main

Application SecurityMobile DataMobile SecuritySecurity

Growing Your Business: Millennials and M-Commerce

December 6, 2018 — by Mike O'Malley0

mcommerce-960x640.jpg

Millennials are the largest generation in the U.S. labor force—a position they’ve held since 2016—and they’re involved in the majority (73%) of B2B purchasing decisions. Raised in the age of the Internet, they’re digital natives and easily adopt and adapt to new technologies. And mobile apps are their lifelines.

Why does this matter? Well, when you combine Millennials’ tech savviness with their business acumen, their clout in a digital economy comes into focus. As both decision-makers and connoisseurs of mobile technology, they can make or break you in a low-growth economy if your business model doesn’t square with their preferences.

In other words, if you’re not embracing mobile commerce, you may soon be ancient history. This generation has little-to-no use for brick-and-mortar storefronts, banks, etc., instead preferring to use apps for shopping, financial transactions and more.

Of course, making m-commerce a linchpin of your business model isn’t risk free; cybersecurity concerns are of critical importance. Increasingly, personal data protection is tied directly to consumer loyalty to a particular brand, and Millennials in particular care about how their data is used and safeguarded.

You Can’t Rush Greatness

While Millennials are renowned for an “I want it fast, and I want it now” attitude (which explains why 63% of them use their smartphone to shop every day, versus trekking to a store), the biggest mistake you can make is overlooking security in a rush to roll out a mobile strategy.

The fact is, vulnerabilities on m-commerce platforms can result in severe financial impacts; the average cost of a corporate data breach is $3.86 million. If a mobile app or mobile responsive e-commerce site is hit by an application attack, for example, short-term profit loss (which can escalate quickly) and longer-term reputation loss are serious risks. And as we move into 2019, there are several mobile security threats that we need to take seriously.

[You may also like: Are Your Applications Secure?]

Baking cybersecurity into your mobile strategy—as a core component, not an add-on—is, without question, necessary. The reason is manifold: For one thing, mobile devices (where your app primarily lives) are more susceptible to attacks. Secondly, mobile commerce websites are often implemented with a web application firewall to protect it.  Thirdly, Millennials’ reliance on m-commerce, both as B2B and B2C consumers, means you stand to lose significant business if your app or website go “down.” And finally, Millennials are security conscious.

Securing the Secure Customer Experience

So how can you help ensure your m-commerce platform, and thereby your Millennial customer base, is secure? A number of ways:

  • Guard your app’s code from the get-go. Test the code for vulnerabilities, ensure it’s easy to patch, and protect it with encryption.
  • Consider a Web Application Firewall (WAF) to secure your APIs and your website.
  • Run real-time threat analytics.
  • Be mindful of how customer data is stored and secured. (Don’t pull an Uber and store data unencrypted!)
  • Patch often. Because security threats evolve constantly, so must your security patches! Just ask Equifax about the importance of patching…

[You may also like: Growing Your Business: Security as an Expectation]

Of course, this isn’t an exhaustive list of proactive security measures you can take, but it’s a good start. As I’ve said time and time again, in an increasingly insecure world where security and availability are the cornerstones of the digital consumer, cybersecurity should never be placed on the back burner of company priorities. Don’t wait for an attack to up your security game. At that point, trust is broken with your Millennial customer base and your business is in trouble. Be proactive. Always.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Application SecurityAttack MitigationDDoS AttacksSecurityWAF

Protecting Applications in a Serverless Architecture

November 8, 2018 — by Ben Zilberman0

Serverless-960x640.jpg

Serverless architectures are revolutionizing the way organizations procure and use enterprise technology. Until recently, information security architecture was relatively simple; you built a fortress around a server containing sensitive data, and deployed security solutions to control the flow of users accessing and leaving that server.

But how do you secure a server-less environment?

The Basics of Serverless Architecture

Serverless architecture is an emerging trend in cloud-hosted environments and refers to applications that significantly depend on third-party services (known as Backend-as-a-Service or “BaaS”) or on custom code that’s run in ephemeral containers (known as Function-as-a-Service or “FaaS”). And it is significantly more cost effective than buying or renting servers.

The rapid adoption of micro-efficiency-based pricing models (a.k.a PPU, or pay-per-use) pushes public cloud providers to introduce a business model that meets this requirement. Serverless computing helps providers optimize that model by dynamically managing the allocation of machine resources. As a result, organizations pay based on the actual amount of resources their applications consume, rather than ponying up for pre-purchased units of workload capacity (which is usually higher than what they utilize in reality).

What’s more, going serverless also frees developers and operators from the burdens of provisioning the cloud workload and infrastructure. There is no need to deploy operating systems and patch them, no need to install and configure web servers, and no need to set up or tune auto-scaling policies and systems.

[You may also like: Application Delivery and Application Security Should be Combined]

Security Implications of Going Serverless

The new serverless model coerces a complete change in architecture – nano services of a lot of software ‘particles.’ The operational unit is set of function containers that execute REST API functions, which are invoked upon a relevant client-side event. These function instances are created, run and then terminated. During their run time, they receive, modify and send information that organizations want to monitor and protect. The protection should be dynamic and swift:

  • There is no perimeter or OS to secure
  • Agents and a persistent footprint become redundant.
  • To optimize the business model, the solution must be scalable and ephemeral automation is the key to success

If we break down our application into components that run in a serverless model, the server that runs the APIs uses different layers of code to parse the requests, essentially enlarging the attack surface. However, this isn’t an enterprise problem anymore; it’s the cloud provider’s. Unfortunately, even they sometimes lag in patch management and hardening workloads. Will your DevOps read all of the cloud provider documentation in details?  Most likely, they’ll go with generic permissions. If you want to do something right, you better do it yourself.

Serverless computing doesn’t eradicate all traditional security concerns. Application-level vulnerabilities can still be exploited—with attacks carried out by human hackers or bots—whether they are inherent in the FaaS infrastructure or in the developer function code.

