Four Signs your mobile app may be at risk

How can you make sure the mobile apps you access are secure?

A security profile should be at the top of the developer’s list when compiling a mobile app but that’s hardly the case. That’s a pity, because building a profile is easier to do during the dev phase. Are most mobile apps putting your data at risk? Most likely so. According to the most recent report from Lookout, the number of Android devices affected by malware is more than 6 million.

Luckily, there are telltale signs that indicate an insecure mobile app. Becoming the nose on a hound dog will let you sniff for clues of any potential harm of a data breach. Otherwise it will cost you. The Ponemon Institute’s Cost of Data Breach Study says average costs for a single breach increased by 15% last year, reaching $3.5 million.

 

Data Leaks

One obvious sign that an app might have malicious intent is a sudden, uncommon data access pattern. These patterns are concerning because some apps record your unencrypted data so it can be sent to a designated server. Once there, ruthless business rivals or cyber-criminals may collect your data. This transfer of sensitive data is very common and frequently goes unnoticed.

Excessive data usage or unexpected charges on a cell phone bill may signify the presence of malware. You need to monitor the amount of data each app uses. If you find suspicious activity, flag it. If you establish an audit trail, you will have a clear picture of data usage.

 

Inability to Encrypt Corporate Data

It is unrealistic to think that employees will voluntarily follow a mobile device management (MDM) policy that prohibits them from installing apps on their devices. This is especially true if the device belongs to the employee. You can mitigate the data leakage problem and user installed malware issues by ensuring that all your corporate data is encrypted and remains inside a secure container.

 

Insecure Transfers

Although cloud-based services are a convenient option when transferring files, if your staff is using a third-party app there is no guarantee that your files are secure. According to a new Netskope report, 88% of cloud apps being used as part of the BYOD trend are unsafe. This report also states that 15% of employees’ credentials have already been compromised.

If you do not have a system that secures the transmission and employs the encryption of your files, you may be unknowingly leaking data everywhere.

 

Unauthorized Users

This is an obvious risk to the security of your data. If you decide to allow mobile devices to access your network remotely, then you need to take the appropriate steps to authenticate the user.

 

Mobile Apps are Not Tested to Ensure Security

Enterprise app development focuses on business value, as opposed to security. For this reason, you need to consider professional penetration testing. It can uncover vulnerabilities and weaknesses you may have overlooked.

Building effective security is much less expensive and easier to do during the development of an app. You should consult with an expert to ensure that security testing remains an important portion of your software development process from the beginning.

 

This article was recently published in Dark Matter.

Image courtesy of Dark Matter.

The challenges of third-party risk management

Vendors and other third parties should be treated with the same level of intense scrutiny as your own in-house risk compliance mandates.

 

How seriously is your company treating the risk of a data breach? Have you done due diligence on all of your vendors and third-party partners? Cyberattacks can have a devastating impact in terms of reputation and customer trust. It takes time and resources to deal with the fall out. The true cost of a serious data breach is hard to calculate.

According to Verizon’s 2015 Data Breach Investigations Report, the estimated financial loss for 70 organizations in various industries around the world from 700 million compromised records was $400 million. No business can afford to ignore a threat like this.

 

Redirecting resources

There’s plenty of evidence that the enterprise takes the threat seriously. Gartnerestimates that global information security spending will hit $76.9 million this year, up 8.2% on 2014. But are companies spending that money in the right places? No matter how much internal systems are tightened and improved, companies can still be exposed by third-party vendors.

It’s not enough to ensure that your own house is in order, you have to assess every business relationship. After all, a chain is only as strong as its weakest link, and cybercriminals are adept at finding weak spots. The superintendent of the New York State Department of Financial Services, Benjamin M. Lawsky, summed it up nicely in hisFebruary speech:

“In many ways, a company’s cyber security is only as strong as the cyber security of its third-party vendors.”

 

Learning from the OCC

For many industries, third-party risk management is not optional. Regulators in the U.S. and Europe are starting to bring more pressure to bear. For example, the Office of the Comptroller of the Currency (OCC) extended regulatory responsibility to senior management in financial institutions with Bulletin 2013-29.

You don’t have to be in the finance industry to learn from the main issues it highlighted:

  • Failure to properly assess, understand, and document the risk and cost of outsourcing services.
  • Failure to perform proper due diligence and ongoing monitoring.
  • Entering into contracts without a proper assessment of the third-party’s risk controls.
  • Entering into contracts that could incentivize a third party to take risks in order to maximize profit, even if those risks could be detrimental to the bank or its customers.
  • Engaging in third-party relationships without a formal contract, or with inadequate contracts.

