Security Lesson #5: How to Think about Your Application Security Strategy

This is the latest post in our Security Lessons series.

In my last two posts, I explained what data security is and outlined data security best practices. In this post, I turn to the next layer of security – application security – to do the same.

Application security: Protecting critical software & applications

In our layered security model, Application Security focuses on protecting access to critical software and applications hosted in the environment. These security measures prevent data or code within an application from being stolen, hijacked, or inappropriately accessed. It may include hardware, software, and procedures that reduce or identify security vulnerabilities. An application firewall that defines allowed and prohibited activities is an example of a software security measure. Testing, monitoring, and training are all examples of procedures that can improve application security.

Why application security is important

Today, applications are often available over different networks and connected to the cloud, which increases your organization’s vulnerability to security threats and data breaches. As we’ve outlined in previous articles, a strong security posture depends on a multi-layered approach rooted in core security principles.

Cybercriminals increasingly target multiple avenues for their attacks, and applications (and the data they hold) are frequent exploitation targets.

Basics of application security

We use applications today at home and work, for communicating with one another, for news and entertainment, and for doing our job. Software is embedded in our cars, homes, and even wearables like watches and other devices. Almost all of it is connected to the internet, increasing the ability of attackers to find and exploit vulnerabilities. Disrupting the application layer can wreak significant disruption to your company’s operations, as well as provide clear access to sensitive data. Many experts consider the application layer the area that presents the most risk, and every firm and practice must have the most significant controls to protect this layer.

To manage these issues, there are five basic types of application security features:

1. Application Security Testing — for accounting firms and healthcare organizations, this section is about ensuring that your security controls and tools (like those listed below) are working as intended. It’s also about ensuring that your software vendors – the organizations that build and deploy applications – have established and verified processes for testing and securing applications. An easy way to determine that is to ask about your vendor’s compliance with recognized security frameworks such as SSAE 18-SOC 2, NIST SSDF, or a global standard like ISO 27034.
2. Authentication — procedures that ensure users are whom they say they are, often requiring a username and password to log into an application. Multi-factor authentication (MFA) requires more than one form of authentication, so in addition to a password, you might need a code sent to a mobile device or verified via an authentication app or a fingerprint or facial recognition match.
3. Authorization — the system can validate whether a user has permission to access the application – and what level of access they should have – based on an authorized user list.
4. Encryption (both at rest and in transmission) — tools or applications that encrypt the data as it’s sitting on the server, as well as protecting sensitive data from being seen or used by an unauthorized party when it moves between end-users and the cloud
5. Logging — identify who accessed data and provide a time-stamped record of the parts of the application that were accessed and who accessed them. When analyzed and correlated, logging information allows you to see what’s happening in and across your systems.

The most focus tends to be on the authorization aspect, using the least privileged approach to the application, which allows only enough access to perform the required job or task. In addition, many organizations have taken a structured approach to limit or eliminate the use of shadow IT, which is when users install applications without IT knowledge. That approach reduces the risk that attackers could gain access to critical systems by compromising unapproved (and therefore unmanaged) applications. Virtual desktops are one way to help lock down and isolate your environment from Shadow IT.

Another way to resolve the issues resulting from shadow IT is to change the ability of your users to install applications. Instead, whitelist applications that your users can run, and if other unlisted applications try to run, stop that at the system level. Whitelisting can help you balance your goal of enabling employees to work successfully yet controlling the changes allowed in your system. This is important because every time there’s a change, even if it’s an application update, there’s a risk that something won’t work the way it should, or the system will not respond as expected. During tax season, almost every accounting firm will see dramatic changes to their applications, so it’s imperative to be aware of those changes, what impacts they may have, and decide when and what you need to back up in case there’s a problem.