When using a FaaS model, the lack of local persistent storage encourages data transfer between the function and the different persistent storage services (e.g., S3 and DynamoDB by AWS) instead. Additionally, each function eventually processes data received from storage, the client application or from a different function. Every time it’s moved, it becomes vulnerable to leakage or tampering.

In such an environment, it is impossible to track all potential and actual security events. One can’t follow each function’s operation to prevent it from accessing wrong resources. Visibility and forensics must be automated and perform real time contextual analysis. But the question is not whether to use serverless or not because it is more in/secure. Rather, the question is how to do it when your organization goes there.

[You may also like: Web Application Security in a Digitally Connected World]

A New Approach

Simply put, going serverless requires a completely different security approach—one that is dynamic, elastic, and real-time. The security components must be able to move around at the same pace as the applications, functions and data they protect.

First thing’s first: To help avoid code exploitation (which is what attacks boil down to), use encryption and monitor the function’s activity and data access so it has, by default, minimum permissions. Abnormal function behavior, such as expected access to data or non-reasonable traffic flow, must be analyzed.

Next, consider additional measures, like a web application firewall (WAF), to secure your APIs. While an API gateway can manage authentication and enforce JSON and XML validity checks, not all API gateways support schema and structure validation, nor do they provide full coverage of OWASP top 10 vulnerabilities like a WAF does. WAFs apply dozens of protection measures on both inbound and outbound traffic, which is parsed to detect protocol manipulations. Client-side inputs are validated and thousands of rules are applied to detect various injections attacks, XSS attacks, remote file inclusion, direct object references and many more.

[You may also like: Taking Stock of Application-Layer Security Threats]

In addition to detecting known attacks, for the purposes of zero-day attack protection and comprehensive application security, a high-end WAF allows strict policy enforcement where each function can have its own parameters white listed—the recommended approach when deploying a function processing sensitive data or mission-critical business logic.

And—this is critical—continue to mitigate for DDoS attacks. Going serverless does not eliminate the potential for falling susceptible to these attacks, which have changed dramatically over the past few years. Make no mistake: With the growing online availability of attack tools and services, the pool of possible attacks is larger than ever.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Application SecurityDDoS AttacksSecurity

The Million-Dollar Question of Cyber-Risk: Invest Now or Pay Later?

October 30, 2018 — by Radware4

balance_risk_cybersecurity_risk-960x640.jpg

Cybersecurity is often an afterthought. Executives are quick to focus on the endgame benefits of customer-centric strategies, digital transformation, mobility, IoT and cloud computing, yet cybersecurity often falls by the wayside compared to these strategic initiatives. In fact, many executives view cybersecurity strictly as a cost center.

This cost-savings, bolt-on approach to implementing cybersecurity might yield short-term financial savings that leave the finance department feeling good. But it also leaves organizations in a “pay me now, pay me later” scenario that runs the risk of significant financial loss and damage to customer satisfaction and market reputation in the long run. Resulting breaches devalue and compromise any digital transformation and/or customer-facing programs, resulting in lost time, money and, most importantly, customer faith.

In an increasingly insecure world where security and availability are the cornerstones of the digital consumer, organizations must reevaluate how they balance the investment versus risk equation and alter how and when they implement cybersecurity.

THE TRUE COST OF A CYBERATTACK/DATA BREACH

To understand just how detrimental this approach can be to the long-term health of an organization requires a grasp of the true cost of a cyberattack and any resulting data breaches. Sadly, these types of statistics are often poorly understood by organizations. According to Radware, 80 percent of organizations don’t calculate the cost of cyberattacks. You can’t manage what you don’t measure.

Ultimately, cyberattacks are far more expensive than organizations realize. Not only in monetary costs but also by damage incurred to brand reputation, operational expenses and, most importantly, the impact on the customer experience.

As a starting point, cyberattacks cost, on average, more than 1 million USD/EUR, according to 40 percent of global executives. This figure represents the actual operational costs associated with “cleaning up” an attack. Five percent of executives estimate this cost to be more than 25 million USD/EUR. But these figures only represent the tip of the iceberg.

The larger, more damaging effect is the impact on customer loyalty and trust, brand damage and a wide array of other “hidden costs.” According to executives, the top three impacts from a cyberattack are:

  • 41% Customer loss
  • 34% Brand reputation loss
  • 34% Productivity/operational loss

Specifically, there is a high price for not securing the customer experience. In today’s digitally driven world where consumers own the relationship, the foundation of the customer experience is a mix of security and availability. When an organization’s customers have their data compromised, the price is steep. Customer attrition rates can increase by as much as 30 percent following a cyberattack. Moreover, organizations that lose over four percent of their customers following a data breach suffer an average total cost of $5.1 million. In addition to these direct impacts, there are “hidden” costs associated with a data breach as well, including increased insurance premiums, a lower credit rating, devaluation of trade name and loss of intellectual property. Lastly, there are legal fees as well because today’s customers are willing to retaliate. Forty-one percent of executives report that customers have taken legal action against their companies following a data breach. Target, among many name brands such as Panera Bread, Sears, and Saks, is just one well-publicized example of both the legal and customer loyalty impact that cyberattacks have had on name brands.

Flip The Paradigm

What if organizations could flip the paradigm? What if organizations could create a secure environment for their customers and, in the process, use security as a competitive differentiator?

That opportunity now exists because 21st-century digital consumers are asking if they are conducting business with organizations that are proactive about safeguarding their information and how they will fix it if a breach does occur. For example, consumers are now more concerned about having their personal data stolen than their physical possessions such as wallets, automobiles and house keys. High-profile attacks in recent years (and the resulting fallout) mean that cybersecurity and data protection is no longer a topic just for network analysts and IT professionals. It has transitioned from the back pages of tech publications to mainstream conversation.

