Critical applications are often so baked into the day-to-day tempo of an organization that users often forget their importance — until they go down. The first key definition of a critical application is how much an enterprise relies on it. By their nature, critical apps have enormous data stores, multifaceted processing engines, spread globally, and are deeply integrated into other dependent application services.
Here are four of the most complex and vulnerable critical applications:
Financial applications are often focused on the unique requirements of an organization. Banks have thousands of applications, all critical to revenue and business operations. But consider accounting applications, which are also often intricate and tailored to the particular industry of the organization. Nearly all financial applications are subject to regulation as they hold, process, and move critical data, which must remain confidential and untampered. Often you will see internet commerce systems with direct ties to financial systems to process customer payments. All of these are potential ingress points for attackers.
Hospitals are usually assemblages of independent, smaller clinics, doctor’s offices, and diagnostic facilities. Their applications exist in the same manner: deeply vertical and highly variable. This means lots of applications with different levels of security and reliability all sitting side-by-side exchanging confidential medical data. It’s not surprising for an old Windows XP box to be connected to a drug dispenser machine. Some systems are so specialized that you may have software developed by a singular researcher, who supports the program as a side project (if ever). This is also an environment where patient safety trumps all other requirements, sometimes even security. So you can see things like the network protocols that embed patient identification into the network packet itself to ensure medical information is never mixed up.
Another overlooked but critical application is email and communication systems. Messaging systems need to touch everyone as well as accept connections from the outside. Mail systems are notorious dumping grounds for years of yet-to-be-classified-but-probably-should-be-secret documents and private conversation threads. Email systems are also often the gateway to authentication with password resets landing in people inboxes. An analysis of the California Attorney General breach notifications for 2017 showed that 5% of reported significant data breaches were directly attributed to credential exposure via email compromise. Email messages often stand in as the primary identity on the Internet. A compromised email account can be leverage point for a variety of insidious scams, targeting both your customers and internal employees.
Legacy systems could fit into any of the earlier categories, although most them are specialized applications, often heavily customized. Think of airline reservation systems, customer management software, and one-off unique software. Legacy systems exact an excessive burden in their high operating cost and incompatibility with modern systems and security tools. The most difficult and insecure of these systems have existed in a long period of stasis, rarely updated due to their being written in archaic programming languages.
Managing the Common Risks
One of the first things that should be done is to become aware of what and where critical apps live. As part of a forthcoming report on protecting applications, F5 commissioned a survey with Ponemon that found that 38% of respondents had "no confidence" in knowing where all their applications existed. These large, sprawling, and critical systems have common vulnerabilities that can be exploited by attackers.