Cybercrime focus shifts from servers and OS to applications

08 Mar 2016

‘Little bugs’ in applications are creating an attractive attack surface for cybercriminals, with 60% of all successful security exploits occurring through an app.

That was one of the messages delivered by Paul Muller, Hewlett Packard Enterprise vice president of strategic marketing, strategy and consulting, at this week’s Digital Transformation Summit, where he was a keynote speaker.

Muller cautioned attendees at the conference to think not just about the security of traditional business apps, but across the spectrum, as companies seek to become digital businesses.

He says security of applications is something that doesn’t get enough publicity, but which is critical – and increasingly so.

“As we start to embed applications into everything, let me be crystal clear: 60% of all successful security exploits occur through the app.

“It’s all those little bugs in the app that create a really attractive attack surface for the bad guys. It’s not the firewall – they do their job. It’s not the SSL certificate that’s not working properly. By and large they do their job. It’s the actual application itself.”

Muller cited a recent HPE security report which shows on average IoT devices had 25 ‘significant’ vulnerabilities per device.

“Sixty percent of them had what is called a cross-site scripting vulnerability – one of the oldest security vulnerabilities in the book, which enables you to exploit a device and take complete control of it.

“You can literally get script on the internet to enable you to do this,” Muller says.

Of even more concern, he says, was that most of the devices were collecting personally identifiable information.

“These devices are collecting and not only capable of storing it, but so easily being breached.”

The HPE survey shows six in 10 IoT devices had user interfaces vulnerable to simple hacks, while 70% used unencrypted network services.

Eighty percent of the devices didn’t require sophisticated passwords, while 90% collected at least one piece of personal information and 70% allowed attackers to identify valid user accounts.

Muller’s comments come as HPE warns that attackers have shifted their focus from servers and operating systems to directly attack applications.

“They see this as the easiest route to accessing sensitive enterprise data and are doing everything they can do to exploit it,” HPE says in the HPE Security Research Cyber Risk Report 2016.

“Today’s security practitioner must understand the risk of convenience and interconnectivity to adequately protect it.”

Muller cites the example of a breach in the United States several years ago, when 250,000 credit card records were stolen.

“The important message about this was that the hackers were inside the system for about two years before they were identified, [the company] had passed four separate audits in those two years, and the way it was identified that they had been breached… was when someone said we’ve found your data, you’ve been breached.

“The scary part was they didn’t break in through the front door, they got in through a time management system [for booking holiday leave] off to the side – an innocuous system, right. And vulnerable to simple attack.

“It’s the same with these IoT devices or any device. The applications are the weak point. And any weak point in your organisation creates a systemic vulnerability.”

Muller advocated the use of pervasive encryption, in particular format-preserving encryption, which enables data to be processed by the internal system and look the same, but cannot be used outside of the system.

“Assume the bad guys will get in. The only reason they want to get in is to monetise your data so they can sell it to other people. If it’s garbled when they get there, it’s effectively useless.”
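To make the format-preserving encryption idea concrete, here is an added example (not from the article or from HPE) in Python: a simplified Feistel construction over decimal digit strings, in the spirit of NIST FF1 but not that standard itself. A 16-digit card number encrypts to another 16-digit string that still passes length and digit checks downstream, yet is worthless without the key; the key and card number are constructed sample values.

```python
import hashlib
import hmac

ROUNDS = 10  # number of Feistel rounds in this toy scheme (assumption)


def _round_value(key: bytes, tweak: bytes, rnd: int, other_half: int, width: int) -> int:
    """Keyed pseudorandom function for one round: HMAC-SHA256 over
    (tweak, round number, the other half), reduced to `width` decimal digits."""
    msg = tweak + bytes([rnd]) + str(other_half).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def _split(digits: str):
    """Split a digit string into left/right integer halves and their widths."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a string of at least two decimal digits")
    u = len(digits) // 2
    return int(digits[:u]), int(digits[u:]), u, len(digits) - u


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string to a digit string of identical length.
    Even rounds mix the right half into the left, odd rounds the reverse;
    modular addition keeps each half inside its decimal range."""
    left, right, u, v = _split(digits)
    for rnd in range(ROUNDS):
        if rnd % 2 == 0:
            left = (left + _round_value(key, tweak, rnd, right, u)) % 10 ** u
        else:
            right = (right + _round_value(key, tweak, rnd, left, v)) % 10 ** v
    return f"{left:0{u}d}{right:0{v}d}"


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the rounds backwards with subtraction."""
    left, right, u, v = _split(digits)
    for rnd in reversed(range(ROUNDS)):
        if rnd % 2 == 0:
            left = (left - _round_value(key, tweak, rnd, right, u)) % 10 ** u
        else:
            right = (right - _round_value(key, tweak, rnd, left, v)) % 10 ** v
    return f"{left:0{u}d}{right:0{v}d}"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    pan = "4111111111111111"  # well-known test card number, constructed input
    token = fpe_encrypt(key, pan, tweak=b"cardholder-table")
    print(pan, "->", token, "->", fpe_decrypt(key, token, tweak=b"cardholder-table"))
```

The tweak binds a ciphertext to its context (here a table name), so the same number stored in two places encrypts differently under one key.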

He says while building better perimeter defences is still needed, more important is better detection systems to minimise the time between a breach and detection.

“Those are the two things I’d suggest you do technologically. And the third thing is education, education, education [of executives and security staff].”