Common mistakes in application security

Many small organizations are aware of the importance of application security. Still, they believe that application providers handle it or don’t know what they can do to reduce risk. They also ignore where applications come from or what’s built into them, particularly when it comes to applications on mobile devices. As organizations and individuals, you need to consider all applications and the scope of what they can do and what you want to allow. Below are a few mistakes that can harm an organization in terms of application security:

• Worst: Not keeping applications up to date and updating every desktop or laptop individually. Keeping applications up to date is one of the best ways to prevent attacks.
• Bad: Not following third-party vendor best practices for their applications. Nearly every application vendor provides instructions for running applications in the most secure manner. However, by default, many install with very little security enabled and a default password.
• Better: Have irregular third-party reviews of your environment. A third party will identify where you need to enhance your security posture, and periodic review is essential, but very few companies do it regularly.

Cybercriminals are searching for companies to attack, frequently targeting the application layer. Together with application security testing, authorization, authentication, encryption, and logging, clear policies and employee training will help you build application security strategies that protect your business and your customers.

Best practices for application security

Small organizations can provide enhanced application security for employees within their network, managing and reducing risk exposure even when working remotely. There are various frameworks for application security, including the National Institute of Standards and Technology (NIST). K2 Security provides an overview of the new NIST SP 800-53 Guidelines for Application Security, which may be helpful to review. To protect your employees and clients, follow these best practices for application security:

• Deploy endpoint protection on all systems. Endpoint protection helps protect against many issues, including computer viruses, rootkits, bots, worms, trojan horses, spyware, and even messages that contain dangerous attachments or links. Advanced endpoint protection identifies risks based on anomalies rather than simply looking for matching signatures against a known-bad list.
• Use an EDR tool like SentinelOne. ActiveEDR identifies malicious acts in real-time, automates required responses, and allows threat hunting.
• Use time-based account lockouts so users don’t stay logged into accounts indefinitely. Logging back in allows you to re-authenticate and re-authorize users to ensure that you only grant access to the right person and application.
• Lock accounts after a certain number of failed attempts. While this may feel frustrating to the user who didn’t realize they had cap locks on or remembered last month’s password, it can keep the wrong people from accessing your systems and exploiting your data.
• Monitor applications for unexpected activity. One such activity might be brute force attacks, which use trial and error to gain access to accounts by working through many possible combinations to guess passwords correctly and access your system. Technology helps hackers do this automatically, which is why you should use technology to monitor your systems to prevent them from succeeding.
• Apply security patches regularly, and follow any policies you have put in place to keep applications up to date. Cybercriminals target known vulnerabilities, so keeping up to date on patches will reduce your chances of getting hacked.
• Data Loss Prevention (DLP) are tools and processes that you can use to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. Because DLP software classifies regulated, confidential, and business-critical data, it can also identify violations of policies defined by organizations, often driven by regulatory compliance such as HIPAA, PCI-DSS, or GDPR. DLP can also enforce remediation through the use of alerts, encryption tools, and other actions to help prevent users from sharing data that may put your organization at risk.
• Do a data classification exercise to know what data exists (and where), then create a map of all applications. Once you know what applications are in use, you’ll be able to determine what data they hold and how much risk they present, which will help you determine how to protect the data in that system. For example, you’ll want to put more security around patient data than you would around a system that helps with scheduling or one that tracks time clocks for employees.

Once again, training for your staff on application security and how it relates to data security is essential. The best practices outlined above, along with appropriate tools, will help you implement application security well.

How Netgain protects our clients

Netgain’s security and technology professionals understand the threats posed by malicious actors, unexpected downtime, and lack of compliance with regulations. Our team can recommend tools and best practices and help you implement security controls and other monitoring tools that can help protect your applications.

Today, we employ multi-factor authentication (MFA) using Duo for Netgain access. While some of our clients are currently using MFA, we are driving adoption and use of MFA more broadly. In addition, we are enhancing our privileged account management process and associated platform. Another way we can protect our clients is by requiring users to get approval to install new applications on their virtual desktop, which means that they can’t unintentionally install malware or ransomware, compromising both themselves and the entire network.

Stay tuned for our next post, which covers endpoint security. Endpoints are client devices, such as laptops, tablets, mobile phones, Internet-of-things devices, and other wireless devices. These endpoints create an attack vector for security threats, and endpoint security protects your organizations from potential threats and allows IT administrators, to monitor operation functions.