2012 AKAMAI FASTER FORWARDTM

Extending Your Perimeter of Defense and Visibility
Patrick Sullivan, CISSP, GSLC
Jonathan Anderson, CISSP, GCED

What We've Seen, 2012 YTD
- 170 DDoS or malicious attacks on Akamai customers
- Multiple customers under attack almost every weekend through June
- Attack durations varied from hours to days
[Pie charts: Industry (Commerce, Digital Media, Enterprise, High Technology, Public Sector); Severity of Attack (High Impact, Moderate Impact, Low Impact); Geography (Americas, APAC, EMEA)]

Agenda: easy things you can do with Akamai to reduce your attack surface
- Protect your DNS and top level domain
- Disable unnecessary HTTP methods and query strings
- Limit unneeded information disclosure about your site
- Optimize caching policy for security
- Don't treat all pages equally
- Leverage Akamai's insights into attack tools
- Develop a DDoS runbook

Attacks targeting DNS have increased significantly in 2012
- Adversaries are spending more time thinking about DNS than defenders, across all adversary classes:
  - Recreational hackers: attacking for the lulz
  - Chaotic actors: hacktivism
  - Organized crime: profit motivated
  - State sponsored: nationalistic agenda
- Several high-profile managed DNS providers have suffered outages recently following DNS-based DDoS attacks

Is Your Top Level Domain Protected?
- www.example.com is CNAMEd to Akamai and protected
- DNS RFCs prevent CNAMEing the top level domain example.com
- Do you serve from http://example.com/? Possibly a direct route around Akamai to origin
- Options for the top level domain:
  - Perform a 301/302 at origin from example.com to www.example.com
  - Establish separate hosting to serve the redirects
  - Have Akamai edns manage the top level domain at the edge, which lets Akamai serve the redirects (Akamai Primary DNS is currently in Limited Availability)
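The apex problem above, as an added example that is not part of the deck: a small zone check that flags a CNAME at a name that also carries other records (the RFC 1034 rule behind "you cannot CNAME the top level domain"), lists the names that resolve straight to origin, and validates the recommended 301/302 from the apex to the www host. The zone records, the `.edgesuite.net.` CNAME target and the hostnames are constructed assumptions.

```python
# Added example (not from the deck): a zone sanity check for the apex problem.
# An apex (example.com) always carries SOA and NS records, so a CNAME cannot
# coexist there (RFC 1034 section 3.6.2); an A record at the apex instead points
# straight at origin, bypassing the CDN. The deck's cure is a 301/302 from the
# apex to the www host, which redirect_ok() validates.
from urllib.parse import urlsplit

# Constructed zone: (owner, type, rdata). 203.0.113.10 is a documentation address.
ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "A", "203.0.113.10"),
    ("www.example.com.", "CNAME", "www.example.com.edgesuite.net."),
]
EDGE_SUFFIX = ".edgesuite.net."   # assumed CDN CNAME target suffix

def cname_conflicts(zone):
    """Owners that hold a CNAME alongside any other record type (RFC violation)."""
    types = {}
    for owner, rtype, _ in zone:
        types.setdefault(owner, set()).add(rtype)
    return sorted(o for o, t in types.items() if "CNAME" in t and len(t) > 1)

def routes_around_edge(zone, edge_suffix=EDGE_SUFFIX):
    """Hostnames answered by something other than the CDN: A/AAAA records, or
    CNAMEs whose target is outside the edge suffix. Each is a path to origin."""
    names = set()
    for owner, rtype, rdata in zone:
        if rtype in ("A", "AAAA"):
            names.add(owner)
        elif rtype == "CNAME" and not rdata.endswith(edge_suffix):
            names.add(owner)
    return sorted(names)

def redirect_ok(status, headers, www="www.example.com"):
    """True if an apex response is a 301/302 whose Location is on the www host."""
    if status not in (301, 302):
        return False
    loc = headers.get("Location", "")
    return urlsplit(loc).hostname == www

if __name__ == "__main__":
    print("CNAME conflicts:", cname_conflicts(ZONE + [("example.com.", "CNAME", "x" + EDGE_SUFFIX)]))
    print("Direct routes to origin:", routes_around_edge(ZONE))
    print("Apex redirect OK:", redirect_ok(301, {"Location": "https://www.example.com/"}))
```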

Disable unnecessary HTTP Methods
- Do you need POST enabled for your entire site? It is enabled globally in most web servers and Akamai configurations
- Only accept the minimum HTTP methods that you require
- Enable POST only on URLs that require it
- Do not enable PUT, DELETE, OPTIONS, or TRACE unless truly needed
- Kona Site Defender protects against attacks that use POST:
  - Slow POST protection
  - Many WAF rules inspect POSTs for application layer attacks
  - Signature-based controls for many popular attack tools

Coming soon: Slow POST Controls

Increase Reconnaissance Work Effort
- Akamai can filter responses to eliminate verbose headers:
  - Rewrite the Server header
  - Remove X-Powered-By headers
- Whitelist Akamai Debug to specific IP addresses
- Remember robots.txt! Don't let Google expose vulnerabilities in your site.
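The two preceding recommendations (POST only where needed, PUT/DELETE/OPTIONS/TRACE never; Server rewritten and X-Powered-By removed) as one added example, not Akamai's code, written as a WSGI middleware so both policies can be exercised offline. The path policy, the `edge` Server value and the leaky `origin` app are assumptions.

```python
# Added example (not Akamai's code): a WSGI middleware applying two of the
# recommendations above at the application edge: accept only the HTTP methods
# each path needs (POST only where required; PUT, DELETE, OPTIONS and TRACE
# never) and scrub the Server and X-Powered-By headers that reveal the stack.
import re
METHOD_POLICY = [  # (path pattern, allowed methods); first match wins (assumed)
    (re.compile(r"^/(login|checkout)$"), {"GET", "HEAD", "POST"}),
]
DEFAULT_METHODS = {"GET", "HEAD"}          # read-only everywhere else
DROP_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
SERVER_VALUE = "edge"                      # generic value replacing origin's Server

def allowed_methods(path):
    for pattern, methods in METHOD_POLICY:
        if pattern.match(path):
            return methods
    return DEFAULT_METHODS

def scrub_headers(headers):
    """Drop stack-revealing headers and emit a generic Server header instead."""
    kept = [(k, v) for k, v in headers if k.lower() not in DROP_HEADERS]
    return kept + [("Server", SERVER_VALUE)]

def harden(app):
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        method = environ.get("REQUEST_METHOD", "GET").upper()
        allowed = allowed_methods(path)
        if method not in allowed:          # rejected before origin ever sees it
            start_response("405 Method Not Allowed", scrub_headers(
                [("Allow", ", ".join(sorted(allowed))), ("Content-Length", "0")]))
            return [b""]
        def sr(status, headers, exc_info=None):
            return start_response(status, scrub_headers(headers), exc_info)
        return app(environ, sr)
    return wrapped

def origin(environ, start_response):
    """Constructed origin app that leaks its stack in response headers."""
    start_response("200 OK", [("Server", "Apache/2.2.22 (Ubuntu)"), ("X-Powered-By", "PHP/5.3.10")])
    return [b"hello"]

def call(app, method, path):
    """Drive a WSGI app in-process; returns (status, headers dict, body)."""
    seen = {}
    def sr(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, sr))
    return seen["status"], seen["headers"], body
```

The same allowlist belongs in the real edge or web-server configuration; the middleware only makes the policy testable.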

Optimizing Configuration for Security
- Do you need query strings to be included in your cache keys? If not, having Akamai ignore them will reduce attack surface
- With Kona, Akamai can protect against HTTP request floods:
  - Rate controls can be used to monitor uncacheable parts of the site
  - Signature-based controls can screen for specific attack tools
  - Network layer and geographic controls
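Why the query-string cache-key question matters, as an added example that is not from the deck: a cache-key builder with three policies replayed against a constructed 1000-request flood that appends a unique parameter to the home page URL. `ALLOWED_PARAMS` and the sample URLs are assumptions; the allowlist policy goes beyond the deck's ignore-or-include choice to show the middle ground for pages that do depend on a few parameters.

```python
# Added example (not from the deck): each distinct cache key is a miss that
# reaches origin, so a flood that varies a junk query parameter becomes an
# origin flood unless the key ignores the query string, or keeps only the
# parameters the application actually reads (ALLOWED_PARAMS is assumed).
from urllib.parse import urlsplit, parse_qsl, urlencode

ALLOWED_PARAMS = {"page", "sort"}

def cache_key(url, policy):
    """Build the cache key for a URL under one of three query-string policies."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if policy == "include_all":          # every parameter, as the origin sees it
        kept = pairs
    elif policy == "allowlist":          # only parameters the app uses
        kept = [(k, v) for k, v in pairs if k in ALLOWED_PARAMS]
    elif policy == "ignore":             # query string dropped entirely
        kept = []
    else:
        raise ValueError("unknown policy: %s" % policy)
    qs = urlencode(sorted(kept))          # sorted so parameter order cannot split the cache
    return parts.path + ("?" + qs if qs else "")

def simulate(urls, policy):
    """Replay requests against an empty cache; return (origin_hits, edge_hits)."""
    cached, origin_hits, edge_hits = set(), 0, 0
    for url in urls:
        key = cache_key(url, policy)
        if key in cached:
            edge_hits += 1
        else:
            cached.add(key)
            origin_hits += 1
    return origin_hits, edge_hits

# Constructed traffic: a 1000-request flood with a unique cache-busting
# parameter each time, and two legitimate requests differing only in order.
FLOOD = ["https://www.example.com/?cb=%d" % i for i in range(1000)]
LEGIT = ["https://www.example.com/?page=2&sort=price",
         "https://www.example.com/?sort=price&page=2"]

if __name__ == "__main__":
    for policy in ("include_all", "allowlist", "ignore"):
        print(policy, "flood:", simulate(FLOOD, policy), "legit:", simulate(LEGIT, policy))
```

Use "ignore" only for pages whose content does not vary with the query string; otherwise the allowlist keeps legitimate variants distinct while the flood still collapses to one key.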

Query String Attack Demo

Special Considerations for your Landing Page
- www is a very frequent target of attacks
- Is Akamai treating your home page differently for you?
  - Redirects at the edge
  - Dynamic page caching provides a very powerful defense for the homepage

Design Considerations for Login Page(s)
- Our customers are seeing frequent abuse of login pages
- Attacks appear to be leveraging large databases of compromised credentials
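Detection logic for the login-page abuse described above, as an added example that is not part of the deck: it runs over constructed auth log lines and flags sources that try many distinct accounts in a short window with a low success rate, the signature of replaying a leaked credential list rather than guessing one user's password. The log format and the thresholds are assumptions.

```python
# Added example (not from the deck): detection for credential-list abuse of a
# login page, run over constructed auth log lines. Unlike a classic brute force,
# one source tries many distinct usernames, about once each, mostly failing.
# Log format and thresholds are assumed; tune them to your own traffic.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2012-09-01T10:00:01 198.51.100.7 alice FAIL
2012-09-01T10:00:02 198.51.100.7 bob FAIL
2012-09-01T10:00:03 198.51.100.7 carol FAIL
2012-09-01T10:00:04 198.51.100.7 dave OK
2012-09-01T10:00:05 198.51.100.7 erin FAIL
2012-09-01T10:00:06 198.51.100.7 frank FAIL
2012-09-01T10:01:00 203.0.113.5 alice FAIL
2012-09-01T10:01:05 203.0.113.5 alice FAIL
2012-09-01T10:01:10 203.0.113.5 alice OK
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log):
    """Return (time, client_ip, username, succeeded) for each well-formed line."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2),
                           m.group(3), m.group(4) == "OK"))
    return events

def credential_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success=0.2):
    """Map ip -> (distinct_users, success_ratio) for sources that try at least
    min_users different accounts within one window at a success ratio no higher
    than max_success. A user retyping one password is one account: not flagged."""
    by_ip = defaultdict(list)
    for t, ip, user, ok in events:
        by_ip[ip].append((t, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):      # window starting at each event
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            users = {u for _, u, _ in win}
            ratio = sum(ok for _, _, ok in win) / len(win)
            if len(users) >= min_users and ratio <= max_success:
                flagged[ip] = (len(users), round(ratio, 2))
                break
    return flagged
```

Distributed campaigns spread the same pattern across many sources, so in practice the same counting is also worth doing per username and per password-hash bucket, not only per IP.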

Develop a DDoS Runbook
- Have a plan ready to execute for when you are attacked: procedures, contacts
- Akamai can help provide some best practices based on our lessons learned from managing so many DDoS attacks with our customers

Summary
- Lots of low-hanging fruit to address when hardening your site: top level domain, HTTP methods, query strings, default landing page, login page, etc.
- DDoS runbook: what would you do if you came under attack?
- Come visit us at the Security Booth to see more attack demos:
  - Slowloris: slow POST
  - Nikto: XSS
  - Havij: SQLi
  - HOIC with custom booster pack
  - Siege: brute-force DDoS
  - Query string manipulation
  - Hydra: brute-force login

Edge App Session Evaluations: how it works
- Click on the agenda icon
- Select the session you are currently attending
- Click on the surveys tab
- Click on the session survey made available at the start of your session
- Complete the session survey
- Get points for the Akamai Conference Game and win prizes