The impact on businesses is twofold. Whereas companies were once reticent to speak publicly about cybersecurity because it could cause consumers to question their business’s fragility, they must now embrace and communicate their ability to safeguard customer data. Forward-thinking organizations must use security and due diligence as competitive differentiators to build trust and loyalty with customers in the face of an increasingly insecure world.

It is no longer about delivering a world-class experience. It is about delivering a SECURE, world-class experience. In today’s digitally driven, social media world where consumers own the relationship, security has to become the very fabric of the business.

So how are executives expected to accomplish this facing new security threats, tight budgets, a shortfall in cybersecurity professionals and the need to safeguard increasingly diversified infrastructures? The key is creating a secure climate for customers by embracing technology and change. Corporate networks are the linchpins of interactions with customers who expect responsive apps, fast performance and, above all, protection of their data.

To create this climate, research shows that executives must be willing to accept new technologies, be open-minded to new ideologies and embrace change. Executives committed to staying on top of this ever-evolving threat must break down the silos that exist in the organization to assess the dimensions of the risks across the enterprise and address these exposures holistically. Next is balancing the aforementioned investment versus risk equation. All executives will face tough choices when deciding where to invest resources to propel their companies forward. As the threat of cyberattacks becomes a question of when not if, C-suite executives must leverage the aforementioned data points and carefully evaluate the risks associated with security vulnerabilities and the costs of implementing effective security solutions. As identified in the same report, four in 10 respondents identify increasing infrastructure complexity, digital transformation plans and integration of artificial intelligence as putting pressure on security planning and budget allocation.

The stakes are high. Security threats can seriously impact a company’s brand reputation, resulting in customer loss, reduced operational productivity, and lawsuits. C-suite executives recognize the multiple pressures on their organizations to integrate new network technologies, transform their businesses and defend against cyberattacks. Those executives who are willing to embrace technology and change and prioritize cybersecurity will be the ones to win the trust and loyalty of the 21st-century consumer.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

Application SecuritySecurityWeb Application Firewall

Credential Stuffing Campaign Targets Financial Services

October 23, 2018 — by Daniel Smith2

credential_financial_hacking-960x677.jpg

Over the last few weeks, Radware has been tracking a significant Credential Stuffing Campaign targeting the financial industry in the United States and Europe.

Background

Credential Stuffing is an emerging threat in 2018 that continues to accelerate as more breaches occur. Today, a breach doesn’t just impact the compromised organization and its users, but it also affects every other website that the users may use.

Additionally, resetting passwords for a compromised application will only solve the problem locally while criminals are still able to leverage those credentials externally against other applications due to poor user credential hygiene.

Credential Stuffing is a subset of brute force attacks but is different from Credential Cracking. Credential Stuffing campaigns do not involve the process of brute forcing password combinations. Credential Stuffing campaigns leverage leaked username and passwords in an automated fashion against numerous websites in an attempt to take over users accounts due to credential reuse.

Criminals, like researchers, collect and data mine leaks databases and breached accounts for several reasons. Typically cybercriminals will keep this information for future targeted attacks, sell it for profit or exploit it in fraudulent ways.

The motivations behind the current campaign that Radware is seeing are strictly fraud related. Criminals are using credentials from prior data breaches in an attempt to gain access and take over user’s bank accounts. These attackers have been seen targeting financial organizations in both the United States and Europe. When significant breaches occur, the compromised email addresses and passwords are quickly leveraged by cybercriminals. Armed with tens of millions of credentials from a recently breached website, attackers will use these credentials along with scripts and proxies to distribute their attack in an automated fashion against the financial institution in an attempt to take over banking accounts. These login attempts can happen in such volumes that they resemble a Distributed Denial of Service (DDoS) attack.

Attack Methods

Credential Stuffing is one of the most commonly used attack vectors by cybercriminals today. It’s an automated web injection attack where criminals use a list of breached credentials in an attempt to gain access and take over accounts across different platforms due to poor credential hygiene. Attackers will route their login request through proxy servers to avoid blacklisting their IP address.

Attackers automate the logins of millions of previously discovered credentials with automation tools like cURL and PhantomJS or tools designed specifically for the attack like Sentry MBA and SNIPR.

This threat is dangerous to both the consumer and organizations due to the ripple effect caused by data breaches. When a company is breached, those credentials compromised will either be used by the attacker or sold to other cybercriminals. Once credentials reach its final destination, a for-profit criminal will use that data, or credentials obtain from a leak site, in an attempt to take over user accounts on multiple websites like social media, banking, and marketplaces. In addition to the threat of fraud and identity theft to the consumer, organizations have to mitigate credential stuffing campaigns that generate high volumes or login requests, eating up resources and bandwidth in the process.

Credential Cracking

Credential Cracking attacks are an automated web attack where criminals attempt to crack users password or PIN numbers by processing through all possible combines of characters in sequence. These attacks are only possible when applications do not have a lockout policy for failed login attempts.

Attackers will use a list of common words or recently leaked passwords in an automated fashion in an attempt to take over a specific account. Software for this attack will attempt to crack the user’s password by mutating, brute forcing, values until the attacker is successfully authenticated.

Targets

In recent campaigns, Radware has seen financial institutions targeted in both the United States and Europe by Credential Stuffing campaigns.

Crimeware

Sentry MBA is one of the most popular Credential Stuffing toolkits used by cybercriminals today. This tool is hosted on the Sentry MBA crackers forum. The tool simplifies and automates the process of checking credentials across multiple websites and allows the attackers to configure a proxy list so they can anonymize their login requests.

SNIPR – Credential Stuffing Toolkit

SNIPR is a popular Credential Stuffing toolkit used by cybercriminals and is found hosted on the SNIPR crackers forums. SNIPR comes with over 100 config files preloaded and the ability to upload personal config files to the public repository.

