Akamai Diversity
Home > Web Security

Recently in Web Security Category

Public Compliance Docs: The List So Far (Updated Sept. 18)

As previously noted, Akamai InfoSec has been working to make its most sought after compliance documents publicly available. The goal is to make it easier for customers to access the answers they regularly seek, and also to show potential new customers how we operate. 

We're building the foundation in the form of a compliance page on the Akamai Security microsite, and hope to publish up to two fresh public docs a month. What follows is a list of what we've done so far.

Web Vulnerabilities: Low-Hanging Fruit for DDoSers

A new Akamai PLXsert whitepaper was released this morning: "Web Vulnerabilities: The foundation of the most sophisticated DDoS campaigns." The paper can be downloaded here

Security practitioners know this much from long experience: 

Attackers who successfully build botnets and launch DDoS campaigns start by exploiting web vulnerabilities. It is the low-hanging fruit. In the white paper, PLXsert explores specific examples of the exploitation of popular web content management systems and web management suites and how these compromises have led to the development of some of the most advanced and difficult-to-stop DDoS campaigns.

suspect-ddos-attack.jpg

It's fitting that the Akamai Edge customer conference is in October. It's the same month as National Cyber Security Awareness Month, and we'll have a robust security track at Edge.

How to evaluate a DDoS mitigation solution

How fast could your IT team stop a DDoS attack? IDG Research found that it takes an average of 10 hours before a company can even begin to resolve an attack. On average, an attack isn't detected until 4.5 hours after its commencement and typically an additional 4.9 hours passes before mitigation can commence. With outage costs averaging $100,000 per hour, it means that a DDoS attack can cost an Internet-reliant company $1 million before the company even starts to mitigate the attack.

Last year I launched the Akamai Security Podcast. Episode 1 was an interview with Akamai CEO Tom Leighton, who discussed the legacy of Co-Founder Danny Lewin, Akamai's role on 9-11-01, and his vision of Akamai as a major player in the security industry. This week being the anniversary of 9-11, it seems appropriate to re-share.

Listen HERE.

Related content:

9-11 Anniversary: Danny Lewin's Life and Legacy
Internet Security Central To Danny Lewin's Legacy

Akamai Offers Further Guidance to Blunt Linux DDoS Threat

Yesterday's advisory about attackers exploiting Linux vulnerabilities for DDoS assaults got a lot of attention. After hearing the feedback, we decided a follow-up post was necessary to help admins mount a better defense.

I spoke with David Fernandez, head of our Prolexic Security Engineering Research Team (PLXsert), and he offered additional details on the countermeasures.

First, for the basic details of the threat, check out yesterday's post.

Now for the next steps...

Linux Systems Exploited for DDoS Attacks

Linux users have a new threat to worry about.

According to Akamai's Prolexic Security Engineering Research Team (PLXsert), the bad guys have discovered a weakness in Linux systems they can exploit to expand their botnets and launch DDoS attacks. PLXsert released an advisory outlining the danger this morning.

  • The full advisory is available HERE.
  • Also read Akamai Security Advocate Dave Lewis' CSOonline blog post about the threat.

Let's make one thing absolutely clear at the outset: the time to think about the best options for cyber-threat mitigation is NOT when your network is being attacked. In the best-case scenario you will already have a mitigation strategy in place for defending against both network-layer and application-layer attacks. The most important thing to know when you are building a multi-layered approach to securing web applications is that security solutions aren't one-size-fits-all. You have several options to mix and match. Akamai's free eBook, "Threats and Mitigations: A Guide to Multi-Layered Web Security", gives you options for making the choices that best fit both your business and IT infrastructure requirements.

Reminder: Social Engineering Isn't Just An Online Threat

Shortly after DEF CON last month, friend and journalist Steve Ragan made an observation in his Salted Hash blog: People standing in the many long lines at the event were forgetting a basic social engineering risk.

6 Ways Young Upstarts Can Get Their Big Security Break

Interviewing Akamai InfoSec's summer interns recently, I was reminded of a six-step guide I wrote a few years ago for CSOonline on how young people can get their break in the industry. I think the suggestions are as valid today as they were then.

Also see: