Security Think Tank: Defend application layer with good security hygiene
What should organisations be doing to address application layer attacks and reduce the likelihood of a breach through this type of attack?
Application layer attacks are not a new attack vector. For as long as we have pierced our firewalls to let applications through, attackers have exploited the resulting exposure, and this kind of attack is the outcome.
As soon as you allow an application through your firewall, there is a possibility of an application layer attack on it. Of course, we have to let applications through firewalls to do business – to allow remote users to access email and to do myriad other things.
Countless times I have seen Hollywood representations of “hacking a firewall”, which is very misleading for people who are coaxed into thinking that is what hackers do. In fact, they are simply finding a way through a firewall that an organisation has opened.
Organisations can buy more firewalls or take the defence-in-depth approach, but as soon as they open something up to the internet, they have burned a hole right through it.
Technically, the means of protecting against or minimising the risk from application layer attacks needs to be proportionate, of course, and may vary. But securing the application layer still depends on people, great security hygiene and sound processes.
We need to allow applications through our firewalls – think of using remote access to email – but we can make sure we have done everything practical and appropriate to secure the use of those applications, and their users, that are piercing that defence.
We know that the majority of breaches come from insiders, either through negligence – poor training or simply failing to understand why their behaviour affects security – or through malicious activity. There are a variety of things to consider around users of applications. Our people, as happens so often, may not only be part of the threat, but will also be our best defence:
- Application password hygiene – force them to choose an excellent password, but don’t force them to change it every 30 days.
- Put appropriate barriers in place for authentication by users. Use two-factor authentication.
- Keep measures appropriate and usable so they are user-friendly enough to stop users trying to circumvent them, which would create more risk.
- Understand information assets – use defence in depth at the application layer.
- Segregate sensitive and non-sensitive assets.
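As an added illustration of the first, second and last points in the list (not code from the original article), the following Python sketch shows an access policy that enforces password strength without a calendar-driven expiry, rotates a password only when it is known to be compromised, and requires a second factor for assets classed as sensitive. The weak-password list, the `Account` and `Asset` types and the `access_decision` function are all hypothetical constructions for this example.

```python
"""Access policy sketch: strong passwords without forced expiry, rotation on
compromise only, and MFA gating for sensitive assets (added example)."""
from dataclasses import dataclass

# Constructed stand-in for a breached/weak-password corpus; a real deployment
# would check against a large list of known-compromised passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12


def password_problems(password: str) -> list[str]:
    """Return the reasons a candidate password is unacceptable (empty if fine).

    Length and blocklist checks do the real work; no composition rules or
    expiry dates, which mostly push users toward predictable variations.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the weak-password list")
    if len(set(password)) < 4:
        problems.append("too little variety")
    return problems


@dataclass
class Account:
    username: str
    password_compromised: bool = False  # set when the credential shows up in a breach
    mfa_enrolled: bool = False


@dataclass
class Asset:
    name: str
    sensitive: bool  # segregation decision: sensitive assets get extra barriers


def must_rotate_password(account: Account) -> bool:
    # Rotation is driven by evidence of compromise, not by a 30-day clock.
    return account.password_compromised


def access_decision(account: Account, asset: Asset, mfa_passed: bool) -> tuple[bool, str]:
    """Decide whether an authenticated user may reach an asset, with a reason."""
    if must_rotate_password(account):
        return False, "password reported compromised; rotation required before access"
    if asset.sensitive and not account.mfa_enrolled:
        return False, "sensitive asset requires MFA enrolment"
    if asset.sensitive and not mfa_passed:
        return False, "second factor not presented"
    return True, "allowed"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", password_problems(candidate) or "acceptable")
    payroll = Asset("payroll", sensitive=True)
    alice = Account("alice", mfa_enrolled=True)
    bob = Account("bob")
    print("alice/payroll:", access_decision(alice, payroll, mfa_passed=True))
    print("bob/payroll:", access_decision(bob, payroll, mfa_passed=False))
```

The point of the `must_rotate_password` check is that the trigger for a change is a concrete event rather than the passage of time, which keeps the barrier meaningful without tempting users to work around it.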
Remember that most breaches come from people, so add pastoral care to your security strategy. Because it is ongoing, it is much more effective than vetting alone. If you need examples, look at the Morrisons breach by a disgruntled employee with access to sensitive data, or Edward Snowden.
We can’t ignore external threats, of course, but breaches are so frequently enabled by internal weakness that we must make sure we have done everything we can with our people, supported by technology that makes it easy for them to do the right thing.
We can’t stop allowing applications through firewalls, so let’s do it in full knowledge and understanding of the risk to information assets.