(Image by Darwin Laganzon/Pixabay)

Recent data breaches, not only in the private sector but in the government as well, raised cybersecurity awareness in the Philippines. While the conversation is still limited to organizations and information security experts, it is still a long way to go before it becomes a primary concern for businesses.

American content delivery network (CDN) and cloud services provider Akamai Technologies Inc., (Akamai), which has been in the Philippines for two years now, believes that organizations are now realizing the need for applications security while undergoing their digital transformation.

“We’ve seen that the education and the maturity from a security perspective are really growing significantly fast in the Philippines,” said Fernando Serto, head of Security Technologies and Strategy, APJ, at Akamai. “What we’re seeing are types of attacks that include SQL injections, remote foreign inclusion and cross-site scripting, which Akamai protects its customers against.”

“We saw a big uptake in DDoS attacks in the Philippines as well,” he said. “We started to get a lot of traction from financial institutions. They were in need of protecting their infrastructure and they started to trickle to every other industry you can think of.”

In the past, the idea of security protection is having a firewall and/or anti-virus installed within an organization’s network. Cybercriminals have become more innovative that malware codes can remain undetected for years.

The threat of malware in advanced persistent threat (APT) has been increasing, which has also increased the concern of organizations in protecting corporate data and information.

“People must understand what sort of traffic, from a malware perspective, is inside the farm,” Serto explained. “It is not just about what people are taking from the outside, but also about what the device could bring inside the network. How can you ensure that the device is not stealing data from your network and sending it outside or talking into a command and control system?”

According to Serto, Akamai has built services based on the volume of traffic that they see globally on the internet.

“There was a point when we were actually building rules and services where customers can protect themselves against not just from external users but also from internal users,” he said. “Things like, how can you provide access to applications in a safer manner.”

Zero Trust

Serto mentioned American market research company Forrester’s Zero Trust premise. “A Zero Trust (ZT) architecture abolishes the idea of a trusted network inside a defined corporate perimeter. Zero Trust mandates the creation of microperimeters of control around an enterprise’s sensitive data assets and provides visibility into how it uses data across its ecosystem to win, serve, and retain customers.”

Akamai has a Zero Trust methodology that it offers to customers to allow them to fully transform their corporate networking environment from relying on a firewall to being able to provide a cloud-based service that would protect users and stop attacks as close to the attackers as possible rather than already inside the network.

“We expect to see a big shift in the security posture in the Philippines,” Serto said. “We have an architecture that we recommend to customers from a Zero-Trust perspective. How can we make sure that you remove these users and applications from the network.”

The service can give organizations the visibility of what every person in the company is trying to access or which applications employees are logged on to. Through this service, Akamai hopes to still give a good user experience such as a single sign-in and multifactoral authentication that are all built into the cloud platform. ”

“Organizations don’t have to install boxes anymore and we still allow them to remove the old PCs from the networking environment,” he said. “If you see all the ransomware attacks that we saw last year, and we’re still seeing a lot of it this year, the problem is that some PCs are still unpatched. When one gets compromised, it spreads out across the whole fleet of devices.”

“The idea of Zero Trust is to remove the network from the equation so you don’t let two machines talk to each other,” he said. “I only rely on what the users are trying to access or what they are authorized to access. That’s the key part as well, not just authentication but also authorization.”

While variations of attacks depend on the region, Serto explained that the easiest attacks to launch is DDoS (distributed denial of service attacks) based on the number of devices that are participating on these gigantic botnets.

“They are not secure, they are still running with default passwords, and are still running vulnerable software,” he said. “It’s very easy to recruit all of these devices to generate large volumes of traffic. It’s very easy for you to hire a DDoS out of these botnets. ”

“We have to build this platform that protects against several different vectors depending on the day or what the government said,” Serto said. “We’re going to see a big shift on the attack vector in different regions being targeted.”

(Security Online defines DDoS as “a distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resources, and cause a denial of service for users of the targeted resource.”)

Response

Serto said that protection and detection are as important as the response to attacks.

“The big misconception is how much money should I spend on security,” he said, “Or what sort of controls do I need to have. A lot of people don’t even understand where the vulnerabilities are.”

He said there is a problem with protection because organizations have outdated ideas of network protection, as mentioned above some of them still think that having firewalls and anti-virus software is enough.

“Because people are still learning how to protect themselves and what do they need to do from the detection perspective, I don’t think they’re ready for the response yet,” Serto said. “We saw some organizations in the past doing a horrible job of communicating when they do have a breach.”

Organizations are afraid that they may lose the public trust once they communicate that they had a breach. Serto, however, said there have been instances of data breaches that didn’t affect a company’s stock shares.

“They had no impact in the business at all,” he said. “We are at a point now where everyone transacts online and expects a security-related incident. I think that response still needs a lot of work. People need to understand what the actual damage is and how quickly can they report a breach to their users and what they can do to prevent further damage from that one breach.”

(The European Union’s General Data Protection Regulation requires all organizations to report any data breach and the extent of the damage, to proper authorities and other affected parties, especially the customers.)