Locks In the Time Of Lock-pickers

TL;DR; How much security is enough in a world where malicious agents are always devising new attack vectors to compromise your product? In a fast-moving work environment, security tends to be overlooked and parked in several product backlogs until a fire drill brings the work to the fore. The focus of this piece is to share some basic hygiene and common-sense tactics that cover most of your bases. It is by no means exhaustive, but it is prescriptive enough to move you towards a more secure environment.

Here Be Lock Pickers

In a world where attackers are constantly looking for vulnerabilities to find a way into the “walled garden”, how does one protect what needs protecting? Oftentimes, it’s the simplest things that cause a breach, even in an environment that seems ultra secure. In an ever-changing threat landscape, it pays to get some of the basics right first.

Batten The Hatches

History is filled with epic battles that were won because forts were impregnable. These forts had ingress and egress protection: they controlled how someone could come in and created multiple layers and perimeters of defence, so that at each layer the attacker was faced with overcoming a different type of defence.

Most compromises and breaches occurred because allowances were made, perhaps for practicality, which were then exploited and led to the fall of the fort. In a digital world, your infrastructure is your fort, and we’re going to talk about all manner of protection tactics against external agents as well as your own team members!

My Precious

Gollum doted on an all-powerful ring; what is precious to your organisation? There is customer data and the copyright-protected content that we monetize on our platform. Both of these are the most important things to protect. Put your most precious items in your “fort” and then build up defences around them. Content and customer data are at the core, and the attack surface around them has two facets: the customer-facing vector and the exposure from internal sources.

Customer Facing Hardening

The place we do our business is also the primary attack surface. What can we do to limit our exposure? 

Exchanging Data : Ingress & Egress Security

  • Use HTTPS on all communication with the back-end systems
  • Use token-based authentication schemes so that only authorised clients can access the back-end systems
  • Sign URLs whenever possible as an additional protection
  • Switch websites to be HTTPS only
  • Use secure file exchange protocols if your content will be in motion

Handling Data / Content : Security at Rest

  • Encrypt customer data if you’re storing it locally
  • Pin certificates into your mobile applications to avoid man-in-the-middle attacks
  • Tie data access to customers via short-lived access tokens
  • Use DRM schemes where mandated and where feasible
  • Don’t handle credit card data if at all possible (use vaults)
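Two of the points above, signing URLs and tying data access to a customer via a short-lived token, can be handled by one mechanism: an HMAC over the resource path, the customer id and an expiry, appended to the link. The example below is added here and is not code from the original post; the signing key, the `cid`/`exp`/`sig` parameter names and the `/video/...` paths are constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key: in practice load it from a secrets manager and rotate it.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _canonical(path: str, customer_id: str, expires: int) -> bytes:
    # Everything the signature must protect: the resource path, the customer the
    # link was issued to, and the expiry time. Changing any of them breaks the MAC.
    return f"{path}|{customer_id}|{expires}".encode()


def sign_url(path: str, customer_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return path?cid=...&exp=...&sig=... that is valid for ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    mac = hmac.new(SIGNING_KEY, _canonical(path, customer_id, expires), hashlib.sha256)
    query = urlencode({"cid": customer_id, "exp": expires, "sig": mac.hexdigest()})
    return f"{path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (True, customer_id) for a valid, unexpired link, else (False, reason)."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        cid, exp, sig = params["cid"][0], int(params["exp"][0]), params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed parameters"
    expected = hmac.new(SIGNING_KEY, _canonical(parsed.path, cid, exp), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature bytes cannot be guessed via timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # The expiry is covered by the MAC, so a client cannot simply extend it.
    if now >= exp:
        return False, "expired"
    return True, cid


if __name__ == "__main__":
    link = sign_url("/video/ep1.m3u8", "cust-42", ttl_seconds=300)
    print(link)
    print(verify_url(link))
```

The same check rejects a link whose path or customer id has been edited, because both are part of the signed string.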

Perimeter Defences

  • Use a good WAF (Web Application Firewall). You get what you pay for!
  • Ensure volumetric controls are in place for DDoS attacks
  • Ensure rules are reviewed and tweaked frequently
  • Guard your origin with everything you’ve got! Mask it and whitelist IP ranges for access.

Reduce Your Attack Surface

  • Block all ports that are not used. Question aggressively why the ports that are in use are in use.
  • Reduce the number of public-facing systems.
  • Go gardening! Create network “walls” around your systems so that you tightly control what goes in and out. Avoid promiscuous network settings.
  • Whitelist access to authorised systems only
  • Delete unused artefacts (websites / DNS / security groups / exclusions etc.)

Patrol the perimeter : Work with your allies

  • Set up alerts for suspicious access
  • Run penetration (Pen) tests via third parties
  • Work with ethical hacker groups that can “red team” and help to expose flaws in your defences
  • Leverage cloud infrastructure security assessments to flag vulnerabilities

Internal Hardening

Phew, that was just pointers on what one could do to protect customer access. Dwelling on history again, most compromises occur when someone internal is involved, whether through collusion or inadvertently. Security, like good manners, starts at home!

Walled Garden

  • Production systems have a very short access control list. Approvals are granted sparingly and are always time bound.
  • Production networks are not accessible by developer systems
  • Only authorised hardware can even attempt to access production systems
  • Keep the number of production systems accessible over the internet to a minimum

Access Control : Who goes there!

  • Separation of roles: builders are not deployers
  • No human access: all software is deployed without human intervention, with appropriate approval controls
  • Make 2FA compulsory
  • Use strong password policies with rotation
  • VPNs for layered access control
  • Robust onboarding / offboarding processes
  • Periodic sweeps of access to production systems

Auditing : CSI

  • Server access logs
  • VPN logs
  • Application logs
  • Server change control logs

Alerting

  • Volumetric thresholds breached
  • Unusual auto-scaling activity
  • Privilege escalations
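The audit sources and alert conditions listed above only pay off when something actually reads the logs. The following is an added example, not code from the original post: it scans constructed syslog-style server access lines for two of the conditions named here, a privilege escalation (sudo to root) by an account outside the approved production ACL, and a volumetric threshold of failed logins from one source IP. The log lines, the approved-user set and the threshold value are all assumed for illustration.

```python
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample lines in a syslog-like shape; not taken from any real system.
SAMPLE_LOGS = """\
Mar 01 10:00:01 prod-web-1 sshd[2001]: Accepted publickey for deploy from 10.0.5.12 port 51000
Mar 01 10:00:07 prod-web-1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart app
Mar 01 10:01:13 prod-web-1 sshd[2002]: Failed password for root from 203.0.113.9 port 40001
Mar 01 10:01:15 prod-web-1 sshd[2003]: Failed password for admin from 203.0.113.9 port 40002
Mar 01 10:01:18 prod-web-1 sshd[2004]: Failed password for root from 203.0.113.9 port 40003
Mar 01 10:01:20 prod-web-1 sshd[2005]: Failed password for deploy from 198.51.100.7 port 40100
Mar 01 10:02:30 prod-web-1 sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
""".splitlines()

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")

# Assumed: the short, time-bound production ACL the post describes, expressed as
# the only accounts currently approved to escalate to root.
APPROVED_ESCALATORS = {"deploy"}
FAILED_LOGIN_THRESHOLD = 3  # assumed volumetric threshold per source IP


def find_alerts(lines: Iterable[str], approved=APPROVED_ESCALATORS,
                threshold: int = FAILED_LOGIN_THRESHOLD) -> List[Tuple[str, str, object]]:
    """Return (alert_type, subject, detail) tuples for the log lines given."""
    alerts = []
    failed_by_ip = Counter()
    for line in lines:
        m = SUDO_RE.search(line)
        if m:
            # Escalation by anyone outside the approved list is an alert on its own.
            if m.group("user") not in approved:
                alerts.append(("privilege_escalation", m.group("user"), m.group("cmd")))
            continue
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m.group("ip")] += 1
    # Volumetric condition: evaluated once all lines in the window are counted.
    for ip, count in failed_by_ip.items():
        if count >= threshold:
            alerts.append(("failed_login_threshold", ip, count))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(alert)
```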

Being Draconian

Security inevitably leads to draconian measures; it’s a tightrope. As an engineering leader I’ve now been on both sides and it’s always super painful. However, in these times where enterprises are constantly under attack and business and reputations are on the line, a certain amount of hardening is needed. The answer is to create tooling that removes the need to reach out to production systems unless absolutely needed. Having a strong DevOps culture in the organization helps. A follow-up post, for sure!

Social Engineering

Another often overlooked vector is social engineering, where team members with privileged access inadvertently grant access to third-party attackers, either via injected malware or by allowing access to their laptops etc. Educating your team members is a strong defence against this.

Protecting Video Content

Pirates are constantly finding ways to skim off your streaming content. Whether it is illegal broadcasting or exploiting your CDN network for financial gain, the threats are never ending.

Video protection follows these themes:

DRM

DRM is the most secure form of exchanging video; however, it also adds a lot of baggage to your workflow in terms of packaging and distribution. It places demands on your infrastructure as well, such as scaling up key servers. Technology is catching up, though the trade-offs are always around how much content to put under DRM.

Fingerprinting

Fingerprinting allows you to trace back a stream to an individual customer and is helpful when zeroing in on someone who is exploiting the content for illegal purposes if enforcement / monitoring agencies report an issue. While there are plenty of techniques in this area, doing this at scale is another beast. 

Watermarking

Identifying the source of the content is important. When content is pre-air, watermarking and time-coding clearly identify the sources accessing the content and are helpful in controlling breaches. When content is on-air, watermarks help enforcement / monitoring agencies track down which source is leaking content (or provide deniability).

Skimming off the Top

Pirates can always record content as it plays back and re-publish it on other video platforms. While there are run-books in place to report and take down such content, doing it at scale poses a lot of challenges.

There is no surface

This piece is by no means exhaustive and the security journey is never complete. In the time of lock-pickers, you will do well to be mindful to lock the doors behind you. 
