Akamai Edge attendees will hear the names of two security vulnerabilities a lot this week: Shellshock and Heartbleed. Both shook the security industry to the core this year, and Akamai security staff spent countless hours working to protect customers against these threats.
A look at two of six security holes summarized last week in six CVE advisories. These were the last two to be published late last week.
CSO Andy Ellis’ update to customers on the Shellshock situation, published Thursday afternoon.
CSO Andy Ellis’ first post regarding the threat.
Akamai Launches New Protection for Shellshock-Bash
An update on what Akamai is doing to protect customers from the Shellshock-Bash vulnerability, by Akamai Director of Product Marketing Daniel Shugrue.
Shellshock-Bash CVE List: Where Akamai Fits In
A look at all of the CVE advisories now in circulation, and how they relate to Akamai’s mitigation strategies, by Akamai CSO Andy Ellis, Akamai Chief Security Architect Brian Sniffen, and Akamai Senior Program Manager Bill Brenner.
Shellshock Bash Explained
In this podcast, Akamai’s Martin McKeay, Michael Smith and Bill Brenner discuss the Shellshock Bash bug and what Akamai is doing to keep customers secure.
Through The Bashdoor
The Shellshock story as told by Akamai’s Security Platform Statistics, by Ezra Caltum, Adi Ludmer and Ory Segal
The Evolution of TLS/SSL – Improving the Foundations of Internet Security: In the wake of the Heartbleed vulnerability, attention has turned to TLS, the fundamental building block of Internet encryption and authentication. In this session we’ll look at the evolving TLS standard and concentrate on new ciphers, authentication mechanisms, and asymmetric key changes – how they propose to impact the security of our data, and considerations for implementation and performance.
In recent months we’ve also released blog posts and a podcast outlining what Akamai has been doing to mitigate the vulnerability. All posts were written by CSO Andy Ellis:
The Brittleness of the SSL/TLS Certificate System
Despite the time and inconvenience caused to the industry by Heartbleed, its impact does provide some impetus for examining the underlying certificate hierarchy.
Podcast: CSO Andy Ellis on Heartbleed
My “lessons learned” interview with Andy.
Heartbleed: A History
A history of Heartbleed.
During the Heartbleed crisis, we gave a series of updates in The Akamai Blog. This was the third such update, which captured all the important points.
Each year at Akamai Edge we update customers on some of the more persistent threats we’ve dealt with in the 12 months prior. Slides detailing the 2013 threat picture are available here. For an idea of what we’ll be sharing at Edge 2014 in a couple weeks, I’ve assembled this primer.
Web Vulnerabilities: Low-Hanging Fruit for DDoSers
About a new Akamai PLXsert whitepaper released last week: “Web Vulnerabilities: The foundation of the most sophisticated DDoS campaigns.”
David Fernandez, head of our Prolexic Security Engineering Research Team (PLXsert), offers additional details on the countermeasures for the Linux DDoS threat.
Linux Systems Exploited for DDoS Attacks
Linux users have a new threat to worry about. According to Akamai’s Prolexic Security Engineering Research Team (PLXsert), the bad guys have discovered a weakness in Linux systems they can exploit to expand their botnets and launch DDoS attacks.
On Wednesday, 2014-08-06, the OpenSSL Project disclosed nine low- and moderate-severity vulnerabilities, with details published here. These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.
Hackers “Join” World Cup 2014 Matches on the Web
George Orwell once said, “International football is the continuation of war by other means.” As we will demonstrate in this post, Mr. Orwell was spot-on: according to statistics on web application layer attacks collected by Akamai’s Cloud Security Intelligence platform, the 2014 World Cup soccer matches spurred sophisticated cyber attacks between soccer-fan hackers on competing sides.
Highlights of Prolexic Attack Report for Q2 2014
As attacks go, the second quarter of 2014 was quieter than the first. But when you compare the numbers to this time last year, that’s of little comfort. According to Prolexic’s newly-released attack report for Q2 2014, the rate of DDoS attacks rose 22 percent over the second quarter of 2013.
Blackshades RAT is a Serious Threat
Akamai’s Prolexic Security Engineering & Research Team (PLXsert) is warning companies of stealth surveillance and computer hijacking attacks by the Blackshades Remote Administration Tool (RAT) crimeware kit.
State of the Internet: Fewer Attacks Than Previous Quarter
The latest Akamai State of the Internet Report is out. Here’s a look at what we saw on the security front in the first quarter of 2014.
Anonymous Continues Targeting World Cup
In which we monitored attempts by Anonymous and others to cause Internet disruptions during the World Cup. Here’s how those attacks are playing out in the media.
World Cup 2014 Attack Targets
Attack targets were under the gun as soon as the World Cup started.
Threat Advisory: High-Risk Zeus Crimeware Kit
Akamai’s PLXSert team has discovered new payloads from the Zeus crimeware kit in the wild, deeming it “high risk” in an advisory.
Fresh Wave of Online Extortion Attacks Underway
Akamai CSIRT has identified a trend in online extortion that has the potential to impact customer websites and their users.
OpenSSL vulnerability (CVE-2014-0224)
The OpenSSL Project disclosed new vulnerabilities in the widely-used OpenSSL library. These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.
PLXsert Eyes Spike in SNMP Reflection DDoS Attacks
Akamai’s Prolexic Security Engineering Research Team (PLXsert) has seen a significant resurgence in the use of Simple Network Management Protocol (SNMP) reflection attacks this past month.
