
Application Security
Commentary by Brian Tremblay, 9/4/2020, 10:00 AM

The Hidden Security Risks of Business Applications

Today's enterprises depend on mission-critical applications to keep them productive, help better serve customers, and keep up with demand. It's important that they also know the risks.

According to 451 Research, 64% of executives around the world — and 74% of those in the US — believe that adhering to compliance requirements is an effective way to keep data secure. This statistic is startling. An organization that only bases its data security on compliance standards can create gaps in protection, an increase in risks, and costly data breaches.


In fact, a 2019 report from IDC shows just how susceptible data can be to hackers, finding that 64% of mission-critical applications, such as enterprise resource planning (ERP) systems, have been breached in the last 24 months. These breaches compromise sensitive private information, including sales, human resources, customers' personally identifiable information, intellectual property, and financial data.

The truth is we live in a market with increasing risks of cyberattacks on core business functions. Whether tasked with protecting and adhering to standards for software-as-a-service applications or ERP systems, security teams need to understand the hidden security and compliance risks of mission-critical business applications.

Siloed and Incomplete Assessments
Today, every organization performs audits and security assessments differently. Take internal audits, for example. An organization will conduct a risk assessment in a particular way based on a specific set of criteria. The same goes for security, IT, risk management, and a slew of other departments. Each of these groups thinks about risk differently and can view business-critical application risk through a completely different lens. Security may focus on vulnerabilities, IT may focus on availability, and finance and audit teams may focus on the integrity of the financial statements and internal controls over financial reporting. Each of these comes with a unique set of risks to mitigate.

While a comprehensive risk assessment might seem like a good idea for an organization, there may be a lack of communication and standardization across departments, which often leads to siloed reports. This partial alignment makes it impossible to have a complete picture of application and company risks and vulnerabilities.

Hidden and Missing Risks
What do these siloed assessments look like in real life? From a security perspective, teams are likely to assess the application through penetration testing, vulnerability and patch scans, custom code reviews, and threat landscape surveillance. These checks help security teams uncover known and potentially unknown vulnerabilities that would affect the overall security posture of the application and organization, yet this is only a piece of the puzzle.

When organizations look at mission-critical applications from an audit perspective, they usually focus on a couple of areas. User provisioning is a top target, covering tasks such as adding and removing users, identifying what employees are "super users" and establishing visibility into constantly shifting roles and permissions. Change management is another area of focus, covering how, when, and where change is happening in an application.

For example, if an employee requests a change in the business application, such as needing a new revenue report by geography, IT will check the user's privileges to see if that person has the appropriate delegated approval or authority to view the data, then develop the code for the custom report, test the code, and ensure the employee gets the right information when generating the report. In addition, IT will add a new privilege to the user to execute that new report.

Each step is documented in a ticket, so businesses can easily review the change. Was there a request? Was it developed and tested? Did the person who developed and tested the application have the necessary permissions to move it into production? This provides a simple string of tickets that show evidence that the correct process was followed, but does not specifically address the changes themselves.

However, no program today considers the following risks, which creates a large security blind spot in the industry:

  • Authorization administration: Was a user with high privileges following the necessary guidelines? Are other nonproduction users able to execute it?

  • Interfaces administration: Can users from other systems execute the new functionality remotely? How can we limit that kind of access?

  • Custom code development: Is the code generated for a particular request actually doing what it says? Does the new code always have the same behavior regardless of who is executing it?

  • Code migration: When code is pushed into production, is it bypassing authorizations and controls? Does the migration include only the new report? Or is there something else as part of the migration?

These are just some of the hidden risks within the code and deployment process of mission-critical business applications that can be abused to bypass authorizations and controls. For instance, in the example above, an individual could program the custom code to send the report to a personal email address every time it's generated, creating an easy route to insider trading. That change, if undetected, will exist in that code forever.
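The ticket-based evidence the article describes only shows that a process ran, not what the migration contained or who performed each step. The following added example (not code from the article or from Onapsis) reconciles constructed change tickets against constructed migration records to surface exactly the blind spots listed above: a developer or tester moving their own change into production, a migration carrying objects the ticket never requested, and a migration with no ticket at all. Field and object names are assumptions, not any particular ERP's format.

```python
from dataclasses import dataclass

@dataclass
class Ticket:
    ticket_id: str
    developer: str
    tester: str
    approver: str
    objects: frozenset  # objects the request is allowed to change

@dataclass
class Migration:
    ticket_id: str
    migrated_by: str
    objects: frozenset  # objects actually pushed into production

def review_migration(ticket, migration):
    """Return a list of findings; an empty list means the migration is clean."""
    findings = []
    # Segregation of duties: whoever wrote or tested the change must not be
    # the one moving it into production.
    if migration.migrated_by in (ticket.developer, ticket.tester):
        findings.append(f"SoD: {migration.migrated_by} developed/tested and migrated")
    # Scope: the migration must contain only what the ticket asked for.
    extra = migration.objects - ticket.objects
    if extra:
        findings.append(f"scope: unrequested objects in migration: {sorted(extra)}")
    # Approval: a ticket without a named approver is not evidence of authority.
    if not ticket.approver:
        findings.append("approval: ticket has no approver")
    return findings

def review_all(tickets, migrations):
    """Map each migration's ticket id to its findings; orphan migrations are flagged."""
    by_id = {t.ticket_id: t for t in tickets}
    report = {}
    for m in migrations:
        t = by_id.get(m.ticket_id)
        report[m.ticket_id] = (review_migration(t, m) if t else
                               ["no ticket: migration has no matching change request"])
    return report

# Constructed sample data modelled on the revenue-by-geography report request.
TICKETS = [Ticket("CHG-1001", "dev_alice", "qa_bob", "mgr_carol", frozenset({"Z_REV_GEO_REPORT"}))]
MIGRATIONS = [
    Migration("CHG-1001", "dev_alice", frozenset({"Z_REV_GEO_REPORT", "Z_MAIL_HOOK"})),
    Migration("CHG-9999", "ops_dan", frozenset({"Z_MISC"})),
]

if __name__ == "__main__":
    for tid, findings in review_all(TICKETS, MIGRATIONS).items():
        print(tid, findings or ["clean"])
```

Run on real transport or deployment logs, the same three checks turn the ticket trail into evidence about the change itself rather than only about the process around it.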

Unifying Processes and Procedures
Security teams need to unify the processes and procedures associated with gaps in compliance, protection, and risk for applications.

The first necessary step is to engage cross-functional business units, such as finance, audit, IT, and compliance teams, to address incomplete assessments and missing vulnerabilities. Consider creating a steering committee that will own the project and ensure its continued success.

Additionally, outside of department support, leading application testing and security software can help organizations understand and track baseline application behaviors to flag requests that might be out of the norm. These systems can be configured to prevent certain changes from happening, or notify teams when they do, providing the visibility organizations lack today.

As with every strategy, it's also important to understand that each company is going to have a different approach based on unique business needs. Security teams should start with the most sensitive data and applications. From there, break down the approach into small, easily digestible, bite-sized pieces.

As far as measuring success, recurring meetings and measuring progress against deliverables can help ensure that risks are mitigated and an organization's applications are protected.

Today's enterprises depend on mission-critical applications to keep them productive, help better serve customers, and keep up with demand. By addressing issues early, setting the stage with a dedicated steering committee, and uncovering unknown risks faster, companies can continue success without damage to the brand, bottom line, or compliance procedures.

Brian Tremblay is the Compliance Practice Leader at Onapsis, where he is responsible for helping customers understand and navigate the challenges and opportunities created by the increasing overlap of compliance, cybersecurity, and business continuity related to IT General ...
