Cyber-criminals are increasingly sophisticated and targeted in their attacks. If you are in charge of ensuring the security of your company’s website, it has not been easy going as these notable security incidents reveal:
There are numerous lessons to be learned from these breaches. Despite the growing stream of news stories about highly damaging attacks that compromise customer information, leading to lost sales and a significant impact on the reputations of brands, it is surprising how many organizations do not have adequate security measures in place. These topics will be covered in this paper. Discussions will include options organizations have to defend against cyber threats, from basic protection, to increasingly sophisticated defensive solutions.
The paper is organized as studies of the most popular digital content delivery use cases, the primary focal point of consumer engagement. The use cases are—online video delivery, ecommerce, and software and file download. Each study will look at cyber threats, the risks when not adequately securing web infrastructure and applications, and protections that can be implemented to defend against attacks. Proactive protections include securing content and data against theft, controlling access to digital assets, and keeping your website infrastructure available to users.
Comprehensive security measures can be grouped as follows:
The good news is you have options for implementing security solutions. If you are lucky enough to have the right skills in-house, you can handle it internally. However, a recent article in Forbes2 predicts there will be a global shortage of two million cyber security professionals by 2019. This is driving many companies to use external cloud security services for some or all protection measures. The increased sophistication and size of attacks makes it challenging to stay current on the latest defensive strategies and for on-premise security appliances to handle the volume of attack traffic. Increasingly, organizations are relying on cloud-based services, which are supported by security experts and have the global scale to present a large defense surface against today’s growing attack sizes.
Online consumer video and audio content has grown in popularity and availability, with video content expected to account for the majority of internet traffic by 2021 according to Cisco’s Visual Networking Index3. Given digital content’s importance in consumer entertainment and ecommerce, significant amounts of revenue depend on the quality of experience delivered to consumers. This use case will follow the journey of live streaming video content as well as video and audio on-demand. We will follow content from origin to delivery to consumers, the online cyber threats faced along the way, and the associated security measures that can protect against them.
Here is a typical online video distribution workflow:
Figure 1: Video Distribution Workflow
Most organizations that distribute online video or audio, whether live or on-demand, utilize Content Delivery Networks (CDNs) because of their global reach, integrated digital content management services, scalability and comprehensive cloud security services. Much of the media content you distribute, either licensed from third parties or your own, must be protected to maintain distribution rights.
Each step in the video workflow has unique security challenges—from ingesting content into the CDN, securely distributing it, controlling access, and protecting delivery webservers from attacks.
Starting with ingesting and moving the content through the CDN to where audience is located, content needs to be secured against eavesdropping and tampering of the communication. This can be accomplished by communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The primary benefit of the use of HTTPS is authentication of the website and protection of the privacy and integrity of the exchanged data. The first is to assure your users that they are interacting with your website and not an imposter site. This is done through a trusted certificate that verifies ownership of the destination, ensuring a safe online experience as users can be certain with whom they are communicating. The second role is establishing a TLS connection between users and the delivery webserver. Once this secured connection is setup, any content that passes over the connection can be encrypted using TLS, a standard security protocol for encrypting online communication between a web server and a browser.
TLS encryption can also play an important role in how media is transferred internally in media organizations involved in creation of digital content. For example, in film and television production, digital media often has to be electronically transferred between locations where scenes are shot and where editing and assembly take place. Encrypting media in transit using TLS prevents theft of these valuable assets while the media is being transferred.
According to the Online TV Piracy Forecasts Report Nov. 20174, revenues lost to online piracy of TV episodes and movies are expected to nearly double between 2016 and 2020 to $51.6 billion. OTT and other video distribution services that deliver rights protected video need to be able to only allow access to content only to authorized users. Protection can be provided by Digital Rights Management (DRM), a set of access control technologies for restricting the use of proprietary and copyrighted works. DRM encrypts content to prevent unauthorized access. License policies can then be created that define the access rights that are granted to users, such as sharing, recording, or viewing only. The request is then authenticated by the DRM server to ensure the content license is valid. Once the authentication process is successful, the player can unencrypt the video and play it for the end user.
The way DRM works is when a video file is encoded into streaming formats such as HLS or DASH, the encoder will also encrypt the files with media keys from a DRM server. There are multiple DRM encryption formats - the most widely used are Google Widevine, Microsoft PlayReady and Apple FairPlay. Each of these formats support selected devices, operating systems, and browsers. To reach the broadest possible audience, DRM support should include all three of these formats, resulting in Multi-DRM capability. A Video on Demand (VoD) library can be pre-encrypted in all three DRM formats and stored for play when requested. However, storing files in multiple different streaming and DRM formats requires significantly more storage than storing a single file format. A more cost efficient option is an implementation like Limelight’s MMD OD Multi-DRM On the Fly solution. Rather than pre-encoding and storing multiple versions of a file, Multi-DRM On the Fly encodes the file in the appropriate streaming format with DRM encryption as it is requested by the viewer. Storage costs are dramatically reduced by only storing a single master file for each video.
