PreEmptive logo

Technology Trust Issues When Running in Untrusted Environments? Try Application Shielding

“Software is eating the world.” The now-famous quote by technology expert Marc Andreessen was relevant in 2011. Still, it seemed downright prophetic in 2018—the rise of web-based, mobile, and IoT applications has created a massive and ever-changing market. Companies know that staying competitive requires cutting-edge apps that streamline the user experience and provide a steady flow of actionable data. But malicious actors also recognize the value of applications—and will do anything they can to compromise, infiltrate, or damage business app networks.

It gets worse: According to the Center for Internet Security, “malspam” threats—unsolicited emails that contain malicious links or attachments—remain the number one attack vector for cybercriminals. Why? Because despite their simplicity, these attacks succeed. As noted by SC Magazine, 80% of IoT applications still aren’t tested for security vulnerabilities.

As a result, technology trust issues are on the rise. How can organizations and end-users remain confident in mission-critical app security? Start with application shielding.

Surface Tension

Applications don’t exist in a vacuum. The SANS Technology Institute notes that apps are one of three key “attack surfaces.” All three are growing, and thanks to anywhere, anytime access provided by cloud computing and IoT devices, they are now interconnected. Here’s what you need to know:

  • Software Attack Surface: The growing number of mission-critical apps increases the risk that malicious actors will compromise software to gain admin-level functionality.
  • Network Attack Surface: IPv4. IPv6. SSL. UDP. VPNs. The sheer number of network protocols, overlays, and handshake points provides cybercriminals with ample attack surface. Once they have access to your network, it’s often possible to compromise applications from the inside out, leaving infosec pros in the dark.
  • Human Attack Surface: From phishing attacks to poor passwords and accessing insecure WiFi networks, humans remain a critical flaw in the cybersecurity chain. Armed with stolen credentials or persistent back-door access, attackers can wreak havoc on networks and applications—for example, running PowerShell scripts to download malware or leveraging user devices as unwitting “bots” to infect other machines.

The challenge? Companies are often willing to spend time and money shoring up network security with active monitoring and remediation controls. Now that staff education in basic IT hygiene is more readily recognized as a critical facet of overall infosec strategy, apps are often left in the cold. Sometimes, it is the pressure of market forces driving apps to market before they’re ready or the (mistaken) sense that small-scale applications aren’t “important” enough for hackers to bother. Whatever the reason, it opens a hole for hackers. And, as noted by Deloitte, this risk is no longer confined to file encryption or system damage. Attackers are now eschewing dime-a-dozen personally identifiable information (PII) thefts for large-scale intellectual property (IP) heists.

The App Issue

The biggest issue with app security? Vulnerability to simple, straightforward attacks.

Consider the massively popular application Microsoft Word. For years, companies struggled to mitigate “macro-based” attacks that leveraged the existing capability of Word to run code scripts called macros, in turn allowing malicious payloads to gain a foothold. According to Help Net Security, a new version of “macro-less” attacks has emerged, leveraging the Dynamic Data Exchange (DDE) protocol, a built-in way to share data between applications. And while DDE requires user permission, the tiny grey boxes asking, “Do you want to update this document with the data from the linked file?” are hardly a deterrent.

But simple attack vectors are only half the problem. The other half? Untrusted environments. As noted by Tech Target, IoT exploit activity has quadrupled during the last year—and most are related to basic (or absent) security controls. The bigger issue? These apps run everywhere, from secure corporate networks to insecure WiFi to potentially compromised home networks. Combined with the success rate of straightforward attacks, apps in untrusted environments represent massive risks. The result is an increasing need for application shielding—a way to protect apps running in untrusted environments and deliver actionable threat data.

Shields Up!

The rise in application security issues has prompted analyst firms like Gartner to create a Market Guide for Application Shielding. Here is the summary: “Protecting applications that run within untrusted environments is ever more crucial as mobile and IoT become ubiquitous, and as web applications modernize, bringing more intelligence to the client. Security and risk management leaders must apply shielding selectively to close security gaps.”

Industry Consensus

One hundred percent industry consensus around mobile application security and shielding is impossible, but organizations like OWASP are trying. It recently released new protection guidelines around how mobile apps handle, store, and protect sensitive information. For example, its Mobile Application Resilience Requirements now recommend that apps:

  • Detect and respond to the presence of a jailbroken device
  • Prevent or detect debugging attempts
  • Include multiple defense mechanisms
  • Leverage obfuscation and encryption

Great advice, but how do companies effectively implement these guidelines? As noted by Trip Wire, this starts with solid app development best practices such as writing secure code, only using authorized APIs, and regularly testing apps before deployment. Application shielding, meanwhile, makes your application more resistant to intrusion, inspection, tampering, and reverse engineering. In addition, it may also collect data to both identify attack vectors and help prevent future attacks. It is a critical link once applications go live in untrusted environments.

The bottom line? General app security is critical in a world consumed by software. Application security testing and vulnerability patching are well-known steps along the way. Application shielding, meanwhile, is another critical component for high-value applications that run in untrusted environments. These include any apps that access sensitive information, gate access to value, or contain intellectual property.

In This Article:

Try a Free Trial of PreEmptive Today!