The Brittleness of the SSL/TLS Certificate System
Despite the time and inconvenience caused to the industry by Heartbleed, its impact does provide some impetus for examining the underlying certificate hierarchy. (As an historical example, in the wake of CA certificate misissuances, the industry looked at one set of flaws: how any one of the many trusted CAs can issue certificates for any site, even if the owner of that site hasn’t requested them to do so; that link is also a quick primer on the certificate hierarchy.)
Podcast: CSO Andy Ellis on Heartbleed
By now, most of you are aware of the Heartbleed vulnerability that sent shockwaves through the tech industry. Like many of you, Akamai had to work overtime to ensure our customers were protected. We did that, but as is the case with any large security threat, we continue to be vigilant and, while letting everyone know what we did to keep them secure, we’re looking back at the lessons learned and how to turn it into even better security going forward. The details in this episode are not new, as CSO Andy Ellis has blogged at length about it. I’ve included those links below. But with so many of us working overtime to address Heartbleed, this was my first opportunity to sit down with Andy and discuss it.
Interviewing Akamai InfoSec’s summer interns recently, I was reminded of a six-step guide I wrote a few years ago for CSOonline on how young people can get their break in the industry. I think the suggestions are as valid today as they were then.
Written April 24, 2010…
If you’re young, breaking into the security industry can be difficult.
Companies have either suffered a data security breach or live in fear of one. So when they’re hiring new IT security personnel, they want years of experience. If you’re fresh out of college, that’s a problem.
Another problem is that security practitioners are control freaks by nature. They have to be, if you stop and think about it. They have a huge responsibility, and delegating some of the work to younger pups is a lot to expect.
But here’s the problem: The future of information security is in the hands of the youth. That may seem a clichéd statement, so obvious it sounds stupid. But it’s a fact.
This column isn’t an invitation for young upstarts to cry and lament about the disadvantages they have. Instead, it’s about a few things you can do to break through and make it in the industry. Think of it as suggestions for becoming a security rock star, which you almost have to be to make a difference these days.
This morning I’m at Security B-Sides Boston, listening to a talk from someone who is fighting this battle right now. Joseph Sokoly, a security analyst at NetBoundary, recently gave a talk at the Austin, Texas B-Sides event about the troubles of being young in the security industry. This time, he’s in Boston giving an update on where his career trajectory has taken him in the weeks since then.
He has found that breaking into the security community is not nearly as hard as it first seemed. In fact, his career got a big boost simply because he had the guts to stand up in front of people and give his talk. “Giving the talk in Austin helped me tremendously,” Sokoly said. “It has opened doors. My being here is a result of that. First, the positive reaction from the community encouraged me not just to listen but to speak again.”
His Austin talk has also inspired security heavyweights like Chris Hoff and James Arlen to look at establishing a mentor program to coincide with this summer’s B-Sides Las Vegas event.
“Being proactive works. Put yourself out there and things will open up, but speaking doesn’t have to be it. Use Twitter. Start blogging,” Sokoly said. He’s absolutely right.
His suggestion that young security practitioners speak up and force others to take notice isn’t a new concept. But it’s advice that too few people take.
Instead, prospective employees try to let their raw technical ability do the talking. They get so bogged down in the technical that they ignore the cultural. It’s unfair to be frozen out, especially if your skills are well above those of someone who gets the job simply because they’ve been kicking around as an employed security practitioner for five or more years. In other words, because they’ve simply managed to survive.
But life is always going to be unfair, so it’s better to focus on ways to get ahead. In that spirit, here are some suggestions, which I’ve admittedly borrowed from Sokoly. Call this imitation that’s meant to be a form of flattery, because what he said makes sense.
1. Learn how to write: Like it or not, writing is part of your job in the information age. You can’t make a difference simply by knowing how to configure a NAC system or do penetration testing. You have to be able to tell colleagues, bosses and business partners what you are doing, in their language. You’ll have to do this in board presentations and in reports. And if you really want to make a difference, you can share your experience by blogging. That gets you noticed, and in many cases will get you hired.
2. Learn How to Talk: The days of a security administrator holing up in a dark room shut off from the outside world are over. You have to be able to articulate what you’re trying to do in the spoken word. This isn’t just about learning how to be a good public speaker, though that is of high value. Learning to talk means learning to speak the language of those who decide how much budget you get for security or who gets hired.
3. Learn how to dress: This might sound weird, because most practitioners will dress according to the requirements of their employer. That could mean suit and tie, business casual, or something in between. But then there are times to dress to match the crowd you are in, particularly at security conferences. Business attire won’t help you network in a crowd of hackers at ShmooCon or DEFCON. Dressing like a punk rocker won’t cut it at a more C-level event.
4. Master social networking: You can be shy as can be and still be heard thanks to the world of social networking. Set yourself up on Twitter, Facebook and LinkedIn and share what you know. If you know what you’re talking about, people will follow you, including prospective employers.
5. Learn to work with suits AND mohawks: One of the problems in security today is that the profession is split into two groups who don’t communicate well: The executive-level suit and tie CSOs working for billion-dollar corporations or high-level government agencies, and the torn jeans-wearing, ear-pierced researchers. You can see the cultural chasm clearly when you go to a conference like ShmooCon and then something like CSO Perspectives. If you work on being able to communicate and work in both crowds, your stock will rise considerably.
6. Get to conferences: This one is easier said than done, because conferences cost money that you may not have. There are ways around that. Some companies will send interns to security events to get some real-world experience. If you blog, some conferences will give you a free press pass so long as you write about the conference in your blog. Then there are events like B-Sides, which are free and held on an ongoing basis around the country. These events are full of knowledge. But just as importantly, these are places to meet people. The more people you meet, the more you know, and the more you know, the better your career prospects.
None of this is scientific advice, backed up with statistics and other data. It’s my personal observation as a security journalist. I hope it helps.