Most facets of modern life—including our work—are app reliant. We depend on apps for productivity, for communication and to connect businesses with customers. Where we once relied on websites, we now turn to apps, which is why more organizations are developing their own applications for both internal and external business needs, as well as adopting third-party apps for business use.
For all the convenience of apps, they come with a price. They offer a gateway for cybercriminals into your network infrastructure, according to Nigel Thorpe, technical director at SecureAge. The fundamental issue is that the more widely used an app is, the bigger and more attractive the target.
“The mobile device represents a nice easy way of implementing multi-factor authentication, for example. However, when an app is corrupted, taken over or otherwise abused by a cybercriminal, then trust in both the app and the organization are soon diminished,” Thorpe said. “Live and widespread communication is now natural to us, but the downside is that bad news spreads very rapidly. This can be disastrous for the organization, potentially causing long-term damage to the business.”
How Apps Offer an Open Door to Cybercrime
First, it’s important to remember that the majority of apps are fine and benign; most of them do what they are supposed to do and app stores do a good job at certifying them as safe. That, Thorpe said, is the good news. “The bad news is that even a ‘safe’ app can have vulnerabilities which can be exploited by cybercriminals. And that could mean anything from enabling the criminal to access private information right through to sneaking through a backdoor into the corporate network.”
The SolarWinds attack is a clear example of a legitimate application unwittingly turned malicious. Good security practice means applying updates when they are released, but, as in the SolarWinds case, the threat actors used the update itself as their attack vector.
Human nature also offers ample breach opportunities to cybercriminals. Look at the Wordle craze to see how quickly interest in a new app spreads. Threat actors know this and take advantage by turning a legitimate app into something malicious, knowing that curiosity will drive downloads.
With widespread public awareness of the issues around online privacy, Thorpe pointed out, users are becoming more suspicious of an app’s use of information held and gathered by their devices.
“When an app requests access to data and services on their device that don’t seem to make any sense, then many consumers will, at best, be distrustful, or, at worst, delete the app and ditch the business service they intended to use,” Thorpe added. “People expect to be able to use the services of an organization without ‘big brother’ looking over their shoulder. Cybercriminal activities make the whole situation much worse simply through the high levels of publicity resulting from ‘successful’ attacks.”
The Vulnerabilities Threat Actors Look For
If there is a flaw or exploitable vulnerability in an app, threat actors will find it. It could be as simple as acquiring VPN credentials or as complex as inserting malicious code into updates. But, Thorpe said, the human factor is the most lucrative vulnerability for cybercriminals.
“People make mistakes and can easily be fooled—even if they’re technically aware,” Thorpe added. “Weak, stolen or purchased credentials all offer an easy way in for the criminal, but unpatched or misconfigured systems are a great find for them as well. How many stories do we see about cloud storage buckets with either default or missing passwords?”
Closing the Criminal Gateway with DevSecOps
The development team can play an important role in closing the gateway for threat actors by adding stronger security into the DevOps process.
“DevSecOps needs to be sure they’ve covered the basics,” said Thorpe. “From strong authentication—preferably multi-factor—to patch management and careful control over systems and service configuration. All of these must be the fundamental steps to take.”
And don’t forget to review and confirm security on a regular basis.
“There’s a range of security layers that should be put in place, but it should always be recognized that sometime, some cybercriminal will get inside the corporate network,” said Thorpe. “So the final layer of defense should be data encryption so that even when stolen, information remains useless to cybercriminals.”