akamai Edge 2013

More than a month has passed since Akamai Edge 2013. Security was a major theme this year, and in this post I want to direct you toward the presentations now available on the Akamai Edge page. For the video presentations, click here. Below are some of the slide decks from those presentations.

I know there were additional security presentations, and I'll update this post as more of them surface.