The attack on Facebook disclosed in late September 2018, which exploited a vulnerability arising from the interaction of three distinct bugs in the site's code, affected some 50 million users, of whom about 30 million actually had their access tokens stolen.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” officials at the company explained.
The attack is another reminder that critical apps and data – businesses’ most valuable asset – remain at risk even though the names of application vulnerabilities and insidious malware may have changed. Complicating the task of protecting that data are digital transformation efforts driving IT organizations to deploy apps in multiple locations and environments.
A Ponemon global survey conducted for the F5 Labs 2018 Application Protection Report found that the average organization uses 765 different web applications, and that a majority of organizations have little confidence in their ability to keep track of those applications, including the mission-critical ones, across public cloud or multi-cloud environments.
Threats and risks
Because fast-evolving threats often evade traditional defenses, organizations have to mitigate the prevalent ones with a security strategy that puts applications first. Application-level breaches include web injections that steal customer payment card data, compromise websites, and compromise application databases. Access-related breaches steal credentials via compromised email accounts, exploit misconfigured access control, crack passwords by brute force, and take over accounts by credential stuffing, in which username and password pairs leaked from other sites are replayed against the application.
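The last two access-related breaches above look alike in a WAF or authentication log but have different signatures: brute force is one source failing many times against one account, while credential stuffing is one source failing once each against many accounts. The detector below is an added example, not part of this feature or of any F5 product; the log format, the sample lines and the thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of an application's authentication log (not real data).
# 203.0.113.5 hammers one account (brute force); 198.51.100.7 tries many
# accounts once each (credential stuffing); 192.0.2.9 is ordinary traffic.
SAMPLE_LOG = """\
2018-10-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2018-10-01T10:00:02Z ip=203.0.113.5 user=alice result=FAIL
2018-10-01T10:00:03Z ip=203.0.113.5 user=alice result=FAIL
2018-10-01T10:00:04Z ip=203.0.113.5 user=alice result=FAIL
2018-10-01T10:00:05Z ip=203.0.113.5 user=alice result=FAIL
2018-10-01T10:00:06Z ip=203.0.113.5 user=alice result=FAIL
2018-10-01T10:00:07Z ip=198.51.100.7 user=bob result=FAIL
2018-10-01T10:00:08Z ip=198.51.100.7 user=carol result=FAIL
2018-10-01T10:00:09Z ip=198.51.100.7 user=dave result=FAIL
2018-10-01T10:00:10Z ip=198.51.100.7 user=erin result=FAIL
2018-10-01T10:00:11Z ip=198.51.100.7 user=frank result=FAIL
2018-10-01T10:00:12Z ip=198.51.100.7 user=grace result=OK
2018-10-01T10:00:13Z ip=192.0.2.9 user=alice result=OK
2018-10-01T10:00:14Z ip=192.0.2.9 user=heidi result=FAIL
"""

# Assumed (constructed) log line format: timestamp ip=... user=... result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(log_text):
    """Parse log lines into dicts; lines that do not match are skipped, not guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_login_abuse(log_text, brute_threshold=5, stuffing_min_accounts=5):
    """Return (brute_force, credential_stuffing) findings.

    brute_force: {(ip, user): failures} for a source that fails at least
    brute_threshold times against one account (password guessing).
    credential_stuffing: {ip: [users]} for a source that fails against at
    least stuffing_min_accounts distinct accounts (replaying leaked pairs).
    The thresholds are illustrative; tune them to the application's traffic.
    """
    failures_per_pair = defaultdict(int)
    failed_accounts_per_ip = defaultdict(set)
    for ev in parse_events(log_text):
        if ev["result"] != "FAIL":
            continue
        failures_per_pair[(ev["ip"], ev["user"])] += 1
        failed_accounts_per_ip[ev["ip"]].add(ev["user"])

    brute_force = {
        pair: n for pair, n in failures_per_pair.items() if n >= brute_threshold
    }
    credential_stuffing = {
        ip: sorted(users)
        for ip, users in failed_accounts_per_ip.items()
        if len(users) >= stuffing_min_accounts
    }
    return brute_force, credential_stuffing


if __name__ == "__main__":
    brute, stuffing = detect_login_abuse(SAMPLE_LOG)
    for (ip, user), n in brute.items():
        print(f"brute force: {ip} failed {n} times against {user}")
    for ip, users in stuffing.items():
        print(f"credential stuffing: {ip} failed against {len(users)} accounts: {users}")
```

Note that the stuffing source in the sample also logs in successfully once (grace): a single success among many distinct failures is the expected outcome of a stuffing run and is the account to reset first, so a production rule would report successes from a flagged source as well.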
Thinking application security first also calls for an awareness of common attack paths in preparation for emergent threats. For example, the significant impact of deserialization attacks against application services came to the fore in 2017 with the Equifax breach, which exploited an unpatched flaw in the Apache Struts web framework.
“Deserialization attacks are becoming more common because applications are now networked clusters of subsystems that require data-serialized communication streams,” explained Ray Pompon, principal threat research evangelist with F5 Labs. “Attackers embed commands in the serialized data stream and pass them unfiltered directly into the heart of application engines.”
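The mechanism Pompon describes, and the input filtering the checklist later calls for, can be shown end to end with Python's pickle standing in for whatever serializer an application uses. This is an added example, not code from this feature or from F5: the "attacker" object below is constructed to run a harmless command through the current interpreter instead of a real payload, the allow-listed unpickler is one hardening option, and the JSON loader with explicit shape validation is the design that avoids the problem altogether.

```python
import io
import json
import pickle
import subprocess
import sys


class Exploit:
    """Object whose pickled form tells the loader to call a function.

    pickle serialises the (callable, args) pair returned by __reduce__ and
    invokes it on load, with no validation. A real payload would name
    os.system or similar; this constructed one only runs the current Python
    interpreter with a harmless print so the demonstration is safe.
    """

    def __reduce__(self):
        return (subprocess.check_output, ([sys.executable, "-c", "print('pwned')"],))


def attacker_payload():
    return pickle.dumps(Exploit())


def unsafe_load(data):
    # Vulnerable: pickle.loads resolves and calls any importable callable named in the stream.
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an explicit allow-list of globals."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("builtins", "range")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve global {module}.{name}")


def restricted_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_session_json(text):
    """Preferred design: a data-only format plus explicit shape validation.

    The expected shape {"user": str, "roles": [str, ...]} is an assumption
    made for this example.
    """
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"user", "roles"}:
        raise ValueError("unexpected session shape")
    if not isinstance(obj["user"], str) or not isinstance(obj["roles"], list):
        raise ValueError("unexpected field types")
    if not all(isinstance(r, str) for r in obj["roles"]):
        raise ValueError("roles must be strings")
    return obj


def demo():
    payload = attacker_payload()
    benign = pickle.dumps({"user": "alice", "roles": ["admin"]})

    unsafe_output = unsafe_load(payload).strip()  # the embedded command ran

    try:
        restricted_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    try:
        load_session_json('{"user": "alice", "roles": [1]}')
        json_rejects_bad_types = False
    except ValueError:
        json_rejects_bad_types = True

    return {
        "unsafe_output": unsafe_output,
        "restricted_blocked": blocked,
        "restricted_benign": restricted_load(benign),
        "json_session": load_session_json('{"user": "alice", "roles": ["admin"]}'),
        "json_rejects_bad_types": json_rejects_bad_types,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The allow-list approach only narrows the damage; the stream still drives the loader, so a format that cannot express "call this function" (JSON, protobuf, and the like) plus validation of the decoded structure is the stronger fix.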
Although the majority of applications now use SSL/TLS encryption, the threat of eavesdropping or man-in-the-middle hijacking persists. Organizations that deploy self-signed certificates reduce the trustworthiness of their applications further: clients cannot validate such certificates against a trusted authority, and users learn to click through the resulting warnings. Other common attack paths include scripting attacks against app clients that hijack their sessions, and malware attacks on the client devices themselves.
Secure apps wherever deployed
A critical first step toward ensuring the security and availability of apps and data is to understand the threat landscape. Organizations should have at least taken the following steps:
In addition to username and password, implement stronger solutions such as federated identity or multi-factor authentication for critical web applications. For external applications, consider a cloud access security broker (CASB) to consolidate and augment authentication.
Prioritize finding, patching, and blocking injection vulnerabilities to mitigate the threat of web injections.
Protect customers' app client sessions with powerful and flexible WAF systems that can detect bot attacks, brute-forcing, and logins from compromised clients or suspicious locations.
Secure applications further with application scanning, penetration testing, and application hardening procedures. Ensure that applications validate and filter all user input, including serialized data streams, and never deserialize untrusted data into arbitrary object types, to combat deserialization attacks.
Use web server options such as session cookies flagged HttpOnly and scoped to the narrowest domain that needs them, and the X-Frame-Options header set to DENY, to reduce the impact of cross-site scripting and clickjacking attacks.
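The cookie and header settings in the last step are easy to get subtly wrong, so the added example below (not code from this feature or from F5) builds a hardened Set-Cookie value with the standard library and audits a response's headers for the weaknesses the checklist targets. Secure and SameSite are included because a practitioner would set them alongside HttpOnly; the weak response, the hostname app.example.com and the dict layout of the headers are constructed for the demonstration.

```python
from http.cookies import SimpleCookie


def build_session_cookie(token, domain=None, secure=True):
    """Return a Set-Cookie header value for a hardened session cookie.

    With domain=None the cookie is host-only, the tightest scope a browser
    offers; pass a Domain only when subdomains genuinely need the cookie,
    because Domain=example.com is sent to every host under example.com.
    """
    cookie = SimpleCookie()
    cookie["session"] = token
    morsel = cookie["session"]
    morsel["httponly"] = True   # hidden from document.cookie, so injected script cannot read it
    morsel["secure"] = secure   # never sent over plain HTTP
    morsel["samesite"] = "Lax"  # not attached to cross-site POSTs
    morsel["path"] = "/"
    if domain:
        morsel["domain"] = domain
    return morsel.OutputString()


def parse_cookie_attributes(set_cookie_value):
    """Split 'name=value; A=b; Flag' into (name, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name, attrs


def audit_response(headers, host):
    """Return a list of findings for a response's security-relevant headers.

    headers: {"X-Frame-Options": str, "Set-Cookie": [str, ...]} (assumed
    layout); host is the hostname the response was served from, used to
    judge whether a cookie's Domain is wider than it needs to be.
    """
    findings = []
    if headers.get("X-Frame-Options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY; page can be framed (clickjacking)")
    for raw in headers.get("Set-Cookie", []):
        name, attrs = parse_cookie_attributes(raw)
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly, readable by injected script")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure, exposed over plain HTTP")
        if "samesite" not in attrs:
            findings.append(f"cookie {name}: missing SameSite, sent on cross-site requests")
        domain = attrs.get("domain")
        if isinstance(domain, str) and domain.lstrip(".").lower() != host.lower():
            findings.append(
                f"cookie {name}: Domain={domain} is wider than {host}, shared with every subdomain"
            )
    return findings


# Constructed example of a weak response (not captured from any real site).
WEAK_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Set-Cookie": ["session=abc123; Path=/; Domain=.example.com"],
}


def hardened_headers(token="abc123"):
    return {
        "X-Frame-Options": "DENY",
        "Set-Cookie": [build_session_cookie(token)],
    }


if __name__ == "__main__":
    host = "app.example.com"
    print("weak response:")
    for finding in audit_response(WEAK_HEADERS, host):
        print("  -", finding)
    print("hardened response findings:", audit_response(hardened_headers(), host))
```

One caveat the checklist's "domain restricted" wording hides: omitting the Domain attribute is the restrictive choice, since the browser then sends the cookie only to the exact host that set it, whereas setting Domain to a parent zone widens it to every subdomain.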
Thinking application security first requires a holistic and integrated approach to protecting applications. Protection needs to extend beyond a WAF, a vulnerability scanning solution and a CASB. Given the potential impact of massive DDoS attacks, protection needs to encompass the network, application and infrastructure levels with on-premises scrubbing equipment or hosted solutions.
DNS servers should be protected by DNS-aware firewalls, and DNS traffic carried over protected transport. All critical data flows should be suitably encrypted, and the security engineers responsible must properly understand and configure every product in the chain.
Ultimately, integrated defense tools must help establish controls that provide visibility into attacks and awareness of all assets, covering third-party connections, hosted environments and local subnets.
For example, a TLS decryption device exposes the contents of encrypted traffic to the inspection systems behind it, so that logging, properly tuned intrusion detection and security event monitoring see the full payload rather than an opaque stream. Such visibility enables companies to discover and respond to an attack quickly, closing whatever vulnerability is being exploited.
Organizations that think application security first recognize the critical threats to the applications that drive business and digital transformation. They understand each application’s threat surface and apply essential threat intelligence to secure apps and lay the foundation for accelerating business.
This is a QuestexAsia feature commissioned by F5 Networks Asia Pacific.