Reasons for Concern

Recent breaches over the last few years have exposed hundreds of millions of user credentials. One of the main reasons for concern of a Credential Stuffing campaign is due to the impact that it has on the users. Users who reuse credentials across multiple websites are exposing themselves to an increased risk of fraud and identity theft.

The second concern is for organizations who have to mitigate high volumes of fraudulent login attempts that can saturate a network. This saturation can be a cause for concern, as it will appear to be a DDoS attack, originating from random IP addresses coming from a variety of sources, including behind proxies. These requests will look like legitimate attempts since the attacker is not running a brute force attack. If the user: pass for that account does not exist or authenticate on the targeted application the program will move on to the next set of credentials.

Mitigation

In order to defend against a Credential Stuffing campaign, organizations need to deploy a WAF that can properly fingerprint and identify malicious bot traffic as well as automated login attacks directed at your web application. Radware’s AppWall addresses the multiples challenges faced by Credential Stuffing campaigns by introducing additional layers of mitigation including activity tracking and source blocking.

Radware’s AppWall is a Web Application Firewall (WAF) capable of securing Web applications as well as enabling PCI compliance by mitigating web application security threats and vulnerabilities. Radware’s WAF prevents data from leaking or being manipulated which is critically important in regard to sensitive corporate data and/or information about its customers.

The AppWall security filter also detects such attempts to hack into the system by checking the replies sent from the Web server for Bad/OK replies in a specific timeframe. In the event of a Brute Force attack, the number of Bad replies from the Web server (due to a bad username, incorrect password, etc.) triggers the BruteForce security filter to monitor and take action against that specific attacker. This blocking method prevents a hacker from using automated tools to carry out an attack against Web application login page.

In addition to these steps, network operators should apply two-factor authentication where eligible and monitor dump credentials for potential leaks or threats.

Effective Web Application Security Essentials

  • Full OWASP Top-10 coverage against defacements, injections, etc.
  • Low false positive rate – using negative and positive security models for maximum accuracy
  • Auto policy generation capabilities for the widest coverage with the lowest operational effort
  • Bot protection and device fingerprinting capabilities to overcome dynamic IP attacks and achieve improved bot detection and blocking
  • Securing APIs by filtering paths, understanding XML and JSON schemas for enforcement, and activity tracking mechanisms to trace bots and guard internal resources
  • Flexible deployment options – on-premise, out-of-path, virtual or cloud-based

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Application SecurityAttack MitigationSecurityWeb Application Firewall

Are Your Applications Secure?

October 3, 2018 — by Ben Zilberman7

WAF_REPORT_BLOG_Cover_img-960x715.jpg

Executives express mixed feelings and a surprisingly high level of confidence in Radware’s 2018 Web Application Security Report. 

As we close out a year of headline-grabbing data breaches (British Airways, Under Armor, Panera Bread), the introduction of GDPR and the emergence of new application development architectures and frameworks, Radware examined the state of application security in its latest report. This global survey among executives and IT professionals yielded insights about threats, concerns and application security strategies.

The common trend among a variety of application security challenges including data breaches, bot management, DDoS mitigation, API security and DevSecOps, was the high level of confidence reported by those surveyed. 90% of all respondents across regions reported confidence that their security model is effective at mitigating web application attacks.

Attacks against applications are at a record high and sensitive data is shared more than ever. So how can execs and IT pros have such confidence in the security of their applications?

To get a better understanding, we researched the current threat landscape and application protection strategies organizations currently take. Contradicting evidence stood out immediately:

  • 90% suffered attacks against their applications
  • One in three shared sensitive data with third parties
  • 33% allowed third parties to create/modify/delete data via APIs
  • 67% believed a hacker can penetrate their network
  • 89% saw web-scraping as a significant threat to their IP
  • 83% run bug bounty programs to find vulnerabilities they miss

There were quite a few threats to application services that were not properly addressed, challenging traditional security approaches. In parallel, the adoption of emerging frameworks and architectures, which rely on numerous integrations with multiple services, adds more complexity and increases the attack surface.

Current Threat Landscape

Last November, OWASP released a new list of top 10 vulnerabilities in web applications. Hackers continue to use injections, XSS, and a few old techniques such as CSRF, RFI/LFI and session hijacking to exploit these vulnerabilities and gain unauthorized access to sensitive information. Protection is becoming more complex as attacks come through trusted sources such as a CDN, encrypted traffic, or APIs of systems and services we integrate with. Bots behave like real users and bypass challenges such as CAPTCHA, IP-based detection and others, making it even harder to secure and optimize the user experience.

[You might also like: WAFs Should Do A  Lot More Against Current Threats Than Covering OWASP Top 10]

Web application security solutions must be smarter and address a broad spectrum of vulnerability exploitation scenarios. On top of protecting the application from these common vulnerabilities, it has to protect APIs and mitigate DoS attacks, manage bot traffic and make a distinction between legitimate bots (search engines for instance) and bad ones like botnets, web-scrapers and more.

DDoS Attacks

63% suffered a denial of service attack against their application. DoS attacks render applications inoperable by exhausting the application resources. Buffer overflow and HTTP floods were the most common types of DoS attacks, and this form of attack is more common in APAC. 36% find HTTP/Layer-7 DDoS as the most difficult attack to mitigate. Half of the organizations take rate-based approaches (such as limiting the number of request from a certain source or simply buying a rate-based DDoS protection solution) which are ineffective once the threshold is exceeded and real users can’t connect.

