Study: Third-Party Apps Pose Risks for Enterprises

Since mobile computing put an end to the good old days when IT departments had absolute control over software deployed in the enterprise, there’s been a rise in employees’ use of third-party applications — a rise that poses security risks to corporate environments.

That is one of the findings in a report CloudLock released last week.

The number of third-party apps connected to corporate environments increased 30-fold over the last two years, the firm reported, from 5,500 to 150,000 apps.

CloudLock ranked more than a quarter of the apps found in business environments (27 percent) as “high risk,” which means they were more likely than other apps to open pathways into an organization for cybercriminals.

Companies have not ignored that danger, CloudLock’s researchers also found. More than half of third-party apps were banned in many workplaces due to security-related concerns.

Dangerous Permissions

All third-party apps pose a risk to the enterprise, but a specific subset of apps is particularly risky, according to Ayse Kaya-Firat, director of customer insights and analytics at CloudLock.

“The apps that touch the corporate backbone are the riskiest of all shadow applications,” she told TechNewsWorld.

Problems arise from the kinds of access the apps request from users, Kaya-Firat noted. “When you want to use them, some of them ask you to authorize them to use your corporate credentials. When you do that you give those apps — and by extension their vendors — access to your corporate network.”

The apps can pose a risk not only when they’re being used, but also when they’re not.

“I may enable an app’s access and two years later, I may not even remember I have the app on my phone, but the app continues to have programmatic access to all my data,” Kaya-Firat said.

Because of the size of the challenge, organizations need to develop a high-level strategy to address the shadow app problem.

“They just can’t go over each application one-by-one, because of the growth rate. They need specific application-use policies. They need to decide how they will whitelist or ban applications,” Kaya-Firat suggested.

“They need to share those decisions with their end users,” she added. “It can’t be a secret thing, because end users are taking action on these things on a day-to-day basis.”
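The policy approach Kaya-Firat describes (allowlist or ban, rather than reviewing apps one by one, and catching grants that stay live long after anyone remembers them) can be scripted against an inventory of OAuth grants. The following is an added example, not CloudLock’s tooling or code from the article; the scope names, app names and policy lists are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy inputs: scope names are constructed examples of permissions that
# give an app broad programmatic access to corporate data, not a vendor's real list.
HIGH_RISK_SCOPES = {"mail.readwrite", "files.readwrite.all", "directory.read.all"}
STALE_DAYS = 365  # a grant nobody has used for a year is a forgotten grant


@dataclass
class Grant:
    app: str
    vendor: str
    scopes: frozenset
    granted: date
    last_used: Optional[date]  # None if the token has never been exercised


def classify(grant: Grant, policy: dict, today: date):
    """Return (decision, reasons); decision is 'allow', 'review' or 'revoke'."""
    if grant.app in policy["banned"]:
        return "revoke", ["banned by policy"]
    reasons = []
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    idle_days = (today - (grant.last_used or grant.granted)).days
    if idle_days > STALE_DAYS:
        reasons.append(f"unused for {idle_days} days")
    if grant.app in policy["allowed"]:
        # Allowlisted apps are kept, but stale or over-privileged grants get a human look.
        return ("review" if reasons else "allow"), reasons
    # Unknown app: revoke outright if anything is wrong, otherwise queue for a decision.
    return ("revoke" if reasons else "review"), reasons


def audit(grants, policy, today):
    """Map each app to its decision so the result can be shared with end users."""
    return {g.app: classify(g, policy, today)[0] for g in grants}


# Constructed sample inventory and policy (not real apps or vendors).
POLICY = {"allowed": {"Slack", "Zoom"}, "banned": {"FreePdfConvert"}}
TODAY = date(2016, 6, 20)
GRANTS = [
    Grant("Slack", "Slack Technologies", frozenset({"profile", "calendar.read"}), date(2016, 1, 10), date(2016, 6, 19)),
    Grant("FreePdfConvert", "unknown", frozenset({"files.readwrite.all"}), date(2015, 3, 1), None),
    Grant("OldNotesSync", "unknown", frozenset({"mail.readwrite"}), date(2014, 5, 2), date(2014, 7, 1)),
    Grant("Zoom", "Zoom Video", frozenset({"directory.read.all"}), date(2016, 2, 1), date(2016, 6, 1)),
    Grant("TeamPoll", "unknown", frozenset({"profile"}), date(2016, 5, 1), date(2016, 6, 15)),
]

if __name__ == "__main__":
    for app, decision in audit(GRANTS, POLICY, TODAY).items():
        print(f"{app}: {decision}")
```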

Loose Lips Sink Hackers

It’s no secret that the information underworld often adopts techniques, processes and models from the legitimate world for criminal purposes. Such is the case with Operations Security, or Opsec.

The idea behind Opsec is an old one: Deny your adversaries information they can use to harm you. For hackers, that means denying authorities intelligence that can lead to detection of their activities, dismantling of their attack infrastructure, and exposure of their compromised environments.

Cybercriminals exercise Opsec in a number of ways, noted Rick Holland, vice president of strategy at Digital Shadows.

For example, they create “legends” about themselves — that is, false identities to prevent law enforcement or even other hackers from tracking them.

“The ones that have mature Opsec will not use anything that ties their personal life to the legend they’ve created,” Holland told TechNewsWorld.

They’ll also try to mask the identity of the workstations they use.

“They’ll use specialized operating systems designed to preserve anonymity,” Holland explained.

They’ll try to obfuscate network connections, too.

“They’ll do their evil from public hotspots and spoof their MAC address so they can’t be traced from the logs for the hotspot,” Holland said.

As some of the means for maintaining Opsec become more vulnerable to compromise — as has happened with Tor and bitcoin — hackers will need to adopt another legitimate technique to preserve their security.

“Cybercriminals will need to adopt a ‘defense in depth’ strategy,” said Holland. “It’s something they’ll need to do across their spectrum of people, process and technology.”

Rewriting the Hacker Handbook

Ransomware not only has attracted many practitioners in the information underworld, but also has changed long-held expectations about garnering profit from online scams.

“Ransomware has changed the entire model of how these criminal enterprises make money,” said Ed Cabrera, vice president of cybersecurity strategy at Trend Micro.

“If you look at the criminal handbook on how to make money, the first chapter is targeting, the second chapter is the attack — but there’s multiple chapters on how to monetize the data that is stolen,” he told TechNewsWorld.

“It usually takes weeks or months to monetize that data,” Cabrera continued. “Ransomware is like direct sales. They go after a victim, and they can monetize in days.” [*Correction – June 24, 2016]

Breach Diary

  • June 13. T-Mobile confirms that an employee in the Czech Republic attempted to steal and sell customer marketing data for that country. News reports peg the number of affected users at 1.5 million.
  • June 14. FICO purchases QuadMetrics with an eye toward creating an “enterprise security score” that can be used by companies to gauge their online risks and manage risk from third-party contractors.
  • June 14. Hartford Steam Boiler and Inspection Company announces first cybersecurity insurance program for consumers. Program coverage includes protection against computer and home systems attacks, cyber extortion, data breach losses and online fraud.
  • June 15. Home Depot files federal lawsuit against Visa and MasterCard claiming those companies are using security measures for their payment cards that are prone to fraud and that put retailers’ and customers’ information at risk.
  • June 15. IBM and Ponemon Institute report average cost of a data breach has risen 29 percent since 2013 to US$4 million per breach.
  • June 15. City of Geneva, Switzerland, announces it has arrested a suspect connected to the data leak at the Panamanian law firm Mossack Fonseca, which led to the resignation of Iceland’s prime minister and a number of government investigations into tax avoidance through “shell corporations.”
  • June 16. A hacker with the handle “Guccifer 2.0” claims responsibility for stealing digital files from the Democratic National Committee and posting them online. Earlier in the week, CrowdStrike attributed the data breach to Russian hackers.
  • June 17. GitHub has begun resetting an undisclosed number of passwords on accounts where those passwords were part of data breach dumps from other websites, Infoworld reports.
  • June 17. Acer announces that personal information for an undisclosed number of users who performed transactions at its online store between May 12, 2015, and April 28, 2016, is at risk from a data breach.

Upcoming Security Events

  • June 23. Machine Learning in Security: Detecting Signal in the Vendor Noise. Noon ET. Webinar by Agari. Free with registration.
  • June 23. Stop Breaches with Holistic Security Visibility. 2 p.m. ET. Webinar sponsored by Cyphort. Free with registration.
  • June 23. Securing Agile IT: Common Pitfalls, Best Practices and Surprises. 3 p.m. ET. Webinar sponsored by 451 Research and CloudPassage. Free with registration.
  • June 25. B-Sides Athens. The Stanley Hotel, 1 Odisseos Str., Karaiskaki Square, Metaxourghio, 10436, Athens, Greece. Tickets: free, but attendance limited.
  • June 25. B-Sides Cleveland. B Side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd., Cleveland Heights, Ohio. Tickets: free, sold out; with T-shirt, $5.
  • June 27-29. Fourth annual Cyber Security for Oil & Gas. DoubleTree by Hilton, 6 Greenway Plaza East, Houston. Registration: main conference, $2,295; conference and workshops, $3,895; single workshop, $549.
  • June 27-July 1. Appsec Europe. Rome Marriott Park Hotel, Colonnello Tommaso Masala, 54 Rome, Italy. Registration: members, 599 euros; nonmember, 610 euros; student, 91.50 euros.
  • June 27-July 1. Hack in Paris. Maison de la Chimie, 28 Rue Saint-Dominique, 75007 Paris. Tickets: before April 5, 288 euros; student or unemployed, 72 euros. Before June 9, 384 euros; student or unemployed, 108 euros. After June 8, 460.80 euros.
  • June 28. AuthentiThings: The Pitfalls and Promises of Authentication in the IoT. 10 a.m. and 1 p.m. ET. Webinar by Iovation. Free with registration.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.
  • June 30. DC/Metro Cyber Security Summit. The Ritz-Carlton Tysons Corner, 1700 Tysons Blvd., McLean, Virginia. Registration: $250.
  • July 16. B-Sides Detroit. McGregor Memorial Conference Center, Wayne State University, Detroit. Free with advance ticket.
  • July 23. B-Sides Asheville. Mojo Coworking, 60 N. Market St, Asheville, North Carolina. Cost: $10.
  • July 30-Aug. 4. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before July 23, $2,295; before Aug. 5, $2,595.
  • Aug. 25. Chicago Cyber Security Summit. Hyatt Regency Chicago, 151 E. Wacker Drive, Chicago. Registration: $250.
  • Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Nonmember, $750; student, $80.
  • Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.

*ECT News Network editor’s note – June 24, 2016: The following text has been removed from our original published version of this story: “Although ransomware criminals typically use the bitcoin digital currency for their extortion schemes, cybercriminals concerned about anonymity have been turning to WebMoney, [Trend Micro’s Ed] Cabrera noted. ‘Even though law enforcement over the years has been able to take down other anonymous payment systems, WebMoney is a more difficult proposition because it’s hosted in Russia.'”

In fact, WebMoney has a multi-level authentication system, spokesperson Tania Milacheva told TechNewsWorld. “According to the rules of WebMoney Transfer, each system participant should have a WM-Passport. The user can fully use the system services, only after his/her personal data was checked, verified and he/she has received a higher level of WebMoney Passport.”

Further, its head office is located in Cambridge, UK. “The FCA (Financial Conduct Authority) license granted to WebMoney Europe Ltd. has secured the company’s status as an e-money issuer in all countries within the European Economic Area,” Milacheva said.

Trend Micro subsequently acknowledged Cabrera’s errors in a statement provided to TechNewsWorld by spokesperson Jerrod Resweber.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
