Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
5/3/2018
09:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

4 Critical Applications and How to Protect Them

Since critical apps are, well, critical, security teams must take preventive measures to keep attackers from exploiting their vulnerabilities.

Critical applications are often so baked into the day-to-day tempo of an organization that users often forget their importance — until they go down. The first key definition of a critical application is how much an enterprise relies on it. By their nature, critical apps have enormous data stores, multifaceted processing engines, spread globally, and are deeply integrated into other dependent application services.

Here are four of the most complex and vulnerable critical applications:

Financial Apps
Financial applications are often focused on the unique requirements of an organization. Banks have thousands of applications, all critical to revenue and business operations. But consider accounting applications, which are also often intricate and tailored to the particular industry of the organization. Nearly all financial applications are subject to regulation as they hold, process, and move critical data, which must remain confidential and untampered. Often you will see internet commerce systems with direct ties to financial systems to process customer payments. All of these are potential ingress points for attackers.

Medical Apps
Hospitals are usually assemblages of independent, smaller clinics, doctor’s offices, and diagnostic facilities. Their applications exist in the same manner: deeply vertical and highly variable. This means lots of applications with different levels of security and reliability all sitting side-by-side exchanging confidential medical data. It’s not surprising for an old Windows XP box to be connected to a drug dispenser machine. Some systems are so specialized that you may have software developed by a singular researcher, who supports the program as a side project (if ever). This is also an environment where patient safety trumps all other requirements, sometimes even security. So you can see things like the network protocols that embed patient identification into the network packet itself to ensure medical information is never mixed up.

Messaging Systems
Another overlooked but critical application is email and communication systems. Messaging systems need to touch everyone as well as accept connections from the outside. Mail systems are notorious dumping grounds for years of yet-to-be-classified-but-probably-should-be-secret documents and private conversation threads. Email systems are also often the gateway to authentication with password resets landing in people inboxes. An analysis of the California Attorney General breach notifications for 2017 showed that 5% of reported significant data breaches were directly attributed to credential exposure via email compromise. Email messages often stand in as the primary identity on the Internet. A compromised email account can be leverage point for a variety of insidious scams, targeting both your customers and internal employees.

Legacy Systems
Legacy systems could fit into any of the earlier categories, although most them are specialized applications, often heavily customized. Think of airline reservation systems, customer management software, and one-off unique software. Legacy systems exact an excessive burden in their high operating cost and incompatibility with modern systems and security tools. The most difficult and insecure of these systems have existed in a long period of stasis, rarely updated due to their being written in archaic programming languages.

Managing the Common Risks
One of the first things that should be done is to become aware of what and where critical apps live. As part of a forthcoming report on protecting applications, F5 commissioned a survey with Ponemon that found that 38% of respondents had "no confidence" in knowing where all their applications existed. These large, sprawling, and critical systems have common vulnerabilities that can be exploited by attackers.

  • Credential Attacks: Many older applications do not have robust authentication systems, leading to mismatches with authentication requirements. If a critical app doesn’t support better authentication, or can’t hand off to an access directory server, then authentication gateway servers can be used. These are proxies that stand in front of the critical application and provide superior authentication schemes. All access to the critical app flows through the gateway, which in turn pass the legacy credentials to the critical app invisibly. Even weak passwords could be strengthened with this to use newer authentication technologies like federation, single sign-on, and multi-factor. For this to be effective, you need network segregation to enforce it.
  • Segregation from Exploits and Denial-of-Service Attacks: Segregation with firewalls and virtual LANs reduce inbound network traffic to the few limited protocols necessary for the application to function. Since some legacy or specialized apps aren’t patchable or have limited hardening capability, a firewall restricts connection attempts to those vulnerable services. Easily exploited services such as Telnet, FTP, CharGen, and Finger can all be blocked from external access. It’s not perfect, but at least you’ve reduced your attack surface. In some cases, smarter firewalls with intrusion prevention capability or virtual patching can also help.
  • Encryption to Prevent Network Interception: A malicious insider or an attacker that’s already breached your network is a potential threat, so any internal traffic carrying confidential information should be protected. If the critical app doesn’t support a secure transport protocol, then a TLS or VPN gateway can be used. Like the authentication gateway, these sit in front of the critical app and encapsulate all traffic passing through into an encrypted tunnel. These should also be used for all external links from the application, even to trusted third parties.

Get the latest application threat intelligence from F5 Labs.

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29378
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...
CVE-2020-29379
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices. During the process of updating the firmware, the update script starts a telnetd -l /bin/sh process that does not require authentication for TELNET access.
CVE-2020-29380
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-...
CVE-2020-29381
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename...
CVE-2020-29382
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. A hardcoded RSA private key (specific to V1600D, V1600G1, and V1600G2) is contained in the firmware images.