5/3/2018
09:00 AM
Raymond Pompon
4 Critical Applications and How to Protect Them

Since critical apps are, well, critical, security teams must take preventive measures to keep attackers from exploiting their vulnerabilities.

Critical applications are often so baked into the day-to-day tempo of an organization that users forget their importance, until they go down. The first defining characteristic of a critical application is how heavily the enterprise relies on it. By their nature, critical apps have enormous data stores and multifaceted processing engines, are spread globally, and are deeply integrated with other dependent application services.

Here are four of the most complex and vulnerable critical applications:

Financial Apps
Financial applications are often focused on the unique requirements of an organization. Banks have thousands of applications, all critical to revenue and business operations. But consider accounting applications, which are also often intricate and tailored to the particular industry of the organization. Nearly all financial applications are subject to regulation as they hold, process, and move critical data, which must remain confidential and untampered. Often you will see internet commerce systems with direct ties to financial systems to process customer payments. All of these are potential ingress points for attackers.

Medical Apps
Hospitals are usually assemblages of independent, smaller clinics, doctors' offices, and diagnostic facilities. Their applications exist in the same manner: deeply vertical and highly variable. This means lots of applications with different levels of security and reliability all sitting side by side exchanging confidential medical data. It's not surprising to find an old Windows XP box connected to a drug dispenser machine. Some systems are so specialized that the software was developed by a single researcher, who supports the program as a side project (if ever). This is also an environment where patient safety trumps all other requirements, sometimes even security. So you can see things like network protocols that embed patient identification into the packet itself to ensure medical information is never mixed up.

Messaging Systems
Another overlooked but critical application is the email and communication system. Messaging systems need to touch everyone and must also accept connections from the outside. Mail systems are notorious dumping grounds for years of yet-to-be-classified-but-probably-should-be-secret documents and private conversation threads. Email systems are also often the gateway to authentication, with password resets landing in people's inboxes. An analysis of the California Attorney General breach notifications for 2017 showed that 5% of reported significant data breaches were directly attributed to credential exposure via email compromise. Email often stands in as the primary identity on the Internet. A compromised email account can be a leverage point for a variety of insidious scams targeting both your customers and internal employees.

Legacy Systems
Legacy systems could fit into any of the earlier categories, although most of them are specialized applications, often heavily customized. Think of airline reservation systems, customer management software, and one-off unique software. Legacy systems exact an excessive burden through their high operating cost and their incompatibility with modern systems and security tools. The most difficult and insecure of these systems have existed in a long period of stasis, rarely updated because they are written in archaic programming languages.

Managing the Common Risks
One of the first steps is to become aware of what critical apps exist and where they live. As part of a forthcoming report on protecting applications, F5 commissioned a survey with Ponemon that found that 38% of respondents had "no confidence" in knowing where all their applications existed. These large, sprawling, and critical systems have common vulnerabilities that can be exploited by attackers.

  • Credential Attacks: Many older applications do not have robust authentication systems, which leaves them unable to meet current authentication requirements. If a critical app doesn't support stronger authentication, or can't hand off to an access directory server, then an authentication gateway server can be used. These are proxies that stand in front of the critical application and provide superior authentication schemes. All access to the critical app flows through the gateway, which in turn passes the legacy credentials to the critical app invisibly. Even an app that only understands weak passwords can in this way be fronted with newer authentication technologies such as federation, single sign-on, and multi-factor. For this to be effective, you need network segregation to enforce it, so that nothing can reach the app except through the gateway.
  • Segregation from Exploits and Denial-of-Service Attacks: Segregation with firewalls and virtual LANs reduces inbound network traffic to the few protocols necessary for the application to function. Since some legacy or specialized apps aren't patchable or have limited hardening capability, a firewall restricts connection attempts to those vulnerable services. Easily exploited services such as Telnet, FTP, CharGen, and Finger can all be blocked from external access. It's not perfect, but at least you've reduced your attack surface. In some cases, smarter firewalls with intrusion prevention capability or virtual patching can also help.
  • Encryption to Prevent Network Interception: A malicious insider or an attacker that’s already breached your network is a potential threat, so any internal traffic carrying confidential information should be protected. If the critical app doesn’t support a secure transport protocol, then a TLS or VPN gateway can be used. Like the authentication gateway, these sit in front of the critical app and encapsulate all traffic passing through into an encrypted tunnel. These should also be used for all external links from the application, even to trusted third parties.
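The first two bullets above describe one policy: the only path to the critical app is through its gateway, and the easily exploited legacy services are not reachable from outside. The following Python is an added example (not from the article or from F5) that encodes that policy as a flow evaluator a defender can run over connection records to audit whether a firewall or VLAN design actually enforces it. All addresses, the app port (8443), the gateway segment, and the single admin jump host are constructed assumptions; the risky-service ports are the well-known TCP ports for the services the article names.

```python
"""Audit inbound flows to a segregated critical application (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Easily exploited services named in the article, keyed by well-known TCP port.
RISKY_SERVICES = {19: "chargen", 21: "ftp", 23: "telnet", 79: "finger"}

# Constructed addressing for this example; none of it comes from the article.
APP_SEGMENT = ip_network("10.20.0.0/24")      # VLAN holding the critical app
GATEWAY_SEGMENT = ip_network("10.10.0.0/24")  # authentication / TLS gateways
ADMIN_HOST = ip_address("10.99.0.5")          # the one jump host for legacy admin
APP_PORT = 8443                               # the one port the gateway must reach


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination TCP port


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow, applying default deny toward the app segment."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst not in APP_SEGMENT:
        return "allow", "not addressed to the critical app segment"
    if flow.dport in RISKY_SERVICES:
        name = RISKY_SERVICES[flow.dport]
        if src == ADMIN_HOST:
            return "allow", f"{name} permitted only from the admin jump host"
        return "deny", f"{name} blocked; only the admin jump host may use it"
    if flow.dport == APP_PORT and src in GATEWAY_SEGMENT:
        return "allow", "application port reached through the gateway segment"
    # Anything else, including internal clients trying to bypass the gateway, is denied.
    return "deny", "default deny: not a gateway-to-app flow on the app port"


def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Evaluate every flow and return the denied ones with the reason for each."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed sample flow records, as a firewall or NetFlow export might show them.
SAMPLE_FLOWS = [
    Flow("10.10.0.7", "10.20.0.15", 8443),    # gateway -> app: allowed
    Flow("10.50.1.3", "10.20.0.15", 8443),    # internal client bypassing gateway: denied
    Flow("203.0.113.9", "10.20.0.15", 23),    # external telnet attempt: denied
    Flow("10.99.0.5", "10.20.0.15", 23),      # admin jump host telnet: allowed
    Flow("203.0.113.9", "10.20.0.15", 79),    # external finger probe: denied
    Flow("10.10.0.7", "10.30.0.4", 22),       # not the app segment: out of scope
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

The point of the second sample flow is the article's caveat: an authentication gateway only helps if internal clients cannot reach the app port directly, so the evaluator denies any flow to the app port that does not originate in the gateway segment, regardless of whether the source is internal.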


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...