Apps are gateway to business data for cyber attackers

Protecting applications is a critical task for security professionals because most cyber attacks are now at the application layer, according to Ray Pompon, principal threat research evangelist at F5 Labs.

“Applications are the centre of the business and consequently they are the gateway to the corporate data that attackers are targeting,” he told attendees of IPExpo in London.

A global survey by F5 Labs found that 34% of organisations polled identified web applications that they considered to be mission critical and that, on average, organisations were using 765 applications to enable them to function on a day-to-day basis.

“This is increasing as apps become more business-centric and means that when applications go down, the impact on the business is great and often means that the business goes down and data goes right out the door into criminal networks,” said Pompon.

When it comes to defending applications from attackers, he said it is useful to think of apps not as single entities, but as comprising a multitude of independent components, running in separate environments with different operational requirements and supporting infrastructure – both in the cloud and on-premise – “glued together” across networks.

“Those interacting tiers – application services, application access, transport layer services (TLS/SSL), domain name services (DNS) and the network – are all integral to making an application work and each is a potential target of attack to break open the app and access business data,” he said.

F5 Labs’ research shows that the majority of attacks are happening at applications’ services and access layers.

Services-level attacks include application programming interface (API) attacks, SQL injection (SQLi), malware, distributed denial of service (DDoS), cross-site scripting (XSS), cross-site request forgery (XSRF), man in the middle (MiTM) and functionality abuse attacks.

“Globally, credential theft was identified as the biggest problem in terms of impact by 68% of those polled, followed by DDoS attacks (63%), web fraud (50%), XSS (25%) and SQLi (24%), but in the UK, web fraud was top of the list, cited by 58% of the organisations polled,” said Pompon.

Access-level attacks include credential theft, credential stuffing, session hijacking, phishing and brute force attacks.

“Among access attacks, compromised email is at the top, accounting for 34% of reported attacks, followed by phishing (26%), access misconfigurations (23%) and credential stuffing (9%),” said Pompon.

The research also looked at the cost of application layer attacks and found that in the UK in 2017, the cost of loss of confidential information was estimated at £6.6m, while the cost associated with application tampering, including malware injection, was estimated at £6.2m.

The importance of application security was further underlined this week by a report by security firm Radware, which revealed that 89% of organisations polled admit they have had an application layer attack in the past year.

Despite the risks and potential consequences, the Radware survey showed that most businesses have inadequate security around APIs, with 82% of those that use API gateways doing so to share and/or consume data, but 70% of respondents do not require authentication from third-party APIs, 62% do not encrypt data sent by APIs, and 33% allow third parties to perform actions, opening the door to additional threats.