Threats to Data Centers - Attacking the Application Layer

Posted by Ed Adams on November 14, 2013 at 9:11 AM
Find me on:

There has been a lot written on the disruptive technology shifts to mobile and cloud platforms and the security challenges each bring; however, in the shuffle, a stalwart staple of Enterprise IT (and emerging threats to it) have been overlooked -- the datacenter.

Datacenters don't house just big iron with databases, of course; their main purpose is to serve up the applications on which the enterprise runs. These applications are a primary target for hackers, for they are the lifeblood of the enterprise, storing and managing that critical data that is typically well protected against network-based attacks. However, an increasingly popular and disturbing trend is to attack the application directly. Most of us know by now (and research supports it) that the software layer is the most vulnerable and the source of the majority of attacks. This is also true in the datacenter.

The two emerging risks many of our largest clients are worried about with respect to their datacenters include:

1. Application traversal
Datacenters don't just house mission-critical (“Tier 1”) applications; they also house less-critical (“Tier 2”) applications and often non-critical (“Tier 3”) applications that may be nothing more than a temporary marketing web site that contains no sensitive data. However, when these applications are co-located, there is a risk of an attacker exploiting a vulnerability in a Tier 3 application, escalating their privilege level to admin, and gaining access to the Tier 2 and possibly Tier 1 applications. Despite the enterprise's efforts to implement protective measures like network segmentation, intrusion detection systems, and DLP (data loss prevention), users with admin rights will slip right past these defenses unnoticed. Their activity might be logged, but there is no evidence of wrongdoing because it mimics normal admin activity. This is much more common that many think. A logical approach is to protect your mission-critical applications with stronger hardening defenses than lower-tier applications; however, without thorough threat modeling or attack simulation, application traversal risks are often overlooked.

2. Application-layer denial-of-service
Datacenters are all about efficiency: faster, cheaper, redundant, etc. A slowed down process is a business continuity risk that enterprises want to avoid; this is one of the advantages of a streamlined, high-powered datacenter. Unavailability of those business processes is a disaster scenario.

Distributed denial of service (DDoS) attacks have been acknowledged and well understood for some time, however they’ve typically occurred at the network layer. Attackers have improved their delivery method for these attacks and are now incorporating application layer DDoS attack vectors. In fact, Gartner estimates that 25% of all DDoS attacks in 2013 will be at application layer.

Application-layer DoS attacks are not nearly as well understood as their network-born relatives. Application-layer DoS attacks exploit vulnerabilities in software such as buffer overflows or null pointer references in databases and web servers. These attacks can appear to be legitimate application-layer traffic and are not easily detectable. They can also be easily scaled by leveraging cloud services - an Amazon EC2 or Microsoft Azure server farm can be spun up in minutes, giving attackers an army with which to wage war. This army of application-layer requesters on services can lead to a system freeze, reboot and/or 100% CPU utilization due to invalid and inappropriate allocation of resources. And there are also plenty of automated (often free, open-source) tools to help the hacker carry out these exact attacks.

To protect against application-layer DoS, several mitigation strategies can be considered:

  • Traffic subjected to rate limits, prioritization, and load balancing.
  • Fast-expiring session aging
  • Two-factor authentication to validate user roles, especially at admin levels.

Similar to application traversal, post-attack forensics are complicated in this scenario due to the often-elevated privilege levels the attackers are able to gain.

Topics: application security, cybersecurity news

Ed Adams

Written by Ed Adams

Ed Adams is a software quality and security expert with over 20 years of experience in the field. He served as a member of the Security Innovation Board of Directors since its inception in 2002 and took over as CEO in 2003. Ed is Research Fellow at The Ponemon Institute, serves on the board of several IT security organizations, and was named a Privacy by Design Ambassador by the Information and Privacy Commissioner of Canada.