Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/25/2013
06:37 AM
John H. Sawyer
John H. Sawyer
Quick Hits
50%
50%

How Attackers Target And Exploit Critical Business Applications

Applications such as ERP and CRM make businesses go, yet are often left unpatched and vulnerable

[The following is excerpted from "How Attackers Target and Exploit Critical Business Applications," a new report posted this week on Dark Reading's Applications Security Tech Center.]

Most enterprises rely on a few critical business applications for their day-to-day operations. Many of these applications are well-known, off-the-shelf or cloud-based products. Because of their critical nature and the value of the data contained within them, they are a prime target for attackers.

So why don't we hear more about attacks against enterprise resource planning systems, sensitive e-commerce and business-to-business applications, and customer resource management systems? The primary reason is that enterprises don't see them as being insecure. Also, their complexity makes it difficult to effectively monitor them and detect a compromise.

Even if such systems could be easily monitored, the collective experience in the 2013 Verizon Data Breach Investigations Report tells us that it would probably take months for anyone to notice the breach. Further, notes the report, notification is more likely to come from a third party than from internal monitoring.

But attackers are targeting these systems, and security professionals will need to up their game as targeted attacks and corporate espionage become more prevalent.

In the white paper "Forgotten World: Corpo-rate Business Application Systems," authors Alexander Polyakov and Val Smith say, "These days the majority of companies have strong security policies and patch management as it applies to standard networks and operating systems, but these defenses rarely exist or are in place for ERP-type systems. An attacker can bypass all company investments in security by attacking the ERP system."

It's the very nature of ERP and other enterprise apps that makes them so appealing to attackers.

These systems are complex, customized applications that house the inner workings of the business itself. In order to work effectively, these mega business applications typically have connections into, and receive input from, many different applications and servers throughout the enterprise. These systems are not turnkey, almost always requiring some type of middleware glue from a consulting company. All of these factors make for a-difficult- to-secure and nearly impossible-to-patch system.

Even if these systems were easy to patch, the vulnerabilities would likely go unnoticed because companies are often afraid to perform vulnerability scans on them: There are too many unknowns in how the systems would handle such a scan, and they don't want to impact business operations.

Part of the pushback that occurs around scanning running applications is that those organizations with a strong focus on application security have tended to throw their resources at the front-end of the application life cycle, says John Weinschenk, CEO of Cenzic. While that may be the most cost-effective method of addressing application security, the truth is that it doesn't address the realities of applications running in a production environment

"When you look at an enterprise, traditionally how they have handled application security has been focused at the pre-production level," he says. "But with every company that's been hacked that you've seen in the paper recently, its always the production applications that got hacked."

While this fear of scanning operational applications may be understandable to a point, it leaves some of your most critical systems at risk.

To read more about the challenges of maintaining and securing critical business applications -- and how attackers exploit those applications -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon6678820158
50%
50%
anon6678820158,
User Rank: Apprentice
7/29/2013 | 1:09:25 AM
re: How Attackers Target And Exploit Critical Business Applications
Firms have to evaluate the IA issues of the system they are buying into. No longer can company's trust that a vendor will secure their data. IT security should be involved in the vetting process for these systems.
anon7187962634
50%
50%
anon7187962634,
User Rank: Apprentice
7/26/2013 | 6:50:11 AM
re: How Attackers Target And Exploit Critical Business Applications
It's funny, I'm no longer working for a firm that was having MAJOR issues with CRM security (actually, the mass-emailing program). Since CRM is deemed (incorrectly) a "Marketing Application," IT always ignored it as much as possible. We became blacklisted because of insecure sending of emails, and the dipsh*t IT person said, "Well, why don't we just ad an 's' to our urls to make them read 'https' and then we'll be 'secure'."

With morons like that - and the continued thinking that CRM is somehow 'safe' because it's just a Marketing app - it's no wonder that CRM poses a threat.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-35419
PUBLISHED: 2021-04-14
Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.
CVE-2021-28060
PUBLISHED: 2021-04-14
A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.
CVE-2021-28825
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with l...
CVE-2021-28826
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker wi...
CVE-2021-28855
PUBLISHED: 2021-04-14
In Deark before 1.5.8, a specially crafted input file can cause a NULL pointer dereference in the dbuf_write function (src/deark-dbuf.c).