API Attacks

APIs simplify the architecture and delivery of application services and make digital interactions possible. Unfortunately, they also introduce a wide range of risks and vulnerabilities as a backdoor for hackers to break into networks. Through APIs, data is exchanged in HTTP where both parties receive, process and share information. A third party is theoretically able to insert, modify, delete and retrieve content from applications. This is nothing but an invitation to attack:

  • 62% of respondents did not encrypt data sent via API
  • 70% of respondents did not require authentication
  • 33% allowed third parties to perform actions (GET/ POST / PUT/ DELETE)

Attacks against APIs:

  • 39% Access violations
  • 32% Brute-force
  • 29% Irregular JSON/XML expressions
  • 38% Protocol attacks
  • 31% Denial of service
  • 29% Injections

Bot Attacks

The amount of both good and bad bot traffic is growing. Organizations are forced to increase network capacity and need to be able to precisely tell a friend from a foe so both customer experience and security are maintained. Surprisingly, 98% claimed they can make such a distinction. However, a similar amount sees web-scraping as a significant threat. 87% were impacted by such an attack over the past 12 months, despite a variety of methods companies use to overcome the challenge – CAPTCHA, in-session termination, IP-based detection or even buying a dedicated anti-bot solution.

Impact of Web-scraping:

  • 50% gathered pricing information
  • 43% copied website
  • 42% theft of intellectual property
  • 37% inventory queued/being held by bots
  • 34% inventory held
  • 26% inventory bought out

Data Breaches

Multinational organizations keep close tabs on what kinds of data they collect and share. However, almost every other business (46%) reports having suffered a breach. On average an organization suffers 16.5 breach attempts every year. Most (85%) take between hours and days to discover. Data breaches are the most difficult attack to detect, as well as mitigate, in the eyes of our survey respondents.

How do organizations discover data breaches?

  • 69% Anomaly detection tools/SIEM
  • 51% Darknet monitoring service
  • 45% Information was leaked publicly
  • 27% Ransom demand

IMPACT OF ATTACKS

Negative consequences such as loss of reputation, customer compensation, legal action (more common in EMEA), churn (more common in APAC), stock price drops (more common in AMER) and executives who lose their jobs are quick to follow a successful attack, while the process of repairing the damage of a company’s reputation is long and not always successful. About half admitted having encountered such consequences.

Securing Emerging Application Development Frameworks

The rapidly growing amount of applications and their distribution across multiple environments requires adjustments that lead to variations once a change to the application is needed. It is nearly impossible to deploy and maintain the same security policy efficiently across all environments. Our research shows that ~60% of all applications undergo changes on a weekly basis. How can the security team keep up?

While 93% of organizations use a web application firewall (WAF), only three in ten use a WAF that combines both positive and negative security models for effective application protection.

Technologies Used By DevOps

  • 63% – DevOps and Automation Tools
  • 48% – Containers (3 in 5 use Orchestration)
  • 44% – Serverless / FaaS
  • 37% – Microservers

Among the respondents that used micro-services, one-half rated data protection as the biggest challenge, followed by availability assurance, policy enforcement, authentication, and visibility.

Summary

Is there a notion that organizations are confident? Yes. Is that a false sense of security? Yes. Attacks are constantly evolving and security measures are not foolproof. Having application security tools and processes in place may provide a sense of control but they are likely to be breached or bypassed sooner or later. Another question we are left with is whether senior management is fully aware of the day to day incidents. Rightfully so, they look to their internal teams tasked with application security to manage the issue, but there seems to be a disconnect between their perceptions of the effectiveness of their organizations’ application security strategies and the actual exposure to risk.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Application SecurityCloud SecurityDDoS AttacksSecurityWAF

Protecting Sensitive Data: The Death of an SMB

September 26, 2018 — by Mike O'Malley1

protecting-sensitive-data-death-of-small-medium-business-960x522.jpg

True or False?

90% of small businesses lack any type of data protection for their company and customer information.

The answer?

Unfortunately true.

Due to this lack of care, 61% of data breach victims are specifically small businesses according to service provider Verizon’s 2018 Data Breach Investigations.

Although large corporations garner the most attention in mainstream headlines, small and mid-sized businesses (SMB) are increasingly attractive to hackers because of the combination of valuable records and lack of security protections. The high priority of sensitive data protection should not be limited to large companies but for organizations of all sizes.

While large corporations house large amounts of data, they are also capable of supporting their data center with the respective necessary protections. The combination of lacking security resources while maintaining sensitive personal information is what makes smaller-sized businesses the perfect targets for attackers. Hackers aren’t simply looking at how much information they can gather, but at the ease of access to that data – an area where SMB’s are largely deficient.

The bad publicity and dark connotation that data breaches hold create a survive-or-die situation for SMBs, but there are ways SMBs can mitigate the threat despite limited resources – and they exist in the cloud.

The Struggle to Survive

Because of their smaller stature as a company, most SMBs struggle with the ability to manage cybersecurity protections and mitigation of attacks – especially data breaches. In fact, financial services company UPS Capital found that 60% of smaller businesses fall out of business within six months after a cyberattack. Unlike business giants, SMBs cannot afford the financial hit of data breaches.

Security and privacy of sensitive data is a trending hot topic in today’s society, becoming more of an influence on customers’ purchase decisions. Customers are willing to pay more for provided security protections. Auditor giant KPMG reports that for mobile service providers alone, consumers would not hesitate to switch carriers if one provided better security than the other, as long as pricing is competitive or even for a moderate premium.

[You might also like: Protecting Sensitive Data: What a Breach Means to Your Business]

One Person Just Isn’t Enough

Many SMBs tend to prioritize their business over cybersecurity because of the false belief that attackers would go after large companies first. Research Center Ponemon Institute reports that 51% of its survey respondents say their company believes they are too small to be targeted. For businesses that do invest in cybersecurity, they narrowly focus on anti-virus solutions and neglect other types of attacks such as DDoS, malware, and system exploits that intrusion detection systems can protect from.

Auto dealerships, for example, are typically family-owned and operated businesses, valued at $4 million USD, with typically an average of 15-20 employees overall. Because of its size, of that number of employees there is typically only one employee that manages the IT responsibilities. Dealerships attempt to satisfy the need of security protection with this employee that has relevant certifications and experience; they are equipped with resources to support their day-to-day tasks, but not to manage high-level attacks and threats. Ponemon Institute’s research reports that 73% of its respondents believe they are unable to achieve full effective IT security because of insufficient personnel.

