
The Lesson of the GitHub DDoS Attack: Why Your Web Host Matters


Surviving a cyberattack isn’t like weathering a Cat 5 hurricane or coming through a 7.0 earthquake unscathed. Granting that natural disasters too often have horrendous consequences, there’s also a “right place, right time” element to making it through. Cyber-disasters, which can be every bit as calamitous in their own way as acts of nature, don’t typically bend to the element of chance. If you come out the other side intact, it’s probably no accident. It is, instead, the result of specific choices, tools, policies and practices that can be codified and emulated and that need to be reinforced.

Consider the recent case of GitHub, the target of the largest DDoS attack ever recorded. GitHub’s experience is instructive, and perhaps the biggest takeaway can be expressed in four simple words: Your web host matters.

That’s especially crucial where security is concerned. Cloud security isn’t like filling out a job application; it’s not a matter of checking boxes and moving on. Piecemeal approaches to security simply don’t work. Patching a hole or fixing a bug, and then putting it “behind” you: that’s hardly the stuff of which effective security policies are made. Because security is a moving target, scattershot repairs ignore the hundreds or even thousands of points of vulnerability that a policy of continuing monitoring can help mitigate.

Any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, intrusion prevention and round-the-clock monitoring. So while data is considerably safer in the cloud than beached on equipment under someone’s desk, there is no substitute for active vigilance (accent on active, since vigilance is both a mindset and a verb). About that mindset: sound security planning requires assessing threats, choosing tools to meet those threats, implementing those tools, assessing the effectiveness of the tools implemented and repeating this process on an ongoing basis.

Among the elements of a basic cybersecurity routine: setting password expirations, obtaining certificates, avoiding the use of public networks, meeting with staff about security, and so on. Perfection in countering cyberattacks is as elusive here as it is in any other endeavor. Even so, that can’t be an argument for complacence or anything less than maximum due diligence, backed up by the most capable technology at each organization’s disposal.

In this of events is a counterintuitive lesson about who and what is most vulnerable during a hack. The experience of public cloud providers should put to rest the notion that the cloud isn’t safe. GitHub’s experience makes a compelling argument that the cloud is in fact the safest place to be in a cyber hurricane. Internal IT departments, fixated on their own in-house mixology, can be affected big-time, as they were in a number of recent ransomware attacks, raising the very legitimate question of why some roll-your-own organizations devote precious resources, including Bitcoin, to those departments in the belief that the cloud is a snakepit.

Cloud security isn’t what it used to be, and that’s a profound compliment to the cloud industry’s maturity and sophistication. What once was porous is now substantially better in every way, which isn’t to deny that bad actors have raised their game as well. Some aspects of cloud migration have always been threatening to the old guard. Here and there, vendors and other members of the IT community have fostered misconceptions about security in the cloud, not in an effort to thwart migration but in a bid to control it. Fear fuels both confusion and dependence.

Sadly, while established cloud security protocols should be standard-issue stuff, they aren’t. The conventional wisdom is that one cloud hosting company is the same as another, and that because they’re committed to life off-premises, they all must do the exact same thing, their feature sets are interchangeable, and the underlying architecture is immaterial. The message is, it doesn’t matter what equipment they’re using; it doesn’t matter what choice you make. But in fact, it does. Never mind the analysts; cloud computing is not a commodity business. And never mind the Street; investors and Certain Others fervently want it to be a commodity, but because those Certain Others go by the name of Microsoft and Amazon, fuzzing the story won’t fly. They want to grab business on price and make scads of money on volume (which they are).

The push to reduce and simplify is being driven by a combination of marketing gurus who are unfamiliar with the technology and industry pundits who believe everything can be plotted on a two-dimensional graph. Service providers are trying to deliver products that don’t necessarily fit the mold, so it’s ultimately pointless to squeeze technologies into two or three dimensions. These emerging solutions are much more nuanced than that.

Vendors need to level with users. The devil really is in the details. There are literally hundreds of decisions to make when architecting a solution, and those choices mean that every solution is not a commodity. Digital transformation isn’t going to emerge from some marketing contrivance, but from technologies that make cloud computing more secure, more accessible and more cost-effective.

Source: https://hostingjournalist.com/expert-blogs/the-lesson-of-the-github-ddos-attack-why-your-web-host-matters/
