Automated content delivery networks are being blamed for the rise of digitally signed malware threats. Can you...
please offer some best practices for securing a CDN?
Criminal hacker exploitation of content delivery networks, or CDNs, is not much different than exploiting the privileges of compromised user accounts. The assumption is that if the user is authenticated (or the code is signed), whatever he or she is doing (or whatever it represents in the case of files in a CDN) must be legitimate because it has a password the minimum standards of security set forth.
However, we've come to a point where self-signed certificates are not even questioned; as long as some sort of certificate mechanism is in place, connections and files are assumed to be safe. It's a side effect of overworked employees (IT and security staff included) and our need for immediate gratification: We need it now and we'll address any perceived consequences later.
In the end, it comes down to trust -- but it also goes beyond that. I'm not sure there's a great way to secure the actual CDN other than via traditional means: malware scanning, content filtering, and similar threat intelligence to detect and/or block problematic traffic. Interestingly, I've tested the security of a few CDN environments and, in predictable fashion, they each had several critical security flaws – namely, around input validation and user session management -- that could have further enabled different sorts of system abuse.
Ensuring the security of files obtained from a CDN ultimately requires a layered set of controls -- including those listed above -- that can analyze and block malicious code when it's detected. This burden lies in the hands of the end user (i.e., to make good decisions around what they're doing), as well as the endpoint security controls put in place by enterprise IT or security team. Therefore, each enterprise is effectively on its own to ensure a secure means for doing this.
Ask the Expert!
Perplexed about network security? Send Kevin Beaver your questions today! (All questions are anonymous.)
Read an intro to content delivery networking
Check out more network security best practices
Dig Deeper on Information Security Incident Response-Information
Related Q&A from Kevin Beaver
While most mobile platforms provide levels of security from mobile cryptojacking, IT must still be aware of the risks and procedures to address an ... Continue Reading
Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.