A study conducted by news publication Automotive News found that 33% of consumers lack confidence in the security protection of sensitive data at dealerships. The seriousness of cybersecurity protection, however, should not correlate to the number of employees but the amount and value of the sensitive data collected. The common error dealerships make isn’t the lack of care in their handling of sensitive data, but the underestimation of their likelihood of being attacked.

Dealerships collect valuable consumer information, both personal and financial – ranging from driver’s license information to social security numbers, to bank account information, and even past vehicle records. An insufficient budget and management of IT security make auto dealerships a prime target. In fact, software company MacKeeper in 2016 revealed a massive data breach of 120+ U.S. dealership systems made available on Shodan – a search engine for connected, but unsecured databases and devices. The source of the breach originated from backing up individual data systems to the vendor’s common central systems, without any cybersecurity protections in place.

The Answer is in the Clouds

Cybersecurity is often placed on the backburner of company priorities, perceived as an unnecessary expenditure because of the flawed perception and underestimated likelihood of being attacked. However, the level of protection over personal data is highly valued among today’s consumers and is enough to be the deciding factor for which OS or mobile app/site people would frequent, and likely which SMB they would patronize.

Witnessing the growing trend of data breaches and the rapid advancements of cyberattacks, SMBs are taking note and beginning to increase spending. It is crucial for organizations to not only increase their security budget but to spend it effectively and efficiently. Research firm Cyren and Osterman Research found that 63% of SMBs are increasing their security spending, but still experience breaches.

Internal security systems may seem more secure to smaller business owners, but SMBs lack the necessary security architecture and expertise to safeguard the data being housed. Cloud solutions offer what these businesses need: a data storage system with better security protection services. Meanwhile, in the same Cyren and Osterman Research report, only 29% of IT managers are open to utilizing cloud services. By utilizing cloud-based security as a solution, small-and medium-sized businesses no longer have to depend on one-staff IT departments, but can focus on the growth of their business. Cloud-based security solutions provide enterprise-grade protection alongside improved flexibility and agility that smaller organizations typically lack compared to their large-scale brethren.

Managed security vendors offer a range of fully-managed cloud security solutions for cyberattacks from WAF to DDoS. They are capable of providing more accurate real-time protection and coverage. Although the security is provided by an outside firm, reports and audits can be provided for a deeper analysis of not only the attacks but the company’s defenses. Outsourcing this type of security service to experts enables SMBs to continue achieving and prioritizing their business goals while protecting their work and customer data.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

Application SecurityBotnetsSecurity

Don’t Let Your Data Seep Through The Cracks: Cybersecurity For the Smart Home

September 20, 2018 — by Anna Convery-Pelletier4

secure_customer_experience_smart_home_blog-960x610.jpg

Technology and wireless connectivity have forever changed households. While we don’t have the personal hovercrafts or jetpacks that we were promised as children, infinite connectivity has brought a whirlwind of “futuristic” benefits and luxuries few could have imagined even a decade ago. But more importantly, it has re-defined how the modern domicile needs to be managed.

Just as with an enterprise network, cybersecurity concerns also impact the home network. The onus is on us, the consumer, to take responsibility for home network security because device manufacturers have not and the risks associated with any data breach is hugely detrimental in the digital age we live in.

A home network is no longer just laptops, tablets, smartphones and printers. The explosion of the Internet of Things (IoT) has resulted in network connectivity to nearly everything. Everyday household items – appliances, cameras, routers, baby monitors, toys, televisions, thermostats, heating systems, etc. are now connected to each other and the internet. But with all this network connectivity comes risk. Why is that and more importantly, what should you do about it?

While many consumers naively assume that developers behind new network-connected equipment must be thinking long and hard about security, in truth they aren’t. To be first to market, design zero-setup equipment, and to deliver a more fulfilling consumer experience, security on many IoT devices is woefully inadequate and often times an afterthought. In addition, many of these network-connected devices leverage bare bone operating systems that have neither the capacity nor processing power for sophisticated anti-virus/malware tools.

It’s common knowledge that home security such as burglar alarms and even door locks are connected to the internet. What many consumers don’t realize is that this creates a huge exposure because the Wi-Fi serves as a new vulnerability to the house’s physical security system. While useful for providing remote access to your next-door neighbors when the dog needs to be let outside, tech-savvy thieves need only to hack the Wi-Fi to gain access to security controls, monitor resident’s daily habits and gain physical access to the house.

IoT devices connected to e-commerce sites is yet another. For example, a smart fridge integrated into somebody’s Amazon Fresh or FreshDirect account (and access to banking/credit card information) allows someone to purchase groceries or other kitchen necessities right from the refrigerator door. This seamless connectivity can be a dream come true for today’s digital consumer, but can also provide a virtual playground from which hackers can gain access to digital bounties via a single vulnerability.

Smart Homes Require Smart Planning and Smart Security

Smart homes are here and are only going to get smarter. In effect, they are no different from a small corporate network, and as such, they need similar levels of planning and security, especially when considering the growing trend of working from home. However, many consumers simply don’t have the desire to run them securely. Most importantly, consumers are not reviewing and taking the necessary security precautions like they do other aspects of their life.

[You might also like: Cybersecurity & The Customer Experience: The Perfect Combination]

Just like security must become the very fabric of a business, cybersecurity planning – the act of reviewing network-connected devices, where sensitive data is stored and potential security vulnerabilities – must become a critical component of the smart home.

On a yearly basis, my family sits down and does financial planning to review everything from vacations to unexpected expenses. We’ve now included conversations about security planning and ask ourselves some questions such as:

Have I taken an inventory of and actually know all of the various network-connected devices that are in my home? Have security updates been applied to home computers and network-connected devices? Do any outdated devices, such as routers, need to be changed out by the vendor? Are my passwords secure and have I backed up any critical/sensitive information?

