Why web apps are one of this year’s leading attack vectors

October 7, 2022
Cybercriminals’ ingenuity at bypassing the latest web application firewalls is turning internet apps into the fastest-growing attack vector this year. Public-facing web apps are now the most widely used attack vector for penetrating an organization’s perimeter: attacks that started in web apps rose from 31.5% of cases in 2020 to 53.6% in 2021, according to a recent report by Kaspersky’s Global Emergency Response Team.

Protecting web apps is a moving target 

Identifying intrusion attempts, attacks and breaches against internet-facing apps with automated threat detection is getting harder. Cybercriminals rely on stolen privileged-access credentials and on living-off-the-land (LOTL) techniques that use PowerShell, PsExec, Windows Management Instrumentation (WMI) and other tools already present on the system, so that their activity blends in with legitimate administration while they launch attacks.

PsExec, Mimikatz and Cobalt Strike remained among the most popular attack tools in 2021. As a result, 71% of intrusion attempts are malware-free, which makes them harder to identify, let alone stop. Once a cybercriminal has compromised an initial entry point, it takes them just one hour and 24 minutes to move laterally across the network, according to CrowdStrike’s 2022 Falcon OverWatch Threat Hunting Report.
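Because LOTL activity uses tools that are legitimately present on every Windows host, detection has to key on how those tools are used rather than on the presence of a malicious binary. The following is an added example (not code from the article or from any vendor it names) showing three such rules run over constructed Windows event records: a PsExec service install in the System log (event ID 7045), a process spawned by the WMI provider host in Sysmon process-creation events (event ID 1), and a PowerShell launch with an encoded command line. Field names, host names and the sample records are assumptions built for the example; the encoded-PowerShell rule goes slightly beyond the article's list of tools as one more common LOTL pattern.

```python
"""Rules that flag living-off-the-land tool usage in Windows event records.

Added example, not code from the article or from any vendor it names. The
records below are constructed to resemble a Windows System log service-install
event (ID 7045) and Sysmon process-creation events (ID 1); the field names and
hosts are assumptions, not real telemetry.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    source: str            # "System" or "Sysmon"
    event_id: int
    host: str
    fields: dict = field(default_factory=dict)


# Constructed sample events: one PsExec service install, one process spawned
# by the WMI provider host, one encoded PowerShell command, two benign events.
SAMPLE_EVENTS = [
    Event("System", 7045, "ws01",
          {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event("Sysmon", 1, "ws02",
          {"Image": r"C:\Windows\System32\cmd.exe",
           "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
           "CommandLine": "cmd.exe /c whoami"}),
    Event("Sysmon", 1, "ws03",
          {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "ParentImage": r"C:\Windows\explorer.exe",
           "CommandLine": "powershell.exe -NoProfile -EncodedCommand SQBFAFgA"}),
    Event("Sysmon", 1, "ws04",
          {"Image": r"C:\Windows\System32\notepad.exe",
           "ParentImage": r"C:\Windows\explorer.exe",
           "CommandLine": "notepad.exe report.txt"}),
    Event("System", 7045, "srv01",
          {"ServiceName": "BackupAgent", "ImagePath": r"C:\Program Files\Backup\agent.exe"}),
]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_psexec_service(ev: Event):
    """PsExec installs a service named PSEXESVC on the target host."""
    if ev.source == "System" and ev.event_id == 7045:
        blob = (ev.fields.get("ServiceName", "") + " " + ev.fields.get("ImagePath", "")).lower()
        if "psexesvc" in blob:
            return "psexec_service_install"
    return None


def rule_wmi_spawned_process(ev: Event):
    """A process whose parent is the WMI provider host usually comes from a remote WMI call."""
    if ev.source == "Sysmon" and ev.event_id == 1:
        if basename(ev.fields.get("ParentImage", "")) == "wmiprvse.exe":
            return "wmi_spawned_process"
    return None


# Matches the -EncodedCommand switch and its accepted short forms (-e, -ec, -enc).
ENCODED_FLAG = re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s")


def rule_encoded_powershell(ev: Event):
    """Base64-encoded command lines hide the script body from plain string matching."""
    if ev.source == "Sysmon" and ev.event_id == 1:
        if basename(ev.fields.get("Image", "")) in {"powershell.exe", "pwsh.exe"}:
            if ENCODED_FLAG.search(ev.fields.get("CommandLine", "")):
                return "encoded_powershell"
    return None


RULES = (rule_psexec_service, rule_wmi_spawned_process, rule_encoded_powershell)


def scan(events):
    """Return (host, rule_name) for every event that matches a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((ev.host, name))
    return hits


if __name__ == "__main__":
    for host, name in scan(SAMPLE_EVENTS):
        print(f"{host}: {name}")
```

Each rule is deliberately narrow and returns a stable name, so alerts can be counted per host and tuned individually; the benign service install and the notepad launch in the sample set produce no hits, which is the false-positive behaviour a rule like this needs before it is allowed to page anyone.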

API attacks are the fastest-growing attack strategy on web apps by a wide margin. There has been a 117% increase in API attack traffic over the last year, while overall API traffic grew 168%. Enterprises say stopping attacks by improving API security is their most urgent challenge, followed by identifying which APIs expose PII or sensitive data. In addition, cybercriminals look to APIs as a quick means to bypass web app security and gain access to networks, often staying there for months undetected.
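The paragraph names two tasks that go together: knowing which APIs are exposed and knowing which of them return PII. One practical way to start is to inventory the organization's own OpenAPI documents. The following is an added example (not the article's or any vendor's code) that walks a constructed OpenAPI 3 document, resolves `$ref` schemas, records whether each operation inherits or disables the global security requirement, and lists the response fields whose names look like PII. The specification, schema names, field names and the PII name list are all assumptions made for the example.

```python
"""Inventory an OpenAPI 3 document for endpoints that return PII without authentication.

Added example, not code from the article or any vendor. SPEC below is a
constructed document; its paths, schemas and field names are made up.
"""
import re

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
# Field names treated as PII for this example (an assumption; extend per data inventory).
PII_PATTERN = re.compile(r"(?i)^(email|ssn|phone|date_of_birth|dob|address|passport|card_number)$")

SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],          # global default: bearer token required
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Customer": {"type": "object", "properties": {
                "id": {"type": "string"},
                "email": {"type": "string"},
                "ssn": {"type": "string"},
                "profile": {"$ref": "#/components/schemas/Profile"}}},
            "Profile": {"type": "object", "properties": {
                "display_name": {"type": "string"},
                "phone": {"type": "string"}}},
            "Status": {"type": "object", "properties": {"ok": {"type": "boolean"}}},
        },
    },
    "paths": {
        "/customers/{id}": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/Customer"}}}}}}},
        # security: [] at operation level switches the global requirement off
        "/export/customers": {"get": {"security": [], "responses": {"200": {"content": {
            "application/json": {"schema": {"type": "array",
                                            "items": {"$ref": "#/components/schemas/Customer"}}}}}}}},
        "/health": {"get": {"security": [], "responses": {"200": {"content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/Status"}}}}}}},
    },
}


def resolve(spec, schema):
    """Follow a local $ref into components/schemas; inline schemas pass through."""
    ref = schema.get("$ref")
    if not ref:
        return schema
    if not ref.startswith("#/components/schemas/"):
        raise ValueError(f"unsupported reference: {ref}")
    return spec["components"]["schemas"][ref.rsplit("/", 1)[-1]]


def property_names(spec, schema, seen=None):
    """Collect every property name reachable from a schema (objects, arrays, allOf)."""
    seen = set() if seen is None else seen
    ref = schema.get("$ref")
    if ref:
        if ref in seen:            # guard against self-referential schemas
            return set()
        seen.add(ref)
    schema = resolve(spec, schema)
    names = set()
    for name, sub in schema.get("properties", {}).items():
        names.add(name)
        names |= property_names(spec, sub, seen)
    if "items" in schema:
        names |= property_names(spec, schema["items"], seen)
    for sub in schema.get("allOf", []):
        names |= property_names(spec, sub, seen)
    return names


def requires_auth(spec, operation):
    """An operation-level 'security' list overrides the global one; [] means open."""
    return bool(operation.get("security", spec.get("security", [])))


def inventory(spec):
    """One row per operation: method, path, whether auth is required, PII fields returned."""
    rows = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            fields = set()
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    if "schema" in media:
                        fields |= property_names(spec, media["schema"])
            pii = sorted(f for f in fields if PII_PATTERN.match(f))
            rows.append({"method": method.upper(), "path": path,
                         "authenticated": requires_auth(spec, op), "pii_fields": pii})
    return rows


def unauthenticated_pii(spec):
    """Operations that return PII fields and require no authentication: review these first."""
    return [(r["method"], r["path"]) for r in inventory(spec)
            if r["pii_fields"] and not r["authenticated"]]


if __name__ == "__main__":
    for row in inventory(SPEC):
        print(row)
    print("review first:", unauthenticated_pii(SPEC))
```

Run against a real specification, the interesting output is the last list: an export endpoint that returns customer records while opting out of the global security requirement is exactly the kind of API that is easy to miss in a WAF rule set and that an attacker with any leaked URL can hit without credentials. Also note that the inherited-versus-overridden semantics of `security` are subtle, so the check reads the effective value rather than looking only at the global block.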


“Web application is the number one vector and, not surprisingly, is connected to the high number of DoS attacks. This pairing, along with the use of stolen credentials (commonly targeting some form of a web application), is consistent with what we’ve seen for the past few years,” according to the 2022 Verizon Data Breach Report. 80% of all breaches start in web applications, which are breached using stolen access credentials, backdoor attacks, remote injection and desktop-sharing software hacks.

Every device’s identity is a new security perimeter

Web application firewalls (WAFs) and reverse proxies aren’t slowing the pace of intrusion and breach attempts on managed and unmanaged devices. One reason is that WAFs aren’t designed to enforce least-privilege access, provide granular rights and policy controls, or support microsegmenting a network. In addition, because of the large number of false positives they generate, many organizations run their WAFs in “alert” (detection-only) mode rather than having them block attacks. At the same time, a recent survey indicated that at least half of application-layer attacks bypassed WAFs.

Complicating matters further is the new distributed work environment that most organizations need to support. Users connect from diverse and changing IP addresses and a mix of managed and unmanaged devices. The use of BYODs and unmanaged devices is particularly problematic, as evidenced by Microsoft’s recent report that 71% of ransomware cases are initiated by unmanaged internet-facing devices.

With the rise of what is now called the gig economy, contractors have become vital to every organization’s workforce. They rely on unmanaged devices to get work done, creating third-party access risk. Even managed devices are a security threat, as they are often over-configured with endpoint security agents. Absolute Software’s Endpoint Risk Report found that, on average, every endpoint has 11.7 agents installed, each creating potential software conflicts and each decaying at its own rate. The same report found that the majority of endpoints (52%) have three or more endpoint management clients installed, and 59% have at least one identity and access management (IAM) client installed. Attempting to fortify unmanaged and managed devices by overloading them with agents isn’t working.


Unfortunately, WAFs stop less than 50% of application-layer attacks and are known for generating false-positive alerts. Security teams have been known to turn alerts off because so many are false, leaving applications and the data they contain only partially protected.

A zero trust-based approach that tracks every device’s identity down to the browser session is needed as a suitable security perimeter for the web app age.

Running web apps more securely  

Firewalls attempt to secure, control and filter the traffic flowing between each device and the app it is trying to reach. Browser isolation takes a different approach: it runs web apps more securely by creating a gap between networks and apps on one side and malware on the other. Remote browser isolation (RBI) runs every session in a secured, isolated cloud environment and enforces least-privilege application access at the level of the browser session. This removes the need to install and track endpoint agents or clients across managed and unmanaged devices, enables simple, secure BYOD access, and lets third-party contractors work on their own devices.

Each application access session is configurable for the specific level of security needed. For example, cybersecurity teams are using application isolation to define user-level policies that control which application a given user can access and which data-sharing actions they’re permitted to take. Common controls include DLP scanning, malware scanning and limiting cut-and-paste functions, including clipboard use, file upload/download permissions, and permissions to enter data into text fields. Vendors who have adapted their RBI solutions to support application access security include Broadcom, Ericom and Zscaler. 
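The controls listed above (which apps a user may reach, and whether they may copy to the clipboard, upload, download or type into fields, subject to DLP scanning) amount to a per-user, per-application policy evaluated at the session level with deny as the default. The following is an added example, not code from Ericom, Zscaler, Broadcom or the article, of such a policy evaluator. The role names, application names, action names and the toy DLP patterns are all assumptions constructed for the example; a real deployment would plug in a proper DLP and malware scanner where `dlp_findings` sits.

```python
"""Per-role, per-application policy for browser-isolated sessions, default deny.

Added example; not code from any vendor named in the article. Roles, apps,
action names and the DLP patterns are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

ACTIONS = {"view", "text_entry", "clipboard_copy", "file_upload", "file_download"}
# Actions that move data and therefore pass through the content scan.
DATA_MOVING = {"text_entry", "clipboard_copy", "file_upload", "file_download"}


@dataclass(frozen=True)
class AppPolicy:
    allowed_actions: frozenset   # anything not listed here is denied
    dlp_scan: bool = True        # scan data-moving actions for sensitive content


# Toy DLP patterns (constructed): a US SSN shape and a 16-digit card-like number.
DLP_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def dlp_findings(payload: str):
    """Names of the DLP patterns present in the payload, sorted for stable output."""
    return sorted(name for name, pat in DLP_PATTERNS.items() if pat.search(payload))


# Constructed policies: contractors get a read-only CRM, employees get more,
# and only employees can reach the internal wiki at all.
POLICIES = {
    "contractor": {
        "crm": AppPolicy(frozenset({"view", "text_entry"})),
    },
    "employee": {
        "crm": AppPolicy(frozenset({"view", "text_entry", "clipboard_copy", "file_download"})),
        "wiki": AppPolicy(frozenset(ACTIONS), dlp_scan=False),
    },
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(role: str, app: str, action: str, payload: str = "") -> Decision:
    """Decide one session action; every path that is not explicitly allowed denies."""
    if action not in ACTIONS:
        return Decision(False, f"unknown action {action!r}")
    policy = POLICIES.get(role, {}).get(app)
    if policy is None:
        return Decision(False, f"no policy for role {role!r} on app {app!r}: default deny")
    if action not in policy.allowed_actions:
        return Decision(False, f"{action} not permitted for {role} on {app}")
    if policy.dlp_scan and action in DATA_MOVING:
        hits = dlp_findings(payload)
        if hits:
            return Decision(False, f"DLP blocked {action} on {app}: {', '.join(hits)}")
    return Decision(True, f"{action} permitted for {role} on {app}")


if __name__ == "__main__":
    checks = [
        ("contractor", "crm", "view", ""),
        ("contractor", "crm", "file_download", ""),
        ("guest", "crm", "view", ""),
        ("employee", "crm", "clipboard_copy", "customer SSN 123-45-6789"),
        ("employee", "crm", "clipboard_copy", "meeting at 3pm"),
    ]
    for role, app, action, payload in checks:
        d = evaluate(role, app, action, payload)
        print(f"{role:10} {app:5} {action:15} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

Two design points matter more than the specific rules: an unknown role or application falls through to a denial with a reason string rather than to an exception or an implicit allow, and the DLP check runs after the action check, so a denied action never has its payload inspected at all. The reason strings are what a security team would log per session to tune policies without switching the whole control into alert-only mode.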


In addition to the access and data-sharing controls, the RBI approach also secures web apps’ exposed surfaces, protecting them from compromised devices and bad actors while ensuring legitimate users have full access. The air-gapping technique blocks the risk posed by attackers or infected machines that probe web apps for vulnerabilities to exploit, because they gain no visibility into page source code, developer tools or APIs.

Ericom ZTEdge’s approach to application isolation is called Web Application Isolation (WAI), a unique approach to leveraging RBI to secure BYOD and unmanaged device access to public or private web and cloud applications.

Ericom says that its customers find that WAI is also effective in masking applications’ attack surfaces, enabling organizations to gain greater protection against the OWASP Top 10 Web Application Security Risks.

Isolating web apps by relying on Remote Browser Isolation (RBI) to create secure, isolated air gaps between apps, systems and malware attempts can secure some of the OWASP Top 10 most critical security risks for web applications. Source: OWASP Top Ten

Zero trust for secure browser sessions

Cybercriminals continue to discover new ways to bypass WAF and reverse proxies, successfully launching intrusions and breaches of web apps at a growing rate. Securing web apps is also becoming more challenging as the number of unmanaged devices continues to grow exponentially. Greater reliance on outside contractors, suppliers, sales, and distribution networks is putting a strain on IT and security teams to secure the growing base of unmanaged devices. Additionally, installing agents on third-party systems is fraught with compatibility and scale challenges. 

With security teams already stretched thin, there needs to be a more efficient way to secure every device and browser, ideally using zero trust as the framework. Securing web apps with RBI solves that challenge at the browser and session level and removes the need for agents on every device. What’s noteworthy is that this framework lets users of unmanaged devices work virtually without exposing corporate applications or data to intrusion attempts or threats. This is the way forward for a zero-trust strategy of simplified, clientless security that protects corporate applications and their sensitive data.
