Understand web application vulnerabilities to minimise cloud security risk


More and more organisations of all sizes and across all industries are migrating their workloads to the cloud, a transition that allows them to grow and deliver competitive advantage. However, many worry about cloud security and being exposed to attacks. So how can businesses protect against cyber criminals?

An indicator of the general state of cloud security comes from cloud security provider Alert Logic, whose Cloud Security Report analyses an impressively large data set (147 petabytes of data, analysed via 3807 customers). The report is one of the few that analyses customer security data across cloud, on-premises and hybrid infrastructures. Here are the most interesting findings: 

Pure public cloud installations experienced the fewest security incidents

Alert Logic’s extensive analysis adds to the evidence that the cloud is secure, and very likely more secure than on-premises infrastructure. Perhaps the most surprising element of these results is the marked difference in the numbers of escalated incidents in public, hosted and hybrid cloud service providers. The public cloud has proved itself relatively secure, experiencing 405 security incidents over the 18-month period. Comparatively, on-premises customers experienced a 51% higher rate of security incident escalations (612), hosted private cloud 69% higher (684) and hybrid cloud 141% higher (977). This does not prove that the public cloud is impenetrable, only that Alert Logic’s customer base saw a significantly lower rate of security incidents in public cloud environments.

Alert Logic speculates this is due to hybrid cloud having a large attack surface, which gives cyber criminals the greatest number of entry points. Most companies have hybrid infrastructure, and what they need to know is simply that it requires the highest levels of security vigilance and sophistication; those with hybrid infrastructure are working with the most complex and integration-reliant infrastructure model.

Web Applications still the Leading Source of Data Breach 

The report also reveals that web applications are indeed the soft underbelly of organisations: 73% of all the flagged incidents in the 18-month period were directed towards web applications, with a staggering 85% of all Alert Logic customers targeted by such attacks. The cyber security company also found that, for bad actors targeting web applications, e-Commerce platforms or content management systems were rich hunting grounds due to a concentration of vulnerabilities within these application stacks. Attacks targeting the content management system Joomla accounted for 25% of total web application attacks, followed by WordPress with 10% and Magento with 7%.

Spotlight on Machine Learning 

While this paints a bleak picture for web applications, the report also outlines some good news. Alert Logic researchers have been working over the last year on developing new ways to use machine-learning solutions to fight web application attacks, specifically SQL injection, which accounted for 55% of all observed attacks. Over the 9-month period during which their machine-learning effort came to life, they identified over 200 attacks in which malicious SQL injection was deployed with a high degree of complexity and sophistication. This means that 8-10% of customers were targeted by bad actors with better-than-average levels of skill and determination. Just over half (53%) of these 231 attacks were detected mainly by use of their more traditional detection and analysis methods. In those cases, machine-learning techniques allowed them to better understand attack progression and to provide meaningful context for the attack the SOC had identified. The remaining 47 percent of these incidents were detectable only with the use of machine learning, which, when carried forward into 2018, could represent an exciting development in the fight to secure web applications.

Conversely, the much-discussed media buzzword of ransomware paled in comparison to web application attacks. Server-side ransomware attacks, whilst serious, only accounted for 2% of the total incidents recorded in Alert Logic’s data set.   

Another finding, spanning all incident categories, is that specific vulnerabilities observed and recorded well over a decade ago are still being exploited today. Of the total incidents in our database, we found that over 70 percent were related to vulnerabilities reported in 2014 and 2015; however, we saw vulnerabilities representing the full 29-year history of modern malware. This includes 4 percent of incidents traceable to 1999-era Windows IIS vulnerabilities, described by Misha Govshteyn, Senior Vice-President and Alert Logic Co-Founder, as “vulnerabilities old enough to vote!”. The takeaway from this finding is that attackers like tried-and-true vulnerabilities and exploits that, thanks to sloppy patching habits, continue to work well.

How to Prevent Cyber Attacks? 

So, with attack surfaces changing and so much more likely to come, what can you do to optimise your company’s security? Alert Logic’s advice below “should hang on the wall of every Information Security office, regardless of whether the business uses public, hybrid, or on-premises computing power” according to the report – it’s a baseline for good security practice wherever your data resides. To prevent targeted cyber attacks:    

• First, rely as much as possible on application whitelisting. Blocking access to unknown programs can keep malicious applications from gaining access to the network and its assets. And never be afraid to take a hard risk-assessment look at the value an app adds versus the risk to which it exposes you.   

• Understand your own patching process and, when patches are available, make it a priority to evaluate and deploy them. If your providers don’t provide notifications and clear communications about security issues, insist that they improve their customer service. 

• Finally, remember that users, or at least their access to your system, are always a potential problem. Restricting administrative and access privileges based on current user duties can prevent malware or other types of attacks from spreading. Privileges for both applications and operating systems should be kept up to date. 

Read the full Cloud Security Report to get more details on the findings, deep dive into our cyber security discoveries and find out more about Cloud Security Platform solutions.  

Oliver Pinson-Roxburgh, EMEA Director at Alert Logic 
