‘A majority of cyberattacks occur at the Application layer’

Sep 6, 2018

Security, Cybersecurity trends

Security has suddenly become a big concern for enterprises. In fact, Gartner predicts enterprise spending on information security products and services in India is on pace to reach US$1.7 billion in 2018, an increase of 12.5 percent from 2017. In 2019, the market is forecast to total US$1.9 billion.

Mohan Veloo, Vice President-Technology, Asia Pacific, F5 Networks attributes this to a shortage of security professionals, cheap devices with low security connecting to networks, buggy software and the lackadaisical approach to patching software. He worries that the number of security incidents will increase at an alarming rate as cheap devices like Web cams flood the market. The key to strengthening security now lies at the application layer, he says.

DC: Are you seeing more demand for security solutions in the Indian market? What kind of solutions in particular?

Mohan Veloo, Vice President-Technology, Asia Pacific, F5 Networks

Mohan Veloo: Security has become very prominent now. From a vendor point of view, India has become important for us. We have seen a huge spike in revenue. There is more awareness among our customers, whereas two years ago they would not have cared so much, and they were fine with just having a firewall with no other advanced measures.

They would be content with their network firewall as they perceived it to be enough for their security needs. Now, they are coming back to us and they are asking for advanced security solutions. Sales for our Web Application Firewalls have gone through the roof, especially in India.

DC: Web application security has become a very big thing. What do you think triggered it?

Mohan Veloo: Web Application Security has always been important. F5 has always championed web application security. The trigger I believe in India is directly related to the increased internet usage and mobility in India, as a result of which, our customers are seeing more threats and looking for more solutions in terms of security.

DC: Why is there a shortage of security professionals in India? And what needs to be done to address this?

Mohan Veloo: There is an acute shortage of security talent in India. A lot of companies that we talk to have just one person handling their security. These companies cannot afford to have a team of people. In India, it is common to see trained security professionals leaving to join other companies that offer higher salaries.

The universities and schools are not training people in security. How do you educate your internal people when it comes to security? And this education should start at the school level. Kids of today have access to, and have multiple accounts. There needs to be some form of simple curriculum — things like changing passwords regularly —  to generate a sense of security from a very young age.

People need to practice security and digital hygiene. Digital hygiene is simple — keep changing your password, do not click on links, update your operating systems and be aware. More businesses are going digital these days, which means practicing digital hygiene is essential now, more than ever.

A lot of security professionals are network-centric; they spent time on network protection, blocking ports etc. They worked at the network layer, which is now very well protected. But the problem is happening at the Application layer.

DC: How do you protect the applications and the Application layer?

Mohan Veloo: The Application layer is a wide-open space. There are lots of ways to attack an application. An application can be attacked if the code is bad. These days anyone can be a coder. You can even build an application without coding knowledge. You can find instructions online.

To protect applications, one needs to understand the application architecture and not many people know that. It is only in the last few years that security vendors have started realizing that applications are attacked more often than the network layer. In fact, I would say, the majority of attacks are application layer attacks.

The reasons why these happen are bad coding practices and that they don’t patch software. Patching is a continuous exercise as vendors are always finding vulnerabilities in software, sometimes after an attack happens. For a lot of enterprises, doing this patching becomes an operational nightmare.

DC: Are you seeing attacks being launched from mobile devices? Which other devices are being compromised?

Mohan Veloo: One can launch an attack from a mobile phone. Security is being overlooked in cheap IP cameras. Recently in Singapore, there was a huge DDoS attack on one of the local telecom providers (StarHub). The attack was believed to have come from outside of the network, but what they found out was that the attack came from within their own network. The attack was initiated from a hacked web camera.

These cameras are actually compromised. These are what we call IoT attacks. These devices are not well protected and they are not hardened. Companies invest a lot to secure their network from attacks that come from outside their network. But what happens within their own network with devices such as phones, web cameras etc?

I think this will become a huge issue in India. India is becoming highly connected at an extremely fast rate, with cheap connectivity. Cheap devices will flood the market. So the incidences of attacks will increase.

People know that China is a place where most attacks are launched from, but within China it is like a war zone. There are a lot of internal attacks within Chinese companies.

 

Brian Pereira
Brian Pereira is an Indian journalist and editor based in Mumbai. He founded Digital Creed in 2015. A technology buff, former computer instructor, and software developer, Brian has 29 years of journalism experience (since 1994). Brian is the former Editor of CHIP India, InformationWeek India and CISO Mag. He has served India's leading newspaper groups: The Times of India and The Indian Express. Presently, he serves the Information Security Media Group, as Sr. Director, Editorial. You'll find his most current work on CIO Inc. During his career he wrote (and continues to write) 5000+ technology articles. He conducted more than 450 industry interviews. Brian writes on aviation, drones, cybersecurity, tech startups, cloud, data center, AI/ML/Gen AI, IoT, Blockchain etc. He achieved certifications from the EC-Council (Certified Secure Computer User) and from IBM (Basics of Cloud Computing). Apart from those, he has successfully completed many courses on Content Marketing and Business Writing. He recently achieved a Certificate in Cybersecurity (CC) from the international certification body ISC2. Follow Brian on Twitter (@creed_digital) and LinkedIn. Email Brian at: [email protected]