Articles by Jeff Curley
In the next three years, software as a service ‘SaaS’ is likely to grow by around 23%. That’s according to reports by Cognizance. It’s growth rests on the adoption of cloud public, private and hybrid. Without the cloud applications can’t truly pervade an organisation, nor can operational or customer benefits be derived. But there’s no point in adopting the cloud if it’s not secure - the proliferation of SaaS demands security, none more so in a GDPR world. Large cloud environment But modern applications are difficult to secure. SaaS based, web, mobile, or custom made all work on different platforms and frameworks. It’s a headache managing all the APIs needed to automate and sync tools. This introduces risk. The greater the number of apps the broader the attack surface and therefore the greater the chance there will be blind posts. Keeping up to date with updates and new security policies is never easy There are also added hazards. Applications are always changing. Keeping up to date with updates and new security policies is never easy, but especially hard in a large cloud environment. Failure to adopt changes puts the organisation and customers at further risk. But the biggest obstacle is keeping applications and APIs out of harm’s way. It’s a near on impossible task when attack methods and sources are constantly changing. More advanced threats To be specific there are four emerging challenges when it comes to protecting apps. Firstly, managing the good and the bad bots and spotting which is which, secondly securing APIs as IoT adoption intensifies, thirdly the relationship between securing apps and DevOps and ensuring ownership of security, and finally denial of service attacks that use newer tactics such as brute force. Basic security hygiene dictates that security teams refer to the OWASP Top 10. It’s considered the ‘ten commandments’ in security circles, providing a starting point for ensuring the most common threats and vulnerabilities are managed, detected and mitigated. Web Application Firewalls also come into the fray with guidance on testing for the ways hackers exploit vulnerabilities. However, though the basics are good to have in place, there are always more advanced threats to take care of. Bots being a big one. Bot management The more sophisticated bots will go as far as to mimic human behaviourAstonishingly about half of internet traffic is bot generated. Half of it is from bad bots. Discerning the good from the bad isn’t easy though and explains why around 80% of organisations can’t make a clear distinction between the two. Bad bots can do a lot of damage like take over user accounts and payment information, scrape confidential data, or hold up inventory and skew marketing metrics. The more sophisticated bots will go as far as to mimic human behaviour and bypass tools like CAPTCHA and even device fingerprinting based protection ineffective. Securing APIs Then there’s the complications derived from machine-to-machine and internet of things (IoT) communications. The more integrated ‘things’, the more data there is, the more events there are report on, and the more activity there is reliant on APIs to make the ‘things’ useful and agile. That’s what makes them a target and the threats to API vulnerabilities include injections, protocol attacks, parameter manipulations, invalidated redirects and bot attacks. There’s the risk that business will grant access to sensitive data, without inspecting nor protecting APIs to detect cyberattacks. There’s the risk that business will grant access to sensitive data, without inspecting nor protecting APIs to detect cyberattacks Denial of service (DoS) You might think there’s little to add to the swathes of denial of service warnings. Yet when businesses are still being targeted and feeling the ill effects it’s worth mentioning again that different forms of application-layer DoS attacks are still very effective at bringing application services down. Even the greatest application protection is worthless if the service itself can be knocked down This includes HTTP/S floods, low and slow attacks (famous examples being Slowloris, LOIC, Torshammer), dynamic IP attacks, buffer overflow, Brute Force attacks and more. The IoT botnets are the culprits and have made application-layer attacks so popular that they have become the preferred DDoS attack vector. Even the greatest application protection is worthless if the service itself can be knocked down. Continuous security It may seem easy to say but for modern DevOps, agility is valued at the expense of security. We see time and again examples of where development and roll-out methodologies, such as continuous delivery, mean applications are exposed to threats each time they are modified. There’s no doubt it is extremely difficult to maintain a valid security policy and protect sensitive data in dynamic conditions without creating a high number of false positives. But we now find that this task has gone way beyond the capability of humans. Organisations now need machine-learning based solutions that map application resources, analyse possible threats, and create and optimise security policies in real time. Reaching this level in security planning should be a big wake-up call that security automation is an essential not a nice to have. Running security plans The board needs to know that investment is critical to protect their profits It’s critical that the security solution your company adopts protects applications on all platforms, against all attacks, through all the channels and at all times. The board needs to know that investment is critical to protect their profits. As such there are six things they need to know: Application security solutions must encompass web and mobile apps, as well as APIs. Bot management solutions need to overcome the most sophisticated bot attacks. DDoS mitigation must be an essential and integrated part of application security solutions. A future-proof solution must protect containerised applications, severless functions, and integrate with automation, provisioning and orchestration tools. To keep up with continuous application delivery, security protections must adapt in real time. A fully managed service should be considered to remove complexity and minimise resources. No amount of human power will beat the bots. That last point is the most critical. Skill is essential in designing and running security plans and policies that work. But the plans can’t be executed without automated tools. There are just too many decisions to make in a split second. Combining both is the path to an effective app protection strategy and a stronger brand to boot.
