Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
5/3/2018
09:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

4 Critical Applications and How to Protect Them

Since critical apps are, well, critical, security teams must take preventive measures to keep attackers from exploiting their vulnerabilities.

Critical applications are often so baked into the day-to-day tempo of an organization that users often forget their importance — until they go down. The first key definition of a critical application is how much an enterprise relies on it. By their nature, critical apps have enormous data stores, multifaceted processing engines, spread globally, and are deeply integrated into other dependent application services.

Here are four of the most complex and vulnerable critical applications:

Financial Apps
Financial applications are often focused on the unique requirements of an organization. Banks have thousands of applications, all critical to revenue and business operations. But consider accounting applications, which are also often intricate and tailored to the particular industry of the organization. Nearly all financial applications are subject to regulation as they hold, process, and move critical data, which must remain confidential and untampered. Often you will see internet commerce systems with direct ties to financial systems to process customer payments. All of these are potential ingress points for attackers.

Medical Apps
Hospitals are usually assemblages of independent, smaller clinics, doctor’s offices, and diagnostic facilities. Their applications exist in the same manner: deeply vertical and highly variable. This means lots of applications with different levels of security and reliability all sitting side-by-side exchanging confidential medical data. It’s not surprising for an old Windows XP box to be connected to a drug dispenser machine. Some systems are so specialized that you may have software developed by a singular researcher, who supports the program as a side project (if ever). This is also an environment where patient safety trumps all other requirements, sometimes even security. So you can see things like the network protocols that embed patient identification into the network packet itself to ensure medical information is never mixed up.

Messaging Systems
Another overlooked but critical application is email and communication systems. Messaging systems need to touch everyone as well as accept connections from the outside. Mail systems are notorious dumping grounds for years of yet-to-be-classified-but-probably-should-be-secret documents and private conversation threads. Email systems are also often the gateway to authentication with password resets landing in people inboxes. An analysis of the California Attorney General breach notifications for 2017 showed that 5% of reported significant data breaches were directly attributed to credential exposure via email compromise. Email messages often stand in as the primary identity on the Internet. A compromised email account can be leverage point for a variety of insidious scams, targeting both your customers and internal employees.

Legacy Systems
Legacy systems could fit into any of the earlier categories, although most them are specialized applications, often heavily customized. Think of airline reservation systems, customer management software, and one-off unique software. Legacy systems exact an excessive burden in their high operating cost and incompatibility with modern systems and security tools. The most difficult and insecure of these systems have existed in a long period of stasis, rarely updated due to their being written in archaic programming languages.

Managing the Common Risks
One of the first things that should be done is to become aware of what and where critical apps live. As part of a forthcoming report on protecting applications, F5 commissioned a survey with Ponemon that found that 38% of respondents had "no confidence" in knowing where all their applications existed. These large, sprawling, and critical systems have common vulnerabilities that can be exploited by attackers.

  • Credential Attacks: Many older applications do not have robust authentication systems, leading to mismatches with authentication requirements. If a critical app doesn’t support better authentication, or can’t hand off to an access directory server, then authentication gateway servers can be used. These are proxies that stand in front of the critical application and provide superior authentication schemes. All access to the critical app flows through the gateway, which in turn pass the legacy credentials to the critical app invisibly. Even weak passwords could be strengthened with this to use newer authentication technologies like federation, single sign-on, and multi-factor. For this to be effective, you need network segregation to enforce it.
  • Segregation from Exploits and Denial-of-Service Attacks: Segregation with firewalls and virtual LANs reduce inbound network traffic to the few limited protocols necessary for the application to function. Since some legacy or specialized apps aren’t patchable or have limited hardening capability, a firewall restricts connection attempts to those vulnerable services. Easily exploited services such as Telnet, FTP, CharGen, and Finger can all be blocked from external access. It’s not perfect, but at least you’ve reduced your attack surface. In some cases, smarter firewalls with intrusion prevention capability or virtual patching can also help.
  • Encryption to Prevent Network Interception: A malicious insider or an attacker that’s already breached your network is a potential threat, so any internal traffic carrying confidential information should be protected. If the critical app doesn’t support a secure transport protocol, then a TLS or VPN gateway can be used. Like the authentication gateway, these sit in front of the critical app and encapsulate all traffic passing through into an encrypted tunnel. These should also be used for all external links from the application, even to trusted third parties.

Get the latest application threat intelligence from F5 Labs.

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20811
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.
CVE-2019-20812
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067.
CVE-2020-13776
PUBLISHED: 2020-06-03
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.
CVE-2019-20810
PUBLISHED: 2020-06-03
go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.
CVE-2020-4026
PUBLISHED: 2020-06-03
The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including those that are restricted...