
Cybercrime focus shifts from servers and OS to applications

08 Mar 16

‘Little bugs’ in applications are creating an attractive attack surface for cybercriminals, with 60% of all successful security exploits occurring through an app.

That was one of the messages delivered by Paul Muller, Hewlett Packard Enterprise vice president of strategic marketing, strategy and consulting, at this week’s Digital Transformation Summit, where he was a keynote speaker.

Muller cautioned attendees at the conference to think not just about the security of traditional business apps, but across the spectrum, as companies seek to become digital businesses.

He says security of applications is something that doesn’t get enough publicity, but which is critical – and increasingly so.

“As we start to embed applications into everything, let me be crystal clear: 60% of all successful security exploits occur through the app.

“It’s all those little bugs in the app that create a really attractive attack surface for the bad guys. It’s not the firewall – they do their job. It’s not the SSL certificate that’s not working properly. By and large they do their job. It’s the actual application itself.”

Muller cited a recent HPE security report which found that IoT devices had, on average, 25 ‘significant’ vulnerabilities each.

“Sixty percent of them had what is called a cross-site scripting vulnerability – one of the oldest security vulnerabilities in the book, which enables you to exploit a device and take complete control of it.

“You can literally get script on the internet to enable you to do this,” Muller says.
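The cross-site scripting class Muller refers to is, at root, untrusted input written into an HTML page without encoding. The following is an added illustration, not code from any HPE report or device: a minimal "device status page" renderer in the vulnerable form beside the hardened form, with a constructed device-name value of the kind a device's web interface would echo back to the browser. The helper names and the sample value are assumptions for the example.

```python
"""Vulnerable vs hardened rendering of untrusted input in a device web UI.

Added example (not from the article or from HPE). The page is a constructed
stand-in for the kind of admin/status page embedded IoT devices ship with.
"""
from html import escape

# Constructed sample: an attacker-controlled "device name" field, as a user
# could set via a form or an API call on a device with no input validation.
UNTRUSTED_NAME = '<script>alert(1)</script>" onmouseover="alert(2)'


def render_status_vulnerable(device_name: str) -> str:
    """Interpolates the raw value into HTML in two contexts: element content
    and a quoted attribute. This is the classic XSS defect."""
    return (
        f"<h1>Device: {device_name}</h1>\n"
        f'<input name="devname" value="{device_name}">'
    )


def render_status_hardened(device_name: str) -> str:
    """HTML-encodes the value before interpolation. quote=True also encodes
    the double quote, which is what protects the attribute context."""
    safe = escape(device_name, quote=True)
    return (
        f"<h1>Device: {safe}</h1>\n"
        f'<input name="devname" value="{safe}">'
    )


def has_unencoded_markup(rendered: str, untrusted: str) -> bool:
    """Defender-side check for this demo: does the untrusted value survive
    verbatim in the output? If so, the browser will parse it as markup."""
    return untrusted in rendered


def demo() -> dict:
    """Runs both renderers on the constructed sample and reports the outcome."""
    vuln = render_status_vulnerable(UNTRUSTED_NAME)
    hard = render_status_hardened(UNTRUSTED_NAME)
    return {
        "vulnerable_output": vuln,
        "hardened_output": hard,
        "vulnerable_leaks_markup": has_unencoded_markup(vuln, UNTRUSTED_NAME),
        "hardened_leaks_markup": has_unencoded_markup(hard, UNTRUSTED_NAME),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Encoding at the output point is the fix that applies regardless of how the value got in; on devices whose firmware cannot be patched, the practical mitigation is to keep the web interface off untrusted networks and alert on any exposure of it.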

He says it was even more concerning that most of the devices were collecting personally identifiable information.

“These devices are collecting and not only capable of storing it, but so easily being breached.”

The HPE survey shows six in 10 IoT devices had user interfaces vulnerable to simple hacks, while 70% used unencrypted network services.

Eighty percent of the devices didn’t require sophisticated passwords, while 90% collected at least one piece of personal information and 70% allowed attackers to identify valid user accounts.

Muller’s comments come as HPE warns that attackers have shifted their focus from servers and operating systems to directly attack applications.

“They see this as the easiest route to accessing sensitive enterprise data and are doing everything they can do to exploit it,” HPE says in the HPE Security Research Cyber Risk Report 2016.

“Today’s security practitioner must understand the risk of convenience and interconnectivity to adequately protect it.”

Muller cites the example of a breach in the United States several years ago, when 250,000 credit card records were stolen.

“The important message about this, was that the hackers were inside the system for about two years before they were identified, [the company] had passed four separate audits in those two years, and the way it was identified that they had been breached… was when someone said we’ve found your data, you’ve been breached.

“The scary part was they didn’t break in through the front door, they got in through a time management system [for booking holiday leave] off to the side – an innocuous system, right. And vulnerable to simple attack.

“It’s the same with these IoT devices or any device. The applications are the weak point. And any weak point in your organisation creates a systemic vulnerability.”

Muller advocated pervasive encryption, in particular format-preserving encryption, which lets data be processed by the internal system while keeping its original format, but makes the data unusable outside that system.

“Assume the bad guys will get in. The only reason they want to get in is to monetise your data so they can sell it to other people. If it’s garbled when they get there, it’s effectively useless.”
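To show what "looks the same but is garbled" means in practice, here is an added example, not code from the article or from any HPE product: a small format-preserving cipher over decimal strings built as a Feistel network with an HMAC-SHA256 round function, in the general style of the NIST FF1/FFX designs. It is an illustration of the property, not a compliant FF1 implementation; the key, tweak and card-number-like input are constructed for the demo.

```python
"""Illustrative format-preserving encryption (FPE) over decimal digit strings.

Added example (not HPE's code). A 16-digit input encrypts to another
16-digit string, so downstream systems that validate length and character
set keep working, while the value is meaningless without the key.
Not a NIST FF1 implementation: use a vetted library in production.
"""
import hashlib
import hmac

ROUNDS = 10  # even, so the two halves end the cipher in their original order


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """Keyed pseudo-random integer from the tweak, round number and other half."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _split(digits: str):
    """Split into left/right halves; returns (left, right, len_left, len_right)."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a string of at least two decimal digits")
    u = len(digits) // 2
    return digits[:u], digits[u:], u, len(digits) - u


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string to a digit string of the same length."""
    a, b, u, v = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # width of the half being replaced this round
        c = (int(a) + _round_function(key, tweak, i, b)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the Feistel rounds in reverse."""
    a, b, u, v = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


# Constructed demo values: not a real key, not a real card number.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
DEMO_PAN = "4000123412341234"


def demo() -> dict:
    """Encrypt the constructed PAN, then decrypt it with the right key."""
    ct = fpe_encrypt(DEMO_KEY, DEMO_PAN, tweak=b"card_number")
    return {
        "plaintext": DEMO_PAN,
        "ciphertext": ct,
        "same_format": ct.isdigit() and len(ct) == len(DEMO_PAN),
        "round_trip_ok": fpe_decrypt(DEMO_KEY, ct, tweak=b"card_number") == DEMO_PAN,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The tweak binds a ciphertext to its column or field, so a value copied between fields does not decrypt. Note that a format-preserved ciphertext will not in general satisfy checksums such as Luhn, so any validation of that kind has to happen before encryption or after decryption.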

He says that while better perimeter defences are still needed, better detection systems that minimise the time between a breach and its discovery matter more.

“Those are the two things I’d suggest you do technologically. And the third thing is education, education, education [of executives and security staff].”
