STE WILLIAMS

How iOS App Permissions Open Holes for Hackers

The permissions iOS apps request from users can turn the devices into spy tools and provide a toehold into the enterprise network, according to new research.

In many ways, the era of the smartphone is defined by apps, which do everything from sending messages to tracking our exercise. New research shows how Apple iOS apps come with substantial costs to privacy and security via the data-gathering permissions users grant them.

The new research, conducted by Wandera, reviewed permissions requested by 30,000 iOS apps most commonly seen on their network of corporate devices, most of which were free apps. Wandera found there are permissions to three sources of data requested by more than half the apps: Location when the app is in use (51%); camera (55%); and the user’s photo library (62%).

Not surprisingly, social networking apps request permission for the most data, with an average of 4.96 data sources. The second “grabbiest” category, though, is weather apps, asking for access to 4.73 data sources.

Why do the apps need so much user data? “[App publishers are] trying to build profiles on individual users that could yield more value to them as a development team or as a firm that made an investment in that application,” says Wandera vice president Michael Covington.

Some 95% of the apps studied by Wandera were free apps. “There’s not a ton of money in the applications themselves,” Covington says. And it’s notable that, according to the research, paid apps tend to request no device permissions far more often (more than 25% of the time) than free apps (15%). 

While users explicitly grant permission for the apps to gather this data, Covington says that there can be a dramatic difference between the access required to initially set up the app and the access required for the ongoing functioning of the app.

“Many of these apps ask for permissions that ultimately should be used once,” he says. “If you think about adding a new credit card to Apple Pay, you take a picture of the credit card and you really don’t use the camera again.”

Those ongoing permissions represent a security risk for more than just the consumer, according to Mike Fong, CEO and founder of Privoro. For enterprises and government agencies, giving apps access to smartphone sensors is risky.

Fong points out that most government offices dealing with sensitive data have long banned on-premise possession of smartphones. And beyond those specific instances, he says, “If you look at things like location trackers, think about revealing military bases and other types of facilities which shouldn’t become known. It has to become a really big part of your thinking on strategic intelligence.”

The danger from access to sensors extends beyond free apps. “It’s probably one of the least-known things, that certain browsers or Web pages that give you access to some data, capture measurement from sensors like the location, accelerometer, or magnetometer.”

Wakeup Call

Enterprises are becoming more sensitive to the data being gathered from consumers in their roles as employees, Covington says.

“There is actually a movement towards app vetting within the enterprise,” he says. That’s where the security team vets not just the developer and where the app was downloaded, but also the information the app can collect – and how the publisher treats that information in transit and in back-end storage.

Meantime, some organizations are beginning to change their approach to apps on the devices employees bring. “Once they get this [app-vetting] workflow into place, I think you’ll find much tighter controls on the applications that enterprises are allowing to be installed,” says Covington.
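As an added example (not Wandera’s tooling and not from the article), a Python script for the app-vetting step described above: it reads an app’s Info.plist, lists the data sources the app is able to prompt for from Apple’s purpose-string keys, and flags apps that exceed a source-count threshold or ship empty or boilerplate purpose strings. The sample plist, the threshold of four sources and the word-count rule are constructed assumptions.

```python
import plistlib
from typing import Any, Dict, List

# Apple's Info.plist purpose-string keys: iOS only shows a permission prompt
# when the matching key is present, so the keys enumerate what the app may
# ask for. The labels are our own grouping for reporting (hypothetical).
USAGE_KEYS: Dict[str, str] = {
    "NSLocationWhenInUseUsageDescription": "location (when in use)",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "location (always)",
    "NSCameraUsageDescription": "camera",
    "NSPhotoLibraryUsageDescription": "photo library",
    "NSMicrophoneUsageDescription": "microphone",
    "NSContactsUsageDescription": "contacts",
    "NSCalendarsUsageDescription": "calendars",
    "NSMotionUsageDescription": "motion and fitness",
    "NSBluetoothAlwaysUsageDescription": "bluetooth",
    "NSHealthShareUsageDescription": "health data",
}

# Constructed sample Info.plist for a fictional weather app (not a real app).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.weatherapp</string>
  <key>CFBundleDisplayName</key><string>Example Weather</string>
  <key>NSLocationWhenInUseUsageDescription</key><string>Show the forecast for where you are.</string>
  <key>NSCameraUsageDescription</key><string>This app needs camera access.</string>
  <key>NSPhotoLibraryUsageDescription</key><string></string>
  <key>NSContactsUsageDescription</key><string>Share forecasts with friends.</string>
  <key>NSMotionUsageDescription</key><string>Required.</string>
</dict>
</plist>
"""


def load_info_plist(plist_bytes: bytes) -> Dict[str, Any]:
    """Parse an XML or binary Info.plist into a dict."""
    return plistlib.loads(plist_bytes)


def requested_data_sources(info: Dict[str, Any]) -> List[str]:
    """Data sources the app is able to prompt for, in USAGE_KEYS order."""
    return [label for key, label in USAGE_KEYS.items() if key in info]


def weak_purpose_strings(info: Dict[str, Any], min_words: int = 4) -> List[str]:
    """Keys whose purpose string is empty or too short to explain the access.
    App Review rejects a missing string, but a one-word placeholder passes;
    for vetting we treat fewer than min_words words (our threshold) as
    unjustified and worth a question to the publisher."""
    return [key for key in USAGE_KEYS
            if key in info and len(str(info[key]).split()) < min_words]


def audit_info_plist(plist_bytes: bytes, max_sources: int = 4) -> Dict[str, Any]:
    """Summarise an app's requested data sources for an app-vetting review.
    max_sources is our own threshold, chosen to sit just below the article's
    reported average for weather apps (4.73)."""
    info = load_info_plist(plist_bytes)
    sources = requested_data_sources(info)
    return {
        "bundle_id": info.get("CFBundleIdentifier", "<unknown>"),
        "sources": sources,
        "source_count": len(sources),
        "weak_purpose_keys": weak_purpose_strings(info),
        "exceeds_threshold": len(sources) > max_sources,
    }


if __name__ == "__main__":
    report = audit_info_plist(SAMPLE_INFO_PLIST)
    print(f"{report['bundle_id']}: {report['source_count']} data sources "
          f"({', '.join(report['sources'])})")
    for key in report["weak_purpose_keys"]:
        print(f"  weak purpose string for {key}")
    if report["exceeds_threshold"]:
        print("  flag for manual review: more data sources than the threshold")
```

The plist only shows what an app can ask for; whether a permission is used once at setup (the credit-card photo case) or continuously still has to come from runtime observation or the publisher.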

Fong says the basic smartphone app hygiene that most companies require – don’t click on unknown links or attachments, and only download apps from enterprise-approved app stores – is important, but not sufficient.

Defense-in-depth is a network security model that works for devices and their apps, because, as Fong says, total security requires process and awareness as well as security systems dedicated to protecting the enterprise from users’ mobile devices.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/application-security/how-ios-app-permissions-open-holes-for-hackers-/d/d-id/1334336?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

True Cybersecurity Means a Proactive Response

Successful, secure organizations must take an aggressive, pre-emptive posture if they want true data security.

Cybercriminals are always works in progress. Their knowledge and ability to bypass security systems are constantly advancing. As they gain knowledge, they develop and implement sophisticated impersonation methods that are proving increasingly adept at evading detection and gaining access to secure data. This happens as many of their targets fail to adequately upgrade their security solutions to detect and protect against them. Currently, cybercriminals have many soft targets, and they know what to do to penetrate their systems. This climate that works in favor of the attacker underscores how organizations, as potential targets, need to rethink their approach to data and system security.

One of the most common approaches a cybercriminal takes is to present as an employee or friend of the organization under attack. This is the path of least resistance for introducing malicious code to a system disguised as a trusted application. In this way, and without the proper, updated security protocol in place, hackers fly under the radar to access sensitive information and even extract money. The cost can be steep for an enterprise that is breached in this way. A loss of assets can be crippling, as can the perceived loss of reputation. As these attacks become more common, organizations must prepare and have a modern, flexible security strategy in place that incorporates several layers of security.

How Do Hackers Introduce Malicious Code?
Common and widely used applications such as Microsoft Word and Adobe Reader are trusted, seemingly secure, and able to run code on an individual’s computer. This makes these applications popular and effective entry points for hackers to introduce malicious code onto targeted systems.

Hackers are exploiting inherent vulnerabilities within these applications. Typically, the hacker uses a specifically designed link or document that presents itself as legitimate activity, and is sent to the recipient. Once the file or link is clicked, the weakness within the commandeered application allows the attack strain (ransomware, advanced persistent threats, spyware, or any other type of malware) to gain access to the host system.

Once the code penetrates the system, it can be difficult, even impossible, to detect. Remediating malicious code and removing it from an infected system is a difficult process. It is imperative that enterprises deploy security software that protects its data centers and valuable, sensitive information.

Identifying Malicious Code
The typical hacker has been at his or her craft for some time and understands how to exploit a host of security protocols in use today. For example, the traditional signature-based solutions rely on what they have learned from previous attacks to protect networks and systems from inbound threats, but they have little to recommend them in detecting and protecting against evolving and new threats.

Microsoft’s Windows Malicious Software Removal Tool was developed to protect the Windows operating system. It looks at a computer, searches for malware, and eliminates it upon discovery. However, its soft spot is that it reacts to an attack after it has happened rather than providing proactive protection. Once a virus has gained access to a data center or network, it is more difficult to detect and remove, especially as it is likely it has already caused damage.

Machine learning solutions, which are considered more advanced, also rely on what has happened in the past to identify malicious code. Machine learning solutions have higher detection rates, but they cannot anticipate a cyberattack until one has already occurred from which it can learn. This is not an effective method against any new or emerging threats.

The Path to Cybersecurity
New cyber threats are emerging regularly and the solution to them lies in an aggressive, pre-emptive, proactive posture. Successful and secure organizations must begin to think this way if they want true data security.

To do this, organizations must pivot in their security mindset and begin to implement solutions that take a comprehensive look and map all legitimate executions of an application based on the codes written by its creators, such as Microsoft and Adobe. With that map, they can identify any inconsistencies or deviation from their source code. Recognized patterns and actions can then be confirmed in real time, while unidentified activities are reviewed and blocked instantaneously.

A proactive approach is a critical mindset change and an imperative if companies want to ensure they are in control of their network security. If organizations remain reactive, they will continue to consume valuable resources and risk their reputations as they chase after and remediate the mess left after the cyberattack has happened.


Liron Barak, CEO and Co-Founder of BitDam, has over 10 years of experience dealing with the most sophisticated cyber threats and exploitation techniques. Prior to founding BitDam, Liron served in Unit 8200 of the Israeli Intelligence Corps, where she managed teams of highly …

Article source: https://www.darkreading.com/vulnerabilities---threats/true-cybersecurity-means-a-proactive-response/a/d-id/1334276?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Who needs foreign servers? Researchers say the USA is doing a fine job of harboring its own crimeware flingers

A collection of servers found in the US are responsible for some of the nation’s biggest malware and phishing attacks.

This according to a report from security company Bromium, which said just over a dozen servers are being used to spread 10 of the major malware and phishing campaigns spreading around the internet at the moment, including the infamous Dridex and GandCrab attacks.

The findings, said Bromium, should shatter the notion that malware operations are mainly foreign based and operating well outside the reach of US law enforcement. Rather, the friendly hosts that enable these campaigns are operating in our own backyard.

“It was interesting to us that the hosting infrastructure is located in the United States and not in a jurisdiction that is known to be uncooperative with law enforcement,” Bromium said.

“One possible reason for choosing a US hosting provider is so that the HTTP connections to download the malware from the web servers are more likely to succeed inside organisations that block traffic to and from countries that fall outside of their typical profile of network traffic.”

Both the Dridex and GandCrab infections have been spreading for years and have proven themselves to be extremely effective at their respective jobs. Dridex spreads itself as a trojan through email attachments, looking to log and transmit banking credentials.


GandCrab, meanwhile, operates as ransomware and is notable for the massive payout demands that are estimated to have yielded its controllers hundreds of millions of dollars from victims.

Bromium said it has reason to believe both operations are a domestic effort, created by criminals in the US for the express purpose of infecting Americans and other English-speaking targets.

What’s more, those two attacks appear to be merely the tip of the iceberg. Within the network of servers and hosts used for Dridex and GandCrab, Bromium found eight other malware attacks also spreading through spam and phishing emails.

Working in combination, Bromium noted, the servers and hosts operate as a sort of distribution center, allowing various attacks and phishing campaigns to intertwine and support one another.

“We identified several cases where multiple malware families were hosted on the same server,” the security house said. “In some cases, two malware families were used in conjunction with each other, where one would act as a dropper for the other.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/04/who_needs_foreign_hosts_researchers_say_us_doing_a_fine_job_of_harboring_its_own_crimeware/

Ep. 026 – Android bloatware, hackable routers and website attacks [PODCAST]

In this episode, the Naked Security podcast looks into the annoying problem of bloatware on Android phones [01’54”], explains a zero-day bug in a TP-Link router and how it turned into bad PR [09’37”], and gives you advice on how to keep crooks out of your webserver [13’41”].

With Anna Brading, Paul Ducklin, Matthew Boddy and Benedict Jones.


If you enjoy the podcast, please share it with other people interested in cybersecurity, and give us a vote on iTunes and other podcasting directories.



Thanks to Purple Planet for the opening and closing music.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TsrJEXpBZG4/

It’s time to reset the ‘Days without a Facebook data loss’ sign after 500 million records left exposed on AWS

The details of millions of Facebook accounts have been left ripe for harvesting thanks to a pair of careless developers.

Professional Shodan jockey Chris Vickery of Upguard spotted a pair of exposed AWS S3 buckets that appear to belong to the coders behind Cultura Colectiva and At the Pool, a pair of third party apps for Facebook.

Vickery noted that, of the two, the Cultura Colectiva database was by far the larger of the caches. That database held about 540 million records from Facebook users, mostly in Mexico and Latin America, who subscribed to the Spanish-language news and culture app.

The exposed Cultura Colectiva database included information such as user comments, likes, reactions, Facebook ID number, and account names of the people who had opted in to the Cultura Colectiva Facebook app. While not particularly sensitive, Vickery says that the data was important from a marketing standpoint, as it would allow publishers and marketers to see which stories and videos were generating the most traffic and comments.

Vickery says that despite multiple attempts at contact the firm dating back to January 10, Cultura Colectiva did not respond or act on the exposed data, which was only taken down after Upguard’s report went live.

Sinking At The Pool

Meanwhile, the “At The Pool” database was dwarfed in size, at just 22,000 accounts, but contained much more sensitive information than Cultura Colectiva. Among the datasets left open to the public internet were user IDs, likes, friends, favorite movies and books, photos, and passwords for the since-defunct app. Considering people’s propensity to reuse passwords, it is likely that a number of the exposed log-ins would also work for other accounts.
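As an added example, not UpGuard’s tooling and not derived from either app’s actual configuration: a Python check that evaluates an S3 bucket policy and bucket ACL for the anonymous read access that leaves a bucket open to the public internet, the condition behind the exposures described above. The sample policy, ACL, bucket name and account ID are constructed placeholders.

```python
import json
from typing import Any, Dict, List

# Canonical grantee URIs for S3's two predefined groups. AllUsers means
# unauthenticated clients; AuthenticatedUsers means any AWS account at all.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that let a client list the bucket or fetch its objects (lower-cased).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# Constructed sample bucket policy: one public statement, one scoped to a role.
# 123456789012 is the AWS documentation placeholder account ID.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data",
                      "arn:aws:s3:::example-app-data/*"]},
        {"Sid": "AnalyticsRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-data/*"},
    ],
})

# Constructed sample ACL in the shape returned by GetBucketAcl.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
})


def _as_list(value: Any) -> List[Any]:
    """Policy documents allow a string or a list in the same position."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_from_policy(policy: Dict[str, Any]) -> List[str]:
    """Allow statements that grant list/read actions to an anonymous principal.
    A Condition block (for example aws:SourceIp) may narrow the grant, so such
    statements are reported with a note rather than silently ignored."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        exposed = sorted(a for a in _as_list(stmt.get("Action", []))
                         if a.lower() in READ_ACTIONS)
        if not exposed:
            continue
        qualifier = " (narrowed by a Condition block; review it)" if stmt.get("Condition") else ""
        findings.append(f"policy {stmt.get('Sid', '<no Sid>')}: anonymous "
                        f"{', '.join(exposed)}{qualifier}")
    return findings


def public_read_from_acl(acl: Dict[str, Any]) -> List[str]:
    """ACL grants that give READ or FULL_CONTROL to either predefined group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        if uri in (ALL_USERS, AUTH_USERS) and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            who = "everyone" if uri == ALL_USERS else "any AWS account"
            findings.append(f"ACL: {grant['Permission']} granted to {who}")
    return findings


def audit_bucket(policy_json: str, acl_json: str) -> List[str]:
    """Combine policy and ACL findings; an empty list means no public read path."""
    return (public_read_from_policy(json.loads(policy_json))
            + public_read_from_acl(json.loads(acl_json)))


if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL) or ["no public read access found"]:
        print(finding)
```

Enabling S3 Block Public Access at the account level makes grants like these ineffective regardless of what an individual developer configures on a bucket.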

The incident puts Facebook in a particularly bad position. On one hand, the social network has no control over how third-party developers handle data and what sort of methods they use to protect it and secure it.


On the other hand, when something like this happens, it is House Zuck that ends up catching the heat, even though Facebook’s own staff had nothing to do with the exposure itself.

“For app developers on Facebook, part of the platform’s appeal is access to some slice of the data generated by and about Facebook users,” Vickery noted.

“For Cultura Colectiva, data on responses to each post allows them to tune an algorithm for predicting which future content will generate the most traffic. The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control.”

The Register has contacted Facebook in hopes of finding out what, if anything, it can do to wipe developer databases that are left open. At the time of publication we have yet to hear back. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/03/upguard_facebook_details_exposed/

A patchy Apache a-patchin: HTTP server gets fix for worrying root access hole

Apache HTTP Server has been given a patch to address a potentially serious elevation of privilege vulnerability.

Designated CVE-2019-0211, the flaw allows a “worker” process to change its privileges when the host server resets itself, potentially allowing anyone with a local account to run commands with root clearance, essentially giving them complete control over the targeted machine.

The bug was discovered by researcher Charles Fol of security shop Ambionics, who privately reported the issue to Apache. Admins can get the vulnerability sealed up by making sure their servers are updated to version 2.4.39 or later.

While elevation of privilege vulnerabilities are not generally considered particularly serious bugs (after all, you need to already be running code on the target machine, which is in and of itself a security compromise), the nature of Apache HTTP Server as a host machine means that this bug will almost always be exposed to some extent.

Fol told The Register that as HTTP servers are used for web hosting, multiple users will be given guest accounts on each machine. In the wild, this means the attacker could simply sign up for an account to have their site hosted on the target server.

“The web hoster has total access to the server through the ‘root’ account,” Fol explained.

“If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster. This implies read/write/delete any file/database of the other clients.”


Fol says that the vulnerability is triggered when the host server performs its daily restart routine, usually at 0625. During the restart process, the worker modules are shut down and then restarted. During that time, a small window is opened to allow the elevation of privilege to take place.

“No bound checks happen,” Fol explained. “Therefore, a rogue worker can change its bucket index and make it point to the shared memory, in order to control the prefork_child_bucket structure upon restart. Eventually, and before privileges are dropped, mutex->meth->child_init() is called. This results in an arbitrary function call as root.”

Fol noted that while his own tests yielded about an 80 per cent success rate, increasing the number of worker processes could raise that close to 100 per cent and, even if the first attempt at an exploit fails, the attack can be retried anew every morning when the restart process runs.

The researcher plans to post exploit code for the bug at a later date, so get patching now. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/03/apache_server_fix/

In Security, Programmers Aren’t Perfect

Software developers and their managers must change their perception of secure coding from being an optional feature to being a requirement that is factored into design from the beginning.

Fifth in a continuing series about the human element in cybersecurity.

Programmers are responsible for developing and releasing new systems and applications, and subsequently announcing vulnerabilities and developing updates and patches as vulnerabilities and bugs are discovered. It can take organizations months to apply patches, which creates a window of opportunity for hackers. What steps can programmers take to minimize security flaws, reduce impediments to the patching process, and shrink this window?

Programmers — sometimes called software engineers, software developers, or coders — are the individuals who write code to build operating systems, applications, and software. They are also responsible for debugging programs and releasing patches to address code vulnerabilities after initial release. In this column, we consider programmers at commercial manufacturers and application/software providers, such as Microsoft or Adobe, and programmers responsible for custom internal applications.

Common Mistakes
Programmers frequently operate under tight deadlines. This pressure to perform on schedule can lead to the neglect of security issues. While they may try to follow best practices to avoid functional bugs and prevent exploitation, programmers may not have time to test all the possible attack scenarios before their deadline, thinking that a patch or security update can be released to address the problem at a later date. But this leaves organizations vulnerable until patch deployment.

The reality is that all code has bugs, but management decisions made during development can significantly influence the severity of these programmer errors. Too often, secure coding is not a foundational element incorporated from the start. Instead, it is bolted on after the fact or — even worse — neglected completely. Additionally, the process for utilizing open source libraries may not be well defined or followed, so open source dependencies and vulnerabilities may not be tracked or documented, resulting in vulnerable code that is not readily identifiable. Moreover, the prioritization and speed of addressing known vulnerabilities in commercial software may not match the severity of risk to the customer.

Repercussions
Software is ripe for exploitation, and attackers can capitalize on that by creating zero-days for which there is no patch, or by taking advantage of the inefficiencies of the vulnerability discovery and patching process. The issue is exacerbated because programmers often disregard the patch deployment process. Many organizations do not apply patches without proper testing and approval or hesitate to apply patches that require a reboot that can take critical servers offline.

Potential disruptions, added complexity, and significant windows of time needed to download resources, secure approvals, and implement patches all discourage and delay organizations from applying patches, leaving systems vulnerable for longer. To avoid some of the patching work, organizations may choose to stick to older, more stable versions of the programmer’s software.

Although commercial software vendors inform their customers of existing vulnerabilities (as they should), cybercriminals only need to wait for patching announcements or vulnerability disclosures to identify their next easy target. Vulnerability disclosure of widely used commercial applications serves as a how-to for hackers, describing how the vulnerability can be exploited. Hackers often have a golden window of two to 90 days (the average time it takes companies to complete a patch) to take advantage of these vulnerabilities, a “Patch Tuesday, Exploit Wednesday” scenario. Two painful examples of the drastic consequences of delayed patching are the proliferation of WannaCry and the Equifax breach.

Minimize Mistakes
Vulnerabilities can be minimized in the development process by training programmers and teams on security, incorporating application security capabilities from the beginning, and breaking through silos to increase open communication between programmers and the security team. By detecting vulnerabilities as early as possible in the application’s development stages, the need for patching later — as well as the length of downtime and the window of vulnerability — can be reduced. Additionally, bug bounty programs that incentivize hackers with a legal way to make money from these vulnerabilities instead of exploiting them can support programmers by allowing outside individuals to proactively identify bugs and vulnerabilities.

When it comes to creating patches for known vulnerabilities, time is of the essence. The longer a patch is unavailable, the more opportunity cybercriminals have. When researchers identify vulnerabilities, vendors need to address them — and not wait until the researchers present their findings at Black Hat before taking action. Additionally, programmers can design patches to be user-friendly, easy to deploy, and compatible so that they don’t cause disruption, allowing organizations to implement them quickly and effectively, not worried that the patch will cause more harm than good.  

Change the Paradigm
Software developers and their managers need to change their perception of secure coding from being an optional feature that can be pushed to the back burner and added after release, or ignored completely (as is the case for many Internet of Things products), to being a requirement that is factored into the design from the beginning. Programmers should focus on releasing applications with security baked in rather than on pushing out the latest developments as fast as possible and relying on post-release patching.

Security is often seen as a roadblock and an expense in the development process, when in fact it enables properly functioning software. Organizations must hold vendors accountable for addressing security issues by demanding that security become required functionality and that programmers will be diligent about fixing their inevitable mistakes.

And that same accountability must be carried over to the organizations that are responsible for patching. We know that programmers will make mistakes and have vulnerabilities in their code. As cybersecurity practitioners, we need to accept that and work with them when they correct their mistakes by promptly applying patches. Organizations that do not have efficient vulnerability and patch management programs should start by automating patching of end user systems and prioritizing patching of the “notorious five” (Windows, Office, browsers, Adobe, and Java).

Previously in our series, we covered end users, security leaders, security analysts, and IT security administrators. Coming up next: attackers.


Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and …

Article source: https://www.darkreading.com/application-security/in-security-programmers-arent-perfect/a/d-id/1334293?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chinese National Carries Malware Into Mar-a-Lago

A Chinese woman arrested for entering the grounds of Mar-a-Lago under false pretenses was carrying electronic equipment holding malware.

Chinese national Yujing Zhang was arrested for breaching the perimeter at the Mar-a-Lago golf club in Florida and telling the US Secret Service she was there to attend a nonexistent event. While the details of her presence on the grounds while President Donald Trump was also there are somewhat murky, evidence suggests her arrest might be considered an antimalware win.

According to reports, when Zhang was stopped, she was carrying four mobile phones, one laptop computer, an external hard drive, and a thumb drive found to be housing “malicious software.” “With the advent of BYOD, everyone learned that dangerous threats can be ‘walked in’ past cybersecurity controls whether the threats are on a laptop or a USB thumb drive,” says Matt Walmsley, EMEA director at Vectra.

According to Zhang’s statement to the Secret Service, she was asked by a friend named “Charles” to travel from Shanghai to Palm Beach, Florida, to talk with a member of the president’s family about Chinese-American relations. She told officers that she had only spoken with Charles through WeChat, a messaging app popular in China.

“If someone can talk their way into Mar-a-Lago, then no location is really secure,” says David Ginsburg, vice president of marketing at Cavirin. Reports of the incident have noted that, while the “United Nations Friendship Event” Zhang claimed to be visiting did not exist, an “International Leaders Elite Forum” produced by Li “Cindy” Yang had been scheduled but cancelled after press coverage of New England Patriots owner Robert Kraft’s arrest at a massage parlor once owned by Yang.

Zhang, still in custody as of press time, is charged with making false statements to a federal officer and entering or remaining in a restricted building or grounds.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/chinese-national-carries-malware-into-mar-a-lago/d/d-id/1334328?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Privacy & Regulatory Considerations in Enterprise Blockchain

People who understand information governance, privacy, and security should be active participants on the distributed ledger technology implementation team to ensure success.

Blockchain, or distributed ledger technology (DLT), is estimated by Gartner to create $3.1 trillion of business value by 2030, yet many organizations lack a clear understanding of its applications, the risks and benefits specific to their company and industry, or strategies for achieving optimal return from DLT projects.

The landscape of blockchain applications, considerations for understanding their potential benefits, and the importance of planning in enterprise DLT deployments is vast. Beyond those important aspects of adoption decisions are the specific privacy and security considerations that can arise in an enterprise blockchain implementation. Understanding these factors is critical for an organization to determine whether certain use cases make sense given its unique privacy and security risk landscape. 

Organizations must intimately understand their regulatory requirements around the use, sharing, maintenance, and upkeep of various types of data — including data that may be transferred via a blockchain. While it’s not feasible to thoroughly discuss all of the regulatory and legal governance of various types of blockchain implementations here, it’s important to call out a few to keep in mind. Most multinational corporations are now governed under the General Data Protection Regulation, which introduced strict principles for how the personal data of EU citizens is collected, processed, and stored. HIPAA is a regulatory consideration for potential blockchain implementations at healthcare organizations, and “know your customer” rules will affect the extent to which financial services institutions can use blockchain. If you’re utilizing cryptocurrency or tokens as part of your implementation, there are many tax and anti-corruption guidelines and laws to follow.

Understanding the requirements and ensuring those are baked into the workflows and technologies around blockchain use are essential best practices. Below is a checklist of considerations to review when evaluating data privacy and regulatory limitations for blockchain implementations.  

  • Work closely with the legal and/or compliance team to map out which regulations govern your organization. Lean on leaders in other business units to help you understand the risk profile the organization has established with regard to these regulations.

  • Ensure that the plan for any pending blockchain implementation aligns with the organization’s overall risk tolerance, which will affect decisions, workflow, and policy around the new technology and its use.

  • Examine what information will be stored on or passed via the blockchain, and whether that data set includes assets that would be considered high-value or sensitive and therefore must be treated with special care. Similarly, consider whether the blockchain application can restrict access to sensitive or confidential information, entirely or within a data set, based on user roles and permissions. Plan for disposal as well. A blockchain is append-only: a block cannot be removed without invalidating every block that follows it, and the "pruning" that many node implementations offer only discards old block data locally rather than erasing it from the ledger. If the organization's routine data-disposal program, or a regulatory erasure obligation, applies to the data, the usual approach is to keep the data itself off-chain and record only a reference or a salted hash on the chain, so the off-chain copy can be deleted while the ledger remains intact and verifiable.

  • Leverage support from blockchain experts to guide decisions about the type of blockchain being used. Organizations can choose among public, private, and permissioned blockchains, and the characteristics of each may either align or clash with the organization's regulatory requirements. Among early adopters, most are using a private or permissioned blockchain; in those scenarios, the team must establish controls over who can read from, write to, and operate nodes on the ledger, to ensure data is not transferred to unknown entities.
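The disposal problem raised in the checklist is usually solved by keeping the data itself off the chain. The following Python is an added example, not code from the article or from any blockchain product: a toy append-only ledger whose blocks hold only salted SHA-256 commitments of records kept in a separate off-chain store. It shows that erasing the off-chain record and its salt satisfies a disposal request while the chain still verifies, that deleting a block instead breaks verification for every later block, and why the salt matters (an unsalted hash of an email address is recoverable by guessing). The ledger layout, field names, and sample records are all constructed for illustration.

```python
"""Off-chain data with on-chain salted commitments (added example, constructed data)."""
import hashlib
import json
import secrets
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64


def commit(record: bytes, salt: bytes) -> str:
    """Salted commitment H(salt || record). The salt lives off-chain with the record."""
    return hashlib.sha256(salt + record).hexdigest()


def block_hash(block: dict) -> str:
    """Hash of a block's canonical JSON; the next block stores this as 'prev'."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


class Ledger:
    """Toy append-only chain. Each block carries one commitment, never the data."""

    def __init__(self) -> None:
        self.blocks: List[dict] = []
        # Off-chain store: block index -> (salt, record). This is what disposal deletes.
        self.off_chain: Dict[int, Tuple[bytes, bytes]] = {}

    def append(self, record: bytes) -> int:
        salt = secrets.token_bytes(16)
        prev = block_hash(self.blocks[-1]) if self.blocks else GENESIS_HASH
        block = {"index": len(self.blocks), "prev": prev, "commitment": commit(record, salt)}
        self.blocks.append(block)
        self.off_chain[block["index"]] = (salt, record)
        return block["index"]

    def verify_chain(self) -> bool:
        """Each block must reference the hash of its predecessor."""
        expected = GENESIS_HASH
        for block in self.blocks:
            if block["prev"] != expected:
                return False
            expected = block_hash(block)
        return True

    def verify_record(self, index: int) -> bool:
        """Does the off-chain record still match its on-chain commitment?"""
        if index not in self.off_chain:
            return False  # erased (or never stored): the chain can no longer vouch for it
        salt, record = self.off_chain[index]
        return commit(record, salt) == self.blocks[index]["commitment"]

    def erase(self, index: int) -> None:
        """Disposal: delete the record and its salt. The block and the chain stay valid."""
        self.off_chain.pop(index, None)

    def remove_block(self, index: int) -> None:
        """What deleting a block actually does: every successor's 'prev' now dangles."""
        del self.blocks[index]


def recover_unsalted(commitment: str, candidates: List[bytes]) -> Optional[bytes]:
    """Dictionary attack on a commitment. Works against a bare hash of a
    low-entropy field (an email address); fails when a secret salt was used."""
    for candidate in candidates:
        if hashlib.sha256(candidate).hexdigest() == commitment:
            return candidate
    return None


def demo() -> dict:
    """Walk through erase-vs-remove on constructed sample records."""
    ledger = Ledger()
    alice = ledger.append(b"alice@example.com")  # constructed personal data
    ledger.append(b"bob@example.com")
    ledger.append(b"carol@example.com")
    results = {
        "chain_before": ledger.verify_chain(),
        "record_before": ledger.verify_record(alice),
    }
    # Erasure request: drop the off-chain copy; the ledger itself is untouched.
    ledger.erase(alice)
    results["chain_after_erase"] = ledger.verify_chain()
    results["record_after_erase"] = ledger.verify_record(alice)
    # Why the salt matters: an unsalted hash of the same field is trivially reversed,
    # the salted commitment left on the chain is not.
    guesses = [b"carol@example.com", b"alice@example.com", b"bob@example.com"]
    results["unsalted_recovered"] = recover_unsalted(
        hashlib.sha256(b"alice@example.com").hexdigest(), guesses)
    results["salted_recovered"] = recover_unsalted(ledger.blocks[alice]["commitment"], guesses)
    # Cutting a block out of the middle of the chain breaks verification for all successors.
    ledger.remove_block(1)
    results["chain_after_block_removal"] = ledger.verify_chain()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In a real deployment the salt would sit beside the record in the access-controlled off-chain store, so that anyone holding the record can prove it matches the ledger for as long as it is retained, and once the record and salt are deleted the remaining commitment reveals nothing about the data, even for low-entropy fields.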

Like the introduction of any new technology or system, blockchain use must be vetted across key stakeholders within the organization, to ensure applications are woven into existing information governance (IG) frameworks and programs. Cross-functional collaboration is a key best practice in IG and should extend to blockchain deployments to avoid compliance and privacy pitfalls. Internal or external resources that understand IG, privacy, and security should be active participants on the DLT implementation team to ensure success.


Steve McNew is a Senior Managing Director within the Technology practice of FTI Consulting and is based in Houston. He helps clients evaluate and implement blockchain solutions, and builds cost-effective and defensible strategies to manage data for complex legal and …

Article source: https://www.darkreading.com/risk/privacy-and-regulatory-considerations-in-enterprise-blockchain-/a/d-id/1334277?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Focus on Business Priorities Exposing Companies to Avoidable Cyber-Risk

Despite the growing sophistication of threats and increased compliance requirements, a high percentage of organizations continue to compromise their security.

A high percentage of organizations are exposed to avoidable cyber-risk because of a persistent tendency to put business interests ahead of security, a new study by Tanium shows.

The security vendor surveyed some 500 CIOs and CISOs from companies with more than 1,000 employees about the challenges and trade-offs they face in protecting their organizations against cyberthreats.

Almost all respondents (94%) admitted to making security compromises to accommodate business priorities. Eighty-one percent, for instance, said they had on at least one occasion delayed deploying a critical security update or patch because of concerns over the potential impact to business operations. Fifty-two percent admitted to doing so on more than one occasion.

“Another common area of compromise is network segmentation,” says Ryan Kazanciyan, chief technology officer at Tanium. Security practitioners often want micro-segmentation and strict device isolation to contain breach fallout, while endpoint and network teams tend to fall back to overly permissive architectures.

“As a result, the blast radius of many breaches – such as those that entail self-propagating malware – is much larger than it should be,” Kazanciyan says.

A relentless pressure to keep the lights on is the most common reason security teams make these compromises: One-third of the respondents in the Tanium survey cited this when asked to describe why they sometimes held back on needed security measures.

In addition, 31% said a focus on implementing new business systems often took precedence over protecting existing ones, and 26% said the presence of legacy systems in the environment restricted their security capabilities. Nearly one in four (23%) of respondents described internal politics as one reason why they are forced to make security compromises.

Uninterrupted operations and time-to-market considerations have almost always taken precedence over security at a high percentage of organizations. The Tanium survey results suggest little has changed on this front despite data breaches, growing compliance requirements, and increasingly sophisticated threats.

“As leaders, CIOs and CISOs face multifaceted pressures across the business to remain resilient against disruption and cyberthreats,” Kazanciyan says. “They must maintain compliance with an evolving set of regulatory standards, track and secure sensitive data across computing devices, [and] manage a dynamic inventory of physical and cloud-based assets.”

And they need to do all of this while also fulfilling an increasingly common executive mandate to make technology an enabler for business growth, he notes.

“But balancing these priorities often causes significant challenges and trade-offs for many business and IT leaders,” Kazanciyan says. A lack of understanding about the need for resiliency among business leaders and upper management is a major factor. Nearly one in two (47%) survey respondents said they faced challenges on this front, and 40% said business units’ tendency to prioritize customer-facing issues over security was a problem.

However, Tanium’s survey shows that business priorities are not the only reason why security teams are hampered.

A lack of visibility across laptops, servers, virtual machines, and cloud infrastructure is also hampering the ability of security teams to make confident decisions and to operate efficiently.

Thirty-two percent of the respondents said the siloed manner in which their business units operated provided them with little of the visibility and control needed for effective security. For example, 80% admitted to occasions where a critical patch or security update that they thought had been deployed had, in fact, not been deployed across all impacted systems.

“CIOs and CISOs broadly understand how important these efforts are but run up against two key limitations: reliance on inaccurate data about the state of their systems and an inability to enact critical changes with the confidence that they can quickly identify and recover from unexpected failures,” Kazanciyan says.

Many CISOs and CIOs are acutely aware of the dangers of compromising on security. Thirty-five percent expressed concern about data loss, 33% worried about a loss of customer trust, and 25% said they were worried that the security compromises they were making would make it harder for them to comply with regulatory requirements.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/focus-on-business-priorities-exposing-companies-to-avoidable-cyber-risk/d/d-id/1334331?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple