Dangers of accidental open access to applications and databases.
Author: Keshav Kamble
Sophisticated breaches require real effort on the part of attackers. Some of the easiest breaches, by contrast, come from applications, or parts of applications, being accidentally left open to public access. Today your enterprise IT deployments are scanned continuously, in near real time, by illegitimate scanners and attackers. The smallest mistake, such as leaving an application or database in its default configuration, can therefore expose the entire enterprise to outside attack.
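As an added example (not code from the original post or from Avocado Systems), here is a small Python check for the most basic form of this mistake: a database or application-server process bound to every network interface instead of localhost. It parses the listener table that `ss -H -ltnp` prints on Linux; a constructed sample is embedded so it runs offline, and the port-to-service table is an illustrative assumption rather than an exhaustive list.

```python
"""Detect listeners bound to all interfaces on ports that should stay private.

Added example for this post; it is not code from the original page or from
Avocado Systems. It parses the text format printed by `ss -H -ltnp` on Linux
(a constructed sample is embedded below, so it runs offline) and flags any
socket bound to a wildcard address on a port whose default service (MySQL,
MongoDB, Tomcat) is a classic accidental exposure. The port table is an
illustrative assumption, not an exhaustive list.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed port-to-service map for the tiers discussed in the post.
SENSITIVE_PORTS = {
    3306: "MySQL",
    27017: "MongoDB (mongod or mongos)",
    8080: "Tomcat HTTP connector",
    8005: "Tomcat shutdown port",
    8009: "Tomcat AJP connector",
}

# Local-address forms ss prints for "bound to every interface".
WILDCARD_ADDRS = {"0.0.0.0", "::", "[::]", "*"}

# Constructed sample of `ss -H -ltnp` output (-H suppresses the header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 80   0.0.0.0:3306    0.0.0.0:* users:(("mysqld",pid=1402,fd=21))
LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:* users:(("mongod",pid=1510,fd=12))
LISTEN 0 100  [::]:8080       [::]:*    users:(("java",pid=1622,fd=42))
LISTEN 0 1    127.0.0.1:8005  0.0.0.0:* users:(("java",pid=1622,fd=57))
LISTEN 0 4096 *:27017         *:*       users:(("mongos",pid=1700,fd=9))
"""

_PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass
class Exposure:
    port: int
    local_addr: str
    process: str
    service: str


def _split_local(local: str):
    """Split ss's Local Address:Port column into (address, port-string)."""
    addr, _, port = local.rpartition(":")
    return addr, port


def find_exposures(ss_output: str) -> List[Exposure]:
    """Return listeners on a wildcard address for a sensitive port."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        # ss prints: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = _split_local(fields[3])
        if not port.isdigit():
            continue
        port = int(port)
        if addr not in WILDCARD_ADDRS or port not in SENSITIVE_PORTS:
            continue
        match = _PROCESS_RE.search(line)
        process = match.group(1) if match else "?"
        found.append(Exposure(port, addr, process, SENSITIVE_PORTS[port]))
    return found


def report(exposures: List[Exposure]) -> str:
    """Human-readable summary, one line per exposed listener."""
    if not exposures:
        return "no sensitive listeners bound to a wildcard address"
    return "\n".join(
        f"EXPOSED {e.service}: {e.process} listening on {e.local_addr}:{e.port}"
        for e in exposures
    )


if __name__ == "__main__":
    import sys
    # Pipe real output in (`ss -H -ltnp | python3 check.py`); otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    print(report(find_exposures(data)))
```

On the sample, the script flags mysqld on 0.0.0.0:3306, the Tomcat JVM on [::]:8080 and mongos on *:27017, while mongod and the Tomcat shutdown port, bound to 127.0.0.1, pass. The check looks only at what the process itself binds; a cloud security group or firewall in front of the host is a separate layer and, as the rest of this post argues, should not be the only one.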
The graph above, from the Verizon Enterprise breach study, shows the number of breaches that occurred in the 2017-18 time frame by industry sector. Clearly not all of these attacks were due to misconfiguration or accidental exposure. What matters more is how much effort attackers had to expend to breach these enterprises: the study also reports how difficult each compromise was and how long the breach went undetected.
A staggering 87 percent of compromises took only minutes, and 68 percent of breaches went undiscovered for months or more.
This comprehensive study points to one problem: the lack of real-time threat monitoring and interception at, or inside, the application and database layers. As we all know, most high-profile breaches occurred despite strong perimeter security.
Thoughts and analysis
If you are a CISO or a CIO, the Verizon Enterprise study is no doubt familiar to you, and at the same time a source of real discomfort. At points it may even raise doubts about your own preparedness.
At Avocado Systems research labs, we ran some interesting experiments on a public cloud, and the observations are equally interesting. For the experiment, the lab deployed a multi-tier application ecosystem: Tomcat servers running Java applications in front of two layers of databases, deployed both as clusters and as single instances. Every application was fully instrumented for protection and monitoring by the Avocado Security Platform. On certain parts of selected applications, however, the micro-policy actions were deliberately configured to monitor only, not to protect. The Avocado Security Orchestrator generated real-time maps of access to these exposed components by nefarious clients from all over the world, and of the attempts to penetrate the protected applications.
So let me offer a few observations:
- Exposed part of Tomcat accessed by nefarious clients
This is a real-time representation over a period of four days. All of these attempts were closely monitored by micro-policies applied to a part of the Tomcat application. The image clearly shows the repercussions of mistakes in perimeter security combined with misconfigurations at the application level.
- In every instance, the protected sub-components of MySQL and MongoDB intercepted and mitigated the penetration attempts.
Attacks intercepted and mitigated by the MySQL database deployed in the UK:
Attacks intercepted and mitigated by the mongos (MongoDB shard router) deployed in the UK:
Again, a picture is worth a thousand words. Avocado's pico-segmentation, which brings the deepest level of threat monitoring and interception into the applications themselves, caught every attempt on every part of the databases and applications, despite the errors deliberately left in place to give threats an opportunity to penetrate the web layer.
Application security and DevSecOps automation give you the ability to build real-time threat monitoring and response. It is time to reassess your organization's security methods and practices and adopt new approaches to enterprise application security. Avocado is always here to help.
Innovation is our way to bring confidence to all the hardworking security professionals, business owners and executives.