Zeljka Zorz, Editor-in-Chief, Help Net Security
May 27, 2020

Application threats and security trends you need to know about

Applications are a gateway to valuable data, so it’s no wonder they are one of attackers’ preferred targets.

And since modern applications aren’t a monolithic whole but consist of many separate components “glued together” over networks, attackers have at their disposal many “doors” through which they can attempt access to the data.


Easy targets will remain popular

Some of these doors are more popular than others. According to the latest Application Protection Report by F5 Networks, attackers love to:

1. Exploit PHP vulnerabilities such as CVE-2018-12613 and CVE-2018-20062, and poorly secured PHP-enabled admin interfaces.

“PHP is a widespread and powerful server-side language that’s been used in 80% of sites on the web since 2013. It underpins several of the largest web applications in the world, including WordPress and Facebook,” F5 analysts explained the attraction.

2. Engage in injection attacks and formjacking (the latter especially when targeting the retail sector).

In 2019, formjacking of payment cards was responsible for 87% of web breaches and 17% of known breaches in total (up from 71% and 12% in 2018). In 2019, the retail sector was the most significant formjacking target: 81% of retail breaches resulted from formjacking attacks, while nearly all other sectors tended to be breached most often through the access tier.

“The lesson is clear: for any organization that accepts payment cards via the web, their shopping cart is a target for cyber-criminals,” the analysts pointed out.

3. Get access to accounts (and especially email accounts) via phishing, brute forcing, credential stuffing or using stolen credentials.

“Access tier attacks are any that seek to circumvent the legitimate processes of authentication and authorization that we use to control who gets to use an application, and how they can use it. The result of this kind of attack is a malicious actor gaining entry to a system while impersonating a legitimate user. They then use the legitimate user’s authorization to accomplish a malicious goal, usually data exfiltration,” the analysts explained.

Attackers use a number of tactics to keep these attacks from being noticed, but organizations also have a lot of defensive options at their disposal to prevent them.

4. Go after unmonitored, vulnerable, poorly secured or misconfigured APIs.

“In the days of monolithic apps, whatever core business logic generated value needed to be supported by a user interface, storage, and other meta-functions. Now it is sufficient to develop a single specialized service, and use APIs to either outsource other functions to bring an app to market, offer the service to other app owners, or both,” the analysts explained.

Their widespread use makes them a big target, and a combination of factors makes them rich ones:

  • They are often configured with overly broad permissions
  • They often lack visibility and monitoring.

There are solutions to these problems

Attackers go where the data is, and that’s why organizations in each sector/industry should develop risk-based security programs and tailor controls and architecture to reflect the threats they actually face, the analysts advise.


To counter access attacks, organizations should implement multi-factor authentication where fitting and possible, but should also consider:

  • Checking passwords against a dictionary of default, stolen, and well-known passwords
  • Making sure the system can detect and prevent brute force attacks by, for example, using CAPTCHA, slowing down sessions, setting up alarms, etc.
  • Creating simple methods for users to report suspected phishing
  • Encrypting or eliminating confidential data from the organization’s email caches
  • Enabling logging (to be able to discover what the attackers did when they gained access).
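As an added illustration of the password-dictionary check, brute-force detection and logging items above (my own sketch, not code from the report or this article), the following Python module rejects passwords found in a constructed denylist, counts failed logins per account and per source IP in a sliding window, slows the session and demands a CAPTCHA once a threshold is crossed, raises an alarm, and keeps an audit log of what happened. The thresholds, window and denylist contents are assumed values.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed denylist of default / well-known / stolen passwords. A real deployment
# would load a large breach corpus; storing SHA-1 digests avoids keeping plaintexts.
DENYLIST = {hashlib.sha1(p.encode()).hexdigest()
            for p in ["password", "123456", "admin", "Welcome1"]}

def password_is_denylisted(password: str) -> bool:
    """True if the candidate password appears in the default/stolen/well-known list."""
    return hashlib.sha1(password.encode()).hexdigest() in DENYLIST

class LoginGuard:
    """Tracks failed logins per account and per source IP in a sliding window and
    decides whether to allow, challenge with a CAPTCHA, slow down, or raise an alarm."""
    def __init__(self, window_s=300, per_account=5, per_ip=20):   # assumed thresholds
        self.window_s = window_s
        self.per_account = per_account   # failures per user before lock-out
        self.per_ip = per_ip             # failures per IP: credential-stuffing signal
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.audit_log = []                  # record of what happened, for later review

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window_s:   # expire failures outside the window
            q.popleft()
        return len(q)

    def record_failure(self, user, ip, now=None):
        now = time.time() if now is None else now
        self.failures[("user", user)].append(now)
        self.failures[("ip", ip)].append(now)
        self.audit_log.append({"t": now, "event": "login_failed", "user": user, "ip": ip})

    def check(self, user, ip, now=None):
        """Decision for the next attempt by (user, ip): allow / captcha / delay / alarm."""
        now = time.time() if now is None else now
        u = self._recent(("user", user), now)
        i = self._recent(("ip", ip), now)
        decision = {"allow": True, "captcha": False, "delay_s": 0, "alarm": False}
        if u >= self.per_account or i >= self.per_ip:
            # Brute force or credential stuffing suspected: block, slow down, alert.
            decision.update(allow=False, captcha=True, alarm=True,
                            delay_s=min(2 ** max(u, i // 4), 60))
            self.audit_log.append({"t": now, "event": "bruteforce_suspected", "user": user,
                                   "ip": ip, "user_failures": u, "ip_failures": i})
        elif u >= 3:   # early warning: keep allowing but add friction
            decision.update(captcha=True, delay_s=2 ** u)
        return decision
```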

Spotting and foiling injection and formjacking attacks requires securing servers, patching injection vulnerabilities, employing change control, using web application firewalls (WAFs), and testing and monitoring all third-party components on sites with forms that accept critical information.
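One way to do the change-control and third-party-component watching just described, as an added example rather than anything from the report or this article: the Python script below parses a constructed checkout page, flags third-party scripts served without a Subresource Integrity attribute, and diffs the page's script set against a change-controlled baseline so that a new, altered or removed script is surfaced. The hostnames, paths and hash values are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = {"shop.example", "static.shop.example"}   # assumed: our own origins

class ScriptCollector(HTMLParser):
    """Collects every <script src=...> on a page together with its integrity attribute."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def audit_checkout_scripts(html, baseline):
    """Return (finding, src) pairs for a page carrying a payment form: third-party
    scripts without SRI, and any drift from the change-controlled baseline."""
    p = ScriptCollector()
    p.feed(html)
    findings, seen = [], {}
    for src, integrity in p.scripts:
        host = urlparse(src).netloc          # empty for relative (first-party) paths
        seen[src] = integrity
        third_party = bool(host) and host not in FIRST_PARTY
        if third_party and not integrity:    # vendor code the browser cannot pin
            findings.append(("missing_sri", src))
        if src not in baseline:              # script nobody approved
            findings.append(("not_in_baseline", src))
        elif baseline[src] != integrity:     # approved script, but its hash changed
            findings.append(("integrity_changed", src))
    for src in baseline:                     # removal is a change-control event too
        if src not in seen:
            findings.append(("missing_from_page", src))
    return findings

# Constructed sample checkout page; the last script was not in the baseline.
CHECKOUT_HTML = """
<form action="/pay" method="post"><input name="card_number"></form>
<script src="/js/app.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.vendor.example/analytics.js" integrity="sha384-BBBB"></script>
<script src="https://cdn.vendor.example/widget.js"></script>
<script src="https://unknown-host.example/loader.js"></script>
"""
# Change-controlled baseline (constructed): src -> expected integrity value.
BASELINE = {"/js/app.js": "sha384-AAAA",
            "https://cdn.vendor.example/analytics.js": "sha384-BBBB",
            "https://cdn.vendor.example/widget.js": None}
```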

But organizations should be aware that the injection landscape is constantly changing, and they have to follow the trends and adapt.

Finally, organizations can mitigate the risk of API attacks by:

  • Making (and maintaining) an inventory of their APIs
  • Deploying authentication for them and storing credentials securely
  • Limiting their permissions
  • Monitoring them (by logging connections and reviewing them)
  • Encrypting the API connections
  • Testing APIs
  • Implementing API security tools.