Steps for Defending Your MaxCDN Account Against Malicious Intent
November 18, 2015 | Robert Gibb
Earlier this month, a customer of ours experienced a security breach.
Essentially, a hacker gained access to an email account owned by our customer and then requested a password reset from MaxCDN. Our system sent the password – thinking it was our customer, not a malicious user – and the hacker obtained access to our customer’s MaxCDN account.
This could have been prevented with MaxCDN’s account security features, mainly Two-Step Authentication and Login Whitelist.
In this post, we’ll show you how to enable these security features. We’ll also go over other ways you can protect your MaxCDN account and monitor account activity.
Block Them At the Gate
We provide account monitoring and email notification tools to help you identify potentially malicious activity, but these are not tools of prevention, merely tools of awareness. To stop hackers from accessing your account in the first place, there are some security features you need to enable.
Enable Two-Step Authentication
Two-Step Authentication is a security layer that prevents unauthorized access to MaxCDN accounts. When enabled, the user is prompted to enter a unique verification number after completing the first login step with their email and password.
Because this unique number is only sent to the mobile device authorized by the original user, this serves as a roadblock to malicious users who have somehow acquired the username and password.
Related Tutorial: Enabling Two-Step Authentication
Enable Login Whitelist and API Whitelist
Login Whitelist is an additional security layer. With this enabled, only users with an IP address specified by the account manager can access the MaxCDN Control Panel. Users on a non-whitelisted IP – with malicious intentions or not – are unable to even attempt a login. They’re blocked at the gate.
Related Tutorial: Whitelisting Login IP
Login Whitelist protects your control panel, but API access needs to be protected as well. After all, the API gives users 100% access to your MaxCDN account unless you create a limited function key.
Related Tutorial: Whitelisting Your Server IP to Use the API
Enforce Account Security
We strongly recommend that you, as an account owner, whitelist login IPs and enforce the use of two-step authentication for users on your account.
To ensure IP whitelisting is enabled, and to see which users have enabled two-step authentication, go to the Users dashboard in your control panel. If the mobile phone icon and list icon are orange (see image below), both security features are enabled.
Leverage “Watchmen” Tools
In addition to offering security features designed to keep hackers out, we also provide monitoring tools and security notification emails. These keep you aware of any suspicious and malicious activity.
The Activity Stream in your MaxCDN Control Panel gives you an overview of what actions you and other users have completed. In addition to letting you know what users created a pull zone, deleted a pull zone, etc., you can also use the stream to monitor security-related actions.
Other stream activity not listed in the screenshot above includes:
- All remembered two-step devices have been forgotten
- A new IP, 127.0.0.1, has logged in for the first time.
- User Updated [user_id: 1337]
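As an added example (not MaxCDN code), a periodic review of Activity Stream messages like those listed above could be scripted as follows. It assumes the messages have been copied out one per line; the `triage` function, the allowlisted networks and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Assumed allowlist: the same networks entered in Login Whitelist
# (documentation address ranges, used here as constructed values).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

NEW_IP = re.compile(r"A new IP, ([^,\s]+), has logged in for the first time")
USER_UPDATED = re.compile(r"User Updated \[user_id: (\d+)\]")
DEVICES_FORGOTTEN = "All remembered two-step devices have been forgotten"


def triage(messages, allowed=ALLOWED_NETS):
    """Return (severity, reason, message) tuples for entries worth a human look."""
    findings = []
    for msg in messages:
        msg = msg.strip()
        m = NEW_IP.search(msg)
        if m:
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                findings.append(("high", "unparseable IP in login entry", msg))
                continue
            if any(ip in net for net in allowed):
                findings.append(("info", f"first login from allowlisted IP {ip}", msg))
            else:
                findings.append(("high", f"first login from non-allowlisted IP {ip}", msg))
        elif DEVICES_FORGOTTEN in msg:
            findings.append(("medium", "remembered two-step devices were reset", msg))
        elif (m := USER_UPDATED.search(msg)):
            findings.append(("medium", f"user {m.group(1)} was modified", msg))
    return findings


# Constructed sample messages, modelled on the stream entries listed above.
SAMPLE = [
    "A new IP, 203.0.113.25, has logged in for the first time.",
    "A new IP, 192.0.2.44, has logged in for the first time.",
    "All remembered two-step devices have been forgotten",
    "User Updated [user_id: 1337]",
    "Pull zone created",
]

if __name__ == "__main__":
    for severity, reason, msg in triage(SAMPLE):
        print(f"[{severity}] {reason}: {msg}")
```

A first login from an address outside the allowlist while Login Whitelist is supposed to be on is the entry to chase first, since it suggests the whitelist was off or changed at the time.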
Whenever any important security-related activity takes place, an automated email is sent to the MaxCDN account owner. This helps you keep your finger on the pulse of your account’s security level. You know immediately when it becomes compromised (e.g. Two-Step Authentication Disabled) and when it becomes stronger (Two-Step Authentication Enabled).
Email alerts with the following subject lines are also sent out:
- MaxCDN Account Accessed from Unknown IP
- MaxCDN API Blocked IP
- Updates to your SSL certificate
Manage Users and Permissions
On the same dashboard in your control panel where you can monitor the security strength of user accounts, you can also delete, add, and manage users. Keeping an updated collection of users with appropriate permissions lowers the chance of mistakes and malicious “in-house” activity.
Here are some best practices for user management:
- Remove user accounts created for past employees
- Remove API keys created for past employees
- Whitelist only specific IPs for API access
- Use limited function keys (purge only, reports only, etc.) for the MaxCDN API
Stay Sharp. Keep in Touch.
Security is something we often overlook because we think it has no direct impact on business results. After obtaining a service, we just want to use it. Securing the service account doesn’t take precedence. But it should.
With a single security breach, a service you trust can quickly turn against you and negatively impact your bottom line. Also, the positive business results you and the service helped generate can quickly be forgotten. (Thanks, negativity bias.)
To prevent such inconveniences, you should enable the account security features we mentioned above for MaxCDN and other services (if they offer them). You can also document and implement an account security process. For instance, every week, check logs for suspicious activity; every month, monitor account protection for all users; when onboarding new employees, educate them to enforce your security policies; etc.
Finally, let us know if you ever have a concern regarding account security. Even if it’s a hint of a doubt, email us at firstname.lastname@example.org. We’re here to help you keep your content in your control.