When licensing video content from a third party or serving customers in a specific location, there are often requirements to restrict access to viewers in specific geographic regions. A common use case is a live sports event that is blacked-out to the local region, usually to encourage attendance at the event. To know where a user is located, geolocation is determined from the user’s IP address, which is taken from the user request. A business rules engine compares that IP address against a database of geolocations, which has resolution to world region, country, city, and zip code. Based on that information about a viewer’s location, access is either approved or denied. Another useful capability from the IP database is detecting the use of a VPN or anonymizer designed to disguise a user’s location. Access will be denied to any request from an anonymizer.
All the measures put in place to secure digital media content against theft with encryption and access controls won’t matter if your website is victim to an attack intended to take your website offline. With the increased sophistication, size, and number of attacks, it’s critical to enable a layer of security in front of your website that mitigates the potential of Distributed Denial of Service (DDoS) attacks.
A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Attackers build networks of infected devices and computers, known as botnets, and by spreading malicious software through emails, websites and social media. Once infected, these machines can be controlled remotely, without their owners’ knowledge, and used like an army to launch an attack against any target. Botnets can generate huge floods of traffic to overwhelm a target. These floods can be generated in multiple ways, such as sending more connection requests than a server can handle. Specialized online marketplaces exist to buy and sell the services of botnets or individual DDoS attacks, such as the Mirai Botnet software used for many of the recent large attacks. Mirai is malware that turns online consumer devices such as IP cameras and home routers into remotely controlled “bots” that can be used as part of large-scale network attacks.
There are multiple ways to implement DDoS attack protection. On-premise DDoS attack interceptor appliances connected in-line with the internet service link can be effective against small-scale attacks. But today’s increasingly expanding attacks can cause potential issues with these solutions. Large-scale DDoS attacks can overwhelm premise-based devices, causing web sites to become unresponsive and unable to support legitimate user traffic. Defending against large-scale DDoS attacks requires a different approach.
CDNs by their nature of being huge globally distributed networks with large Points of Presence (PoPs) positioned around the world, can absorb volumetric flood traffic at Layer 3 and Layer 4 (two common DDoS vectors), providing passive attack mitigation against smaller attacks. To complement attack traffic absorption, CDNs can also offer active DDoS mitigation to defend against larger scale attacks.
The most effective and scalable DDoS detection and mitigation solution is the use of a CDN with in-network detection and attack mitigation. The distributed nature of DDoS attacks, with malicious traffic coming from multiple sources against a single target, can be quickly detected by a CDN that utilizes monitoring in multiple different geographic locations. By quickly detecting attacks, mitigation measures can be implemented much faster, minimizing any potential site downtime. In addition, on-network high-capacity regional scrubbing centers located in the same PoPs that are used to deliver CDN traffic, provide greater scalability and performance by not having to move traffic off CDN for scrubbing, and move the clean traffic back to the CDN.
Figure 2: Advanced Detection and Scrubbing System
This image illustrates how Limelight’s scalable cloud-based architecture provides uncompromising performance. An advanced detection system distributed at the network edge constantly monitors for malicious traffic. Once an attack is detected, the attack traffic is passed to the nearest scrubbing center to be filtered so only legitimate traffic is sent to the web server, preventing your bandwidth from being flooded with bad traffic.
TLS encryption and DDoS protection can protect data in transit and ensure your site is not taken offline by flooding it with malicious traffic, but they provide no protection against a web application attack because access to the website has to be made public. Web applications often have direct access to backend data such as valuable customer databases and are much more difficult to secure.
Similar to DDoS attack detection and mitigation, web application security is best achieved with a globally distributed infrastructure. This implementation leverages the CDN as an integral part of protecting websites. As shown in the diagram below, the WAF nodes are positioned between origin servers and the CDN.
Figure 3: WAF-CDN Integration Minimizes Performance Impact
One of the concerns with using a web application firewall is the potential performance impact of having to inspect all incoming requests to the web infrastructure to determine if they are malicious. By using WAF protection that is integrated into the CDN, performance impacts can be mitigated. CDNs cache static content to minimize requests to web servers. Since the WAF is deployed between the CDN and the origin web servers, only requests for content that is not cached by the CDN need to be sent to the WAF nodes. This reduces the amount of traffic that needs to be filtered by the WAF nodes, improving performance and reducing potential WAF performance bottlenecks.
