All employees in an organization use applications. Whether on a local computer, a server on site or in the cloud, as a service, on a mobile or tablet… Applications are important, and for good reason, as they allow us to work more efficiently.
But applications are synonym of threats. The software you use every day can be vulnerable to cybercriminal attacks. Security breaches can disrupt your entire information system and your business.
Application threats: Back to basics
All software and applications, regardless of distribution channel and usage patterns, are developed by cross-functional teams that work for months to create a useful tool for professionals. However, design or implementation errors can be made. These notorious flaws can be purely functional, while others can create security vulnerabilities. It is therefore common for applications to be updated to correct these flaws and vulnerabilities.
This is a classic approach in the iterative process of creating applications. Major issues appear however when publishers neglect security during the design phase, take too much time to fix a vulnerability, or decide altogether not to fix it. This is a situation that can affect any type of tool, including operating systems, as shown in this example with Windows, about a vulnerability that has been corrected… 19 years after its first identification.
Most of the time however, developers are responsive and correct vulnerabilities in a matter of days or weeks. This does not necessarily solve all of the problems, because IT departments do not always have a centralized management console to force updates, and need to rely on users. With the lack of time or interest, it is an approach that can lead to oblivion and leave a gaping digital opening available for all attackers to use.
The impact of application threats on users
There is a wide variety of application threats. For users, they are all likely to lead to the same result: alteration, theft or leak of data and confidential information.
Once a malicious individual has the means to penetrate a system through a security breach, the threat spreads very quickly. Ignoring application threats is like giving strangers the keys to a safe.
It becomes easy to steal strategic plans, sensitive information or patents, which can be passed on or sold to a competitor, or exposed on the dark web. Your employees’ personal information, which you are responsible for under the GDPR, may also be exposed, including pay slips, contracts, annual reviews, social security numbers, etc.
In addition to theft, data can also be corrupted: what if your customer database is encrypted by an attacker, or if your financial and business data are modified or deleted?
An ecosystem in full swing to ensure a timely response
Application threats are multiple and changing. This list includes, for example, “XML External Entity” in which exploitation of vulnerabilities within the code allows attackers to execute remote commands on a server, scan internal systems, and launch denial of service attacks.
Lack of logging and monitoring are also an interesting case, as they allow attackers to reinforce and extend their strategies to alter, extract, or destroy data.
As a key player in securing data and information systems, the IT department is the first line of defense against application threats. All organizations, regardless of their size, are likely to fall victim to an attack one day. But the problem is that, as the 2018 Ponemon Institute study has highlighted regarding application security, there are deep internal disagreements between IT and operational managers. For 48% of operational managers, application performance and speed must take precedence over safety. Two thirds of IT managers believe there should not be any compromise between performance and security in terms of priority.
The good news is that organizations are becoming more aware of the issues. This is the case for 64% of organizations that consider the next attack will come from an application. However, between intentions and actions, the gap is still large: only 25% of organizations have announced significant investments to bridge that gap.
Solutions to defend against application threats
Due to their vast diversity, application threats cannot be mitigated by a single solution. The best cure will always be a set of good practices and preventive actions. A few examples:
- Select all business applications with great care, and favor trusted vendors and those that incorporate a real security dimension to their strategy.
- Prohibit the installation of mobile applications outside official application stores and/or outside a white list approved and regularly updated by IT. Formidable threats can hide behind a simple game or a seemingly innocuous productivity app.
- Regularly update mobile and desktop OSes. If not in a centralized manner, take the time to perform this with each user.
- Update business applications as often as possible when a new security patch is available.
- Monitor, control and secure incoming and outgoing traffic (firewall, sandboxing, antivirus, etc.).
- Encrypt communications and data, end to end, to ensure your information cannot be deciphered, even if intercepted.
- Implement a MDM solution for all mobile devices, to facilitate and centralize smartphone and tablet management.
- Educate yourself continuously to stay on top of current threats.
Application threats are a major challenge for IT departments, sometimes underestimated by users, and must be managed strategically. This approach requires a holistic vision, as it affects all components of the business at all operational levels. Preventing threats means having the right tools at the right time on the right devices, with users trained and made aware of the realities and potential consequences.