Businesses turn to new class of software to block intruders
Not too long ago, hackers were likely to slip into a company network by foiling a poorly configured firewall or intrusion-detection system. Sometimes, it was even easier than that: Companies simply failed to install security systems.
But businesses have gotten smarter and hardened their networks with properly installed security tools, so hackers are looking for other ways to slither inside. They're finding them in unprotected applications.
The damage can be enormous. Applications such as sophisticated supply-chain and inventory programs, price lists, account-management programs, and even shopping carts are being targeted. Databases that link to Web applications are also vulnerable. Common attacks include E-shoplifting, a process in which hackers change price information in shopping carts. Here's how it works: A hacker puts $100 worth of items in a shopping cart and then saves the Web page to a local hard drive. He or she then modifies the price to $10 and resubmits the page. If the shopping cart is improperly coded, it might not double-check the prices and allow the price change upon resubmission.
Other breaches include buffer-overflow attacks as well as tampering with CGI scripts and unencrypted cookies to gain unauthorized access and steal identities. In the latter, hackers take advantage of Web browsers or cookies that sometimes erroneously reveal customer account information because the applications don't check account-ID parameters.
"Companies have done a pretty good job installing firewalls and protecting networks," says Pete Lindstrom, director of security strategies at analyst firm Hurwitz Group. "The area with the greatest vulnerability now is in the applications themselves. It's proving to be an easier target."
Data from SecurityFocus, a San Mateo, Calif., company that provides vulnerability alerts and security advice, supports what Lindstrom says. SecurityFocus, which collects data from 9,000 sites in more than 140 countries, has found most hackers target ports in the firewall that are passageways to applications. Of the more than 10 million security incidents SecurityFocus tracked the first week of February, 64% targeted port 80, which is the application port. About 9% targeted port 139, used for Windows networking and file sharing, and 6% targeted FTP on port 21.
While many application vulnerabilities are discovered and stopped before serious damage is done--such as those affecting Oracle's 9i Application Server and Microsoft's Internet Information Services software--many, if not most, application vulnerabilities go unnoticed for years, leaving the security holes for malicious hackers to uncover first.
To help protect applications, a new class of software has hit the streets, designed to help customers secure their Web sites from dangers such as embarrassing defacements and theft of customer identities and corporate data. These so-called application firewalls sit between the public Internet and Web server and filter Web traffic for illegitimate data requests. To date, there are only three vendors in this arena: KaVaDo, Sanctum, and Stratum8 Networks. But industry experts expect more tools to emerge, and investors are interested: They've contributed some $75 million in venture capital toward the companies.
Sanctum was the first entry in the application-firewall market. Sanctum was co-founded in 1997 by Gil Raanan, who led development for communications and security projects while with the Israeli Defense Forces. So far, Sanctum has raised $54 million from investors, including Dell, EDS, Fidelity, Gemini Israel Funds, Hitachi, Mofet Tech Funds, Wachovia Strategic Ventures Group, and Walden Israel. Sanctum has more than 150 customers.
El Al Israel Airlines installed Sanctum's AppShield late last year as a complement to its existing intrusion-detection and firewall software. El Al is considered by many to be the most secure airline in the world, and it takes information security seriously, especially since Sept. 11. The airline now considers any illegal access to its Web site to be an act of terrorism, says David Yaacobi, manager of information systems security at El Al.
"In the past year, attacks on Web apps have become very popular, and they're trying more and more to attack Web sites. Hackers are trying to deface the Web site and destroy the data. Sanctum has proven to stop all of that," says Yaacobi, who runs AppShield on Windows 2000 and NT to protect the airline's Web site.
AppShield sits between the Web server and firewall and studies the application pages' CGI values, drop-down menu values, hidden field values, and the anticipated maximum size of text fields. From this real-time examination, AppShield creates a dynamically generated security policy, through which all Internet requests to the site are filtered. Any request that doesn't meet policy rules is blocked.
Dynamically created security policies benefit the security administrator in two critical ways, Hurwitz's Lindstrom says: Not all application security policies need to be defined in advance; and, more important, Web applications that contain inherent security vulnerabilities, such as buffer overflows, are protected.
KaVaDo's beginnings are tied to the Israeli military, too. The company, founded in 2000, has raised $6.7 million from Bank of America Equity Partners and 3i Technology Partners.
KaVaDo's application-layer security product, InterDo, protects Web-based applications by analyzing the applications and their business logic--that is, the way the apps are uniquely used inside a particular company. The software sits between application-and system-layer devices such as routers, firewalls, and load balancers to capture all application-related traffic. It segments each type of security threat, such as buffer-overflow attacks, hidden fields that have been manipulated, and altered cookies into what the company calls "security pipes." Each security pipe is designed to subvert Internet hack attempts. InterDo can be configured for any Web application and secures Web apps, servers, and databases from unauthorized access and manipulation, the company says.
The newest vendor, Stratum8, which last week previewed its Stratum8 APS at the 2002 RSA Conference, recently secured a $10 million round of funding led by BA Venture Partners and New Enterprise Associates.
Like the other application firewalls, Stratum8 APS sits in the middle of the data path and is designed to complement firewalls and intrusion-detection systems as it analyzes HTML traffic for malicious code and hacking activity, says CEO Bob Walters.
The software studies all HTTP and HTML traffic and performs real-time analysis on the application to protect against bogus data, as determined by the app's security policy. When the software finds suspicious traffic, it blocks the data before it reaches a Web server.
Companies that want to ensure the security of their Web applications are also turning to automated risk-assessment software, such as Sanctum's AppScan and KaVaDo's ScanDo; Stratum8 doesn't offer a risk-assessment scanning application. These applications scan and probe Web-based apps for potential breaches such as cross-site scripting, which involves dynamically created Web pages unwittingly accepting malicious code. Both products attempt to emulate how an attacker might operate by finding weaknesses and then exploiting them. But unlike hackers, these applications will generate detailed reports that show administrators where they need to shore up their apps through more secure configuration or patching.
There's no doubt that the number of security threats will increase, and applications are the newest target, especially as companies continue to leverage the Web to run more aspects of their business and Web applications become more complex and interactive. IT administrators will need new tools to protect their companies, and application firewalls hold promise. Says Hurwitz Group's Lindstrom, "We've only really just broken the surface of potential vulnerabilities."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.