Welcome to day four of our first Expert Week. We like to be in a constant state of learning here at UKFast, and there’s no better way to educate ourselves than spending time in the company of experts. With cybersecurity at the top of the agenda for every online business, it seems the perfect time to get up to speed with all the ways that an attack can strike.
Our fourth of five of experts over five days is Tanya Janca. Tanya is an application security evangelist and speaker and the OWASP Ottawa Co-Leader.
Here’s our chat with Tanya:
How can we protect ourselves from applications which are potentially threatening?
The first thing that every home consumer should do it run all of the software updates on all of their software (this means your computers and your mobile devices). When an update is released, there are often security fixes in it. If you are running old versions software or an old operating system, it’s time to upgrade. Always keep up to date on updates (which is sometimes called “patching”), and you will reduce your risk by quite a bit. The second thing everyone should do is get a password manager. This means you can 1) have a different password for every account (reset all of them now!) and 2) have a very long and random password (each extra digit or character that you add makes it exponentially more difficult to guess or brute force with a hacking tool). I have hundreds of passwords, and they are all 28 characters of randomness, that I never, ever need to remember.
Don’t install free bloatware on your computer or phone. If you are installing something new, ask yourself “What company made this? Why is this free?” and if you aren’t sure, do an internet search and see what other people think about it. When in doubt, don’t install.
What’s the worst damage that can be inflicted through an infected application?
They could steal your identity, they could spy on you for an endless amount of time, they could steal embarrassing photos (assuming you had some) and post them on the internet, they could gather information and try to blackmail you, the list is basically endless. Oh gosh, I hope I haven’t scared the reader into throwing their computer away! Please don’t give up – read the next answer!
Can infected apps do more harm to a users’ machine than standalone malware?
If a regular application that you trust has been infected then it is behind whatever firewall may have protected you and your system probably won’t detect it if you have virus detection or other host-level (on your computer) protection. However, if you are infected with malware, whether it’s in an application you already have, or your machine is infected, you’re up a creek without a paddle (but hopefully you have backups!). Honestly, malware is not my area of expertise, so I’m not 100% sure, but I would assume the exposure, risk, and harm would be similar. And both situations are definitely not good.
Are there different threats with mobile apps compared to desktop apps?
Yes. Mobile applications are on devices that are… Mobile. Which means they don’t stay put, meaning there are more chances for it to be stolen. If someone has unlimited access to your mobile device, because it is in their physical possession, they are more likely to be able to break into it. Security is also often more lax than on a desktop, because you check a mobile device more often (think of the 4 digit pin you enter on your phone, or the swiping you do that leaves a clear mark on the glass of your phone, versus a long password that you have to use on your computer). Another issue is that mobile devices often connect to many, many networks (like when you are waiting in line at a coffee shop and join their free Wi-Fi) and other protocols (like Bluetooth, 3G, 4G, Wi-Fi), and each one presents its own risks. There are many other factors, that is just the tip of the iceberg.
In what ways do potentially dangerous apps threaten users’ security?
A potentially dangerous/malicious application can hurt a user just as much as a regular application can help a user. It doesn’t always have just as much power as a regular application would (because it’s trying to hide), but in a worst-case scenario it would have just as much “power” and access as your non-malicious applications would have. For instance, if you have your bank card and password saved somewhere on your computer, if you can use regular software to access those things, a malicious application can access that information as well. If you can use your phone to buy coffee at your favorite coffee place, then a malicious app could try to steal your coffee money, or if your credit card is connected it could try to access that information and send it to the “bad guy” (usually called a malicious actor) on the internet. If you are typing emails for your business with important information in them, it could save what you typed and send it to a malicious actor.
Do you think app security gets overlooked when compared to web and firewall security?
Approximately ¼ to 1/3 of security incidents are related to application security issues, yet that same percentage of the budget is definitely not being allocated at most places to application-security-related prevention mechanisms and activities. Software ends up being left out a lot of time, and it is assumed that developers will “just handle it”. However, if you think about it, would you trust a regular network user to manage their own web filtering or firewall settings? Of course not, because they have no training. Yet most organizations (and post-secondary schools) give little-to-no specialized security training to software developers, then expect them to magically know the most secure ways to do things. I remember my last job as a developer, having the security team imply I was a terrible programmer because I had written something that was vulnerable to cross site scripting (XSS), when I had never even heard of XSS before. When I asked them for help, they shamed me and told me that I should know better. Now that I know a lot more, I am well aware that they also had no idea what it was, how it works or how to prevent it, but they weren’t about to let me know that. I think the key here is establishing an Application Security Program, which I won’t go into detail about here because it’s off topic…. In short, yes, I definitely think it is often overlooked or under-attended to.