 

These issues should resonate with any industry, not just financial services. We’ve seen data breaches in healthcare, hospitality, retail, entertainment, manufacturing, technology, and the list goes on. We find the same root causes every time – a failure to identify and manage third-party risk.

 

Tackling third-party risk management

There are lots of different ways you might begin to identify and address risks associated with vendors. Firstly, it’s important to plan properly. There’s no one-size-fits-all answer for third-party risk management, but you should always be asking certain questions:

  • Why are these services being outsourced in the first place?
  • Is there any possibility the third-party will subcontract?
  • Do they have data centers based overseas?
  • What data is being shared?
  • What is the plan in the event of a third-party failure or breach?
  • How often are vendors assessed?

The planning phase should produce solid documentation, including a comprehensive due diligence report, a map of third-party relationships, risk assessments, performance reports, audits, and reviews. There’s no room for trust. If you don’t ensure compliance with service-level agreements, for example, then you could be exposing your company, not just to the risk of data breach, but also to legal liability.

 

Re-imagining vendor assessments

We need a fresh approach to vendor assessment and an understanding that issues must be addressed in a timely manner. Remediation efforts need to be audited, and there must be room for companies to terminate when third parties cannot or will not comply. There are two major failings with traditional vendor assessments:

  • Rating system: Reports can produce an arbitrary score or ranking. All too often that ranking doesn’t take the bigger picture into account. The risk isn’t just about the systems that any given vendor has in place, it’s about the nature of the relationship your business has with that vendor. What is your potential exposure in the event of an incident?
  • Regular reviews: an annual snapshot of your vendor’s security is rarely enough to provide peace of mind. Where serious risks are identified, it may be necessary to institute real-time, continuous monitoring. There also needs to be follow up to confirm that action is being taken to tighten security when required.

 

In the modern climate, with cyber security growing in importance, there’s simply no room for casual business relationships based on blind trust. It’s time to take third-party risk management seriously and work out a solution that delivers the oversight your business really needs.

 

This article was recently published in Network World.

Imagery credit Thinkstock.

Sophos Launches Security Heartbeat To Bring Together Network, Endpoint Capabilities

by Sarah Kuranda

Sophos is launching a new technology Monday that synchronizes threat intelligence and automation across endpoint and network levels.

Sophos Security Heartbeat, part of the Oxford, England-based company’s new XG firewall series, links together the company’s next-generation firewall and UTM solutions with its next-generation endpoint technologies. In doing that, the company said, it is able to improve security across a company’s environment in real time, with improved context, faster detection and automated response.

Features of the new solution include a Network Security Control Center, unified policy model, user and application behavior analysis, user threat quotients, Sophos Firewall Manager, centralized cloud management, and hardware and deployment flexibility.

[Related: Symantec Takes On FireEye, Palo Alto Networks With New Advanced Threat Protection Solution]

For a long time, networks and endpoints have operated independently as point solutions, even if they were part of the same vendor’s portfolio, but in today’s world of growing and accelerating security threats, said Dan Schiappa, senior vice president of Sophos’ End User Security Group, that simply isn’t an effective approach.

Sophos Security Heartbeat is revolutionary, Schiappa said, because it moves beyond the security status quo of point solutions toward a full security system. “It’s a huge advantage,” Schiappa said. “Not only am I making my network and my endpoint smarter — now it becomes more valuable.”

According to Kendra Krause, vice president of global channels, that value is especially true for partners who want to be able to offer a complete approach to security and drive more revenue through cross-selling opportunities.

“A lot of them are selling the point product separately, … but … having those technologies talk together just makes it so much stronger around threat detection and prevention,” Krause said. “I think it will open a lot of doors for partners.”

Partners agreed, saying that the new Security Heartbeat allows them to build a sustainable story around security, instead of selling a one-time point solution.

“When they put the Heartbeat in, it’s a game changer, because you don’t have all these disparate technologies,” said Michelle Drolet, president and CEO of Framingham, Mass.-based Towerwall, a partner of Sophos’ since 1995. “This is a mature vision, a mature company, with the right team in place and the right market efforts. … It’s so much fun to be a part of it.”

