DNS-based DDoS attacks have gained mindshare among Akamai customers lately, most recently with last year's Dyn attacks (written about on the Akamai Blog here and here) and this week's attack against Cedexis. DNS infrastructure is a ripe target for malicious actors hoping to disrupt a digital property's availability because it provides the initial resolution for an end user's browser client from hostname to IP address. At best, an attack against your DNS records can significantly delay an end user's connection. At worst, it can render your application inaccessible to the end user, either through a denial of service or through a DNS record hijack or forgery. DNS attacks have consistently been one of the top attack vectors for DDoS, according to Akamai's recent security data.
Recently by Meg Grady-Troia
Adversaries calling themselves the Lizard Squad have been sending businesses extortion letters, demanding payment in bitcoin to prevent a Distributed Denial of Service (DDoS) or other attack against their applications. These letters have been sent to businesses across the globe and across industries for several years, with little follow-through. These letters appear to come from multiple groups including Lizard Squad, the Armada Collective, and DD4BC, though in many cases they are from copy-cat or imposter groups. A new wave of these letters seen by Akamai customers from "Lizard Squad" raises concerns that these threats may be legitimate.
Managing risk is a key aspect of any business. This becomes more complicated when additional parties, such as vendors, are brought into the mix. One of the strongest pieces of guidance on managing vendors that customers have brought to Akamai comes from the US Office of the Comptroller of the Currency (OCC) Bulletin 2013-29, wherein the OCC recommended that financial institutions strengthen their preparedness around third-party risk management, particularly in the field of cybersecurity. Many other global regulations exist with similar requirements.
Over the last two years, Akamai has seen an increase in the number of customers who wish to run their own review of Akamai, either to satisfy their own information security or risk management program, or to gain the expertise to explain Akamai to their regulators and consumers. This increase is due to a confluence of factors, from Akamai's increased global sales presence, to heightened regulation of certain verticals by governments and other organizations. We expect to see demand for custom assessments continue to grow in 2017 and beyond, and we expect the breadth and depth of questions from customers to increase as well.
Many customers ask Akamai about Disaster Recovery testing and Business Continuity planning as a part of their due diligence or risk management process. Customers expect to see a governance document maintained by a central authority, a list of systems with Recovery Point Objectives (RPO), Recovery Time Objectives (RTO), and a documented testing plan that is enacted quarterly or annually. Akamai reframes these questions to better match our approach to continuity and recovery, all of which we include under the umbrella of "resilience."
Akamai completed its first assessment against the SOC 2 standard this summer, and has released its first report on compliance under NDA.
What is the SOC 2?
The SOC (Service Organization Controls) 2 is a security standard aimed at Service Organizations. The SOC 2 is developed and maintained by the AICPA (American Institute of CPAs), which breaks goals for secure operations into 5 different categories called trust principles. The trust principles include Security, Availability, Processing Integrity, Confidentiality, and Privacy. An organization may be assessed against one or more of the trust principles. There is no certification available for the SOC 2 standard, as the controls of each trust principle, called common criteria, are interpreted by each organization undergoing assessment.
Here at Akamai, we call the on-boarding process "drinking from the firehose." With the blessing of the InfoSec department, I'll be sharing some of that firehose process with you, starting with excerpts from my blog about my experiences at one of the country's biggest hacker and security conventions, DefCON.
The Lion Sleeps Tonight: Preparing for DefCON
As I began preparations for my trip to DefCON, co-workers and peers gave me all manner of advice. As with all advice, some of it was contradictory, some of it was impossible, and some of it was indispensable. The advice about where to eat (taco stand reviews forthcoming, hopefully), what the Strip's environment is like (over-oxygenated air, brutal sun, great pools), and who I should try to meet (everyone!) was easily assimilated, but as the feedback about safety and security rolled in, it was hard not to panic.
Some of the things I was told were:
- all traffic in Las Vegas is monitored, no network (even with VPN or Tor) is secure;
- all data traffic on mobile devices is insecure & 4G is easy to sniff;
- all power outlets might be transmitting more than power or tampered with to damage equipment;
- all public places may be scanned for RFID tags, compromising my identity or finances;
- not to identify my employer or my job;
- not to travel alone;
- not to accept drinks from anyone;
- not to bring electronics that had any controlled or secret data; and
- most hotel rooms are bugged.
Most of these things could be true most of the time, in fact: I understand that "safety" is an absolute rather than an actual possibility. I take risks every day; the more complex and valuable the actions I am taking are, the higher the risks are, too. Even so, one co-worker likened DefCON to "walking into the lion's den." Lions are dangerous, but in predictable ways. And, he added graciously, "only lions walk into lion's dens most of the time."
My boss gave me the best advice, though, and it is advice that is relevant to all Security professionals and amateurs: decide what your risk tolerance is, know what your powers of protection are, understand what vulnerabilities are inevitable, calm down.
His advice was to find my own tolerance for risk and my own security posture, rather than to blindly follow the precautions that my peers find valuable. But it was also like the serenity prayer for Security: "SuperUser grant me the powers to protect the resources that I can, the serenity to accept the risks I cannot mitigate, and the wisdom to know the difference."
As I worked to assemble the supplies I knew I wanted -- a burner laptop so that I could use the Akamai VPN and not risk exposing the compliance data that lives on my usual work machine, an RFID-blocking wallet to hold my credit cards and ID, a battery charger for my cellphone for long days at the Con, extra sunscreen for my pale, freckle-prone skin -- I worked to build a working model of what I wanted to take away from DefCON and why I was attending.
It turned out to be pretty easy: I want to know if I'm a lion, too. The opportunity to walk into rooms full of brilliant people who care deeply about testing the limits of our social contracts and agreements, who live on the Internet where the normal boundaries and borders of our geo-political world are blurred, and who are more deeply committed to the cycle of build-and-break than many people in this world is a great one.
It's not clear to me yet if I will be a lion, a lion-tamer, or just a sheep in lion's clothes, but I know I am excited. I may not have prepared as well as some of my peers did, but I have a marked-up schedule, a gorgeous badge of my own, and I am ready to learn.
DefCON Day 1: The Lay of the Land
Between talks, the hallways of the convention center fill with slow-moving streams of people walking between rooms. The hallways aren't ever empty, though, even when the scheduled Con events are long over for the day. At 3am, there are still parties, contests, and social events happening all over the conference center, not to mention the flocks of people at every bar nearby.
The rooms of the convention center come in a few main flavors:
- The "Tracks": where talks take place on every subject from new 0days in routers to the ethics of working for the Feds;
- The "Villages": where people practice skills and offer demos in social engineering, lockpicking, electronics tampering, and more;
- The "Contests": where folks play Capture the Flag, and myriad other games, including Hacker Jeopardy; and
- The "Lounges": where DJs play, art installations blink and move, and folks congregate with coffee or beer.
There is no shortage of folks who seem to spend all their time in just one of those places: hanging out in the chill out café, the lockpick village, or the vendor room. Neither is there a shortage of people who never make it into any of the rooms because they find strangers and friends in the hallways and stop to talk or hack together. Folks tend to refer to this practice of targeted socializing as HallwayCon or LobbyCon.
With over 13,000 attendees, the Con has its own fleet of volunteers and organizers who check badges, enforce physical security, help speakers manage time and equipment, sell merchandise, and answer a million odd questions. All these folks are called the "Goons," and they wear shirts that identify them to the crowd. Despite the strong currents of anti-establishment and independence in the attendees that I met, I saw nothing but smiles and respect for the Goons; their work appeared to be as much about social cohesion as enforcement. One of the traditions that amused me most was that every new speaker was interrupted by Goons with a bottle of bourbon and toasted by the Goons before being allowed to complete their talk.
DefCON isn't one single community, though, and I met people whose affiliations varied wildly. Attendees are breakers, builders, government employees, and Fed-haters, just to cite some of the most-discussed differences. Diversity in other directions was more limited, though, and I saw many more white people than people of color. I saw more women, more kids, and more binary-breakers than I had been led to expect, though, which was a treat. Despite a million jokes about the "uniform" of the Con being jeans and a black t-shirt, there were plenty of creative costumes and innumerable blinky LED and EL wire accessories.
One of the most interesting accessories of the DefCON attendees is the intricate badge. Wired posted an article when this year's were revealed, which you can read here. The badges are part of a suite of branding materials that come complete with puzzles to solve and a contest to win for the final decryption. This year, the badges are heavy plastic designed to look like playing cards with the traditional suits replaced by 4 hacker media: phone (phreaking and communication), key (cryptology and building), disk (code and data), and jolly roger (piracy and breaking). The badges also had numerical codes, circuit diagrams, kanji, and other forms of communication on them. The branding carried through to the programs, art on the walls and floors, and installations in many of the conference rooms and lounges.
DefCON happens outside of the conference spaces, too, at parties sponsored by various groups, ranging from hacker consortiums to big companies. The parties happen all over Las Vegas, taking over fancy suites, restaurants, pools, bars, and more. Getting into parties is as much a contest as any of the official ones: party entrance schemes involved solving riddles to find parties, being given small trinkets that granted access to parties, social engineering your name onto secret lists, or being physically tagged by folks with stamps, markers, or cans of colored hairspray. Lest that sound too much like some hyperbolic movie representation, let me also tell you that the Con is also full of recruiters, full of folks disillusioned with the revelations of the last few years (WikiLeaks, Snowden, PRISM, etc.) looking for folks who might be able to save them, and more than a few folks who are there to sell something.
In other words, whatever it may have been in the past, DefCON, at 21 years of age, is old enough and big enough to be many different kinds of events at once, and the selection I saw has more to do with the people I met through my co-workers, the talks I attended, the shuttles I rode between hotels, and the contests in which I participated than with the nature of the event. As one colleague told me, "DefCON is what you make of it."