Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz
Zeljka Zorz, Editor-in-Chief, Help Net Security
May 27, 2020

Application threats and security trends you need to know about

Applications are a gateway to valuable data, so it’s no wonder they are one of attackers’ preferred targets.

And since modern applications aren’t a monolithic whole but consist of many separate components “glued together” over networks, attackers have at their disposal many “doors” through which they can attempt access to the data.


Easy targets will remain popular

Some of these doors are more popular than others. According to the latest Application Protection Report by F5 Networks, attackers love to:

1. Exploit PHP vulnerabilities such as CVE-2018-12613 and CVE-2018-20062, and poorly secured PHP-enabled admin interfaces.

“PHP is a widespread and powerful server-side language that’s been used in 80% of sites on the web since 2013. It underpins several of the largest web applications in the world, including WordPress and Facebook,” F5 analysts said, explaining the attraction.

2. Engage in injection attacks and formjacking (the latter especially when targeting the retail sector).

In 2019, formjacking of payment cards was responsible for 87% of web breaches and 17% of known breaches in total (up from 71% and 12% in 2018). The retail sector was the most significant formjacking target that year: 81% of retail breaches were the result of formjacking attacks, while nearly all other sectors tended to be breached most often through the access tier.

“The lesson is clear: for any organization that accepts payment cards via the web, their shopping cart is a target for cyber-criminals,” the analysts pointed out.

3. Get access to accounts (and especially email accounts) via phishing, brute forcing, credential stuffing or stolen credentials.

“Access tier attacks are any that seek to circumvent the legitimate processes of authentication and authorization that we use to control who gets to use an application, and how they can use it. The result of this kind of attack is a malicious actor gaining entry to a system while impersonating a legitimate user. They then use the legitimate user’s authorization to accomplish a malicious goal — usually data exfiltration,” the analysts explained.

Attackers use a number of tactics to keep these attacks unnoticed, but organizations also have a lot of defensive options at their disposal to prevent them.

4. Go after unmonitored, vulnerable, poorly secured or misconfigured APIs.

“In the days of monolithic apps, whatever core business logic generated value needed to be supported by a user interface, storage, and other meta-functions. Now it is sufficient to develop a single specialized service, and use APIs to either outsource other functions to bring an app to market, offer the service to other app owners, or both,” the analysts explained.

Their widespread use makes them a big target, and a combination of factors makes them rich ones:

  • They are often configured with overly broad permissions
  • They often lack visibility and monitoring.

There are solutions to these problems

Attackers go where the data is, and that’s why organizations in each sector/industry should develop risk-based security programs and tailor controls and architecture to reflect the threats they actually face, the analysts advise.


To counter access attacks, organizations should implement multi-factor authentication where fitting and possible, but should also consider:

  • Checking passwords against a dictionary of default, stolen, and well-known passwords
  • Making sure the system can detect and prevent brute force attacks by, for example, using CAPTCHA, slowing down sessions, setting up alarms, etc.
  • Creating simple methods for users to report suspected phishing
  • Encrypting or eliminating confidential data from the organization’s email caches
  • Enabling logging (to be able to discover what the attackers did when they gained access).
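Two of the access-tier controls above, a check against a list of well-known passwords and detection of brute forcing (many failures on one account) versus credential stuffing (many failures from one source across accounts), as an added illustration that is not part of the F5 report or this article. The password list, thresholds and addresses are constructed for the example; in production the alarm would go to a SIEM rather than a list.

```python
import hashlib
import time
from collections import defaultdict

# Constructed sample of a default/stolen/well-known password list, stored as
# SHA-1 hashes so the application never holds the plaintext list itself.
DENYLIST_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "admin", "letmein", "qwerty")
}

def password_is_denylisted(password: str) -> bool:
    """True if the candidate password appears on the deny list."""
    return hashlib.sha1(password.encode()).hexdigest() in DENYLIST_SHA1

class LoginGuard:
    """Counts failed logins per account and per source IP in a sliding window.
    Reaching the threshold on one account suggests brute force; reaching it
    from one IP across accounts suggests credential stuffing. Either raises
    an alarm and blocks further attempts until the window has passed."""
    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures_by_user = defaultdict(list)   # user -> [timestamps]
        self.failures_by_ip = defaultdict(list)     # ip   -> [timestamps]
        self.alarms = []                            # messages for the SIEM

    def _recent(self, stamps, now):
        # Drop timestamps outside the window, return how many remain.
        stamps[:] = [t for t in stamps if now - t < self.window]
        return len(stamps)

    def is_blocked(self, user, ip, now=None):
        now = time.time() if now is None else now
        return (self._recent(self.failures_by_user[user], now) >= self.max_failures
                or self._recent(self.failures_by_ip[ip], now) >= self.max_failures)

    def record_failure(self, user, ip, now=None):
        now = time.time() if now is None else now
        self.failures_by_user[user].append(now)
        self.failures_by_ip[ip].append(now)
        # Alarm exactly once, at the moment the threshold is crossed.
        if self._recent(self.failures_by_user[user], now) == self.max_failures:
            self.alarms.append(f"brute force suspected against account {user}")
        if self._recent(self.failures_by_ip[ip], now) == self.max_failures:
            self.alarms.append(f"credential stuffing suspected from {ip}")
```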

Spotting and foiling injection and formjacking attacks can be done by securing servers, patching injection vulnerabilities, employing change control, using web application firewalls (WAFs), testing and watching all third-party components on sites with forms that accept critical information, and so on.

But organizations should be aware that the injection landscape is constantly changing, and they have to follow the trends and adapt.
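The "change control" and "watching third-party components" advice above, as an added example that is not part of the article or the F5 report: a small inventory of the scripts on a page, compared against a baseline, so that a script that appears on a payment or login form without going through change control is flagged. The field names, the baseline and the page content are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Field names that suggest a form collects credentials or payment-card data.
SENSITIVE_FIELDS = {"password", "cardnumber", "ccnumber", "cvv", "cvc"}

class ScriptInventory(HTMLParser):
    """Collects external script origins, hashes of inline scripts, and
    whether the page carries a form that takes sensitive input."""
    def __init__(self):
        super().__init__()
        self.origins = set()          # "scheme://host" of each <script src>
        self.inline_hashes = set()    # sha256 of each inline <script> body
        self.sensitive_form = False
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            u = urlsplit(a["src"])
            self.origins.add(f"{u.scheme}://{u.netloc}" if u.netloc else "(same-origin)")
        elif tag == "script":
            self._in_script = True
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            name = name.replace("_", "").replace("-", "")
            if a.get("type") == "password" or name in SENSITIVE_FIELDS:
                self.sensitive_form = True

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).encode()
            self.inline_hashes.add(hashlib.sha256(body).hexdigest())
            self._in_script, self._buf = False, []

def unexpected_scripts(html, baseline_origins, baseline_inline_hashes):
    """Compare a fetched page against the change-controlled baseline. A script
    that is not in the baseline, on a page with a sensitive form, is exactly
    what a formjacking injection looks like and should be investigated."""
    inv = ScriptInventory()
    inv.feed(html)
    return {"sensitive_form": inv.sensitive_form,
            "new_origins": inv.origins - baseline_origins,
            "new_inline": inv.inline_hashes - baseline_inline_hashes}
```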

Finally, organizations can mitigate the risk of API attacks by:

  • Making (and maintaining) an inventory of their APIs
  • Deploying authentication for them and storing credentials securely
  • Limiting their permissions
  • Monitoring them (by logging connections and reviewing them)
  • Encrypting the API connections
  • Testing APIs
  • Implementing API security tools.