Sam Heard, president of Lakeland, Fla.-based Data Integrity Services, has been testing out the solution for the past couple of months. He said Security Heartbeat has already driven some long-term conversations with clients, who might be looking to upgrade a firewall but are able to see a vision around endpoint and other areas in the years to come. That type of roadmap-based conversation will drive increased revenue for years to come, Heard said.

“The whole synchronization … has been off the chart,” Heard said. “Sophos has always been a step ahead, in my opinion.”

That’s a very different approach than many of Sophos’ competitors, Krause said, referring to Intel Security’s sale of its McAfee NGFW and McAfee Firewall Enterprise businesses and a changing partner and product strategy at Symantec. That flux, combined with security innovation and stability at Sophos, will be a differentiator and drive recruitment, she said.

“The fact that [Sophos] has been consistent, strong, simple and channel-first will continue to drive these elements home and will resonate with existing partners,” Krause said. “It’s a stronger story, it’s a stronger partnership and we are definitely seeing a lot of partners from those legacy partners come to Sophos,” she said.

This a solution and a product vision that Sophos will be building off going forward, Schiappa said. He said partners can expect Sophos to integrate more of its leading products down the road into the Security Heartbeat system.

“We’re on a relentless path of innovation,” Schiappa said.

Cover your top 7 basic security threats first

When it comes to infosec, many of the most core basics are being overlooked. Many of the most obvious areas where security can be tightened up with little effort are being blatantly ignored. Are you doing your level best by covering the basics? Below are seven potential vulnerabilities. Most of these can be tackled without major cost or time, so there’s really no excuse not to consider these.

 

Mobile malware

If you allow people to bypass security systems by jailbreaking or rooting, and let them install apps from unknown sources, then you can bet they will. The consequences can be devastating. An infected device, unwittingly brought into the office by your own employee could effectively bypass the rest of your systems. You need to identify and remove malware, remotely wipe devices, and provide secure access to corporate servers. A solid split between personal and corporate data, with encryption and secure containers is vital.

 

Device loss or theft

Sometimes people are careless with devices. Sometimes they get stolen. More often they are left at an airport lounge or separated from their owners someplace else. The vast majority of devices have the capability to encrypt and password protect the data they hold. Take advantage of these capabilities, and you drastically decrease the risk of data breach after a loss or theft.

 

Unencrypted email

Millions of emails are being sent every day with absolutely no encryption. Malicious tools that allow criminals to collect unencrypted email are easy to find. Combine unencrypted email with open Wi-Fi, and you are asking for trouble. What most don’t realize is that it’s easy to encrypt email. Plenty of friendly, inexpensive solutions exist. Encrypting your email doesn’t just deter cyber-criminals, it also protects users from their own errors. It’s all too common that emails are sent to the wrong address, and that alone can lead to a data breach.

 

Open Wi-Fi

You simply can’t afford to use unsecured consumer routers for a business. Like a public utility such as a drinking fountain, free Wi-Fi is everywhere and most of them make it too easy for hackers to spy on your traffic. Man-in-the-middle attacks will intercept unencrypted email. Get a security policy for your network and enforce it.

 

Faulty firewalls

Unfortunately, firewalls evoke a false sense of security. Modern malware is designed to sit unnoticed and exfiltrate data silently. Without the right software and expertise, you will never know if you’re infiltrated. You need to know how your firewall should be configured. Too many IT departments are not aware of firewall features that have been paid for. It also has to provide real-time protection for all devices and locations, without affecting performance.

 

Broken web filters

Although you probably have a web filter to block porn or other non-business related content, most malware online is hosted on legitimate websites that have been compromised. Whether the entry point is a hijacked website, or a link in a malicious email, or a downloaded PDF file, the user will never know they’ve been attacked. Hackers can buy exploit packs online and use vulnerabilities in browsers and third-party software to gain a foothold. A static filter isn’t enough, you need real-time filtering to scan for dodgy URLs and web-based malware.

 

Macs do get their fair share

Macs are not immune to attacks or malware. Recall the Flashback Trojan that infected 600,000 Macs back in 2012. There have been other incidents since then. Apple’s OS X has some compelling security features, but it’s not perfect and there are always vulnerabilities in third-party software as well. Consider also the rising tide of ransomware, where data is locked and a demand for money is extorted if you want it unlocked. Lesson learned: install security software on your Macs.

 

There are lots of other things to consider when you’re addressing security. It’s an ongoing challenge to stay on top of threats. But if you begin by dealing with these seven threats, you’ll be off to a good start.

 

This article was recently published in Dark Matters.

Image courtesy of Dark Matters.