Radware, a provider of cybersecurity and application delivery solutions, announced it has released its 2018-2019 Global Application and Network Security Report, in which survey respondents estimate the average cost of a cyberattack has climbed to $1.1M. For those organisations that calculate (versus estimate) the cost of an attack, that number increases to $1.67M. Cyberattack impact The top impact of cyberattacks, as reported by respondents, is operational/productivity loss (54%), followed by negative customer experience (43%). What’s more, almost half (45%) reported that the goal of the attacks they suffered was service disruption. Another third (35%) said the goal was data theft. “This year we’ve seen a real shift in the impact an attack has on a company financially and it’s especially interesting that more companies are taking the time to calculate the loss not just estimate it. That’s not surprising given how volatile economies are at the moment. Understanding the impact of downtime on productivity as well as sales and consumer trust is essential to justify spending money on protecting the business in the future, and staying competitive,” said Jeff Curley, head of online and digital for Radware UK, Ireland and the Nordics. Rise in the number of attacks 78% of respondents hit by a cyberattack experienced service degradation or a complete outage, compared to 68% last yearWhile the cost of attack mitigation continues to rise, so does the number of organisations under attack. Most organisations have experienced some type of attack within the course of a year, with only 7% of respondents claiming not to have experienced an attack at all. Twenty one percent reported daily attacks, representing a significant rise from 13% last year. Not only are attacks becoming more frequent, they are also more effective: 78% of respondents hit by a cyberattack experienced service degradation or a complete outage, compared to 68% last year. Even with these numbers, 34% of respondents do not have a cybersecurity emergency response plan in place. Other key findings of the report include: 43% of respondents reported negative customer experiences and reputation loss following a successful attack. Data leakage and information loss remain the biggest concern to more than one-third (35%) of businesses, followed by service outages. Hackers increased their usage of emerging attack vectors to bring down networks and data centres: Respondents reporting HTTPS Floods grew from 28% to 34%, reports of DNS grew from 33% to 38%, reports of burst attacks grew from 42% to 49%, and reports of bot attacks grew from 69% to 76%. Application-layer attacks cause considerable damage. Two-thirds of respondents experienced application-layer DoS attacks and 34% foresee application vulnerabilities being a major concern in the coming year. More than half (56%) reported making changes and updates to their public-facing applications monthly, while the rest made updates more frequently, driving the need for automated security. 86% percent of surveyed businesses indicated they explored machine-learning (ML) and artificial intelligence (AI) solutions. Almost half (48%) point at quicker response times and better security as primary drivers to explore ML-based solutions. ML and AI provide effective defence system It’s no surprise that ML and AI are growing in popularity. They are a way to provide defences that are effective 100% of the time"Jeff adds, “It’s a worry to see that a third of companies suffered data loss last year as I suspect a good proportion included personal data. The public is now far more aware of the risks of handing over information and the long-lasting impact to their lives if their data is caught up in a breach. Hackers will continue to exploit this, and I expect to see more and more automated attacks, especially those that target applications in the future. He adds: “It’s no surprise then that ML and AI are growing in popularity. They are a way to provide defences that are effective 100% of the time. Companies that fail to invest in these new technologies, will suffer the consequences.” Radware’s Global Application and Network Security Report, now in its eighth year, is a cross-industry report compiled by Radware’s Emergency Response Team (ERT), leveraging vendor-neutral survey data from 790 IT executives spanning several industries around the globe, Radware’s hands-on experience handling today’s leading threats, as well as third-party service provider commentary.