James Aguilan | 11 December 2018
Application layer attacks has been an attack vector for the ages now. Application-layer attacks target computers by causing a fault in a system which as a result enables to gain the ability to bypass normal access controls. For as long as there are entry points in firewalls for applications, there will always be exploits of the resulting vulnerability, resulting in this kind of attack. However, letting applications through firewalls is necessary to do certain business operation. For example, to allow remote users to access email.
Businesses can take the defence-in-depth approach, however as soon as they open a port up to the internet, they introduce a new risk of attack. Technically, the means of mitigating the risk from application layer attacks needs to be proportionate and may vary. However, securing the application layers is dependent on people and great security processes and hygiene. Most breaches come from insiders, either through negligence such as poor training or simply failing to understand why their behaviour impacts security, or malicious activity. There is a variety of things to consider around users of applications. People are not only part of the threat, but will be the best defence to the threat:
- Application password hygiene – force them to choose an excellent password but force them to change it every 30 days.
- Put appropriate barriers in place for authentication by users. Use two-factor authentication.
- Keep measures appropriate and usable so they are user-friendly enough to stop users trying to circumnavigate them.
- Understand information assets – use defence in depth at the application layer.
- Segregate sensitive and non-sensitive assets.
Remember that most breaches come from people as proven by the epic story of Morrison breach by a disgruntled employee with access to sensitive data, or Edward Snowden. External threats can’t be ignored, of course, however the frequent occurrence of breaches by internal weakness with people, supported by technology can play a part in best defence. It would be impractical for businesses to stop allowing applications through firewalls, so understanding the risk to information assets is imperative.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.