Technology Trust Issues When Running in Untrusted Environments? Try Application Shielding
Published on February 27, 2018 by Alexander Goodwin
“Software is eating the world.” The now-famous quote by technology expert Marc Andreessen was relevant in 2011 but seems downright prophetic in 2018 — the rise of web-based, mobile and IoT applications have created a market both massive and ever-changing. Companies know that simply staying competitive requires cutting-edge apps that both streamline the user experience and provide a steady flow of actionable data. But malicious actors also recognize the value of applications — and will do anything they can to compromise, infiltrate or damage business app networks.
It gets worse: According to the Center for Internet Security, “malspam” threats — unsolicited emails that contain malicious links or attachments — remain the number one attack vector for cybercriminals. Why? Because despite their simplicity, these attacks succeed. As noted by SC Magazine, meanwhile, 80 percent of IoT applications still aren’t tested for security vulnerabilities.
As a result, technology trust issues are on the rise — how can organizations and end-users remain confident in mission-critical app security? Start with application shielding.
Applications don’t exist in a vacuum. As noted by the SANS Technology Institute, apps are one of three key “attack surfaces” — all three are growing, and thanks to anywhere, anytime access provided by cloud computing and IoT devices are now interconnected. Here’s what you need to know:
- Software Attack Surface — The growing number of mission-critical apps increases the risk that malicious actors will gain admin-level functionality by compromising software.
- Network Attack Surface — IPv4. IPv6. SSL. UDP. VPNs. The sheer number of network protocols, overlays and handshake points provide cybercriminals ample attack surface. And once they have access to your network, it’s often possible to compromise applications from the inside-out, leaving infosec pros in the dark.
- Human Attack Surface — From phishing attacks to poor passwords and accessing insecure WiFi networks, humans remain a critical flaw in the cybersecurity chain. Armed with stolen credentials or persistent back-door access, attackers can wreak havoc on networks and applications — for example running PowerShell scripts to download malware or leveraging user devices as unwitting “bots” to infect other machines.
The challenge? While companies are often willing to spend time and money shoring up network security with active monitoring and remediation controls, and now that staff education in basic IT hygiene is more readily recognized as a critical facet of overall infosec strategy, apps are often left in the cold. Sometimes it is the pressure of market forces driving apps to market before they’re ready, or the (mistaken) sense that small-scale applications aren’t “important” enough for hackers to bother. Whatever the reason, it opens a hole for hackers — and as noted by Deloitte, this risk is no longer confined to file encryption or system damage. Attackers are now eschewing dime-a-dozen personally identifiable information (PII) thefts for large-scale intellectual property (IP) heists.
The App Issue
The biggest issue with apps security? Vulnerability to simple, straightforward attacks.
Consider the massively popular application that is Microsoft Word. For years, companies struggled to mitigate “macro-based” attacks that leveraged the existing capability of Word to run code scripts called macros, in turn allowing malicious payloads to gain a foothold. According to Help Net Security, a new version of “macro-less” attacks have now emerged leveraging the Dynamic Data Exchange (DDE) protocol, which is a built-in way to share data between applications. And while DDE requires user permission, the tiny grey boxes asking “do you want to update this document with the data from the linked file?” are hardly a deterrent.
But simple attack vectors are only half the problem. The other half? Untrusted environments. As noted by Tech Target, IoT exploit activity has quadrupled during the last year — and most are related to basic (or absent) security controls. The bigger issue? These apps run everywhere, from secure corporate networks to insecure WiFi to potentially compromised home networks. Combined with the success rate of straightforward attacks, apps in untrusted environments represent massive risk. The result is an increasing need for application shielding — a way to protect app running in untrusted environments and deliver actionable threat data.
The rise in application security issues has prompted analyst firms like Gartner to create a Market Guide for Application Shielding. Here is the summary: “Protecting applications that run within untrusted environments is ever more crucial as mobile and IoT become ubiquitous, and as web applications modernize, bringing more intelligence to the client. Security and risk management leaders must apply shielding selectively to close security gaps.”
One hundred percent industry consensus around mobile application security and shielding is impossible to achieve, but organizations like OWASP are trying. It recently released new protection guidelines around how mobile apps handle, store and protect sensitive information. For example, its Mobile Application Resilience Requirements now recommend that apps:
- Detect and respond to the presence of a jailbroken device
- Prevent or detect debugging attempts
- Include multiple defense mechanisms
- Leverage obfuscation and encryption
Great advice, but how do companies effectively implement these guidelines? As noted by Trip Wire, this starts with solid app development best practices such as writing secure code, only using authorized APIs and regularly testing apps prior to deployment. Application shielding, meanwhile, makes your application more resistant to intrusion, inspection, tampering and reverse engineering. In addition, it may also collect data to both identify attack vectors and help prevent future attacks. It is a critical link once applications go live in untrusted environments.
Bottom line? General app security is critical in a world consumed by software. Application security testing and vulnerability patching are a well-known step along the way. Application shielding, meanwhile, is another critical component for high value application that run in untrusted environments. These include any apps that access sensitive information, gate access to value, or contain intellectual property.
Learn more about shielding mobile or IOT apps here.
And, learn more about shielding desktop or server applications here.