Recently by Bill Brenner

How Akamai InfoSec Answers Customer Compliance Questions

Part 1 in a series. For more information, see "Everything You Want To Know About Akamai Security & Compliance."

The process for addressing customer security and compliance questions used to be somewhat chaotic. Questions would float around in random emails and elsewhere, and which ones got answered was luck of the draw. We found this unacceptable, and did something about it.

In an interview last week, Akamai InfoSec Program Manager Meg Grady Troia -- who has had a big role in the customer service and compliance arena -- gave me an overview of the improvements made. 

It's been a three-pronged strategy:

  • Create an internal document of 100 basic security questions to give our sales staff clearer guidance on what to expect from customers and how best to answer them.
  • Create a structured process where sales people can pass customer questions along to us and we can supply them with answers in rapid-fire fashion.
  • Gather up documentation that deals with the most-commonly-asked-about issues and make them public.
The internal document deals with the first issue by laying out 100 common questions in detail and offering a variety of answers to take back to customers. The goal is to make it easier for sales staff to find answers on their own. When that can't happen, the second piece of the strategy comes into play.

An overhauled email list and ticketing system went online in late spring 2013. Senior Program Manager Lead Daniel Abraham and Security Researcher Kevin Riggle designed the improvements for easier communication between sales and our team. Sales staff asks us a question on the customer's behalf. We supply them with answers -- including documentation -- they can take back to the customer.

The third prong is about providing sales staff and customers with the tools for self service. As documents are made public, they will be housed on a compliance page that will be part of our soon-to-be-released Akamai Security microsite on Akamai.com.

Meg says the most sought-after documentation is the material dealing with PCI compliance and, as part of that, how we secure our servers and racks around the globe. Also popular are documents that map out Akamai human resource policies and insider threat information. 

"PCI is a very thorough standard about how you secure cardholder information," Meg says. "It allows us to talk about a variety of topics."

When the new security microsite goes online, customers will be able to go to the compliance page and type any topic they want to know about into a search box, which will then return every scrap of public documentation we have on the given topic, be it HIPAA, PCI, FedRAMP or Sarbanes-Oxley.

Starting next week, I'm beginning a series on Akamai InfoSec compliance efforts. It's an extensive effort to be sure, and customers probably ask us more about it than anything else.

The first post will be about our process for getting customers the answers they need. From there, I will delve into the following (in no particular order):

  • Akamai InfoSec and the challenges of ISO 27002 
  • How ISO compliance shaped Akamai security training for vets and newbies alike 
  • How Akamai achieved FedRAMP certification, and why it's a huge deal 
  • Pen testing: Why it's essential to Akamai's security compliance efforts 
  • Case studies in pen testing: What Akamai learns about itself 
  • Edge tokenization deployments: How we do it 
  • How we approach 3rd-party assessments (HIPAA/ISO/PCI)
  • The importance of code review as part of our security efforts and how it fits into the compliance puzzle
  • How we welded security and compliance into a process that makes sense
  • CP/DR at Planetary Scale
That won't be the end of the series. In fact, it will just be the beginning.

Meanwhile, the new security section of Akamai.com will launch around February; giving customers quicker access to documentation that addresses their compliance questions is a major part of it.

Stay tuned for more. Much more. And if you have questions about a compliance issue you don't see covered in the list above, email me at wbrenner@akamai.com.

Video: Security and Compliance 101

Chief Security Officer Andy Ellis gives a brief overview of security and compliance and what they mean to Akamai. Andy's overview includes common terms along with definitions and an overview of common standards and their components.


Microsoft's November Patch Load

Yesterday was the second Tuesday of the month, which those of us in security know as Patch Tuesday -- the day Microsoft unloads its security updates. It's an important calendar item for Akamai customers, given how dominant Windows machines are in many companies.

What follows is the full list of November 2013 bulletins. Review it, decide which matter most in your environment, and deploy.

For each bulletin: ID and title (with the Microsoft Knowledge Base article number), executive summary, maximum severity rating and vulnerability impact, restart requirement, and affected software.

MS13-088: Cumulative Security Update for Internet Explorer (2888505)

This security update resolves ten privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  Severity / impact: Critical / Remote Code Execution
  Restart: Requires restart
  Affected software: Microsoft Windows, Internet Explorer

MS13-089: Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution (2876331)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views or opens a specially crafted Windows Write file in WordPad. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  Severity / impact: Critical / Remote Code Execution
  Restart: Requires restart
  Affected software: Microsoft Windows

MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986)

This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability exists in the InformationCardSigninHelper Class ActiveX control. The vulnerability could allow remote code execution if a user views a specially crafted webpage with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  Severity / impact: Critical / Remote Code Execution
  Restart: May require restart
  Affected software: Microsoft Windows

MS13-091: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2885093)

This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a specially crafted WordPerfect document file is opened in an affected version of Microsoft Office software. An attacker who successfully exploited the most severe vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  Severity / impact: Important / Remote Code Execution
  Restart: May require restart
  Affected software: Microsoft Office

MS13-092: Vulnerability in Hyper-V Could Allow Elevation of Privilege (2893986)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker passes a specially crafted function parameter in a hypercall from an existing running virtual machine to the hypervisor. The vulnerability could also allow denial of service for the Hyper-V host if the attacker passes a specially crafted function parameter in a hypercall from an existing running virtual machine to the hypervisor.

  Severity / impact: Important / Elevation of Privilege
  Restart: Requires restart
  Affected software: Microsoft Windows

MS13-093: Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure (2875783)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if an attacker logs on to an affected system as a local user, and runs a specially crafted application on the system that is designed to enable the attacker to obtain information from a higher-privileged account. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

  Severity / impact: Important / Information Disclosure
  Restart: Requires restart
  Affected software: Microsoft Windows

MS13-094: Vulnerability in Microsoft Outlook Could Allow Information Disclosure (2894514)

This security update resolves a publicly disclosed vulnerability in Microsoft Outlook. The vulnerability could allow information disclosure if a user opens or previews a specially crafted email message using an affected edition of Microsoft Outlook. An attacker who successfully exploited this vulnerability could ascertain system information, such as the IP address and open TCP ports, from the target system and other systems that share the network with the target system.

  Severity / impact: Important / Information Disclosure
  Restart: May require restart
  Affected software: Microsoft Office

MS13-095: Vulnerability in Digital Signatures Could Allow Denial of Service (2868626)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service when an affected web service processes a specially crafted X.509 certificate.

  Severity / impact: Important / Denial of Service
  Restart: Requires restart
  Affected software: Microsoft Windows
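As an added example (not part of the original post and not Microsoft's or Akamai's tooling), the PowerShell below checks a Windows host for the KB packages named in the Windows bulletins above. The bulletin-to-KB mapping is taken from the list; the script structure and the host it runs on are assumed. Get-HotFix reads Win32_QuickFixEngineering, which only reports OS-level updates, so the Office bulletins (MS13-091, MS13-094) are left out and must be checked through Windows Update history or the Office update inventory instead.

```powershell
# Added example: report which November 2013 Windows bulletin packages are
# installed on this host. KB numbers come from the bulletin list above;
# everything else is an assumption for illustration.
$bulletins = @{
    'MS13-088' = 'KB2888505'   # Internet Explorer cumulative update
    'MS13-089' = 'KB2876331'   # Windows GDI
    'MS13-090' = 'KB2900986'   # ActiveX kill bits (actively exploited)
    'MS13-092' = 'KB2893986'   # Hyper-V hypercall
    'MS13-093' = 'KB2875783'   # Ancillary Function Driver
    'MS13-095' = 'KB2868626'   # X.509 certificate handling
}

# Get-HotFix only lists OS updates recorded in Win32_QuickFixEngineering.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($b in $bulletins.GetEnumerator() | Sort-Object Name) {
    $status = if ($installed -contains $b.Value) { 'installed' } else { 'MISSING' }
    '{0} ({1}): {2}' -f $b.Name, $b.Value, $status
}
```

Two caveats when reading the output. Cumulative updates supersede earlier ones, so a later IE cumulative update can leave KB2888505 unlisted on a host that is nevertheless patched; treat MISSING as a prompt to check the installed IE build, not as proof of exposure. And the KB a package installs under can differ from the bulletin's headline KB on some product versions, so confirm against the bulletin's own affected-software table before escalating. Get-HotFix also accepts -ComputerName to run the same check against remote hosts.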

Akamai Security Videos, Part 2

Last week, I began making compilations of Akamai InfoSec's multimedia content. This post is the final roundup of videos we've released thus far.

For the compilation of Akamai security podcasts, go here. For the first installment of videos, go here.

Now for more videos:

Major Areas of Technology within Security
In this Akamai InfoSec video tutorial, Security Intelligence Director Joshua Corman gives an overview of major areas of technology within security.

The Security Team's Role Within An Organization
In this Akamai InfoSec video tutorial, Akamai CSIRT Director Michael Smith gives an overview of the security team's role within an organization.

Cloud Security Made Simple
In this episode, Akamai CSIRT Director Michael Smith gives an overview of the cloud, cloud infrastructure and cloud delivery models.

Akamai.com Security Section Takes Shape

A few weeks ago I wrote about our efforts to develop a section for the Akamai website that's all security, all the time. Here's an update.

First, a summary:
 
This section will allow InfoSec practitioners to access all our security content in one place. There will be easier access to the security blog posts, podcasts and videos we already produce daily as well as such new content as slideshows, infographics, research papers and articles on topics that matter to customers and the security community as a whole.

Another goal is to make it a place where customers can get their questions answered more quickly. We constantly field questions. Sometimes it's a compliance question. Sometimes it's about how someone may or may not be affected by an attack making headlines. Along the way, we've written up a lot of answers, and want to make them available on the new page. If you can go to our page and find the answer to a question you have, it can save a lot of time.

Since the last post, we have come up with a design for the section and started building in the content. It will be more comprehensive than the initial plan, with boxes that will take readers from the main page to detailed sub-sections where they can access our public compliance documentation, CSIRT security advisories and calendar of events.

I can't show you the whole design yet, but I can share the whiteboard sneak preview I drew for the staff last week.

Stay tuned for additional updates.

Akamai Security Videos, Part 1

Several readers have asked me where they can find all our podcasts and videos. Our soon-to-be-released security microsite will make everything easy to find. But for now, we're creating a series of round-ups. Yesterday we published the first six podcast episodes. Further down the road, we'll have a round-up of our security webinars. What follows is the first compilation of videos.

What's a Zero-Day Vulnerability?
Akamai Chief Security Officer Andy Ellis gives a whiteboard lesson on zero-day vulnerabilities.

An Overview of Tokenization & the Credit Card Industry
Akamai CSO Andy Ellis gives an overview of tokenization and why it exists, as well as a brief history of the credit card industry.

Josh Corman on Different Adversary Classes
Akamai Director of Security Intelligence Josh Corman gives an overview of different adversary classes and their motivations.

An Overview of the OSI Model with Akamai CSO Andy Ellis
In this video, Akamai CSO Andy Ellis gives an overview of the OSI model, abstraction layers, HTTP, TCP/IP and how together these things make the Internet work.

Security Means Different Things to Different People
In this video, Akamai CSO Andy Ellis explains why security means different things to different people.

A Primer on Security Laws
In this video, Akamai CSIRT Director Michael Smith walks viewers through the regulatory minefield. It's a great primer, though we suggest, as always, that you consult your own attorneys to understand how the laws and standards discussed in this video apply to you.

Webinar: Preparing Your Web Security Strategy

For the third and final episode of our webinar series on Web security for small and medium businesses, Security Ledger Editor-in-Chief Paul Roberts joins me for a discussion on holiday-themed threats and strategies SMBs can adopt to fight back.

Webinar: Threats and Defenses for Smaller Businesses

Steve Ragan, a former hacker and current staff writer for CSOonline.com, joins me in part two of our series on Web security for small and medium businesses.

The focus of this episode is on hacking techniques, attacks and defenses.

Twitter Chat: Protecting Critical Infrastructure

Yesterday, Akamai InfoSec participated in a second Twitter forum as part of National Cyber Security Awareness Month. Participants supplied a ton of great resources, which I think is worth sharing here. 

What follows are some of the tweets from the conversation. If you want to better understand the threats to critical infrastructure and what's being done about it, you'll find what follows useful.

I was on a flight yesterday that had engine failure. Realtime telemetry was being sent to HQ. How easy would it be to hack that? #ChatSTC

This video shows how we protect our network + help customers prepare for disaster: soc.att.com/HrWlGd ^CB #NCSAM #ChatSTC

When critical #infrastructure is impacted, verify the issue through authoritative sources like #USCERT @ us-cert.gov/ncas #ChatSTC