Why web apps are one of this year’s leading attack vectors

October 7, 2022

Cybercriminals’ ingenuity at bypassing the latest web application firewalls is turning internet apps into the fastest-growing attack vector this year. Public-facing web apps are now the most widely used attack vector to penetrate an organization’s perimeter. Attacks that start in web apps increased from 31.5% in 2020 to 53.6% in 2021, according to a recent report by Kaspersky’s Global Emergency Response Team. 

Protecting web apps is a moving target 

Identifying intrusion attempts, attacks and breaches against internet apps with automated threat detection is getting harder. Cybercriminals rely on stolen privileged-access credentials and on living-off-the-land (LOTL) techniques that use PowerShell, PsExec, Windows Management Instrumentation (WMI) and other common tools to avoid detection while launching attacks.

PsExec, Mimikatz and Cobalt Strike continued to be among the most popular attack tools in 2021. As a result, 71% of intrusion attempts are malware-free, making them more challenging to identify, much less stop. It takes a cybercriminal just one hour and 24 minutes to move laterally across a network once they’ve compromised an attack vector, according to CrowdStrike’s 2022 Falcon OverWatch Threat Hunting Report. 
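Because LOTL tooling such as PsExec, encoded PowerShell and WMI-launched processes leaves no malware to hash-match, detection has to key on the traces those tools leave in ordinary Windows logs. The following is an added example (not code from the article, CrowdStrike or Kaspersky) that runs three such rules over constructed, simplified log lines; the `event_id|host|key=value` line format, the host names and the command lines are all invented for the demonstration, while the event IDs 7045 (service installed) and 4688 (process creation) and the PSEXESVC service name are real Windows artifacts.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records (not from the article, not real event exports):
# a simplified "event_id|host|key=value;key=value" line format that stands in
# for fields pulled from Windows System (7045) and Security (4688, 4624) logs.
SAMPLE_LOGS = [
    "7045|ws01|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "4688|ws01|NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;"
    "CommandLine=powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA",
    "4688|ws02|NewProcessName=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe;"
    "ParentProcessName=C:\\Windows\\System32\\svchost.exe",
    "4688|ws02|NewProcessName=C:\\Windows\\System32\\cmd.exe;"
    "ParentProcessName=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "4688|ws03|NewProcessName=C:\\Windows\\System32\\notepad.exe;"
    "ParentProcessName=C:\\Windows\\explorer.exe",
    "4624|ws03|LogonType=3;TargetUserName=svc_backup;IpAddress=10.0.0.5",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so the rule matches the prefixes rather than only the full switch name.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into a flat dict of fields."""
    event_id, host, body = line.split("|", 2)
    fields = {"EventID": event_id, "Host": host}
    for pair in body.split(";"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev: Dict[str, str]) -> List[str]:
    """Return the names of the LOTL rules a single event matches."""
    hits = []
    eid = ev["EventID"]
    # PsExec registers its PSEXESVC service on the target before running the
    # remote command, which shows up as a new-service event (7045).
    service_text = (ev.get("ServiceName", "") + ev.get("ImagePath", "")).lower()
    if eid == "7045" and "psexesvc" in service_text:
        hits.append("psexec_service_install")
    if eid == "4688":  # CommandLine is only present if command-line auditing is enabled
        image = basename(ev.get("NewProcessName", ""))
        parent = basename(ev.get("ParentProcessName", ""))
        cmd = ev.get("CommandLine", "")
        if image in ("powershell.exe", "pwsh.exe") and ENCODED_FLAG.search(cmd):
            hits.append("encoded_powershell")
        # A shell whose parent is the WMI provider host is the usual trace of a
        # process started remotely through WMI; WmiPrvSE itself is benign.
        if parent == "wmiprvse.exe" and image in SHELLS:
            hits.append("wmi_spawned_shell")
    return hits


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line; return (host, rule) pairs in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev):
            findings.append((ev["Host"], rule))
    return findings


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_LOGS):
        print(f"{host}: {rule}")
```

The third sample line is deliberately a false-positive trap: WmiPrvSE.exe started by svchost.exe is normal WMI activity, and the rule only fires when a shell is the child of the provider host. In a real deployment these rules would be one layer beside credential-abuse monitoring, since the article's point is that the tools themselves are legitimate and only their context gives them away.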

API attacks are the fastest-growing attack strategy on web apps by a wide margin. There has been a 117% increase in API attack traffic over the last year, while overall API traffic grew 168%. Enterprises say stopping attacks by improving API security is their most urgent challenge, followed by identifying which APIs expose PII or sensitive data. In addition, cybercriminals look to APIs as a quick means to bypass web app security and gain access to networks, often staying there for months undetected.
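The paragraph names two tasks, stopping API attacks and working out which APIs expose PII, and the second is a prerequisite for the first: you cannot apply least privilege to endpoints you have not inventoried. The following is an added example (not code from the article or from any vendor) that walks a constructed OpenAPI-style document, resolves local `$ref` schemas, and lists every operation whose responses contain PII-looking fields together with whether the operation declares a security requirement. The spec, its paths and the field-name patterns are all assumptions for the demonstration.

```python
import re
from typing import Any, Dict, List

# Constructed OpenAPI-style fragment (not a real service, not from the article),
# trimmed to the parts the inventory needs: paths, responses, schemas, security.
SAMPLE_SPEC: Dict[str, Any] = {
    "components": {"schemas": {
        "Address": {"type": "object", "properties": {
            "street": {"type": "string"}, "postal_code": {"type": "string"}}},
        "Customer": {"type": "object", "properties": {
            "id": {"type": "integer"},
            "email": {"type": "string"},
            "date_of_birth": {"type": "string"},
            "address": {"$ref": "#/components/schemas/Address"},
        }},
        "Status": {"type": "object", "properties": {"ok": {"type": "boolean"}}},
    }},
    "paths": {
        "/customers/{id}": {"get": {
            "security": [{"bearerAuth": []}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Customer"}}}}}}},
        "/customers/export": {"get": {   # no security block: anonymous endpoint
            "responses": {"200": {"content": {"application/json": {
                "schema": {"type": "array",
                           "items": {"$ref": "#/components/schemas/Customer"}}}}}}}},
        "/health": {"get": {
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Status"}}}}}}},
    },
}

# Field-name patterns that usually denote PII; tune to your own data classification.
PII_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bemail\b", r"ssn|social_security", r"date_of_birth|\bdob\b", r"phone",
    r"passport", r"card_number|\bpan\b", r"street|postal_code|zip",
)]


def resolve(spec: Dict[str, Any], node: Dict[str, Any]) -> Dict[str, Any]:
    """Follow a local $ref ("#/components/schemas/X") to the schema it names."""
    while "$ref" in node:
        target: Any = spec
        for part in node["$ref"].lstrip("#/").split("/"):
            target = target[part]
        node = target
    return node


def pii_fields(spec: Dict[str, Any], schema: Dict[str, Any],
               prefix: str = "", active: frozenset = frozenset()) -> List[str]:
    """Walk a schema (objects, arrays, $refs); return dotted paths of PII-looking fields."""
    schema = resolve(spec, schema)
    if id(schema) in active:            # recursive schema: stop descending
        return []
    active = active | {id(schema)}
    if schema.get("type") == "array" and "items" in schema:
        return pii_fields(spec, schema["items"], prefix + "[]", active)
    found: List[str] = []
    for name, sub in schema.get("properties", {}).items():
        path = f"{prefix}.{name}" if prefix else name
        if any(p.search(name) for p in PII_PATTERNS):
            found.append(path)
        found.extend(pii_fields(spec, sub, path, active))
    return found


def inventory(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Every operation that returns PII, unauthenticated ones first."""
    rows = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            fields: List[str] = []
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    if "schema" in media:
                        fields.extend(pii_fields(spec, media["schema"]))
            if fields:
                rows.append({
                    "method": method.upper(), "path": path, "pii": sorted(set(fields)),
                    # operation-level security overrides the document default
                    "authenticated": bool(op.get("security", spec.get("security"))),
                })
    return sorted(rows, key=lambda r: (r["authenticated"], r["path"]))


if __name__ == "__main__":
    for row in inventory(SAMPLE_SPEC):
        auth = "auth" if row["authenticated"] else "ANONYMOUS"
        print(f"{row['method']} {row['path']} [{auth}]: {', '.join(row['pii'])}")
```

Sorting unauthenticated operations first is the point of the report: in the constructed spec, `/customers/export` returns the same customer records as the authenticated `/customers/{id}` but declares no security scheme, which is exactly the kind of exposure the article says enterprises struggle to find.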

“Web application is the number one vector and, not surprisingly, is connected to the high number of DoS attacks. This pairing, along with the use of stolen credentials (commonly targeting some form of a web application), is consistent with what we’ve seen for the past few years,” according to the 2022 Verizon Data Breach Report. 80% of all breaches start in web applications, which are typically breached through stolen access credentials, backdoors, remote injection and compromised desktop-sharing software.

Every device’s identity is a new security perimeter

Web application firewalls (WAFs) and reverse proxies aren’t slowing the pace of intrusion and breach attempts on managed and unmanaged devices. One reason is that WAFs aren’t designed to enforce least-privileged access, provide granular rights and policy controls, or support microsegmenting a network. In addition, because of the large number of false positives they generate, many organizations run their WAFs in “alert” mode rather than having them block attacks. At the same time, a recent survey indicated that at least half of application layer attacks bypassed WAFs.

Complicating matters further is the new distributed work environment that most organizations need to support. Users connect from diverse and changing IP addresses and a mix of managed and unmanaged devices. The use of BYODs and unmanaged devices is particularly problematic, as evidenced by Microsoft’s recent report that 71% of ransomware cases are initiated by unmanaged internet-facing devices.

In what is now called the gig economy, contractors have become vital to every organization’s workforce. They rely on unmanaged devices to get work done, creating third-party access risk. Even managed devices are a security threat, as they’re often over-configured with endpoint security agents. Absolute Software’s Endpoint Risk Report found that, on average, every endpoint has 11.7 agents installed, each creating potential software conflicts and degrading at a different rate. Absolute Software’s report also found that the majority of endpoints (52%) have three or more endpoint management clients installed, and 59% have at least one identity access management (IAM) client installed. Attempting to fortify unmanaged and managed devices by overloading them with agents isn’t working.

Unfortunately, WAFs stop less than 50% of application layer attacks and are known for generating false positive alerts. Security teams have been known to turn alerts off, given how many are false, leaving applications and the data they contain only partially secured. 

A zero trust-based approach that tracks every device’s identity down to the browser session is needed as a suitable security perimeter for the web app age.

Running web apps more securely  

Firewalls try to secure, control and filter the traffic flowing between each device and the app it is attempting to access. Browser isolation takes a different approach: it runs web apps more securely by creating a gap between networks and apps on the one hand and malware on the other. Remote browser isolation (RBI) runs every session in a secured, isolated cloud environment and enforces least-privilege application access at the browser-session level. This removes the need to install and track endpoint agents/clients across managed and unmanaged devices, enables simple, secure BYOD access, and lets third-party contractors work on their own devices.

Each application access session is configurable for the specific level of security needed. For example, cybersecurity teams are using application isolation to define user-level policies that control which application a given user can access and which data-sharing actions they’re permitted to take. Common controls include DLP scanning, malware scanning and limiting cut-and-paste functions, including clipboard use, file upload/download permissions, and permissions to enter data into text fields. Vendors who have adapted their RBI solutions to support application access security include Broadcom, Ericom and Zscaler. 
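The two paragraphs above describe session-level policy: which apps a user may open, which data-sharing actions (clipboard, upload/download, text entry) each session permits, and whether DLP and malware scanning apply. The following is an added example (not code from the article, Ericom, Broadcom or Zscaler) of the resolution logic a session broker would run for that model. The groups, apps, policies and the decision rules (default deny, most-restrictive-wins across groups, no downloads to unmanaged devices) are assumptions chosen for the demonstration, not any vendor's real configuration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Data-sharing actions an isolated browser session can be allowed to perform.
ALL_ACTIONS = frozenset({"clipboard_copy", "clipboard_paste", "upload", "download", "text_entry"})


@dataclass(frozen=True)
class AppPolicy:
    """What a group may do inside one isolated application session."""
    actions: FrozenSet[str]            # allowed data-sharing actions
    dlp_scan: bool = True              # scan outbound data (uploads, pasted text)
    malware_scan: bool = True          # scan inbound files before release to the endpoint


# Constructed policy set (illustrative, not any vendor's real configuration):
# group -> app -> policy. Apps not listed for any of a user's groups are denied.
POLICIES: Dict[str, Dict[str, AppPolicy]] = {
    "finance": {
        "erp": AppPolicy(actions=frozenset({"clipboard_copy", "download", "text_entry"})),
        "crm": AppPolicy(actions=frozenset({"text_entry"})),
    },
    "contractors": {
        "crm": AppPolicy(actions=frozenset({"text_entry", "clipboard_paste"}), malware_scan=False),
    },
    "it": {
        "erp": AppPolicy(actions=ALL_ACTIONS),
    },
}

# Constructed directory: user -> groups.
GROUPS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"finance"}),
    "bob": frozenset({"finance", "it"}),
    "carol": frozenset({"contractors"}),
}

# Actions never permitted from an unmanaged (BYOD) device, whatever the app policy
# says: a file must not land on an endpoint the organization does not control.
UNMANAGED_DEVICE_DENY = frozenset({"download"})


@dataclass
class SessionDecision:
    allowed: bool
    actions: FrozenSet[str] = frozenset()
    dlp_scan: bool = True
    malware_scan: bool = True
    reason: str = ""


def decide_session(user: str, app: str, managed_device: bool) -> SessionDecision:
    """Resolve the effective policy for one user opening one app from one device.

    Rules (assumptions of this example):
      * default deny: if no group grants the app, there is no session;
      * when several groups grant the app, the most restrictive settings win
        (intersection of actions; scanning stays on if any group requires it);
      * unmanaged devices lose the actions in UNMANAGED_DEVICE_DENY.
    """
    grants: List[AppPolicy] = [POLICIES[g][app] for g in GROUPS.get(user, frozenset())
                               if app in POLICIES.get(g, {})]
    if not grants:
        return SessionDecision(allowed=False, reason=f"{user} has no group granting {app}")
    actions = frozenset(ALL_ACTIONS)
    dlp = malware = False
    for policy in grants:
        actions &= policy.actions
        dlp |= policy.dlp_scan
        malware |= policy.malware_scan
    if not managed_device:
        actions -= UNMANAGED_DEVICE_DENY
    return SessionDecision(True, actions, dlp, malware, "policy resolved")


def is_action_allowed(user: str, app: str, managed_device: bool, action: str) -> bool:
    """Per-action check the broker runs before honouring a clipboard/upload/download request."""
    if action not in ALL_ACTIONS:
        return False                   # unknown action: deny, never allow by accident
    decision = decide_session(user, app, managed_device)
    return decision.allowed and action in decision.actions


if __name__ == "__main__":
    for user, app, managed in (("alice", "erp", True), ("alice", "erp", False),
                               ("bob", "erp", True), ("carol", "erp", True)):
        d = decide_session(user, app, managed)
        print(user, app, "managed" if managed else "BYOD", d.allowed, sorted(d.actions), d.reason)
```

Two design choices carry the zero-trust intent: an unknown action and an unlisted app both fall through to deny, and every check is re-evaluated per session with the device's managed state as an input, so the same user gets a narrower session from a BYOD laptop than from a corporate one without any agent on either.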

In addition to the access and data sharing controls, the RBI approach also secures web apps’ exposed surfaces, protecting them from compromised devices and bad actors while ensuring legitimate users have full access. The air-gapping technique blocks the risk that hackers or infected machines pose when they attempt to probe web apps, seeking vulnerabilities to exploit, because they have no visibility on page source code, developer tools or APIs.

Ericom ZTEdge’s approach to application isolation is called Web Application Isolation (WAI), a unique approach to leveraging RBI to secure BYOD and unmanaged device access to public or private web and cloud applications.

Ericom says that its customers find that WAI is also effective in masking applications’ attack surfaces, enabling organizations to gain greater protection against the OWASP Top 10 Web Application Security Risks.

Isolating web apps by relying on Remote Browser Isolation (RBI) to create secure, isolated air gaps between apps, systems and malware attempts can secure some of the OWASP Top 10 most critical security risks for web applications. Source: OWASP Top Ten

Zero trust for secure browser sessions

Cybercriminals continue to discover new ways to bypass WAF and reverse proxies, successfully launching intrusions and breaches of web apps at a growing rate. Securing web apps is also becoming more challenging as the number of unmanaged devices continues to grow exponentially. Greater reliance on outside contractors, suppliers, sales, and distribution networks is putting a strain on IT and security teams to secure the growing base of unmanaged devices. Additionally, installing agents on third-party systems is fraught with compatibility and scale challenges. 

With security teams stretched thin already, there needs to be a more efficient way to secure every device and browser, ideally using zero trust as the framework. Securing web apps by using RBI solves that challenge at the browser and session level — and removes the need for agents on every device. What’s noteworthy is that this framework enables users of unmanaged devices to work virtually without exposing corporate applications or data to intrusion attempts or threats. This is the way forward for a zero-trust strategy for simplified clientless security that protects corporate applications and their sensitive data. 
