Friday, October 23, 2015

Securing You Video Service

As telco giant TalkTalk in the UK becomes the latest corporation to suffer from cy ber attacks, I thought it might be useful to share some of the strategies we've used at TV Everywhere to deal with such attacks in the past on our video services.

We've experienced attacks on client systems ranging from political parties to the Red Cross down the years, so have developed a range of strategies for managing such attacks. First of all, let's presume that you've followed best practice in developing your systems, such as the guidelines found at http://www.fightfilmtheft.org/docs/CG.pdf, here are some further tips:

1) If you are able, don't make yourself a target. In other words, try and be nice. Unfortunately, as our Red Cross experience shows, this doesn't deter some of the people out there any more than being a child doesn't protect you from a mugger. There are just bad people in this world... Still, not writing about security as I'm foolishly doing here, or making any claims about the robustness of your systems
2) Monitor - make sure that you have monitoring in place so that you, not your users, are the first to detect an attack. And have a plan to make sure you know who does what in the case of an attack. There are tools that can even help you automate your response - most attacks start big and degrade, so your immediate response is crucial.

2) Control your DNS - your domain management should be separate from your hosting, otherwise you will have no control over your URL if your hosting company or cloud goes down. If you have control, you can repoint the service to a separate network or at least put up a holding page for your users as you put out the fires.

3) In most cases the first front of attack will be a distributed denial of service assault, which is the equivalent of a burglar using a tank to try and get into your house. Once all the walls are down there is little protection. The best way to ameliorate this is to have a large scale Content Delivery Network in place. The CDN can then scale the availability of your website whilst blacklisting the sources of the DDoS.

4) Ensure that you have redundancy. Using either a separate network or cloud hosting, make sure you have somewhere to redirect your traffic if necessary. We have also used degradable services, which mean, for example, that the video stream plays through a flat web page without all the heavy server calls,  JS and HTML that are usually deployed in video interfaces these days. You can also try redirects to apps, which are unlikely to be attacked. Of course, if you don't use a CDN and host your own video, you're in trouble.

5) Get sophisticated, which can use configuring your network to use sacrificial servers where you redirect the attack and bring it down whilst deploying your white hat team to track down the hackers and turn them over to the authorities.

Provided they're not the authorities of course....