These types of questions are what modern-day consumers must be asking, in addition to executing the multitude of security best practices regarding password management, device protection, and backing up sensitive information. Even traditional consumer-focused antivirus software providers now offer multi-layered security devices meant specifically to safeguard home networks, routers and IoT devices.

[You might also like: Personal Security Hygiene]

To truly enjoy the promise of the smart home, it needs to be protected from cyber intruders just as vicariously as it’s protected against physical intruders. Similar to the lessons that leading organizations and name brands have learned in recent years, the best combination is taking proactive measures and leveraging consumer security tools that are easy to implement, easy to operate and does not require a great deal of expertise. It’s time for consumers to become proactive and smarter about home cybersecurity.

Read “Consumer Sentiments: Cybersecurity, Personal Data and The Impact on Customer Loyalty” to learn more.

Download Now

Application SecuritySecurity

Millennials and Cybersecurity: Understanding the Value of Personal Data

September 19, 2018 — by Jeff Curley2

GettyImages-546802904-960x640.jpg

From British Airways to Uber, recent data breaches have shown how valuable our data is to cybercriminals – and the lengths to which they will go to access it.

The size and impact of these breaches has meant that topics once reserved for tech experts and IT personnel have transitioned into a more mainstream conversation. Revelations about how important our data can be, such as the Cambridge Analytica scandal, have amplified these sentiments and changed the way in which many use digital services altogether.

The result is that consumers, especially millennials, are very concerned about how the organizations they are trusting with their data safeguard their information – and how they will make amends if a breach does occur.

In fact, our latest survey found that almost half of UK millennials now refuse to give up their personal data to businesses as they don’t trust them to keep that data safe.

Who Do You Trust?

Millennials are also likely to look outside the box when it comes to checking for data breaches. In our survey, almost 15% said they searched the dark web to find their data, while 13% used data breach search websites.

But while the majority are security conscious when it comes to how businesses use their personal data, many are in fact taking risks when it comes to other forms of data security, like sharing Netflix or Amazon Prime login details with friends and family.

When we consider that it has been suggested up to 80% of the population use the same password for all of their online accounts, login sharers may be inadvertently be sharing their online banking password at the same time as sharing their entertainment account login. It’s clear to see how a problem could develop.

[You might also like: Consumer Sentiments About Cybersecurity and What It Means for Your Organization]

Taking Password Hygiene Seriously

There’s currently a battle going on between security and usability, with businesses and consumers both trying to find a sweet spot between a comfortable service and providing the necessary security.

For consumers, especially millennials, there are some rules of thumb that can help in this battle.

The most important rule is also the most obvious – protect your passwords! Unsecured login credentials are today’s number one tool for cybercriminals to access user information. Usernames and passwords are for sale on the dark web by the millions and, as mentioned before, hackers know people are often using the same password on different sites so they are likely to try using these credentials on other, more valuable, sites.

We all struggle to remember some of the complicated passwords we have to create in order to gain access to some websites. That’s why the temptation to replicate credentials across sites is strong. After all, humans are not meant to remember passwords, and good passwords should be hard to memorize!

One approach to deal with the issue is to use passphrases which are easier to remember. However, this approach can still lead to the temptation to use the same passphrase everywhere and often websites prompt the user to create passwords with variations in letter case, characters, and numbers that are themselves difficult to remember.

A better approach is to let your computer do the hard work and use a password manager. Using a unique random password for each site is the best way to protect yourself from data theft online as if data leaks from one site it will have no effect on the rest of the sites you visit.  Personally, since two consecutive breaches that affected me in a space of just two weeks (each coming with a sensible advisory to reset my passwords everywhere) I have taken to using Apple iCloud Keychain to take away the pain of having to generate unique passwords everywhere.

Additionally, use two-factor authentication where available. This will ensure that even if a hacker has your password, it will be very hard to break into the site. Specifically, use two-factor authentication when you log in to your password manager.

Although using a password manager might be considered a risk by itself – you’re putting all of your passwords in one place, after all – security experts believe that the risk is still lower than any other password system. Modern password managers do a great job at keeping your passwords secret. But in order to lower the risk further, never log in to your password manager on an unknown device.

2018 Mobile Carrier Ebook

Read “The Millennial View on Data Security” today.

Download Now

Application DeliveryApplication SecuritySecurity

DDoS Protection is the Foundation for Application, Site and Data Availability

September 11, 2018 — by Daniel Lakier2

ddos-primer-part-1-960x788.jpg

When we think of DDoS protection, we often think about how to keep our website up and running. While searching for a security solution, you’ll find several options that are similar on the surface. The main difference is whether your organization requires a cloud, on-premise or hybrid solution that combines the best of both worlds. Finding a DDoS mitigation/protection solution seems simple, but there are several things to consider.

[You might also like: Should Business Risk Mitigation Be A Factor When We Choose Our Suppliers and Manufacturers?]

It’s important to remember that DDoS attacks don’t just cause a website to go down. While the majority do cause a service disruption, 90 percent of the time it does not mean a website is completely unavailable, but rather there is a performance degradation. As a result, organizations need to search for a DDoS solution that can optimize application performance and protect from DDoS attacks. The two functions are natural bedfellows.

The other thing we often forget is that most traditional DDoS solutions, whether they are on-premise or in the cloud, cannot protect us from an upstream event or a downstream event.

  1. If your carrier is hit with a DDoS attack upstream, your link may be fine but your ability to do anything would be limited. You would not receive any traffic from that pipe.
  2. If your infrastructure provider goes down due to a DDoS attack on its key infrastructure, your organization’s website will go down regardless of how well your DDoS solution is working.

