Bonus Post: Takeaways from the Akamai Government Forum
Today we had the pleasure of bringing both a government and now client-advisory perspective to the Akamai Government Forum in Washington, DC, and wanted to share quick takeaways from the day.
Akamai touches about one-third of the HTTP traffic on the internet today and as much as two-thirds of recursive DNS lookups. They see, model, and prevent so many of the attacks in our modern cyber-warfare climate that they are in a key position to socialize ideas and help stakeholders take action in securing their digital infrastructure.
Cyber Security Threats are Evolving and Attacks are Increasing
Two big takeaways from today are:
- In addition to the attacks of old (scanning for unpatched systems, generic phishing emails, and brute-force attacks against the “front door” of the network infrastructure), attackers are getting much more savvy in their approach: LDAP-based denial-of-service attacks, spear-phishing emails, and internet-of-things devices leveraged as attack vectors are now becoming common.
- The attack volume has dramatically increased. Where just a few years ago a multi-gigabit DDoS attack was rare, we have now seen attacks at terabit scale, and they are only going to grow.
Zero-Trust is the New Way of Operating, by Necessity
Coming up through the ranks of enterprise IT and network operations back in the day, the “trusted” model of a three-tier network architecture (external, DMZ, and internal) made a lot of sense. But with so many recent compromises in both the private and public sector, the idea that “everything has already been compromised” has become prevalent. That mindset is now shifting to the flip side of the same coin: “don’t trust anyone,” aka Zero-Trust, is the next wave of doing business for security professionals.
Zero-Trust involves many layers in the approach to securing an organization, but some of the highlights are:
- VPNs should be a thing of the past for user-based connections. Gone are the days when you could trust a user endpoint to be safe and grant it access to an entire segment of your internal network just because it came in through a VPN or matched a hard-coded firewall rule.
- Just because a user or device is behind the firewall doesn’t mean it can be trusted. Internal traffic should pass through the same traffic, application, and inspection rules that you apply to external connections. In fact, because internal connections can reach more sensitive resources, a compromised one is the more dangerous of the two.
- Don’t trust DNS by default. This one is tough, and attackers exploit it precisely because DNS runs the internet and nothing works without it. Our previous posture was therefore to allow DNS traffic carte blanche as a critical service and call it a day. Akamai is now providing services that monitor DNS lookups and block malware, hijacking, and ransomware attacks before they even get started. Think about it: if Akamai has lists of known bad-actor IP addresses and domain names, and has done its homework on DNS registrants, it can squelch any network call to a known bad actor at the moment the initial lookup occurs. This is tremendously powerful, prevents a great many attacks, and lets your security professionals spend their time in areas with more impact. The caveat is that it only helps for lookups that actually go through the filtering resolver, so clients that use a hard-coded or encrypted (DoH/DoT) resolver of their own need to be redirected or blocked at the egress.
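To make the DNS-filtering idea concrete, here is an added example (not Akamai's code, nor the post's own) of the two gates a protective resolver applies: refusing a lookup whose name matches a blocklist (including parent-domain matches, with allowlist exceptions and IDNA normalisation so homoglyph names are compared in their wire form), and refusing an answer whose resolved addresses fall in known-bad networks even when the name itself is not yet listed. The indicator lists and sample lookups are constructed from reserved `.example` names and documentation IP ranges, not real threat intel.

```python
"""Protective-DNS style filtering: decide on a lookup before it leaves, and on the
answer before it is handed back. Added example, not Akamai's or the post's code;
the indicators below are constructed from reserved names and documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample threat intel (reserved .example names and TEST-NET ranges,
# not real indicators). Assumed to come from a feed like the one described above.
BLOCKED_DOMAINS = {"malware-c2.example", "phish-login.example", "ransom-drop.example"}
ALLOWED_DOMAINS = {"safe.malware-c2.example"}   # explicit exception beats a suffix match
BLOCKED_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),    # stand-in for known bad hosting (TEST-NET-2)
    ipaddress.ip_network("2001:db8:bad::/48"),  # stand-in IPv6 range (documentation prefix)
]


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow" or "block"
    reason: str


def normalize_name(name: str) -> str:
    """Canonicalise a query name the way it appears on the wire: strip the root
    dot, IDNA-encode Unicode labels (so homoglyph names are compared in their
    xn-- form rather than as display text) and lowercase. Raises UnicodeError on
    names that cannot be encoded (empty or over-long labels)."""
    name = name.strip().rstrip(".")
    return name.encode("idna").decode("ascii").lower()


def suffixes(name: str) -> Iterator[str]:
    """a.b.example -> a.b.example, b.example, example (most specific first)."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class DnsFilter:
    def __init__(self, blocked_domains: Iterable[str], blocked_networks,
                 allowed_domains: Iterable[str] = ()):
        self.blocked_domains = {normalize_name(d) for d in blocked_domains}
        self.allowed_domains = {normalize_name(d) for d in allowed_domains}
        self.blocked_networks = list(blocked_networks)

    def check_query(self, qname: str) -> Verdict:
        """First gate: decided on the name alone, before any recursion happens."""
        try:
            name = normalize_name(qname)
        except UnicodeError:
            return Verdict("block", "malformed query name")   # fail closed
        # Walk from the most specific label outward so an allowlisted child wins
        # over a blocklisted parent, and a blocklisted parent catches any child.
        for candidate in suffixes(name):
            if candidate in self.allowed_domains:
                return Verdict("allow", f"allowlisted via {candidate}")
            if candidate in self.blocked_domains:
                return Verdict("block", f"blocklisted via {candidate}")
        return Verdict("allow", "no list match")

    def check_answer(self, qname: str, addresses: Iterable[str]) -> Verdict:
        """Second gate: inspect the A/AAAA records before returning them, which
        catches a freshly registered name that points at known bad hosting."""
        for addr in addresses:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                return Verdict("block", f"unparseable address {addr!r}")
            for net in self.blocked_networks:   # membership is False across IP versions
                if ip in net:
                    return Verdict("block", f"{qname} resolves to {addr} in {net}")
        return Verdict("allow", "answer addresses clean")

    def resolve_with_policy(self, qname: str, resolved: List[str]) -> Verdict:
        """Both gates in the order a resolver would apply them. `resolved` stands
        in for the answer the recursive lookup would have produced."""
        verdict = self.check_query(qname)
        if verdict.action == "block":
            return verdict
        return self.check_answer(qname, resolved)


# Constructed sample traffic: (query name, addresses the lookup would return).
SAMPLE_LOOKUPS = [
    ("www.example.org.", ["203.0.113.10"]),          # clean, trailing root dot
    ("MALWARE-C2.example", ["203.0.113.11"]),        # listed name, mixed case
    ("cdn.phish-login.example", ["203.0.113.12"]),   # child of a listed name
    ("safe.malware-c2.example", ["203.0.113.13"]),   # allowlisted exception
    ("new-lure.example", ["198.51.100.20"]),         # unlisted name, bad IPv4 hosting
    ("new-lure6.example", ["2001:db8:bad::1"]),      # unlisted name, bad IPv6 hosting
]


def run_samples(flt: Optional[DnsFilter] = None) -> Dict[str, Verdict]:
    flt = flt or DnsFilter(BLOCKED_DOMAINS, BLOCKED_NETWORKS, ALLOWED_DOMAINS)
    return {q: flt.resolve_with_policy(q, addrs) for q, addrs in SAMPLE_LOOKUPS}


if __name__ == "__main__":
    for qname, verdict in run_samples().items():
        print(f"{verdict.action:5s} {qname:28s} {verdict.reason}")
```

The suffix walk is what gives a single blocklist entry coverage over every subdomain an attacker spins up under it, while the explicit allowlist check at each level lets you carve out a known-good child without unblocking the parent. Walking the answer as well as the question is the cheap way to catch throwaway domains that point at infrastructure already on the list.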
Identity Management is Crucial
Baked into the Zero-Trust model is knowing who is accessing systems and sending traffic on your networks. The days when a username and password combination was good enough for widespread access to technology services are gone. We have to move to a model where we validate a user’s identity with multi-factor authentication (for government that means PIV/CAC cards plus a PIN, at least), shorten the window a user can stay authenticated before being re-validated, and then grant access to data and resources on a least-privilege basis. Neither government nor the private sector can afford to lose command and control of the identity and authentication of their users any longer.
Best Practice Digital Hygiene Helps Tremendously
We saw two great presentations, one from the FBI and one from DHS, going into great detail about the depth and complexity of the current state of cyber defense across the government. Both echoed a sentiment we have seen lately that makes us hopeful: teaching people and organizations some basic best practices for digital hygiene goes a long, long way toward preventing mistakes. You will see more from us in the coming days on how to put this into action, but the basic steps to secure your organization’s infrastructure and user accounts can start small and stay manageable, and they will pay dividends.