After nearly 20 years of selling software to the financial services industry, Baker Hill decided two years ago to become an application service provider, offering access to its programs over the Web.
To support the new offering, the company built a Web infrastructure using Microsoft technology, including the Internet Information Server (IIS) Web server, Active Directory and SQL Server 2000, says Eric Beasley, senior network administrator for Baker Hill, in Carmel, Ind. That technology choice didn't sit well with some large clients, who had read about the Nimda and Code Red attacks that targeted Microsoft platforms. "We had clients who ultimately decided they would not do business with us unless we could find a way to secure that Microsoft environment," Beasley says.
Such concerns are well founded because applications are becoming the prime target for cyberattacks. Experts say firewalls are doing an adequate job of protecting against common network-layer attacks, and operating system vendors have cleaned up most of their well-known vulnerabilities. "The application layer is increasingly what's left," says Scott Blake, vice president of information security for BindView.
Another reason applications are an attractive target is there's no shortage of vulnerabilities to go after, and most require little expertise to exploit, says John Pescatore, an analyst at Gartner.
Since 2002, Gartner research shows that 70% of all successful attacks have exploited application vulnerabilities. "If you take into account Slammer, Blaster and others that happened last year, it's probably up to 90% now," he says. Pescatore says the problems being exploited fall into two classes: defects for which a patch has been issued (about 35%) and misconfigured applications (65%).
Common exploits look for vulnerabilities that can give the attacker root access to server platforms including Microsoft SQL Server, IIS and occasionally Apache Web servers, says Fred Avolio, president of Avolio Consulting.
Among the most dangerous forms of attack is SQL injection, where an attacker puts unexpected SQL commands into a Web application form field. If the application pastes that field directly into a database query, the attacker's text becomes part of the query itself, which could let the attacker execute commands on the back-end database server and, potentially, gain administrator rights. Buffer overflow attacks, which feed an application more input than the memory set aside for it can hold so that the excess overwrites adjacent memory, likewise can give an attacker the ability to execute commands on a target system.
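The SQL injection case above comes down to one coding decision: whether form input is concatenated into the query text or passed to the database as a bound parameter. The following Python example, added here and not taken from the article or from Baker Hill's systems, shows both versions of a login lookup against a constructed in-memory SQLite table (the users, passwords and the `login_vulnerable` / `login_parameterized` function names are all assumptions for the example). The vulnerable form lets a comment sequence in the username field cut the password check out of the statement; the parameterized form treats the same input as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for the
    back-end database a Web application would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so whatever the form
    field contains becomes part of the SQL the database parses."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Passes the form values as bound parameters. The driver hands them to
    the database as data, so they can never alter the statement's structure."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def compare(username, password):
    """Run the same input through both versions and return the two result sets,
    so the difference can be checked rather than just printed."""
    conn = make_db()
    return login_vulnerable(conn, username, password), login_parameterized(conn, username, password)


if __name__ == "__main__":
    # A username ending in a SQL comment marker: the concatenated query
    # discards everything after it, including the password condition.
    hostile_name = "alice' --"
    vulnerable_rows, safe_rows = compare(hostile_name, "wrong-password")
    print("concatenated query returned:", vulnerable_rows)   # row for alice, no password needed
    print("parameterized query returned:", safe_rows)        # empty: no such username
    print("legitimate login:", compare("alice", "s3cret")[1])
```

The fix is not input filtering but keeping query structure and user data on separate channels; every mainstream database driver offers parameter binding, and it is the form the application's data-access code should use throughout.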
Other common exploits include cross-site scripting, which Blake says is common in phishing attacks. Cross-site scripting can take various forms, including tricking users into connecting to what appears to be a well-known Web site to collect personal information or taking over a user's Web session.
One of the best forms of defense against application-layer attacks is to avoid following the crowd because attackers typically target the most commonly deployed applications. "It's simply return on investment" from the hacker's perspective, Blake says. "Deploy less commonly used technology to achieve heterogeneity and become a smaller target." Similarly, homegrown applications are less likely targets than off-the-shelf programs.
Pescatore is also a proponent of diversity in terms of operating systems and server platforms. "It raises the cost of IT management, but it greatly decreases the odds that you're going to have a catastrophic outage," he says.
Another tip is to expose to the Internet only those services that you actually need. Slammer, for example, took advantage of "a lot of SQL Server databases that didn't need to be exposed to the Internet," Pescatore says. It's also a good idea to zone off crucial applications to limit unnecessary exposure to the rest of the corporation. "If a big worm hits my office zone, that's pretty annoying," he says. "But if it spreads to the system that schedules the trains, and the trains don't leave the station, that's disastrous."
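Checking which services a host actually offers to the Internet is a routine worth automating. The Python example below is added here as an illustration and is not code from the article or from any of the organizations it quotes. It reads a constructed, simplified listening-socket inventory (protocol, bind address, port, service name; the format and the service names are assumptions, not real `netstat` output), applies a policy of which services the host is required to expose externally, and reports every listener reachable from outside that the policy does not require. The sample inventory deliberately includes a database server bound to all interfaces, the kind of exposure the Slammer remark above describes.

```python
import ipaddress

# Constructed sample inventory: proto, bind address:port, service label.
# Not captured from a real host.
SAMPLE_LISTENERS = """
tcp 0.0.0.0:80 web
tcp 0.0.0.0:443 web
tcp 0.0.0.0:1433 sqlserver
udp 0.0.0.0:1434 sqlbrowser
tcp 127.0.0.1:3389 remote-desktop
tcp 10.0.5.12:389 directory
"""

# Assumed policy for the example: the only services this host must offer to
# the Internet. A real policy comes from the application's requirements.
INTERNET_REQUIRED = {("tcp", 80), ("tcp", 443)}

# Assumed internal address space; listeners bound only to these addresses are
# treated as reachable from the corporate zone, not from the Internet.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_listeners(text):
    """Parse the simplified inventory into (proto, host, port, service) tuples."""
    rows = []
    for line in text.strip().splitlines():
        proto, addr, service = line.split()
        host, port = addr.rsplit(":", 1)
        rows.append((proto, host, int(port), service))
    return rows


def externally_reachable(host):
    """True when a listener bound to this address can be reached from outside.

    A wildcard bind (0.0.0.0) answers on every interface, including the
    Internet-facing one; loopback and internal-only addresses do not."""
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return True
    if ip.is_loopback:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_unneeded_exposure(text, required=INTERNET_REQUIRED):
    """Return listeners that are reachable externally but not required by policy."""
    return [
        (proto, host, port, service)
        for proto, host, port, service in parse_listeners(text)
        if externally_reachable(host) and (proto, port) not in required
    ]


if __name__ == "__main__":
    for proto, host, port, service in find_unneeded_exposure(SAMPLE_LISTENERS):
        print(f"unneeded exposure: {service} on {proto}/{port} bound to {host}")
```

On the sample data the report names the database server and its browser service, which should be bound to an internal address or blocked at the perimeter, while the internally bound directory service and the loopback-only remote desktop listener pass. The same function can be pointed at a host's real listener list once it is converted to the three-column form the parser expects.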