
Saturday, May 25th, 2019

Secure Your Cloud

Multi-cloud security: Web app, API protection against phishing, fraud

Details of two cyberattacks on airlines in recent months offer further proof that applications are becoming the principal gateways to organizations’ and individuals’ valuable information.

The attack on Hong Kong flagship carrier Cathay Pacific (CX) compromised the personal information of up to 9.4 million passengers. From first detection in March 2018 until it notified applicable regulators and affected passengers of the unauthorized intrusion in late October 2018, the airline had to grapple with further attacks. These made it difficult and complex to confirm which data of each individual passenger had been accessed and whether the attackers could read it.

The attack on British Airways, which compromised credit card and personal details from more than 385,000 transactions, used cross-site scripting to skim credit card details from unsecured payment forms on websites. A JavaScript library used for customer feedback by a range of e-commerce sites could have been tampered with to include malware, demonstrating the risk of embedding third-party code.

Phish bait

Even so, in the age of connected systems and applications, the easiest way for cyber-attackers to gain access to critical data is through phishing. Attempts typically spike during the holiday season, a peak period for online shopping. Login credentials, account numbers, social security numbers, email addresses, phone numbers and credit card numbers are all critical information that will give attackers access to user accounts. 

According to F5 Labs’ 2018 Phishing and Fraud Report: Attacks Peak During the Holidays, phishing and fraud season ramps up in October, with incidents jumping over 50% from the annual average. Training employees to recognize phishing attempts can reduce their click-through rate on malicious emails, links, and attachments from 33% to 13%. Another F5 Labs report, Lessons Learned from a Decade of Data Breaches, found phishing to be not only the number one attack vector but also the most successful, because it nets the greatest number of stolen records.

Stolen credentials from a phishing attack or data breach are used by scammers to carry out fraudulent transactions. Businesses whose customers are affected will have to deal with complaints, requests to reverse charges, fraud cleanup efforts, and damage to reputation. F5 Labs’ 2018 Application Protection Report estimated the average personally identifiable information (PII) breach costs organizations US$6.5 million, and a breach that involves tampering with or unauthorized access to an application costs $2 million more on average than a PII breach.

Under the threat of ever-evolving attack types, how well an enterprise protects its web applications and APIs guards the reputation of its online presence. Risks multiply as the pace of business accelerates with more apps and more APIs enabling the apps to communicate with one another. DevOps teams need to rapidly create and manage application services without worrying about cross-app vulnerabilities or APIs becoming additional targets of threats. 

To mitigate API-level threats, it is essential to first understand how web apps can be compromised. Then, enable app-to-app authorization based on standardized and open methods across web, mobile and desktop environments.

Streamlining and centralizing access controls, the F5 Access Policy Manager proxy solution allows context-sensitive policies to secure access for authorized users, devices, and APIs. Real-time web form encryption also safeguards user credentials and prevents fraud.

This frees DevOps teams to hand off apps to NetOps personnel more quickly to deliver a consistent user experience without sacrificing manageability. 

Concerted defense

Further, standards-based identity federation, single sign-on (SSO) and adaptive multi-factor authentication provide secure anytime, anywhere access to applications deployed on heterogeneous platforms. One such standard is Kerberos-based authentication support coupled with Active Directory. For scalability into the cloud, Access Manager integrates with IDaaS solutions and capabilities.

To proactively prevent credentials from being stolen and foil credential stuffing attempts, the F5 Advanced WAF addresses new attack surfaces and threats arising from the rapid adoption of APIs. It guards XML, JSON, and GWT APIs through rate limiting, behavioral analysis, and anti-automation for automatic threat detection as well as comprehensive authentication and token enforcement.

IT organizations gain an overview of active security policies, security events and attacks, anomaly statistics, networking and traffic statistics, with room for other predefined and customizable dashboards, charts and reports. Integrations with SIEM or management services are easy with REST API support.

The effectiveness of F5 Access Manager and Advanced WAF is further extended with the F5 WebSafe and MobileSafe solutions to ensure greater online fraud protection to prevent credential theft, malware, and phishing. They identify and preemptively stop phishing threats; detect and stop threats from reaching users’ inboxes; and analyze user interaction with the browser to identify transaction anomalies.

This combination of app protection, network security, access controls, threat intelligence, and endpoint inspection shuts down phishing and fraudulent activities across heterogeneous environments before they can exact a damaging toll on business.

This is a QuestexAsia feature commissioned by F5 Networks Asia Pacific.