SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Cybercrime focus shifts from servers and OS to applications
Tue, 8th Mar 2016

‘Little bugs’ in applications are creating an attractive attack surface for cybercriminals, with 60% of all successful security exploits occurring through an app.

That was one of the messages delivered by Paul Muller, Hewlett Packard Enterprise vice president of strategic marketing, strategy and consulting, at this week's Digital Transformation Summit, where he was a keynote speaker.

Muller cautioned attendees at the conference to think not just about the security of traditional business apps, but across the spectrum, as companies seek to become digital businesses.

He says security of applications is something that doesn't get enough publicity, but which is critical – and increasingly so.

“As we start to embed applications into everything, let me be crystal clear: 60% of all successful security exploits occur through the app.

“It's all those little bugs in the app that create a really attractive attack surface for the bad guys. It's not the firewall – they do their job. It's not the SSL certificate that's not working properly. By and large they do their job. It's the actual application itself.”

Muller cited a recent HPE security report which shows that, on average, IoT devices had 25 ‘significant’ vulnerabilities per device.

“Sixty percent of them had what is called a cross-site scripting vulnerability – one of the oldest security vulnerabilities in the book, which enables you to exploit a device and take complete control of it.

“You can literally get script on the internet to enable you to do this,” Muller says.

He says of even more concern was that most of the devices were collecting personally identifiable information.

“These devices are collecting and not only capable of storing it, but so easily being breached.”

The HPE survey shows six in 10 IoT devices had user interfaces vulnerable to simple hacks, while 70% used unencrypted network services.

Eighty percent of the devices didn't require sophisticated passwords, while 90% collected at least one piece of personal information and 70% allowed attackers to identify valid user accounts.

Muller's comments come as HPE warns that attackers have shifted their focus from servers and operating systems to directly attack applications.

“They see this as the easiest route to accessing sensitive enterprise data and are doing everything they can do to exploit it,” HPE says in the HPE Security Research Cyber Risk Report 2016.

“Today's security practitioner must understand the risk of convenience and interconnectivity to adequately protect it.”

Muller cites the example of a breach in the United States several years ago, when 250,000 credit card records were stolen.

“The important message about this was that the hackers were inside the system for about two years before they were identified, [the company] had passed four separate audits in those two years, and the way it was identified that they had been breached… was when someone said we've found your data, you've been breached.

“The scary part was they didn't break in through the front door, they got in through a time management system [for booking holiday leave] off to the side – an innocuous system, right. And vulnerable to simple attack.

“It's the same with these IoT devices or any device. The applications are the weak point. And any weak point in your organisation creates a systemic vulnerability.”

Muller advocated the use of pervasive encryption, in particular format-preserving encryption, which enables data to be processed by the internal system and look the same, but cannot be used outside of the system.

“Assume the bad guys will get in. The only reason they want to get in is to monetise your data so they can sell it to other people. If it's garbled when they get there, it's effectively useless.”

He says that while building better perimeter defences is still needed, better detection systems are more important, to minimise the time between a breach and its detection.

“Those are the two things I'd suggest you do technologically. And the third thing is education, education, education [of executives and security staff].”