Many DDoS providers will tell you these are not part of a DDoS strategy. I beg to differ.

Finding the Right DDoS Solution

DDoS protection was born out of the need to improve availability and guarantee performance.  Today, this is critical. We have become an application-driven world where digital interactions dominate. A bad experience using an app is worse for customer satisfaction and loyalty than an outage.  Most companies are moving into shared infrastructure environments—otherwise known as the “cloud”— where the performance of the underlying infrastructure is no longer controlled by the end user.

Keeping the aforementioned points in mind, here are three key features to consider when looking at modern enterprise DDoS solutions:

  1. Data center or host infrastructure rerouting capabilities gives organizations the ability to reroute traffic to secondary data centers or application servers if there is a performance problem caused by something that the traditional DDoS prevention solution cannot negate. This may or may not be caused by a traditional DDoS attack, but either way, it’s important to understand how to mitigate the risk from a denial of service caused by infrastructure failure.
  2. Simple-to-use link or host availability solutions offer a unified interface for conducting WAN failover in the event that the upstream provider is compromised. Companies can use BGP, but BGP is complex and rigid. The future needs to be simple and flexible.
  3. Infrastructure and application performance optimization is critical. If we can limit the amount of compute-per-application transactions, we can reduce the likelihood that a capacity problem with the underlying architecture can cause an outage. Instead of thinking about just avoiding performance degradation, what if we actually improve the performance SLA while also limiting risk? It’s similar to making the decision to invest your money as opposed to burying it in the ground.

[You might also like: Marrying the Business Need with the Technology Drive: Recapping It All]

Today you can look at buying separate products to accomplish these needs but you are then left with an age old problem: a disparate collection of poorly integrated best-of-breed solutions that don’t work well together.

These products should work together as part of a holistic solution where each solution can compensate and enhance the performance of the other and ultimately help improve and ensure application availability, performance and reliability. The goal should be to create a resilient architecture to prevent or limit the impact of DoS and DDoS attacks of any kind.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

Application SecuritySecurity

Understanding the Power of Big Data For Your Business

September 6, 2018 — by Ashley Lipman10

protect_datasaas_it-960x640.jpg

Data might just be the biggest asset your company has. It is more than just collecting numbers. The right metrics can help you make smart decisions for your business, and anticipate customer demands early on. You can use consumer data to improve your marketing strategy, create products and services that challenge the industry, and build a robust bottom line.

But not all data is created equal. What metrics should you consider in your strategy, and how should you measure this information in the first place? How can you use data to analyze your business success and future steps?

What is Big Data?

While the term might sound like a business buzzword, it’s actually much more than that. Big data started as a conversation for technologists in big companies, but it’s now a viable resource for all business sizes. According to Oracle, big data is “data that contains greater variety arriving in increasing volumes and with ever-higher velocity.”

This definition might be confusing, but it ’s much simpler than that. It is a large amount of complex information that is constant from new sources. That means big data is always recent, and it’s always relevant. It is changing, and it can be used to address new problems in a shifting world.

[You might also like: Consumer Sentiments About Cybersecurity and What It Means for Your Organizations]

Big Data in Practice

Now that you understand how big data is a large metric of constantly evolving trends, it’s time to examine its value in business today. Whether you’re running a startup or an established organization, you need to make smart choices. If you don’t have any basis for these decisions, you’re bound to make mistakes.

Big data bridges gaps in experience. If you’re looking to expand your business into a new market or you’re launching a new product, you don’t have the experience to fall back on. You need big data. To understand why, let’s talk about how it’s used in practice.

Developing Products

If you want to stay relevant in your industry today, you need to have new products that compete with the norm. Things move quickly, and if you can’t anticipate customers’ wants and needs before they become a reality, you’ll lose out to bigger competition. By using data, you can understand what was successful about products or services in the past. More importantly, you can analyze what needs have yet to be filled.

Customer Experience

According to a survey, 88% of buyers are willing to pay more for a better experience. In the next few years, customer experience is expected to overtake other things like price or even the product itself as a way to differentiate between brands. In this race for customers, you need to make sure your customers’ needs are addressed in a timely, efficient manner. Data allows you to avoid repeating past problems and keep track of things like personalized offers and patterns.

Maintenance

Customers today have very limited patience. When things go wrong, they’re likely to run to a competitor without a second thought. It’s up to companies to create a system for maintaining their technology, quality, and services. A single failure or error will lead to damaged reputations, customer dissatisfaction, and inefficient use of time. Whether you need to look into Windows logging basics for a complex computer system or application monitoring, data is how you prevent problems before they start.

Innovation

Only the most innovative companies will succeed today. How do you innovate? By analyzing what’s been done in the past and building on this knowledge. Using big data is a smart way to gain insight into areas that need improving, and you can learn from the mistakes of other organizations to avoid repeating them yourself. Innovation depends on stats, technology, and your ability to keep moving forward.

The Future of Big Data

As more startups join the race, big data is being called upon more than ever before. There are so many ways to utilize data of the past to create smart decisions for the future. Technology is changing at a rapid pace. This gives us more insight into data and consumer decisions. How will you use this to help your business?

Another challenge regarding the development of big data in the future is how it will be secured. Any businesses that work with customer or employee data need to create systems for securing it from unwanted parties. While data is an asset, it is also a risk.

[You might also like: Cybersecurity & Customer Experience: Embrace Technology and Change to Earn A Customer’s Loyalty]

Losing customer data can be harmful to the reputation of the business which is something frequently seen in the news today. Things like firewalls, virus protection, and other protective measures will be essential as we enter this new age of cybersecurity. How will your company protect its own data moving forward? What systems are in place to protect yourself from outside threats?

It’s not enough to collect data. You need to know how to analyze it in a way that you can actually act on. You also need to protect it as though your business depends upon it. Take your data further and find new discoveries that will take your organization into a new era of customer satisfaction.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

Older Posts