With cyberthreats increasing in size and scope, businesses are scrambling to find new ways to protect their financial and human capital assets. Many enterprise solutions offer endpoint protection and network security, but the SMB sector doesn't have the budget to deploy enterprise security solutions and typically lacks the in-house expertise to keep their networks and users adequately protected. In particular, as employees bring mobile devices onto corporate networks, and with new attack variants being introduced almost daily, small and mid-sized businesses have no way of keeping up. This is where communications service providers (CSPs) can step in to provide a broad layer of protection, visibility, and control from within their own networks.
You've probably seen a long list of complaints from players, and it might even drive you to say, "If I can't keep them all happy, what's the point?" But some concerns deserve your attention, and most of those fall into a single theme.
In a word: friction.
Over the last two years, Akamai has seen an increase in the number of customers who wish to run their own review of Akamai, either to satisfy their own information security or risk management program, or to gain the expertise to explain Akamai to their regulators and consumers. This increase is due to a confluence of factors, from Akamai's increased global sales presence, to heightened regulation of certain verticals by governments and other organizations. We expect to see demand for custom assessments continue to grow in 2017 and beyond, and we expect the breadth and depth of questions from customers to increase as well.
The fourth quarter of 2016 was relatively quiet for web application attacks. The biggest sales season of the year usually signals a marked increase in the number of attacks for all customers - especially retailers. Many merchants breathed a sigh of relief at not being attacked during their most important shopping days.
The other half asks "May I please have some more (application security)."
Another lifetime ago, way back in 2014, I wrote that "updating WAF rules is like flossing: everybody knows they should be doing it, but it can be an easy step to forget and difficult to find the time to do it." At the time my conclusion was something along the lines of "so if you don't have time to do it, you should pay someone to do it for you". In hindsight that conclusion was flawed for two reasons. First, my analogy at that point got a little bit weird: who in their right mind would let someone else floss their teeth for them? By the same token, what if you don't trust a third party to update your rules for you? Some security professionals, quite rightfully, probably take better care of their apps than they take care of their own teeth, and they are perfectly capable, thank you very much, of taking care of their apps and their WAF rules themselves. Some of the larger eCommerce companies and banks, for instance, have teams of 4, 5 or even 6 full-time employees studying WAF rules, tuning configurations, and generally making sure that the bad guys are kept out while the good guys get through to their websites unmolested. Second, even if you are comfortable with someone else flossing your teeth or updating your rules, what if you can't afford to pay someone else to do it for you?
I recently spent time with Joe DeFelice. Joe is a Sr. Director of Enterprise Security & Infrastructure Engineering here at Akamai. He is responsible for IT risk and security, Akamai infrastructure architecture and engineering (network, voice, video, platform, messaging, etc.), as well as our Akamai On Akamai initiative, a program built around "sipping our own champagne", that is, how we can best use Akamai products in our own enterprise.
On February 1, 2017, security vendor Sucuri disclosed a severe vulnerability in the WordPress REST API affecting versions prior to 4.7.2. The vulnerability allows remote, unauthenticated and easily automated modification of blog post and page content by manipulating a request parameter. Sucuri, Inc. notified Akamai of this vulnerability in advance of the public disclosure, which allowed the Threat Research team to internally confirm exploitability and to develop a new rule for Kona Site Defender designed to protect customers from this vulnerability. It's important to understand the new WordPress REST API before we discuss the technical details of the vulnerability.
Many customers ask Akamai about Disaster Recovery testing and Business Continuity planning as a part of their due diligence or risk management process. Customers expect to see a governance document maintained by a central authority, a list of systems with Recovery Point Objectives (RPO), Recovery Time Objectives (RTO), and a documented testing plan that is enacted quarterly or annually. Akamai reframes these questions to better match our approach to continuity and recovery, all of which we include under the umbrella of "resilience."
Have you ever tried to log in to your favorite website and mistakenly typed the wrong user name or password once, or even twice? I bet you have. And what about submitting a third consecutive failed attempt? In most cases, at that point a well-defended website will start questioning whether the attempts are legitimate.
From a defense point of view, once abnormal usage is detected a website should throttle further login attempts and temporarily suspend the account or source, requiring an additional proof of authenticity before normal access resumes.
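The throttling described above, as an added illustration (this is example code written for this page, not Akamai's or any product's implementation): failed attempts are counted per account, the third consecutive failure locks the account for a period that doubles on each subsequent lockout, and a locked account rejects even the correct password so the lockout cannot be used to keep testing candidates. The in-memory store, the 3-failure threshold, the 30-second base lockout, the user name `alice` and the passwords are all constructed for the example; the password hashing is deliberately simplified.

```python
"""Per-account failed-login throttling with escalating temporary lockout.

Example code for this page. It assumes an in-memory state table and a
pluggable clock. A production deployment would keep the state in a shared
store (e.g. Redis) so limits hold across application instances, would use
a slow salted hash (bcrypt/scrypt/argon2) rather than SHA-256, and would
also throttle per source IP to catch attempts spread across many accounts.
"""
from dataclasses import dataclass
import hashlib
import hmac
import time

MAX_FAILURES = 3            # the third consecutive failure triggers a lockout
BASE_LOCKOUT_SECONDS = 30.0 # doubles with each further lockout of the same account


def password_store(plain_passwords):
    """Build {user: sha256 hex} from constructed sample credentials."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in plain_passwords.items()}


@dataclass
class AccountState:
    consecutive_failures: int = 0
    lockouts: int = 0          # how many times this account has been locked
    locked_until: float = 0.0  # clock value at which the current lockout ends


class LoginThrottle:
    def __init__(self, credentials, now=time.monotonic):
        self._creds = credentials   # {user: sha256 hex of password}
        self._state = {}            # {user: AccountState}
        self._now = now             # injectable clock (monotonic seconds)

    def _state_for(self, user):
        return self._state.setdefault(user, AccountState())

    def attempt(self, user, password):
        """Return 'ok', 'denied' or 'locked'.

        While locked, the password is not checked at all, so the response
        leaks nothing about whether a guess was correct during the lockout.
        """
        st = self._state_for(user)
        now = self._now()
        if now < st.locked_until:
            return "locked"
        expected = self._creds.get(user)
        supplied = hashlib.sha256(password.encode()).hexdigest()
        # Unknown users take the same hash-and-compare path as known users,
        # so timing does not reveal which user names exist.
        if expected is not None and hmac.compare_digest(expected, supplied):
            st.consecutive_failures = 0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_FAILURES:
            st.lockouts += 1
            st.locked_until = now + BASE_LOCKOUT_SECONDS * 2 ** (st.lockouts - 1)
            st.consecutive_failures = 0
            return "locked"
        return "denied"

    def seconds_remaining(self, user):
        """Seconds until the account's current lockout ends (0 if not locked)."""
        return max(0.0, self._state_for(user).locked_until - self._now())


def demo():
    """Walk through the scenario from the text with a fake clock."""
    clock = [1000.0]
    throttle = LoginThrottle(password_store({"alice": "correct horse"}),
                             now=lambda: clock[0])
    results = [throttle.attempt("alice", "wrong") for _ in range(3)]  # denied, denied, locked
    results.append(throttle.attempt("alice", "correct horse"))         # still locked
    clock[0] += BASE_LOCKOUT_SECONDS + 1                               # lockout expires
    results.append(throttle.attempt("alice", "correct horse"))         # ok
    return results


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner should weigh: a hard per-account lockout lets an attacker who knows a user name deny that user service by deliberately failing logins, which is why the lockout here is short and escalating rather than permanent, and why real deployments pair it with per-source throttling or a step-up challenge (CAPTCHA, second factor) instead of relying on account suspension alone.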
In common slang, FTW stands for "for the win", and while that's appropriate here, I think a better expansion is "for the world."
We're pleased to announce that we have sponsored the development of TLS 1.3 in OpenSSL. As it is one of the most widely used TLS libraries, this is a good investment in the overall health and security of the Internet, so that everyone is able to deploy TLS 1.3 as soon as possible.