Organizations of all types today face an ever evolving threatscape and growing pressure to rethink security strategies for long-term sustainability. Today’s enterprises operate in a complex technological environment, with a variety of devices, applications, and users accessing the network. Fortinet’s Mark Byers discusses the issues and trends affecting the security of enterprise applications.
Q&A with Mark Byers
What do companies need to know about security as it relates to their application infrastructure?
When most companies think about cyber security, they think of their network. This is a great place to start—but it’s not the whole picture. The question we need to ask is, what exactly needs to be secured, and why? At the end of the day, we’re really talking about the need to secure data—whether it’s customers’ credit card data, health information, corporate financial data, employee information, proprietary information, etc. And that means we need to consider all the different access points that need to be secured. One of the weakest links is applications. You can have multiple layers of network security, but once you expose an application to the Internet, your network security is not enough. When a company provides users access to an online application with a user ID and password, that user and attackers now have access to the data that can potentially bypass many layers of carefully crafted security protections.
So where do companies need to focus to ensure their applications are secure?
This sounds daunting but the truth is, they need to consider everywhere. You need to protect all access points to data – where it sits in a repository or server, where and when the data is accessed through an application, and when it’s shared with other applications or users. This is why a security fabric is critically important. You need policies to ensure enterprise users have different passwords for certain systems, two-factor authentication to verify they are who they say they are and that they’re authorized to access particular systems or information. Companies need increased intelligence of network services that allow users to identify threats in emails and machine learning that helps detect threat signatures. Administrators need a system strategy that correlates data and helps identify threats spanning multiple systems. They need security systems that are deeply integrated so that they can share threat intelligence and events to close the gap between devices and applications.
Talk about some of the well-known application security issues we have heard in the media. What’s happening?
From an enterprise perspective, the UK telecommunications company TalkTalk was in the news in October 2015 when nearly 157,000 customer data records were compromised. At fault was a breach in an application code; a simple SQL command opened up a back door to their data. This event resulted in the loss of more than 200,000 customers and significant dip in their revenues.
In general, though, some of the most well-known security issues involve Adobe Flash. In fact, Google recently announced that their Chrome browser will no longer support Flash by the end of 2016. Flash is so pervasive; it’s used by the majority of devices. And the challenge is that when a critical vulnerability is uncovered, it’s then only a matter of days before an attack occurs. That means one vulnerability in this one platform can have a widespread effect. What’s also concerning is that users do not regularly update to the latest version of Flash as it’s available. According to the Verizon 2016 Data Breech Investigations Report (DBIR) in one year’s time 45 percent of devices still had not updated to the latest version of flash and so still have no patch to address security issues.
It seems like there are patches pushed every day. We are constantly being asked to update our applications. Are they really that insecure?
The short answer is yes. The common vulnerability and exposures section of DBIR is important to review to understand the variety of issues. As soon as vulnerabilities are exposed, malicious attackers will instantly act on and exploit these vulnerabilities. Using Flash again as an example, should users update Flash as soon as a new version is pushed out? Yes. Do they? No. And the consequence is that one infected computer can affect the rest of the system.
If you’re running an enterprise system and the SSL protocol is compromised, this must be updated as soon as possible. There are tools available to help patch security holes, to scan for problems and malware, and to help mitigate those situations when updates don’t occur regularly.
There are lots of different types of applications: cloud apps, enterprise apps, consumer apps, database apps. Are there different security concerns that customers need to address?
Cloud-based applications are generally fairly good in terms of their security. But if an end user doesn’t change his/her password regularly, then your data could be compromised. In most instances, breaches occur because users are sharing credentials, or they’re not changing their passwords regularly. So it’s really a user issue and not an application issue.
On the enterprise side, an organization may have great e-commerce system all based on code that needs to be kept up to date. As long as you’re patching regularly and staying up to date, you’re fine. Companies need to employ application firewalls to help with zero day attacks. And they need to isolate their systems so that they’re not sitting directly on the Internet, which makes them more vulnerable. If applications and data are on the same server, you need to ensure that all information is channeled through a secure access point. Often within a company there’s a need to bring up a web-based application quickly for many users to access, and simple steps are overlooked that are the security equivalent to forgetting to lock the door behind them.
Data is growing exponentially, and our use of applications to run our businesses and our lives is never ending. What lies ahead for security and applications?
It’s becoming more and more important to have a deeply integrated security fabric that can help close the gaps, share intelligence across systems, and sift through vast amounts of data rapidly. Companies and security administrators don’t have the ability to review thousands of pages of data only to realize that a breach occurred the prior week. Every minute counts.
Technology is trying to stay ahead of the bad guys, to better identify threats and determine behavior abnormalities. Advanced persistent threats are many times customized to an organization and can employ multiple attack types until the target is compromised. Behavioral tools with advanced heuristics can help diagnose attacks as they’re happening, even if they’re different from previously identified attacks. Companies can run a baseline behavioral view in as little as an hour, and then this information helps the system identify abnormal behaviors. It could be as overt as a user attempting to access unauthorized systems or as unique as a user who is logging into applications from an unknown device at an atypical time of day.
Companies need to enforce a robust security policy that includes passwords, two-factor authentication, and regularly updated training.