
Adapting Application Security to the New World of Bots

March 7, 2019 — by Radware


In 2018, organizations reported a 10% increase in malware and bot attacks. Considering the pervasiveness (70%) of these types of attacks reported in 2017, this uptick is likely having a big impact on organizations globally. Compounding the issue is the fact that the majority of bots are actually leveraged for good intentions, not malicious ones. As a result, it is becoming increasingly difficult for organizations to identify the difference between the two, according to Radware’s Web Application Security in a Digitally Connected World report.

Bots are automated programs that run independently to perform a series of specific tasks, for example, collecting data. Sophisticated bots can handle complicated interactive situations. More advanced programs feature self-learning capabilities that can address automated threats against traditional security models.

Positive Impact: Business Acceleration

Automated software applications can streamline processes and positively impact overall business performance. They replace tedious human tasks and speed up processes that depend on large volumes of information, thus contributing to overall business efficiency and agility.

Good bots include:

  • Crawlers — are used by search engines and contribute to SEO and SEM efforts
  • Chatbots — automate and extend customer service and first response
  • Fetchers — collect data from multiple locations (for instance, live sporting events)
  • Pricers — compare pricing information from different services
  • Traders — are used in commercial systems to find the best quote or rate for a transaction


Negative Impact: Security Risks

The Open Web Application Security Project (OWASP) lists 21 automated threats to applications that can be grouped together by business impacts:

  • Scraping and Data Theft — Bots try to access restricted areas in web applications to get hold of sensitive data such as access credentials, payment information and intellectual property. One method of collecting such information is called web scraping. A common example of a web-scraping attack is against e-commerce sites, where bots quickly hold or even fully clear the inventory.
  • Performance — Bots can impact the availability of a website, bringing it to a complete or partial denial-of-service state. The consumption of resources such as bandwidth or server CPU immediately leads to a deterioration in the customer experience, lower conversions and a bad image. Attacks can be large and volumetric (DDoS) or not (low and slow, buffer overflow).
  • Poisoning Analytics — When a significant portion of a website’s visitors are fictitious, expect biased figures such as fraudulent links. Compounding this issue is the fact that third-party tools designed to monitor website traffic often have difficulty filtering bot traffic.
  • Fraud and Account Takeover — With access to leaked databases such as Yahoo and LinkedIn, hackers use bots to run through usernames and passwords to gain access to accounts. Then they can access restricted files, inject scripts or make unauthorized transactions.
  • Spammers and Malware Downloaders — Malicious bots constantly target mobile and web applications. Using sophisticated techniques like spoofing their IPs, mimicking user behavior (keystrokes, mouse movements), abusing open-source tools (PhantomJS) and headless browsers, bots bypass CAPTCHA, challenges and other security heuristics.

[You may also like: The Big, Bad Bot Problem]

Blocking Automated Threats

Gawky bot attacks against websites are easy to block by IP and reputation-based signatures and rules. However, because of the increase in sophistication and frequency of attacks, it is important to be able to uniquely identify the attacking machine. This process is referred to as device fingerprinting. The process should be IP agnostic and yet unique enough to be confident to act upon. At times, resourceful attacking sources may actively try to manipulate the fingerprint extracted from the web tool, so it should also be client-side manipulation proof.
Web client fingerprint technology introduces significant value in the context of automated attacks, such as web scraping; Brute Force and advanced availability threats, such as HTTP Dynamic Flood; and low and slow attacks, where the correlation across multiple sessions is essential for proper detection and mitigation.

For each fingerprint-based, uniquely identified source, a historical track record is stored with all security violations, activity records and application session flows. Each abnormal behavior is registered and scored. Violation examples include SQL injection, suspicious session flow and high page access rate. Once a threshold is reached, the source with the marked fingerprint will not be allowed to access the secured application.
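The per-fingerprint track record and scoring described above, as an added example (not Radware's code): every violation is keyed on an opaque client fingerprint rather than the source IP, weighted, and accumulated until a block threshold is crossed; the weights, threshold, rate window and fingerprint values are assumed for illustration.

```python
"""Fingerprint-keyed violation ledger (added example, not Radware's code).

Each uniquely identified source (by fingerprint, not by IP) keeps a history
of violations; each violation adds a weight to the source's score, and once
the score reaches the threshold the source is no longer allowed in.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed severity weights per violation type (illustrative values).
VIOLATION_WEIGHTS = {
    "sql_injection": 50,
    "suspicious_session_flow": 20,
    "high_page_access_rate": 10,
}
BLOCK_THRESHOLD = 60        # assumed: block once the cumulative score reaches this
RATE_WINDOW_SECONDS = 10    # assumed sliding window for the page-access rate check
RATE_LIMIT_PER_WINDOW = 30  # assumed: more hits than this per window is abnormal


@dataclass
class SourceRecord:
    """Historical track record for one fingerprint."""
    violations: list = field(default_factory=list)  # (timestamp, type, weight)
    page_hits: deque = field(default_factory=deque)  # hit timestamps in window
    score: int = 0
    blocked: bool = False


class FingerprintTracker:
    def __init__(self):
        self.records = defaultdict(SourceRecord)

    def record_violation(self, fingerprint, vtype, ts):
        """Register an abnormal behaviour and re-evaluate the block decision."""
        rec = self.records[fingerprint]
        weight = VIOLATION_WEIGHTS[vtype]
        rec.violations.append((ts, vtype, weight))
        rec.score += weight
        if rec.score >= BLOCK_THRESHOLD:
            rec.blocked = True
        return rec.score

    def page_access(self, fingerprint, ts):
        """Count a page hit; raise a rate violation when the window overflows."""
        rec = self.records[fingerprint]
        rec.page_hits.append(ts)
        while rec.page_hits and ts - rec.page_hits[0] > RATE_WINDOW_SECONDS:
            rec.page_hits.popleft()
        if len(rec.page_hits) > RATE_LIMIT_PER_WINDOW:
            rec.page_hits.clear()  # score the burst once, then start a new window
            self.record_violation(fingerprint, "high_page_access_rate", ts)
        return rec.score

    def allowed(self, fingerprint):
        return not self.records[fingerprint].blocked


def run_demo():
    """Constructed events: (ip, fingerprint, violation_type, timestamp).

    The IP column is deliberately ignored: the same fingerprint seen from two
    different IPs still lands in a single record.
    """
    tracker = FingerprintTracker()
    fp_bot, fp_user = "fp-7f3a", "fp-c019"  # constructed fingerprint values
    events = [
        ("10.0.0.5", fp_bot, "sql_injection", 0.0),
        ("203.0.113.9", fp_bot, "suspicious_session_flow", 1.0),  # new IP, same fingerprint
    ]
    for _ip, fp, vtype, ts in events:
        tracker.record_violation(fp, vtype, ts)
    # A legitimate-looking user that briefly bursts 31 page hits inside 3 seconds.
    for i in range(31):
        tracker.page_access(fp_user, i * 0.1)
    return {
        fp: {
            "score": rec.score,
            "blocked": rec.blocked,
            "violations": [v[1] for v in rec.violations],
            "allowed": tracker.allowed(fp),
        }
        for fp, rec in tracker.records.items()
    }


if __name__ == "__main__":
    for fp, summary in run_demo().items():
        print(fp, summary)
```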


Taking the Good with the Bad

Ultimately, understanding and managing bots isn’t about crafting a strategy driven by a perceived negative attitude toward bots because, as we’ve explained, bots serve many useful purposes for propelling the business forward. Rather, it’s about equipping your organization to act as a digital detective to mitigate malicious traffic without adversely impacting legitimate traffic.

Organizations need to embrace technological advancements that yield better business performance while integrating the necessary security measures to guard their customer data and experience.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.



Millennials “Swipe Right” On Fintech and Security

February 6, 2019 — by Mike O'Malley


Let me cut to the chase: The financial services industry is rapidly changing to satisfy its new best friend, millennials. There’s no getting around it; their sheer numbers necessitate attention. Millennials represent one in three Americans in the workforce, 25 percent of the global population (fun fact: there are more millennials in China than people in the United States!), and have $200 billion in buying power. They are the largest single generation in the workforce today. And, most importantly for financial services, they are 43 percent of all mobile banking and finance usage.

Digital Trumps Traditional

Indeed, millennials don’t value traditional banking like previous generations. Born into a digitally-connected era, they heavily rely on the Internet and smartphones to conduct their business, including managing their finances. According to research from Gemalto, more than one in four (27%) millennials have never even visited a bank branch. Comparatively, 77 percent use online services every month and many consider mobile banking “essential,” with nearly 40 percent reporting that financial apps help them control their finances. This becomes critically important in maintaining trust. Since they’ve never been to a branch, there are no people, no relationships to build loyalty. All trust, loyalty and affinity for the brand comes 100% from experience on the web and via mobile apps. Any breach here, and trust is broken…forever.


And, it’s worth noting, millennials want financial help. Millennials grew up during the global financial crisis, so managing debt responsibly and avoiding risk is very important to them. A TD Bank survey designed to understand these young adults’ banking behaviors found that “while 59 percent of millennials reported that they are ‘extremely’ or ‘very’ knowledgeable about their day-to-day banking products like checking accounts, they still want advice on personal finance topics,” including savings, credit cards and creating a budget.

In other words, millennials value tools and advice that give them control over debt and credit alike—which helps explain their reliance on fintech over traditional banks for financial advice and things like debt consolidation loans. In fact, millennials are driving a surge in personal loans, 36 percent of which are from fintech lenders.

Opportunity…and Risk

All these statistics converge to make one key point: While there is a huge opportunity for fintech providers to capture market share and growth, there is also sizable risk. Why? Because data security is top of mind for these so-called “digital natives.” They understand the liabilities of trusting organizations, like financial institutions, with their online data and expect that it will be well guarded 24/7 with no lapses.


If it isn’t? Say goodbye to your millennial customer base; millennials are 2.5 times more likely to change banks than their older counterparts if they aren’t pleased. And one surefire way to keep them happy is with a secure mobile and/or online customer experience. After all, the number one tool millennials want is better mobile security for financial transactions.

Don’t risk losing the most connected, powerful consumer demographic because of lax security. The guaranteed fallout—customer attrition, reputation loss and more—simply isn’t worth the risk. Proactively delivering a secure customer experience is paramount to maintaining a competitive advantage and capturing the trust of your most important customers.


Read “The Millennial View on Data Security” today.



HTTPS: The Myth of Secure Encrypted Traffic Exposed

February 5, 2019 — by Ben Zilberman


The S in HTTPS is supposed to mean that encrypted traffic is secure. For attackers, it just means that they have a larger attack surface from which to launch assaults on the applications to exploit the security vulnerabilities. How should organizations respond?

Most web traffic is encrypted to provide better privacy and security. By 2018, over 70% of webpages were loaded over HTTPS. Radware expects this trend to continue until nearly all web traffic is encrypted. The major drivers pushing adoption rates are the availability of free SSL certificates and the perception that clear traffic is insecure.

While encrypting traffic is a vital practice for organizations, cyber criminals are not necessarily deterred by the practice. They are looking for ways to take advantage of encrypted traffic as a platform from which to launch attacks that can be difficult to detect and mitigate, especially at the application layer. As encrypted applications grow more complex, the potential attack surface is larger. Organizations need to incorporate protection of the application layer as part of their overall network security strategies. Results from the global industry survey revealed a 10% increase in encrypted attacks on organizations by 2018.

Encrypted Application Layers

When planning protection for encrypted applications, it is important to consider all of the layers that are involved in delivering an application. It is not uncommon for application owners to focus on protecting the encrypted application layer while overlooking the lower layers in the stack which might be vulnerable. In many cases, protection selected for the application layer may itself be vulnerable to transport-layer attacks.

To ensure applications are protected, organizations need to analyze the following Open Systems Interconnection (OSI) layers:

  • Transport — In most encrypted applications, the underlying transport is TCP. TCP attacks come in many forms, so protection must be resilient, at volume, to shield applications from attacks on the TCP layer. Some applications now use QUIC, which uses UDP as the underlying layer and adds reflection and amplification risks to the mix.
  • Session — The SSL/TLS layer itself is vulnerable. Once an SSL/TLS session is created, the server invests about 15 times more compute power than the client, which makes the session layer particularly vulnerable and attractive to attackers.
  • Application — Application attacks are the most complex type of attack, and encryption only makes it harder for security solutions to detect and mitigate them. Attackers often select specific areas in applications to generate a high request-to-load ratio, may attack several resources simultaneously to make detection harder, or may mimic legitimate user behavior in various ways to bypass common application security solutions. The size of an attack surface is determined by the application design. For example, in a login attack, botnets perform multiple login attempts from different sources to try to stress the application. The application login is always encrypted and requires resources on the application side such as a database, authentication gateway or identity service invocation. The attack does not require a high volume of traffic to affect the application, making it very hard to detect.


Environmental Aspects

Organizations also need to consider the overall environment and application structure because it greatly affects the selection of the ideal security design based on a vulnerability assessment.

  • Content Delivery Network — Applications using a content delivery network (CDN) generate a challenge for security controls which are deployed at the origin. Technologies that use the source IP for analyzing client application behavior only see the source IP of the CDN. There is a risk that the solutions will either over mitigate and disrupt legitimate users or become ineffective. High rates of false positives prove that protection based on source IP addresses is pointless. Instead, when using a CDN, the selected security technology should have the right measures to analyze attacks that originate behind it, including device fingerprinting or extraction of the original source from the application headers.
  • Application Programming Interface — Application programming interface (API) usage is common in all applications. According to Radware’s The State of Web Application Security report, a third of attacks against APIs intend to yield a denial-of-service state. The security challenge here comes from the legitimate client side. Many solutions rely on various active user validation techniques to distinguish legitimate users from attackers. These techniques require that a real browser reside at the client. In the case of an API, many times a legitimate browser is not at the client side, so the behavior and legitimate response to various validation challenges is different.
  • Mobile Applications — Like APIs, the client side is not a browser for a mobile application and cannot be expected to behave and respond like one. Mobile applications pose a challenge because they rely on different operating systems and use different browsers. Many security solutions were created based on former standards and common tools and have not yet fully adapted. The fact that mobile apps process a high amount of encrypted traffic increases the capacity and security challenges.
  • Directionality — Many security solutions only inspect inbound traffic to protect against availability threats. Directionality of traffic has significant implications on the protection efficiency because attacks usually target the egress path of the application. In such cases, there might not be an observed change in the incoming traffic profile, but the application might still become unavailable. An effective security solution must process both directions of traffic to protect against sophisticated application attacks.


Regulatory Limitations

A major selection criterion for security solutions is regulatory compliance. In the case of encrypted attacks, compliance requirements examine whether traffic is decrypted, what parts of traffic are decrypted and where the decryption happens. The governing paradigm has always been that the more intrusive the solution, the more effective the security, but that is not necessarily the case here. Solutions show different levels of effectiveness for the same intrusiveness.

Encryption Protocols

The encryption protocol in use has implications for how security can be applied and what types of vulnerabilities it presents. Specifically, TLS 1.3 generates enhanced security from the data privacy perspective but is expected to generate challenges to security solutions which rely on eavesdropping on the encrypted connection. Users planning to upgrade to TLS 1.3 should consider the future resiliency of their solutions.


Attack Patterns

Determining attack patterns is the most important undertaking that organizations must master. Because there are so many layers that are vulnerable, attackers can easily change their tactics mid-attack. The motivation is normally twofold: first, inflicting maximum impact with minimal cost; second, making detection and mitigation difficult.

  • Distribution — The level of attack distribution is very important to the attacker. It impacts the variety of vectors that can be used and makes the job harder for the security controls. Most importantly, the more distributed the attack, the less traffic each attacking source has to generate. That way, behavior can better resemble legitimate users. Gaining control of a large botnet used to be difficult to do and extremely costly. With the growth in the IoT and corresponding IoT botnets, it is common to come across botnets consisting of hundreds of thousands of bots.
  • Overall Attack Rates — The overall attack traffic rate varies from one vector to another. Normally, the lower the layer, the higher the rate. At the application layer, attackers are able to generate low-rate attacks, which still generate significant impact. Security solutions should be able to handle both high- and low-rate attacks, without compromising user experience and SLA.
  • Rate per Attacker — Many security solutions in the availability space rely on the rate per source to detect attackers. This method is not always effective as highly distributed attacks proliferate.
  • Connection Rates — Available attack tools today can be divided into two major classes based on their connection behavior. The first class includes tools that open a single connection and generate many requests on it. The second includes tools that generate many connections with only a single request or very few requests on each connection. Security tools that can analyze connection behavior are more effective in discerning legitimate users from attackers.
  • Session Rates — SSL/TLS session behavior has various distinct behavioral characteristics in legitimate users and browsers. The major target is to optimize performance and user experience. Attack traffic does not usually fully adhere to those norms, so its SSL session behavior is different. The ability to analyze encryption session behavior contributes to protecting both the encryption layer and the underlying application layer.
  • Application Rates — Because the application is the most complex part to attack, attackers have the most degree of freedom when it comes to application behavior. Attack patterns vary greatly from one attack to another in terms of how they appear on application behavior analyses. At the same time, the rate of change in the application itself is very high, such that it cannot be followed manually. Security tools that can automatically analyze a large variety of application aspects and, at the same time, adapt to changes quickly are expected to be more effective in protecting from encrypted application attacks.
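The connection-behavior analysis from the Connection Rates item above, as an added example (not Radware's product logic): per-source connection profiles are built from a constructed request log and separated into the two tool classes the text describes versus browser-like fan-out; the thresholds and source identifiers are assumed values for illustration.

```python
"""Per-source connection-behavior profiling (added example, not Radware's code).

Input: one (source_id, connection_id) pair per request, where source_id is
whatever uniquely identifies the client (a device fingerprint, or an IP when
nothing better is available). Output: a class per source.
"""
from collections import defaultdict
from statistics import mean

# Assumed thresholds (illustrative, not tuned against real traffic).
MAX_REQUESTS_PER_CONN = 100     # one connection carrying more than this looks scripted
MIN_CONNS_FOR_SPRAY = 50        # many connections per source ...
MAX_MEAN_REQUESTS_SPRAY = 1.5   # ... each carrying about one request


def profile_sources(log):
    """Aggregate request counts per connection, then per source."""
    per_conn = defaultdict(lambda: defaultdict(int))
    for src, conn in log:
        per_conn[src][conn] += 1
    stats = {}
    for src, conns in per_conn.items():
        counts = list(conns.values())
        stats[src] = {
            "connections": len(counts),
            "max_requests_per_conn": max(counts),
            "mean_requests_per_conn": mean(counts),
        }
    return stats


def classify(s):
    """Map a source profile onto the two tool classes or browser-like behavior."""
    if s["max_requests_per_conn"] > MAX_REQUESTS_PER_CONN:
        return "single-connection flood"      # class 1: one connection, many requests
    if (s["connections"] >= MIN_CONNS_FOR_SPRAY
            and s["mean_requests_per_conn"] <= MAX_MEAN_REQUESTS_SPRAY):
        return "connection spray"             # class 2: many connections, ~1 request each
    return "browser-like"


def build_sample_log():
    """Constructed log: (source_id, connection_id) pairs, one entry per request."""
    log = []
    # Browser-like client: 6 parallel connections, 5..10 requests each (page fan-out).
    for c in range(6):
        log += [("browser-1", f"b1-{c}")] * (5 + c)
    # Class 1 tool: a single keep-alive connection carrying 500 requests.
    log += [("tool-A", "a-0")] * 500
    # Class 2 tool: 200 separate connections with exactly one request each.
    for c in range(200):
        log.append(("tool-B", f"b-{c}"))
    return log


def run_demo():
    stats = profile_sources(build_sample_log())
    return {src: classify(s) for src, s in stats.items()}


if __name__ == "__main__":
    for src, verdict in run_demo().items():
        print(f"{src}: {verdict}")
```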

End-to-End Protection

Protection from encrypted availability attacks is becoming a mandatory requirement for organizations. At the same time, it is one of the more complex tasks to thoroughly perform without leaving blind spots. When considering a protection strategy, it is important to take into account various aspects of the risk and to make sure that, with all good intentions, the side door is not left open.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.



How Secure Is Your Digital Super Bowl Experience?

January 30, 2019 — by Daniel Smith


Over the last few years I have traveled around the world, researching and watching stadiums digitally evolve from the structures I once knew as a kid. I grew up watching the San Diego Chargers play in what was then called Jack Murphy Stadium and now find myself looking at stadiums from a totally different perspective.

As Super Bowl 53 approaches, my attention, along with Radware’s ERT, turns to the crowds and the target-rich environments created by high-profile sporting events. This Super Bowl, like years before, will once again bring large crowds that demand connectivity and are expected to consume record-breaking volumes this year. Extreme Networks reported that last year’s attendees at Super Bowl 52 in Minnesota transferred 16.32 Terabytes of data with a peak rate of 7.867 Gbps! This is an enormous demand for connectivity, and the technology involved could pose a security risk for event organizers, partners, sponsors and attendees as their activities in the stadium begin to produce more digital oil: data.

A Seamless Digital Game Day Experience

There are few sporting events in the world as large as the Super Bowl. Last year there was an estimated 103 million viewers. The Super Bowl generates a lot of excitement from media, fans and the public. Beyond the hype of the game itself, there is a variety of multimedia technology available to fans, providing a more immersive and interactive experience. These experiences include Super Bowl Live, a 6-day series of concerts and events in Centennial Olympic Park in Downtown Atlanta, and the Super Bowl Experience, an 8-day event full of exhibits and interactive games inside the Georgia World Congress Center. Other events also include the Verizon Experience, which will showcase how 5G wireless technology will change the fan experience in stadiums going forward (something I’m personally looking forward to seeing).

To ensure Super Bowl attendees have a seamless digital experience, the NFL, Georgia World Congress Center, AMB Sports and Entertainment Group, and leading wireless carriers have made major investments into the construction and deployment of the current networks surrounding the stadium in order to maintain a high quality of service for the attendees and vendors at the Super Bowl. The stadium provides 15,000 Ethernet ports, 1,800 access points and a Distributed Antenna System (DAS) for enhanced cellular coverage. The DAS is owned by the stadium and rented out to the four major US cellular carriers for additional coverage. The stadium’s Wi-Fi is also provided by AT&T and consists of two redundant 40Gb connections. The stadium also contains 2,000 IPTVs for delivering game content provided by AT&T’s DirecTV. These features and this network help ensure fans can watch, eat, share, download and communicate their game day experience with others.

When it comes to planning for the future, the stadium has pulled its fiber optics as close to the access points as possible, terminating in mini intermediate distribution frames (IDFs) throughout the stadium. The network gear is from Aruba and Hewlett Packard Enterprise, while others involved with the network include IBM, Corning and ThinkAmp. Recently, IBM and Corning built one of the more technologically advanced stadiums, with a blazing fast network, for Texas A&M.

Wireless Access Point Under Stadium Seating

What’s more, Mercedes-Benz Stadium also promotes a mobile app. While this app is not as cutting edge as the one for Levi’s Stadium, for example, it does include information about the stadium, news and scores, as well as viewing, buying and transferring tickets and parking.

Assessing The Risks

There is always a potential risk at large sporting events like the Super Bowl. Even the smallest network outage could leave attendees unable to use their digital tickets to enter the game. Organizations such as the NFL, Patriots, Rams, Georgia World Congress Center, AMB Sports and Entertainment Group, wireless carriers, IBM Cloud, AT&T network or media outlets, as well as those considered partners, sponsors or supporters of Super Bowl 53, should take extra precautions and have an emergency plan in place.

For the Super Bowl, most cybercriminals will be focused on identity and financial theft in the days leading up to the game. These attacks will often be baited with promotions for Super Bowl tickets or a trip giveaway to Atlanta.

One of the other concerns at the Super Bowl will surround protecting critical applications and networks that support the events, hosted both locally and in the cloud. Broadcast networks, industrial control systems, civil-service networks and other related systems are all at risk as well. While there hasn’t been a recent attack of scale reported against the Super Bowl, last year we did witness a piece of malware named Olympic Destroyer that targeted and disrupted the opening ceremonies and entry into the 2018 Winter Olympics.

Indeed, major sporting events create a platform for cybercrime, though recently most cybercriminals have been focused on identity theft by spreading, in a number of ways, malicious software designed to harvest and steal personal information. Today’s High Density (HD) stadiums, theaters, arenas and amphitheaters require small cells, Wi-Fi and DAS deployments to serve their demanding environment. Often, the technologies designed to enhance the spectators’ experience, such as Wi-Fi, Bluetooth and other digital services, are easily exploited to harvest information from attendees.

Protect Yourself

Technology can provide a more immersive and rewarding experience for fans, but it also creates problems and security risks for those managing the event. Here are a few tips to consider if you’ll be joining me in the chaos next weekend in Atlanta for Super Bowl 53.

  • Charge your phone; you’re going to need that power to capture the experience
  • Ensure your phone is updated with the latest operating system
  • Disable Bluetooth when not in use
  • Disable Wi-Fi when not in use
  • Use the official event Wi-Fi, ‘attwifi’, when your device is in use (there will be no portal or advertisements; just join to connect)
  • Always use a VPN when using public Wi-Fi
  • Be careful when using ATMs – Understand how to spot and avoid card skimmers gathering card data.
  • Exercise caution when presented with pop-ups while browsing
  • Avoid NFL-related scams delivered via email.


How Cyberattacks Directly Impact Your Brand: New Radware Report

January 15, 2019 — by Ben Zilberman


Whether you’re an executive or practitioner, brimming with business acumen or tech savviness, your job is to preserve and grow your company’s brand. Brand equity relies heavily on customer trust, which can take years to build and only moments to demolish. 2018’s cyber threat landscape demonstrates this clearly; the delicate relationship between organizations and their customers is in hackers’ crosshairs and suffers during a successful cyberattack. Make no mistake: Leaders who undervalue customer trust–who do not secure an optimized customer experience or adequately safeguard sensitive data–will feel the sting in their balance sheet, brand reputation and even their job security.

Radware’s 2018-2019 Global Application and Network Security report builds upon a worldwide industry survey encompassing 790 business and security executives and professionals from different countries, industries and company sizes. It also features original Radware threat research, including an analysis of emerging trends in both defensive and offensive technologies. Here, I discuss key takeaways.

Repercussions of Compromising Customer Trust

Without question, cyberattacks are a viable threat to operating expenditures (OPEX). This past year alone, the average estimated cost of an attack grew by 52% and now exceeds $1 million (the number of estimations above $1 million increased 60%). For those organizations that formalized a real calculation process rather than merely estimate the cost, that number is even higher, averaging $1.67 million.

Despite these mounting costs, three in four have no formalized procedure to assess the business impact of a cyberattack against their organization. This becomes particularly troubling when you consider that most organizations have experienced some type of attack within the course of a year (only 7% of respondents claim not to have experienced an attack at all), with 21% reporting daily attacks, a significant rise from 13% last year.

There is quite a range in cost evaluation across different verticals. Those who report the highest damage are retail and high-tech, while education stands out with its extremely low financial impact estimation:

Repercussions can vary: 43% report a negative customer experience, 37% suffered brand reputation loss and one in four lost customers. The most common consequence was loss of productivity, reported by 54% of survey respondents. For small-to-medium sized businesses, the outcome can be particularly severe, as these organizations typically lack sufficient protection measures and know-how.

It would behoove all businesses, regardless of size, to consider the following:

  • Direct costs: Extended labor, investigations, audits, software patches development, etc.
  • Indirect costs: Crisis management, fines, customer compensation, legal expenses, share value
  • Prevention: Emergency response and disaster recovery plans, hardening endpoints, servers and cloud workloads

Risk Exposure Grows with Multi-Dimensional Complexity

As the cost of cyberattacks grows, so does the complexity. Information networks today are amorphous. In public clouds, they undergo a constant metamorphosis, where instances of software entities and components are created, run and disappear. We are marching towards the no-visibility era, and as complexity grows it will become harder for business executives to analyze potential risks.

The increase in complexity immediately translates to a larger attack surface, or in other words, a greater risk exposure. DevOps organizations benefit from advanced automation tools that set up environments in seconds, allocate necessary resources, provision and integrate with each other through REST APIs, providing a faster time to market for application services with minimal human intervention. However, these tools are processing sensitive data and cannot defend themselves from attacks.

Protect your Customer Experience

The report found that the primary goal of cyber-attacks is service disruption, followed by data theft. Cyber criminals understand that service disruptions result in a negative customer experience, and to this end, they utilize a broad set of techniques. Common methods include bursts of high traffic volume, usage of encrypted traffic to overwhelm security solutions’ resource consumption, and crypto-jacking that reduces the productivity of servers and endpoints by enslaving their CPUs for the sake of mining cryptocurrencies. Indeed, 44% of organizations surveyed suffered either ransom attacks or crypto-mining by cyber criminals looking for easy profits.

What’s more, attack tools became more effective in the past year; the number of outages grew by 15% and more than half saw slowdowns in productivity. Application layer attacks—which cause the most harm—continue to be the preferred vector for DDoSers over the network layer. It naturally follows, then, that 34% view application vulnerabilities as the biggest threat in 2019.

Essential Protection Strategies

Businesses understand the seriousness of the changing threat landscape and are taking steps to protect their digital assets. However, some tasks, such as protecting a growing number of cloud workloads or discerning a malicious bot from a legitimate one, require leveling up the defense. Security solutions must support and enable business processes, and as such should be dynamic, elastic and automated.

Analyzing the 2018 threat landscape, Radware recommends the following essential security solution capabilities:

  1. Machine Learning: As hackers leverage advanced tools, organizations must minimize false positives in order to preserve the customer experience. This can be achieved with machine-learning capabilities that analyze large data samples for maximum accuracy (nearly half of survey respondents point to security as the driver for exploring machine-learning based technologies).
  2. Automation: When so many processes are automated, the protected objects constantly change, and attackers quickly change lanes, trying a different vector every time. As such, a security solution must be able to detect and mitigate a threat immediately. Solutions based on machine learning should be able to auto-tune security policies.
  3. Real Time Intelligence: Cyber criminals can disguise themselves in many forms. Compromised devices sometimes make legitimate requests, while at other times they are malicious. Clients behind a CDN or NAT share one source address with many legitimate users, so they cannot be blocked on IP reputation alone, and static heuristics in general are becoming useless. Instead, actionable, accurate real-time information can reveal malicious activity as it emerges and protect businesses and their customers, especially when it relies on analysis and qualification of events from multiple sources.
  4. Security Experts: Keep human supervision for the moments when the pain is real. Human intervention is required in advanced attacks or when the learning process requires tuning. Because not every organization can maintain the know-how in-house at all times, having an expert from a trusted partner or security vendor on call is a good idea.

It is critical for organizations to incorporate cybersecurity into their long-term growth plans. Securing digital assets can no longer be delegated solely to the IT department. Rather, security planning needs to be infused into new product and service offerings, development plans and new business initiatives. CEOs and executive teams must lead the way in setting the tone and invest in securing their customers’ experience and trust.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.


10 Most Popular Blogs of 2018

December 27, 2018 — by Radware


Between large scale cyberattacks, the implementation of GDPR and increasing popularity of smart home technologies (and their associated vulnerabilities), we had a lot to write about this year. Of the hundreds of blogs we published in 2018, several floated to the top in terms of readership. Below, we recap the ten most popular blogs of 2018.

Consumer Sentiments About Cybersecurity and What It Means for Your Organization

Over the past six months, the data breaches at companies such as Panera Bread, Delta Airlines, Sears, and Saks have proven that we live in an age where cyberattacks and data breaches are commonplace. The result? Cybersecurity is no longer just a topic of conversation for tech gurus and IT personnel. It has transitioned into the mainstream conversation and has become a concern of the masses. Consumers now want to know whether the organizations they do business with are proactive about safeguarding their information, and how they will fix it if a breach does occur. Read more…

New Threat Landscape Gives Birth to New Way of Handling Cyber Security

With the growing online availability of attack tools and services, the pool of possible attacks is larger than ever. Let’s face it, getting ready for the next cyber-attack is the new normal! This ‘readiness’ is a new organizational tax on nearly every employed individual throughout the world. Attackers, meanwhile, have reached a level of maturity and efficiency that takes advantage of the increased value and vulnerability of online targets, resulting in a dramatic increase in attack frequency, complexity and size. Read more…

The Evolution of IoT Attacks

IoT devices are nothing new, but the attacks against them are. They are evolving at a rapid rate as the growth in connected devices continues and shows no sign of letting up. One of the reasons IoT devices have become so popular in recent years is the evolution of cloud and data processing, which gives manufacturers cheaper ways to create even more ‘things’. Before this evolution, there weren’t many options for manufacturers to cost-effectively store and process device data in a cloud or data center, so older IoT devices sometimes had to store and process data locally. Today there are solutions for everyone, and we continue to see more items that are always on and do not have to store or process data locally. Read more…

Are Your Applications Secure?

As we close out a year of headline-grabbing data breaches (British Airways, Under Armour, Panera Bread), the introduction of GDPR and the emergence of new application development architectures and frameworks, Radware examined the state of application security in its latest report. This global survey of executives and IT professionals yielded insights about threats, concerns and application security strategies. Read more…

Snapshot of the Most Important Worldwide Cybersecurity Laws, Regulations, Directives and Standards

Are you out of breath from the breakneck pace of cyberattacks since the start of 2018? Throughout the world, nearly daily news reports have detailed the results of incredibly effective cyberattacks on targets ranging from small companies to nation-states. The sum total of these attacks has permanently and dramatically changed the information security threat landscape. This change hasn’t gone unnoticed by regulators, and now, depending on where your business operates, you have accrued even more work to demonstrate your diligence against these threats. Read more…

Credential Stuffing Campaign Targets Financial Services

Over the last few weeks, Radware has been tracking a significant credential stuffing campaign targeting the financial industry in the United States and Europe. Credential stuffing is an emerging threat in 2018 that continues to accelerate as more breaches occur. Today, a breach doesn’t just impact the compromised organization and its users; it also affects every other website where those users reused the same credentials. Read more…
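As an added example, not part of the original post, the following Python sketches the detection logic that separates a credential stuffing campaign from ordinary failed logins and from single-account password brute force: many distinct usernames tried from one source in a short window, a high failure rate, and the occasional success that marks a reused password. The log format and every sample line are constructed for the example, and the thresholds are assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data). Assumed format:
#   <ISO-8601 UTC timestamp> login user=<name> src=<ip> result=<ok|fail>
# 198.51.100.4 is a normal user, 203.0.113.7 is a credential stuffing source
# (six different usernames, one of which works), and 192.0.2.9 is a password
# brute force against a single account, which this detector should NOT flag.
SAMPLE_LOG = """\
2018-11-02T10:00:01Z login user=alice src=198.51.100.4 result=ok
2018-11-02T10:00:05Z login user=bob src=198.51.100.4 result=fail
2018-11-02T10:00:06Z login user=bob src=198.51.100.4 result=ok
2018-11-02T10:01:00Z login user=carol src=203.0.113.7 result=fail
2018-11-02T10:01:01Z login user=dave src=203.0.113.7 result=fail
2018-11-02T10:01:02Z login user=erin src=203.0.113.7 result=fail
2018-11-02T10:01:03Z login user=frank src=203.0.113.7 result=fail
2018-11-02T10:01:04Z login user=grace src=203.0.113.7 result=ok
2018-11-02T10:01:05Z login user=heidi src=203.0.113.7 result=fail
2018-11-02T10:30:00Z login user=ivan src=192.0.2.9 result=fail
2018-11-02T10:30:02Z login user=ivan src=192.0.2.9 result=fail
2018-11-02T10:30:04Z login user=ivan src=192.0.2.9 result=fail
2018-11-02T10:30:06Z login user=ivan src=192.0.2.9 result=fail
2018-11-02T10:30:08Z login user=ivan src=192.0.2.9 result=fail
2018-11-02T10:30:10Z login user=ivan src=192.0.2.9 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "ok": m["result"] == "ok"}


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_attempts=5,
                               min_distinct_users=4, min_fail_ratio=0.6):
    """Sliding-window detector keyed on source address.

    Credential stuffing replays leaked username/password pairs, so within a
    short window one source tries many *distinct* usernames, each once or
    twice, and most attempts fail. Password brute force against one account
    has the same failure rate but only one username, so the distinct-user
    threshold keeps it out of this alert. Returns one alert per offending
    source, including the accounts where a replayed credential worked (those
    need a forced password reset).
    """
    per_src = defaultdict(deque)  # src -> deque of (ts, user, ok) inside the window
    alerts = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        q = per_src[ev["src"]]
        q.append((ev["ts"], ev["user"], ev["ok"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        attempts = len(q)
        distinct_users = {u for _, u, _ in q}
        failures = sum(1 for _, _, ok in q if not ok)
        if (attempts >= min_attempts and len(distinct_users) >= min_distinct_users
                and failures / attempts >= min_fail_ratio):
            alerts[ev["src"]] = {
                "src": ev["src"],
                "attempts": attempts,
                "distinct_users": len(distinct_users),
                "failures": failures,
                "compromised": sorted(u for _, u, ok in q if ok),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying on the source address alone is a starting point, not a finished detector. Attackers rotate through proxies to stay under any per-address threshold, and legitimate users behind a shared NAT or a CDN egress produce the same "many users from one address" shape, which is the point made above about IP reputation; in practice you would add a client fingerprint to the key and also watch the account-side failure rate across the whole user population.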

Is My Smart Home Telling People What I Do Every Day?

The overall smart home market is expected to grow to over $50 billion by 2022. Already 1 in 4 U.S. households has some kind of smart device in their home. With all the smart thermostats, smart fridges, smart light bulbs, smart doors and windows, personal assistants, and smart home surveillance, internet-connected home devices are rapidly stacking up in U.S. households. These devices are adding convenience and efficiency, but are they safe? Read more…

Machine Learning Algorithms for Zero Time to Mitigation

Effective DDoS protection combines machine-learning algorithms with negative and positive protection models, as well as rate limiting. The combination of these techniques ensures zero time to mitigation and requires little human intervention. Read more…

Cybersecurity & The Customer Experience: The Perfect Combination

Organizations have long embraced the customer experience and declared it a competitive differentiator. Many executives are quick to focus on the benefits of a loyal-centric strategy and companies now go to great lengths to communicate their organization’s customer centricity to retain existing customers and attract new ones. But where is cybersecurity in this discussion? Read more…

Nigelthorn Malware Abuses Chrome Extensions to Cryptomine and Steal Data

On May 3, 2018, Radware’s cloud malware protection service detected a zero-day malware threat at one of its customers, a global manufacturing firm, by using machine-learning algorithms. This malware campaign is propagating via socially-engineered links on Facebook and is infecting users by abusing a Google Chrome extension (the ‘Nigelify’ application) that performs credential theft, cryptomining, click fraud and more. Read more…

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.


2018 In Review: Healthcare Under Attack

December 12, 2018 — by Daniel Smith


Radware’s ERT and Threat Research Center monitored an immense number of events over the last year, giving us a chance to review and analyze attack patterns to gain further insight into today’s trends and changes in the attack landscape. Here are some insights into what we have observed over the last year.

Healthcare Under Attack

Over the last decade there has been a dramatic digital transformation within healthcare; more facilities are relying on electronic forms and online processes to help improve and streamline the patient experience. As a result, the medical industry has new responsibilities and priorities to ensure client data is kept secure and available, which unfortunately aren’t always met.

This year, the healthcare industry dominated news with an ever-growing list of breaches and attacks. Aetna, CarePlus, Partners Healthcare, BJC Healthcare, St. Peter’s Surgery and Endoscopy Center, ATI Physical Therapy, Inogen, UnityPoint Health, Nuance Communications, LifeBridge Health, Aultman Health Foundation, Med Associates and more recently Nashville Metro Public Health, UMC Physicians, and LabCorp Diagnostics have all disclosed or settled major breaches.

[You may also like: 2019 Predictions: Will Cyber Serenity Soon Be a Thing of the Past?]

Generally speaking, the risk of falling prey to data breaches is high, due to password sharing, outdated and unpatched software, or exposed and vulnerable servers. When you look at medical facilities in particular, other risks begin to appear, like those surrounding the number of hospital employees who have full or partial access to your health records during your stay there. The possibility of a malicious insider or abuse of access is also very high, as is the risk of third-party breaches. For example, it was recently disclosed that NHS patient records may have been exposed when passwords were stolen from Embrace Learning, a training business used by healthcare workers to learn about data protection.

Profiting From Medical Data

These recent cyber-attacks targeting the healthcare industry underscore the growing threat to hospitals, medical institutions and insurance companies around the world. So, what’s driving the trend? Profit. Personal data, specifically healthcare records, is in demand and quite valuable on today’s black market, often fetching more money per record than financial records, and is a crucial part of today’s Fullz packages sold by cyber criminals.

Not only are criminals exfiltrating patient data and selling it for a profit, but others have opted to encrypt medical records with ransomware or hold the data hostage until their extortion demand is met. Hospitals are often quick to pay an extortionist because backups are non-existent, or because restoring services would take too long. Because of this, cyber-criminals focus on this industry.

[You may also like: How Secure is Your Medical Data?]

Most of the attacks targeting the medical industry are ransomware attacks, often delivered via phishing campaigns. There have also been cases where ransomware and malware were delivered via drive-by downloads and compromised third-party vendors. We have also seen criminals use SQL injection to steal data from medical applications, as well as flooding those networks with DDoS attacks. More recently, we have seen large-scale scanning and exploitation of internet-connected devices for the purpose of crypto mining, some of which were located inside medical networks. In addition to causing outages and encrypting data, these attacks have resulted in cancelled elective cases, diverted incoming patients and rescheduled surgeries.

For-profit hackers will target and launch a number of different attacks against medical networks designed to obtain and steal your personal information from vulnerable or exposed databases. They are looking for a complete or partial set of information such as name, date of birth, Social Security numbers, diagnosis or treatment information, Medicare or Medicaid identification number, medical record number, billing/claims information, health insurance information, disability code, birth or marriage certificate information, Employer Identification Number, driver’s license numbers, passport information, banking or financial account numbers, and usernames and passwords so they can resell that information for a profit.

[You may also like: Fraud on the Darknet: How to Own Over 1 Million Usernames and Passwords]

Sometimes the data obtained by the criminal is incomplete, but that data can be leveraged as a stepping stone to gather additional information. Criminals can use partial information to create a spear-phishing kit designed to gain your trust by citing a piece of personal information as bait. And they’ll move very quickly once they gain access to PHI or payment information. Criminals will normally sell the information obtained, even if incomplete, in bulk or in packages on private forums to other criminals who have the ability to complete the Fullz package or quickly cash the accounts out. Stolen data will also find its way to public auctions and marketplaces on the dark net, where sellers try to get the highest price possible for data or gain attention and notoriety for the hack.

Don’t let healthcare data slip through the cracks; be prepared.

Read “Radware’s 2018 Web Application Security Report” to learn more.


Growing Your Business: Millennials and M-Commerce

December 6, 2018 — by Mike O'Malley


Millennials are the largest generation in the U.S. labor force—a position they’ve held since 2016—and they’re involved in the majority (73%) of B2B purchasing decisions. Raised in the age of the Internet, they’re digital natives and easily adopt and adapt to new technologies. And mobile apps are their lifelines.

Why does this matter? Well, when you combine Millennials’ tech savviness with their business acumen, their clout in a digital economy comes into focus. As both decision-makers and connoisseurs of mobile technology, they can make or break you in a low-growth economy if your business model doesn’t square with their preferences.

In other words, if you’re not embracing mobile commerce, you may soon be ancient history. This generation has little-to-no use for brick-and-mortar storefronts, banks, etc., instead preferring to use apps for shopping, financial transactions and more.

Of course, making m-commerce a linchpin of your business model isn’t risk free; cybersecurity concerns are of critical importance. Increasingly, personal data protection is tied directly to consumer loyalty to a particular brand, and Millennials in particular care about how their data is used and safeguarded.

You Can’t Rush Greatness

While Millennials are renowned for an “I want it fast, and I want it now” attitude (which explains why 63% of them use their smartphone to shop every day, versus trekking to a store), the biggest mistake you can make is overlooking security in a rush to roll out a mobile strategy.

The fact is, vulnerabilities on m-commerce platforms can result in severe financial impacts; the average cost of a corporate data breach is $3.86 million. If a mobile app or mobile responsive e-commerce site is hit by an application attack, for example, short-term profit loss (which can escalate quickly) and longer-term reputation loss are serious risks. And as we move into 2019, there are several mobile security threats that we need to take seriously.

[You may also like: Are Your Applications Secure?]

Baking cybersecurity into your mobile strategy, as a core component rather than an add-on, is without question necessary. The reasons are manifold: For one thing, mobile devices (where your app primarily lives) are more susceptible to attacks. Secondly, mobile commerce websites are often implemented without a web application firewall to protect them. Thirdly, Millennials’ reliance on m-commerce, both as B2B and B2C consumers, means you stand to lose significant business if your app or website goes “down.” And finally, Millennials are security conscious.

Securing the Secure Customer Experience

So how can you help ensure your m-commerce platform, and thereby your Millennial customer base, is secure? A number of ways:

  • Guard your app’s code from the get-go. Test the code for vulnerabilities, ensure it’s easy to patch, and protect it with encryption.
  • Consider a Web Application Firewall (WAF) to secure your APIs and your website.
  • Run real-time threat analytics.
  • Be mindful of how customer data is stored and secured. (Don’t pull an Uber and store data unencrypted!)
  • Patch often. Because security threats evolve constantly, so must your security patches! Just ask Equifax about the importance of patching…

[You may also like: Growing Your Business: Security as an Expectation]

Of course, this isn’t an exhaustive list of proactive security measures you can take, but it’s a good start. As I’ve said time and time again, in an increasingly insecure world where security and availability are the cornerstones of the digital consumer, cybersecurity should never be placed on the back burner of company priorities. Don’t wait for an attack to up your security game. At that point, trust is broken with your Millennial customer base and your business is in trouble. Be proactive. Always.

Read “Radware’s 2018 Web Application Security Report” to learn more.


Protecting Applications in a Serverless Architecture

November 8, 2018 — by Ben Zilberman


Serverless architectures are revolutionizing the way organizations procure and use enterprise technology. Until recently, information security architecture was relatively simple; you built a fortress around a server containing sensitive data, and deployed security solutions to control the flow of users accessing and leaving that server.

But how do you secure a serverless environment?

The Basics of Serverless Architecture

Serverless architecture is an emerging trend in cloud-hosted environments and refers to applications that depend significantly on third-party services (known as Backend-as-a-Service or “BaaS”) or on custom code that runs in ephemeral containers (known as Function-as-a-Service or “FaaS”). And it is significantly more cost effective than buying or renting servers.

The rapid adoption of micro-efficiency-based pricing models (a.k.a PPU, or pay-per-use) pushes public cloud providers to introduce a business model that meets this requirement. Serverless computing helps providers optimize that model by dynamically managing the allocation of machine resources. As a result, organizations pay based on the actual amount of resources their applications consume, rather than ponying up for pre-purchased units of workload capacity (which is usually higher than what they utilize in reality).

What’s more, going serverless also frees developers and operators from the burdens of provisioning the cloud workload and infrastructure. There is no need to deploy operating systems and patch them, no need to install and configure web servers, and no need to set up or tune auto-scaling policies and systems.

[You may also like: Application Delivery and Application Security Should be Combined]

Security Implications of Going Serverless

The new serverless model forces a complete change in architecture: nano-services made up of many small software ‘particles.’ The operational unit is a set of function containers that execute REST API functions, invoked upon a relevant client-side event. These function instances are created, run and then terminated. During their run time, they receive, modify and send information that organizations want to monitor and protect. The protection should be dynamic and swift:

  • There is no perimeter or OS to secure.
  • Agents and a persistent footprint become redundant.
  • To optimize the business model, the solution must be scalable and ephemeral; automation is the key to success.

If we break down our application into components that run in a serverless model, the platform that runs the APIs uses different layers of code to parse the requests, essentially enlarging the attack surface. That part of the stack is no longer the enterprise’s to patch; it’s the cloud provider’s. Unfortunately, even providers sometimes lag in patch management and workload hardening. And will your DevOps team read all of the cloud provider’s documentation in detail? Most likely they’ll go with generic, overly broad permissions. If you want something done right, you had better do it yourself.

Serverless computing doesn’t eradicate all traditional security concerns. Application-level vulnerabilities can still be exploited—with attacks carried out by human hackers or bots—whether they are inherent in the FaaS infrastructure or in the developer function code.

When using a FaaS model, the lack of local persistent storage encourages data transfer between the function and the different persistent storage services (e.g., S3 and DynamoDB by AWS) instead. Additionally, each function eventually processes data received from storage, the client application or from a different function. Every time it’s moved, it becomes vulnerable to leakage or tampering.

In such an environment it is impossible to track all potential and actual security events by hand. One can’t follow each function’s operation to prevent it from accessing the wrong resources. Visibility and forensics must be automated and perform real-time contextual analysis. But the question is not whether to use serverless because it is more or less secure. Rather, the question is how to do it securely when your organization goes there.

[You may also like: Web Application Security in a Digitally Connected World]

A New Approach

Simply put, going serverless requires a completely different security approach—one that is dynamic, elastic, and real-time. The security components must be able to move around at the same pace as the applications, functions and data they protect.

First things first: To help avoid code exploitation (which is what attacks boil down to), encrypt data in transit and at rest, grant each function only the minimum permissions it needs by default, and monitor the function’s activity and data access. Abnormal function behavior, such as unexpected access to data or an unreasonable traffic flow, must be analyzed.
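To make “minimum permissions by default” concrete, here is an added Python example, not code from the original post or from any cloud provider, that lints the IAM policy document attached to a function. It flags Allow statements with a wildcard action, a service-wide wildcard such as s3:*, a wildcard resource, and the handful of IAM/STS actions that are well-known privilege-escalation paths. The three policies are constructed for the example, and the bucket, table and account identifiers in them are placeholders.

```python
import json

# Constructed example policies (not from the original post). The shape is the
# standard IAM policy document; bucket, table and account IDs are placeholders.

# Everything on everything: what a function gets when nobody writes a policy.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# The "generic permissions" case: the function only reads one bucket and writes
# one table, but was granted every S3 and DynamoDB action on every resource,
# plus iam:PassRole, which lets it hand a more powerful role to other services.
GENERIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "dynamodb:*", "iam:PassRole"],
                   "Resource": "*"}],
})

# Least privilege: exactly the two actions the function performs, each bound
# to the single resource it touches.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-orders-bucket/incoming/*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-orders"},
    ],
})

# IAM/STS actions that let a principal grant itself, or a resource it controls,
# more access than the policy under review appears to give. Compared lowercase
# because IAM action names are case-insensitive.
ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createpolicyversion", "iam:attachrolepolicy",
    "iam:putrolepolicy", "iam:createaccesskey", "sts:assumerole",
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return (statement_index, finding) pairs for Allow statements broader
    than a single function should need. An empty list means the policy passes
    this check; it does not prove the policy is minimal."""
    doc = json.loads(policy_json)
    findings = []
    for i, statement in enumerate(_as_list(doc.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        for action in _as_list(statement.get("Action", [])):
            lowered = action.lower()
            if action == "*":
                findings.append((i, "wildcard action '*'"))
            elif lowered.endswith(":*"):
                findings.append((i, f"service-wide wildcard action '{action}'"))
            elif lowered in ESCALATION_ACTIONS:
                findings.append((i, f"privilege-escalation action '{action}'"))
        for resource in _as_list(statement.get("Resource", [])):
            if resource == "*":
                findings.append((i, "wildcard resource '*'"))
    return findings


def is_least_privilege(policy_json):
    """True when the linter has nothing to report."""
    return lint_policy(policy_json) == []


if __name__ == "__main__":
    for name, policy in [("broad", BROAD_POLICY), ("generic", GENERIC_POLICY),
                         ("scoped", SCOPED_POLICY)]:
        print(name, lint_policy(policy) or "ok")
```

A check like this belongs in the deployment pipeline as a gate, not as a substitute for review: a few actions legitimately need a resource of “*” (listing buckets, for example), and this linter does not evaluate NotAction, NotResource or Condition blocks, so a policy it passes still has to be read by a human before a function handling sensitive data goes live.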

Next, consider additional measures, like a web application firewall (WAF), to secure your APIs. While an API gateway can manage authentication and enforce JSON and XML validity checks, not all API gateways support schema and structure validation, nor do they provide the full coverage of the OWASP Top 10 vulnerabilities that a WAF does. WAFs apply dozens of protection measures on both inbound and outbound traffic, which is parsed to detect protocol manipulations. Client-side inputs are validated and thousands of rules are applied to detect various injection attacks, XSS, remote file inclusion, insecure direct object references and many more.

[You may also like: Taking Stock of Application-Layer Security Threats]

In addition to detecting known attacks, for the purposes of zero-day attack protection and comprehensive application security, a high-end WAF allows strict policy enforcement where each function can have its own parameters whitelisted: the recommended approach when deploying a function that processes sensitive data or mission-critical business logic.
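The per-function parameter whitelist is a positive security model: rather than matching requests against signatures of known attacks, each function declares the only parameters it accepts and the exact shape each one must have, and everything else is rejected. The following is an added Python example of that model, not code from the original post or from any WAF product; the function names, fields and constraints are hypothetical, and the sample events are constructed.

```python
import re

# Per-function allowlist: the only parameters each function accepts, with the
# exact type and value constraints every one must satisfy. Anything not listed
# is rejected. Function names, fields and constraints are hypothetical.
ALLOWLIST = {
    "create_order": {
        "sku":      {"type": str, "pattern": r"^[A-Z0-9-]{4,16}$", "required": True},
        "quantity": {"type": int, "min": 1, "max": 100, "required": True},
        "note":     {"type": str, "max_len": 200, "required": False},
    },
    "get_order": {
        "order_id": {"type": str, "pattern": r"^[0-9a-f]{32}$", "required": True},
    },
}


class ValidationError(ValueError):
    """Raised for any parameter that is not explicitly allowed."""


def validate_event(function_name, params):
    """Return the cleaned parameters for function_name, or raise ValidationError.

    Unknown functions, unknown fields, missing required fields, wrong types and
    out-of-shape values are all rejected. Only fields present in the allowlist
    are copied to the result, so the function never sees anything unexpected.
    """
    spec = ALLOWLIST.get(function_name)
    if spec is None:
        raise ValidationError(f"unknown function {function_name!r}")
    unknown = set(params) - set(spec)
    if unknown:
        raise ValidationError(f"unexpected parameter(s): {sorted(unknown)}")
    clean = {}
    for name, rule in spec.items():
        if name not in params:
            if rule.get("required"):
                raise ValidationError(f"missing required parameter {name!r}")
            continue
        value = params[name]
        # Exact type check: bool is a subclass of int in Python, and "2" is not 2,
        # so isinstance() would be too lenient for a positive model.
        if type(value) is not rule["type"]:
            raise ValidationError(f"{name}: expected {rule['type'].__name__}")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            raise ValidationError(f"{name}: value does not match allowed pattern")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError(f"{name}: longer than {rule['max_len']} characters")
        if "min" in rule and value < rule["min"]:
            raise ValidationError(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            raise ValidationError(f"{name}: above maximum {rule['max']}")
        clean[name] = value
    return clean


def check(function_name, params):
    """Convenience wrapper: (True, cleaned_params) or (False, reason)."""
    try:
        return True, validate_event(function_name, params)
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample events: one legitimate, one SQL-injection-shaped SKU,
    # one smuggling an extra privilege flag the function never declared.
    for event in [
        {"sku": "AB-1234", "quantity": 2},
        {"sku": "' OR 1=1 --", "quantity": 2},
        {"sku": "AB-1234", "quantity": 2, "is_admin": True},
    ]:
        print(event, "->", check("create_order", event))
```

Rejecting unknown parameters is what catches the attacks a negative model has no signature for, such as an extra privilege flag smuggled into an order request; the price is that the allowlist has to change whenever the function’s contract does, which is why the approach suits stable functions handling sensitive data better than ones whose interface is still moving.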

And—this is critical—continue to mitigate for DDoS attacks. Going serverless does not eliminate the potential for falling susceptible to these attacks, which have changed dramatically over the past few years. Make no mistake: With the growing online availability of attack tools and services, the pool of possible attacks is larger than ever.

Read “Radware’s 2018 Web Application Security Report” to learn more.


The Million-Dollar Question of Cyber-Risk: Invest Now or Pay Later?

October 30, 2018 — by Radware


Cybersecurity is often an afterthought. Executives are quick to focus on the endgame benefits of customer-centric strategies, digital transformation, mobility, IoT and cloud computing, yet cybersecurity often falls by the wayside compared to these strategic initiatives. In fact, many executives view cybersecurity strictly as a cost center.

This cost-savings, bolt-on approach to implementing cybersecurity might yield short-term financial savings that leave the finance department feeling good. But it also leaves organizations in a “pay me now, pay me later” scenario that runs the risk of significant financial loss and damage to customer satisfaction and market reputation in the long run. Resulting breaches devalue and compromise any digital transformation and/or customer-facing programs, resulting in lost time, money and, most importantly, customer faith.

In an increasingly insecure world where security and availability are the cornerstones of the digital consumer, organizations must reevaluate how they balance the investment versus risk equation and alter how and when they implement cybersecurity.

THE TRUE COST OF A CYBERATTACK/DATA BREACH

To understand just how detrimental this approach can be to the long-term health of an organization requires a grasp of the true cost of a cyberattack and any resulting data breaches. Sadly, these types of statistics are often poorly understood by organizations. According to Radware, 80 percent of organizations don’t calculate the cost of cyberattacks. You can’t manage what you don’t measure.

Ultimately, cyberattacks are far more expensive than organizations realize. Not only in monetary costs but also by damage incurred to brand reputation, operational expenses and, most importantly, the impact on the customer experience.

As a starting point, cyberattacks cost, on average, more than 1 million USD/EUR, according to 40 percent of global executives. This figure represents the actual operational costs associated with “cleaning up” an attack. Five percent of executives estimate this cost to be more than 25 million USD/EUR. But these figures only represent the tip of the iceberg.

The larger, more damaging effect is the impact on customer loyalty and trust, brand damage and a wide array of other “hidden costs.” According to executives, the top three impacts from a cyberattack are:

  • 41% Customer loss
  • 34% Brand reputation loss
  • 34% Productivity/operational loss

Specifically, there is a high price for not securing the customer experience. In today’s digitally driven world where consumers own the relationship, the foundation of the customer experience is a mix of security and availability. When an organization’s customers have their data compromised, the price is steep. Customer attrition rates can increase by as much as 30 percent following a cyberattack. Moreover, organizations that lose over four percent of their customers following a data breach suffer an average total cost of $5.1 million.

In addition to these direct impacts, there are “hidden” costs associated with a data breach as well, including increased insurance premiums, a lower credit rating, devaluation of trade name and loss of intellectual property. Lastly, there are legal fees as well because today’s customers are willing to retaliate. Forty-one percent of executives report that customers have taken legal action against their companies following a data breach. Target, among many name brands such as Panera Bread, Sears, and Saks, is just one well-publicized example of both the legal and customer loyalty impact that cyberattacks have had on name brands.

Flip The Paradigm

What if organizations could flip the paradigm? What if organizations could create a secure environment for their customers and, in the process, use security as a competitive differentiator?

That opportunity now exists because 21st-century digital consumers are asking whether they are conducting business with organizations that are proactive about safeguarding their information, and how those organizations will fix it if a breach does occur. For example, consumers are now more concerned about having their personal data stolen than their physical possessions such as wallets, automobiles and house keys. High-profile attacks in recent years (and the resulting fallout) mean that cybersecurity and data protection is no longer a topic just for network analysts and IT professionals. It has transitioned from the back pages of tech publications to mainstream conversation.

The impact on businesses is twofold. Whereas companies were once reticent to speak publicly about cybersecurity because it could cause consumers to question their business’s fragility, they must now embrace and communicate their ability to safeguard customer data. Forward-thinking organizations must use security and due diligence as competitive differentiators to build trust and loyalty with customers in the face of an increasingly insecure world.

It is no longer about delivering a world-class experience. It is about delivering a SECURE, world-class experience. In today’s digitally driven, social media world where consumers own the relationship, security has to become the very fabric of the business.

So how are executives expected to accomplish this facing new security threats, tight budgets, a shortfall in cybersecurity professionals and the need to safeguard increasingly diversified infrastructures? The key is creating a secure climate for customers by embracing technology and change. Corporate networks are the linchpins of interactions with customers who expect responsive apps, fast performance and, above all, protection of their data.

To create this climate, research shows that executives must be willing to accept new technologies, be open-minded to new ideologies and embrace change. Executives committed to staying on top of this ever-evolving threat must break down the silos that exist in the organization to assess the dimensions of the risks across the enterprise and address these exposures holistically. Next is balancing the aforementioned investment versus risk equation. All executives will face tough choices when deciding where to invest resources to propel their companies forward. As the threat of cyberattacks becomes a question of when not if, C-suite executives must leverage the aforementioned data points and carefully evaluate the risks associated with security vulnerabilities and the costs of implementing effective security solutions. As identified in the same report, four in 10 respondents identify increasing infrastructure complexity, digital transformation plans and integration of artificial intelligence as putting pressure on security planning and budget allocation.

The stakes are high. Security threats can seriously impact a company’s brand reputation, resulting in customer loss, reduced operational productivity, and lawsuits. C-suite executives recognize the multiple pressures on their organizations to integrate new network technologies, transform their businesses and defend against cyberattacks. Those executives who are willing to embrace technology and change and prioritize cybersecurity will be the ones to win the trust and loyalty of the 21st-century consumer.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.
