
Cybercrime focus shifts from servers and OS to applications

08 Mar 2016

‘Little bugs’ in applications are creating an attractive attack surface for cybercriminals, with 60% of all successful security exploits occurring through an app.

That was one of the messages delivered by Paul Muller, Hewlett Packard Enterprise vice president of strategic marketing, strategy and consulting, at this week’s Digital Transformation Summit, where he was a keynote speaker.

Muller cautioned attendees at the conference to think not just about the security of traditional business apps, but across the spectrum, as companies seek to become digital businesses.

He says security of applications is something that doesn’t get enough publicity, but which is critical – and increasingly so.

“As we start to embed applications into everything, let me be crystal clear: 60% of all successful security exploits occur through the app.

“It’s all those little bugs in the app that create a really attractive attack surface for the bad guys. It’s not the firewall – they do their job. It’s not the SSL certificate that’s not working properly. By and large they do their job. It’s the actual application itself.”

Muller cited a recent HPE security report which found an average of 25 ‘significant’ vulnerabilities per IoT device.

“Sixty percent of them had what is called a cross-site scripting vulnerability – one of the oldest security vulnerabilities in the book, which enables you to exploit a device and take complete control of it.

“You can literally get script on the internet to enable you to do this,” Muller says.

He says it is of even more concern that most of the devices were collecting personally identifiable information.

“These devices are collecting and not only capable of storing it, but so easily being breached.”

The HPE survey shows six in 10 IoT devices had user interfaces vulnerable to simple hacks, while 70% used unencrypted network services.

Eighty percent of the devices didn’t require sophisticated passwords, while 90% collected at least one piece of personal information and 70% allowed attackers to identify valid user accounts.

Muller’s comments come as HPE warns that attackers have shifted their focus from servers and operating systems to directly attack applications.

“They see this as the easiest route to accessing sensitive enterprise data and are doing everything they can do to exploit it,” HPE says in the HPE Security Research Cyber Risk Report 2016.

“Today’s security practitioner must understand the risk of convenience and interconnectivity to adequately protect it.”

Muller cites the example of a breach in the United States several years ago, when 250,000 credit card records were stolen.

“The important message about this, was that the hackers were inside the system for about two years before they were identified, [the company] had passed four separate audits in those two years, and the way it was identified that they had been breached… was when someone said we’ve found your data, you’ve been breached.

“The scary part was they didn’t break in through the front door, they got in through a time management system [for booking holiday leave] off to the side – an innocuous system, right. And vulnerable to simple attack.

“It’s the same with these IoT devices or any device. The applications are the weak point. And any weak point in your organisation creates a systemic vulnerability.”

Muller advocated the use of pervasive encryption, in particular format-preserving encryption, which produces ciphertext in the same format as the original data (a 16-digit card number encrypts to another 16-digit number), so internal systems can keep processing it while the real values cannot be recovered outside the system without the key.

“Assume the bad guys will get in. The only reason they want to get in is to monetise your data so they can sell it to other people. If it’s garbled when they get there, it’s effectively useless.”
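To make the format-preserving idea concrete, the following is an added example (not code from the article, from HPE, or from any product Muller refers to). It implements a simplified format-preserving cipher over decimal-digit strings as a Feistel network with HMAC-SHA256 as the round function, and a `protect_pan` helper that keeps the first six and last four digits readable, an assumed layout chosen for illustration. The key and the 16-digit sample are constructed for the demo. Real deployments use the NIST SP 800-38G modes (FF1/FF3-1) from a vetted library; this toy construction exists only to show the property the article describes: the ciphertext has the same length and character set as the plaintext, yet is garbage without the key.

```python
import hashlib
import hmac

# Added example: a toy format-preserving cipher over decimal-digit strings.
# Feistel network, HMAC-SHA256 round function. NOT NIST FF1/FF3-1 and not
# for production use; it only illustrates the shape-preserving property.


def _round_function(key: bytes, round_no: int, half: str, width: int) -> int:
    """Pseudo-random integer in [0, 10**width) derived from one Feistel half."""
    msg = f"{round_no}:{width}:{half}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def _check(digits: str) -> None:
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a string of at least two decimal digits")


def fpe_encrypt_digits(key: bytes, digits: str, rounds: int = 10) -> str:
    """Encrypt a decimal string to another decimal string of the same length."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        # Add F(right half) to the left half modulo 10**len(left), then swap.
        # With an uneven split the half lengths alternate each round, so the
        # concatenation always stays exactly len(digits) wide.
        width = len(a)
        c = (int(a) + _round_function(key, i, b, width)) % (10 ** width)
        a, b = b, str(c).zfill(width)
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str, rounds: int = 10) -> str:
    """Inverse of fpe_encrypt_digits: run the Feistel rounds backwards."""
    _check(digits)
    n = len(digits)
    u = n // 2
    if rounds % 2:  # an odd round count leaves the halves swapped
        u = n - u
    a, b = digits[:u], digits[u:]
    for i in reversed(range(rounds)):
        width = len(b)
        prev_a = (int(b) - _round_function(key, i, a, width)) % (10 ** width)
        a, b = str(prev_a).zfill(width), a
    return a + b


def protect_pan(key: bytes, pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Encrypt only the middle digits of a card-number-like string.

    Keeping the routing prefix and last four digits readable is an assumed
    deployment layout for this example; downstream systems that only need
    those digits keep working on the protected value.
    """
    if len(pan) < keep_first + keep_last + 2:
        raise ValueError("not enough digits to protect")
    middle = pan[keep_first : len(pan) - keep_last]
    return pan[:keep_first] + fpe_encrypt_digits(key, middle) + pan[len(pan) - keep_last :]


def unprotect_pan(key: bytes, protected: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Recover the original digits from protect_pan output."""
    middle = protected[keep_first : len(protected) - keep_last]
    return (
        protected[:keep_first]
        + fpe_decrypt_digits(key, middle)
        + protected[len(protected) - keep_last :]
    )


if __name__ == "__main__":
    key = hashlib.sha256(b"demo key, constructed for this example").digest()
    sample = "4111111111111111"  # constructed sample digit string
    ct = fpe_encrypt_digits(key, sample)
    print(sample, "->", ct, "(same length, still all digits)")
    print("round trip ok:", fpe_decrypt_digits(key, ct) == sample)
    print("prefix/suffix kept:", protect_pan(key, sample))
```

A stolen copy of the protected column looks like valid card numbers but yields nothing without the key held inside the system, which is the point Muller makes about data being "garbled when they get there". Note that a small-domain Feistel with a handful of rounds has known distinguishing attacks, which is why standardised modes and their round counts should be used rather than this illustration.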

He says that while better perimeter defences are still needed, better detection systems, which minimise the time between a breach and its discovery, matter more.

“Those are the two things I’d suggest you do technologically. And the third thing is education, education, education [of executives and security staff].”