The WAF detects attacks by filtering traffic according to rules from the Open Web Application Security Project (OWASP) ten most critical application security risks. The OWASP top 10 provides protection against the most common types of web attacks. In addition, custom rules can be developed to protect against other types of attacks that may be specific to a particular web site. WAF rules can be continually updated, as new attack threats are uncovered. When a new vulnerability is identified, a new security rule is created and pushed to all WAF nodes. Even “zero-day” attacks (new attack vectors that have not been previously seen) can be quickly identified and mitigated though the creation of new WAF rules.
Web Application Firewalls can also play the important additional role of protecting web applications against malicious automated bot traffic. Bots are software applications that are designed to automatically perform repetitive tasks on the internet. Bots generate a large amount of internet traffic. Many bots are malicious, but not all bots are bad. Criminal bots sniff out vulnerabilities, infect and control vulnerable machines, launch denial of service attacks, steal data, commit fraud, and more. At the same time, the internet depends on the beneficial bots that power search engines, monitor website health, scan for vulnerabilities, and do the behind the scenes work for digital assistants.
A Web Application Firewall can be used to differentiate the traffic coming from good bots and traffic coming from bad bots. Stopping bad bots and facilitating good bots is an important element in keeping ecommerce and other sites securely up and running and sustaining revenue generating web traffic. The bot manager is able to block traffic from malicious bots from reaching a website while ensuring beneficial bots are able to accomplish their tasks. Bot management helps secure web sites against attacks designed to steal sensitive data while ensuring fast customer experiences.
Securing your content and your web infrastructure requires a layered defense against malicious website attacks and unauthorized content access, that doesn’t impact the performance of web applications and content delivery. TLS encryption safeguards data so it cannot be intercepted in transit, and content security methods such as geo-fencing and DRM protection ensure only authorized users have access to content. DDoS attack mitigation protects against denial of service attacks intended to overload online services with large volumes of malicious traffic. Web Application Firewall and bot management protect web sites and web applications against malicious HTTP application layer attacks that are intended to compromise web sites and steal data.
Ecommerce and online retail continue to grow and account for an increasingly larger share of the total retail sales. The online engagement between shoppers and a retailer can take place on a web site or a dedicated mobile application and may include sensitive information such as credit card information. This use case presents several security challenges around protecting the online payment process, locking down web applications containing sensitive consumer data, and keeping the online shopping web site available 24X7. If a web application is breached and consumer data is stolen, 20% of consumers will stop going to that site5.
Critical cyber threat defenses to ensure secure online shopping experiences include DDoS attack protection, a web application firewall, and bot management.
The earlier discussions of DDoS attack protection, WAF, and bot management apply in this use case. The consequences of a successful and sustained DDoS attack against an ecommerce web site go beyond the obvious loss of revenue while the site is unavailable to shoppers. There is also a negative impact on brand reputation that can be long lasting. The most prevalent threats seen today are DDoS attacks.
This paper opened with examples of massive security breaches that compromised millions of consumer’s personal information. As disruptive as a DDoS attack can be, imagine having your customer’s credit card data stolen. Protecting your web application infrastructure against attacks requires both a WAF and Bot Management. Like the DDoS attack protection discussed earlier, the WAF discussion in the previous use case applies here.
With these security steps brand reputation and online revenue are maintained, web applications are protected from data theft, and online web sites are open for business 24X7.
If done right, delivering software updates and file downloads are an opportunity to enhance your brand, and an opportunity to interact with customers. A critical piece of providing the best experience is the security of your website in protecting customer’s private information.
To gain an understanding of the security measures needed here, let’s look at the typical workflow involved to develop and deliver software and file updates to devices over a CDN:
Figure 4: Delivering Software
Starting with the development cycle, it is common for the teams to be distributed geographically. As a result, file versions are managed and shared among locations. These transfers must be done securely to avoid compromising intellectual property, which means using TLS for encrypting them in transit.
At some point in the development cycle beta testing begins. Like developers, beta testers are geographically distributed, and their beta experience will influence brand perception. Here HTTPS is used for authentication of the visited website and for protection of the privacy and integrity of the exchanged data. As covered earlier, HTTPS is to assure your users that they are interacting with your website and not an imposter site. The second role of HTTPS is establishing a TLS (Secure Sockets Layer) connection between users and the delivery web server.
Whether the updates are for operating systems, applications, or devices, a common factor of all these is regional differences, specifically regarding language. The source IP address of a request for updates can be used to determine the country and region of the query via geolocation rules. With this information, a request can be redirected to a language specific download site, or denied due to restrictions on delivering software to a country or region.
Every customer interaction is an opportunity to enhance brand reputation. Implementing the security measures discussed here help ensure they have the best possible experiences each time they update software or devices.