As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Alfred Chung of Akamai Technologies introduces you to the threat of upload attacks, and how edge networking can protect your business.
In case you missed it, there’s a malware threat vector that’s on the rise: file uploads to web applications. With web interactions becoming increasingly central to virtually every business, file uploads via web forms and APIs are ubiquitous. Job applicants uploading resumes to career sites, insurance claims, loan applications, mobile check deposits, wholesale orders to vendors—the list of possible file uploads is endless. And every file carries the potential risk of delivering a malware payload that can detonate within your mission-critical systems. How big a problem are file upload attacks? According to one source, an estimated 20 percent of malware exploits are dropped from a web application or API. While some exploits are caused by innocent parties unknowingly passing along malware from an infected device, others are the work of malicious actors taking advantage of this crack in the online armor.
Many businesses are taking notice of the threat. According to one report, 87 percent of organizations that use web applications for file uploads are very concerned about secure file transfers—and 82 percent report that their concern has increased over the past year. Failing to address the threat posed by file upload exploits could expose businesses to all manner of cyber-attacks, including ransomware or theft of critical consumer data. How can organizations mitigate the risk posed by malicious file uploads? There are a few possible approaches. Spoiler alert: The third option offers significant advantages both in terms of simplicity and effectiveness. But let’s review all three.
Three Options Against Upload Attacks
Option 1: ICAP virus scanning
This approach typically involves a web application firewall (WAF) communicating with a separate antivirus scanner integrated using an Internet Content Adaptation Protocol (ICAP) interface in order to scan incoming files before they reach the destination server.
This is an old-school approach with a number of drawbacks. It requires multiple pieces of technology from different vendors that must be installed, configured, integrated, and managed. To be effective, it must be set up to serve all of your applications—that’s a lot of infrastructure to deploy and maintain, including keeping virus definitions up to date. Most importantly, because this solution resides on your own network, any malware uploaded still lands on your infrastructure—a potential security weakness.
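To make the WAF-to-scanner hop in option 1 concrete, here is an added example (not Akamai's or any WAF vendor's code) that frames an uploaded file as an ICAP REQMOD request and maps the scanner's reply back to a forward-or-block decision. The message layout follows RFC 3507; the scanner address, origin host, path and file bytes are constructed sample values.

```python
"""ICAP REQMOD framing for the WAF-to-antivirus hop described in Option 1.

Added example, not Akamai's or any WAF vendor's code. Message layout follows
RFC 3507; the service address, origin host and file contents are constructed
sample values.
"""

ICAP_SERVICE = "icap://scanner.example.internal/avscan"  # constructed address


def build_reqmod(origin_host: str, path: str, filename: str, content: bytes) -> bytes:
    """Wrap the client's upload (an HTTP POST) in an ICAP REQMOD request.

    The WAF sends this to the scanner before the origin server ever sees the
    file. 'Encapsulated' gives the byte offset of each part that follows the
    ICAP headers, and the body uses HTTP chunked framing as RFC 3507 requires.
    """
    http_request = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {origin_host}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        f"Content-Length: {len(content)}\r\n"
        "\r\n"
    ).encode()
    # One data chunk holding the whole file, then the zero-length terminator.
    chunked_body = f"{len(content):x}\r\n".encode() + content + b"\r\n0\r\n\r\n"
    icap_headers = (
        f"REQMOD {ICAP_SERVICE} ICAP/1.0\r\n"
        "Host: scanner.example.internal\r\n"
        "Allow: 204\r\n"  # scanner may reply 204 instead of echoing a clean upload
        f"Encapsulated: req-hdr=0, req-body={len(http_request)}\r\n"
        "\r\n"
    ).encode()
    return icap_headers + http_request + chunked_body


def encapsulated_parts(msg: bytes):
    """Split an ICAP message into (ICAP headers, encapsulated HTTP headers,
    chunked body) using the offsets carried in its own Encapsulated header."""
    icap_head, _, payload = msg.partition(b"\r\n\r\n")
    encaps = next(line for line in icap_head.split(b"\r\n")
                  if line.lower().startswith(b"encapsulated:"))
    offsets = dict(item.strip().split(b"=")
                   for item in encaps.split(b":", 1)[1].split(b","))
    body_offset = int(offsets.get(b"req-body", offsets.get(b"res-body", b"0")))
    return icap_head, payload[:body_offset], payload[body_offset:]


def classify_response(raw: bytes) -> str:
    """Turn the scanner's ICAP reply into the WAF's decision.

    204 No Content: unmodified, the upload is clean -> "forward" to the origin.
    200 OK whose payload is an HTTP *response* (res-hdr): the scanner replaced
        the request with its own answer, typically a block page -> "block".
    200 OK whose payload is a (possibly rewritten) request -> "forward".
    Anything else -> "scanner-error"; a WAF should fail closed on this.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/1."):
        return "scanner-error"
    status = parts[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    if status == "204":
        return "forward"
    if status == "200":
        encapsulated = headers.get("encapsulated", "")
        if "res-hdr" in encapsulated:
            return "block"
        if "req-hdr" in encapsulated:
            return "forward"
    return "scanner-error"


if __name__ == "__main__":
    msg = build_reqmod("www.example.com", "/careers/apply", "resume.pdf",
                       b"%PDF-1.4 constructed")
    print(msg.decode("latin-1"))
    print(classify_response(b"ICAP/1.0 204 No Content\r\n\r\n"))
```

The point the text makes about this design shows up in the framing itself: the WAF has to hold the complete upload, re-encode it, and wait for the scanner's verdict for every request, and the same ICAP plumbing must be deployed in front of each application. The decision table also illustrates why a scanner outage should fail closed: an unparseable or 5xx reply is treated as an error rather than silently forwarded.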
Option 2: Cloud-based scanning
This approach is a bit less labor-intensive than option 1, with less upfront capital cost. However, it requires some work to get the uploaded file to the cloud-based scanner. This likely involves writing a script that uploads files to an API for scanning, with additional scripting to dictate how suspect files are handled. More work for your application development and IT teams.
Ongoing maintenance of the scanning functionality would be provided by the cloud vendor as a service. However, uploaded files would still land on the application server prior to being forwarded to the cloud, creating a potential point of vulnerability as in option 1.
Option 3: Protection at the Edge
The third option is using an edge-based solution to block malware closer to its origin—and further from your web application. This represents a modern approach to protection, inspecting uploaded files and detecting and blocking malware at the edge before it enters your infrastructure.
Scanning functionality is hosted on the edge network, so there is nothing for you to install, and no changes to the application code are required. This makes it easier to deploy and maintain than the ICAP-based or cloud-based approaches discussed. Most importantly, it isolates threats from the targeted applications, providing greater security.
Choosing the Right Edge Network
The edge-based option offers clear advantages for mitigating the risk of malicious file uploads. But not all edge networks are optimized for this critical task. When formulating your edge security strategy, consider the following key factors:
- The risk of adding latency. Ensure the edge network has many points of presence in the regions where your end-users are located so that file scanning occurs as close to the user as possible.
- Broad file support. Ensure that the edge scanning solution provides support for a wide range of file types, able to scan .zip files, PDFs, and other file formats. It should also have the ability to validate file types to sniff out spoofed files and return a customized response to suspect files.
- Reporting and analytics. The solution should provide the information needed to help you effectively monitor activity and take action. It should provide important context about the client that uploaded the malware and the type of malware sent to help guide the security team’s response.
- SIEM integration. An edge-based scanning solution that integrates with your security information and event management (SIEM) system can provide critical information to your “single pane of glass” security tool, improving your ability to proactively spot potential vulnerabilities and threat patterns.
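The "validate file types to sniff out spoofed files" requirement above is the one check that is independent of any antivirus engine, so here is an added example of it (not Akamai's product logic). It compares the extension an uploader declares against the file's actual leading bytes, and goes a step further than the bullet by also walking .zip uploads: members get the same declared-versus-actual check, nested archives and path-traversal names are rejected, and the declared unpacked size is capped. The signatures are the standard magic numbers of each format; the allow list, size limit and sample uploads are constructed for the example.

```python
"""Declared-type versus actual-content validation for web uploads.

Added example for the 'validate file types' point in the text; it is not
Akamai's product logic. Signatures are the standard magic numbers of each
format; the allow list, size cap and sample files are constructed values.
"""
import io
import zipfile
from typing import Optional

# Leading byte signatures for the formats this validator knows about.
SIGNATURES = {
    "pdf": (b"%PDF-",),          # strict: header at byte 0 (viewers tolerate a
                                 # preamble, which is what polyglot files rely on)
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),   # populated / empty archive
}
ALIASES = {"jpeg": "jpg"}
MAX_UNPACKED_BYTES = 50 * 1024 * 1024        # constructed cap on archive expansion


def declared_type(filename: str) -> str:
    """Extension the uploader claims, lower-cased and normalized ('' if none)."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ALIASES.get(ext, ext)


def sniff(data: bytes) -> Optional[str]:
    """Type implied by the actual bytes, or None when no known signature matches."""
    for fmt, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return fmt
    if data.startswith(b"MZ"):   # Windows PE image; never on an upload allow list
        return "exe"
    return None


def check_bytes(filename: str, data: bytes, allowed: frozenset):
    """Reject unknown extensions, unknown content, and mismatches between the two."""
    declared = declared_type(filename)
    if declared not in allowed:
        return False, f"extension '.{declared}' is not on the allow list"
    actual = sniff(data)
    if actual is None:
        return False, "content does not match any known signature"
    if actual != declared:
        return False, f"declared .{declared} but content looks like {actual}"
    return True, "ok"


def inspect_zip(data: bytes, allowed: frozenset) -> Optional[str]:
    """Walk an archive; return a rejection reason, or None if every member is acceptable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            total = 0
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                    return f"unsafe member path: {name}"
                total += info.file_size          # declared size; a gateway also caps bytes read
                if total > MAX_UNPACKED_BYTES:
                    return "archive expands beyond the size limit"
                with zf.open(info) as member:
                    head = member.read(16)       # enough for every signature above
                ok, reason = check_bytes(name, head, allowed)
                if not ok:
                    return f"member {name}: {reason}"
    except zipfile.BadZipFile:
        return "corrupt or truncated archive"
    return None


def validate_upload(filename: str, data: bytes,
                    allowed: frozenset = frozenset({"pdf", "png", "jpg", "zip"})):
    """Return (accepted, reason) for one upload; archives are inspected one level deep."""
    ok, reason = check_bytes(filename, data, allowed)
    if not ok:
        return False, reason
    if declared_type(filename) == "zip":
        problem = inspect_zip(data, allowed - {"zip"})   # no nested archives
        if problem:
            return False, problem
    return True, "accepted"


def make_sample_zip(members: dict) -> bytes:
    """Build an in-memory archive from {name: bytes}; used only to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(validate_upload("resume.pdf", b"%PDF-1.7\n% constructed sample\n"))
    print(validate_upload("resume.pdf", b"MZ\x90\x00constructed"))
    print(validate_upload("bundle.zip", make_sample_zip({"../escape.pdf": b"%PDF-1.4"})))
```

A verdict from this check is also exactly the context the reporting bullet asks for: the reason string names the declared type, the observed type and, for archives, the offending member, which is what a security team needs when the event lands in the SIEM.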
As web applications rapidly take a leading role in how business is done—from B2C and B2B businesses to nonprofit organizations and public institutions—the volume of file uploads will undoubtedly continue to grow. And so will the threat of malware piggybacking on some of those files. Using a modern approach to block those threats at the network edge can provide added assurance that your online assets are protected, while continuing to make it easy for your customers to do business with you.
- Focus on the Edge: Defending Against File Upload Attacks - September 2, 2022