Did you know that 99.7% of applications have at least one vulnerability? Findings from Verizon's 2020 Data Breach Investigations Report show that attackers exploit application weaknesses and software vulnerabilities to breach organizations, and that this is the most common external attack method. Other cybersecurity statistics from security researchers point the same way: application vulnerabilities will remain a common attack method, because attackers hunt the internet for vulnerable software and web applications. This should be an eye-opener if you are concerned about the sensitivity of the information held in your applications, or if you develop your organization's applications. I have to admit that, as a security practitioner, I am not at all surprised by that number.

Applications bear low-hanging fruit that attracts attackers

In the cybersecurity threat landscape survey we conducted in June-July 2021, software vulnerabilities and web application threats were the threats that organizations reported encountering most. Research by the Ponemon Institute on The Increasing Risk to Enterprise Applications reaches a similar conclusion: "the investment in application security is not commensurate with the risk." The report notes "a significant gap between the level of application risk and what companies are spending to protect their applications," while "the level of risk to other assets like networks is much lower than the investment in network security."

But most applications are made by big vendors; could they also be vulnerable?

Amazon, Microsoft and Google have far bigger security budgets than you do. They have hundreds of people around the world ensuring that their infrastructure is secure, and their teams constantly review their code for flaws, vulnerabilities and potential exploits.
They monitor hacking forums and run attractive bug-bounty programmes to stay ahead of attackers. Only a few years ago kernel vulnerabilities were prevalent; Microsoft's and Linux's kernel teams have since sharply reduced the number reported. For example, by the CVE database counts cited here, the Linux kernel had 169 code-execution vulnerabilities in 2017, only three in 2018 and five in 2019.

Are cloud applications safer?

In much of our field security work we exchange views with leaders of various organizations about securing evolving technology, and they often compare their own infrastructure with the cloud. Cloud providers take extensive precautions and invest heavily in securing their platforms. The catch is the shared responsibility model: the customer remains responsible for the security of the applications they run in the cloud, and that is where the danger lies.

Many organizations employ developers for their applications, or outsource their application requirements to external software vendors. In most cases the developers build on software architectures and templates distributed across the public cloud, and use them to develop the applications that organizations rely on to handle sensitive information. The resulting code base is a mix of pieces written from scratch, open-source code and third-party products over which the developers have no control, and each of those pieces brings its own weaknesses. If those weaknesses are not addressed, they can lead to security compromises. Attackers are well aware that developers often do not prioritise security in the software development life cycle, or miss certain aspects of it. That gives them the chance to alter existing applications or inject additional code, turning legitimate software into malicious software.
This kind of vulnerability falls under the "code execution" category, the largest group in the CVE database. Research has it that, on average, organizations need more than 50 days to patch known vulnerabilities, whereas attackers need only a few minutes to locate and exploit them. Applications are therefore a real threat to the security of an organization's critical information systems.

How do we protect them?

If existing software applications are to run at manageable risk, organizations must make sure that their application security practices evolve beyond the traditional approach of blocking traffic. Investing heavily in network security is not enough. Application security needs attention in several ways, starting with application security testing tools used throughout the software development lifecycle. Security scanning tools identify weak areas and malicious code so that they can be remediated during development, before the application reaches production; their goal is prevention, and they are not the whole solution. Runtime protection tools protect applications once they are in production. They provide an extra layer of protection, but they are not an alternative to scanning.

In our security assessments at Summit Consulting Ltd we have conducted vulnerability assessments on thousands of applications over the years, and, worryingly, we have not encountered a single application without a vulnerability.

Conclusion

If you have not yet done a security audit (VAPT) of your application, get up to speed and conduct one right away. If you have, I am confident you already know the value of regular audits.
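As an added illustration of the point above that scanning belongs in the development pipeline rather than only at runtime (example code written for this page, not a tool of Summit Consulting Ltd or of any vendor), the script below performs one of the simplest supply-chain checks a build can run: it parses a Python requirements manifest and flags third-party packages that are not pinned to an exact version or that carry no integrity hash, so that a new upstream release or a tampered artefact cannot slip into the build unnoticed. The manifest and the hash value in it are constructed for the example.

```python
"""Minimal dependency-manifest audit (added example, not the article's or any
vendor's tool). Flags third-party packages that are not pinned to an exact
version or that lack an integrity hash: the first thing a supply-chain scan
checks before code is promoted towards production.
"""
import re

# Constructed sample of a Python requirements file; the hash is a placeholder
# for the example, not a real package digest.
SAMPLE_MANIFEST = """
# application dependencies
requests==2.31.0 --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
flask>=2.0
pyyaml
cryptography==41.0.7
"""

# package name, optional extras in [...], optional version specifier
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)(\[[^\]]*\])?\s*"
    r"(?P<spec>(==|>=|<=|~=|>|<)\s*[^\s]+)?"
)


def parse_manifest(text):
    """Return a list of (name, spec, has_hash) tuples, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        name = m.group("name").lower()
        spec = m.group("spec") or ""
        has_hash = "--hash=sha256:" in line
        entries.append((name, spec, has_hash))
    return entries


def audit(text):
    """Return {package: [findings]} for every package that fails a pinning check.

    A package passes only when it is pinned with '==' AND carries a sha256 hash;
    a floating range or a bare name means a future upstream release is pulled in
    silently, and a missing hash means a substituted artefact would install.
    """
    findings = {}
    for name, spec, has_hash in parse_manifest(text):
        problems = []
        if not spec.startswith("=="):
            problems.append("not pinned to an exact version")
        if not has_hash:
            problems.append("no --hash integrity check")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for pkg, probs in audit(SAMPLE_MANIFEST).items():
        for p in probs:
            print(f"{pkg}: {p}")
```

Run against the sample manifest, only requests passes; flask and pyyaml are flagged twice and cryptography once. Wired into CI as a failing step, a check like this catches the third-party drift described above before the code ever reaches a runtime protection layer.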
Ready for your first VAPT? Have questions? Contact +256782610333 or strategy@summitcl.com
Technology Intertwined with Human Behaviour; What are the Implications?
In this digital generation, the great shift to mobile devices and technology adoption has transformed how we interact. How we use these devices, how we respond to activities on them, and how we feed information into applications reveals a great deal about our behaviour, our preferences and our everyday digital lives. This has given rise to the "Internet of Behaviour (IoB)". In its strategic predictions for 2020, Gartner said that the Internet of Behaviours is an increasingly prominent trend that will become familiar to everyone; as digital practitioners, and as a society, we may have no choice but to live with it. Gartner also predicted that by 2023, 40% of the global population's individual activities will be tracked digitally in order to influence users' behaviour. This article looks at what the Internet of Behaviour is, how businesses benefit from it, how enterprises can turn the data collected from users' online activities into something profitable, and the privacy and security concerns that come with this emerging technology.

What is the Internet of Behaviours?

The Internet of Things (IoT) is a network of interconnected physical objects that gather and exchange information over the internet. The Internet of Behaviour extends the IoT: the interconnected devices share information and produce vast amounts of new data. That data comes from clients as they interact with company applications and with other users of technology, and organizations gain access to it through the 'sharing' features of connected devices. Take a smartphone with its geolocation feature.
The phone can track the user's online activities and movements between locations. Organizations can take advantage of this to link your smartphone with your laptop, your voice assistants and cameras at home, your car's cameras, and your phone records (texts and calls). From this, companies can learn a great deal about their employees, including their interests, social behaviour, character and online habits.

The value of the Internet of Behaviour to organizations

Organizations have benefited from this evolving technology in multiple ways, from engaging customers positively to understanding where their interest in a product begins, their purchase journey, and the habits they exhibit while buying the products they choose. The Internet of Behaviour applies behavioural analysis and psychology to customer data that was previously unobtainable: customers' likes and preferences, the products they visit most on a platform, and the behavioural patterns they exhibit when buying the products they favour. It also records how clients interact with their mobile devices in daily life. Going forward, organizations can use the IoB as a powerful marketing and sales tool. With a deep understanding of their customers, businesses can shape product and marketing strategies to create and promote products that users will want to buy, and grow sales as a result.

Security and privacy issues brought about by IoB

When data exists in such abundance, the privacy and security of that data becomes a further concern. The IoB is not widely regarded as problematic, and many technology users have no problem syncing their devices, but there is concern about how the data is collected, handled and used.
Among the many challenges facing this emerging technology, the security and privacy of data is a growing concern. Many users admit that security complications and inadequate protection might slow their adoption and use of certain IoT devices. Cybersecurity experts find IoT and IoB problematic because they lack a defined structure and a clear legal framework. IoB ties user data to users' decision-making, and IoT devices do not gather user data solely from a person's relationship with a single company. For example, a car insurance company in Uganda can review a summary of a user's driving history; with IoB, the insurer might also gain access to the user's social media profiles and interactions to better understand, or "predict", their driving. This is extralegal and goes beyond users' data privacy. Nor is the concern limited to the devices: many companies distribute or sell user data across company lines without users' knowledge or permission.

Conclusion

The emerging technology proves beneficial for enterprises, which can optimize their relationship with users on the basis of the collected data. We have already watched the IoT convert collected data about users' behaviour into information. The question remains whether the IoB will translate that information into real wisdom.
The Incognito kids
In the good old days, before COVID-19, the easiest way to keep children from online dangers was not to give them Internet access. As someone who has investigated several cases of cyberbullying, online identity theft, cyber harassment and, of course, cyber ransoms involving kids' nudity and threats, I know first-hand how irresponsible online access can lead to long-term suffering for victims. However, the lockdown made online learning a must. Now all children must access the Internet to attend virtual classes. On top of whitelisting the acceptable sites, the kids now know about virtual private networks (VPNs), thanks to the government's OTT, which helped proliferate and create awareness of VPNs.

When technical solutions fail, you go moral. I had to introduce family values: While online, make the right choices. The internet is like electricity: if you use it well, it will give you light and power for your life's essentials; if you use it badly, it will burn you and your house. When you are online, you are like in a huge city: you must go to places you know, otherwise you will be kidnapped and killed by strangers. The Internet is like a restaurant with many foods on the menu; you must choose what you love eating. Even if you see many things for download, do not click unless you know what you are downloading. Personal hygiene, sanitation, academic excellence and discipline are your guides. Keep your computer clean; don't drink or eat over the keyboard. Try to learn as much as you can online, and listen to your parents, elders and teachers.

Today, one of my kids came to tell me, "Daddy, I have seen someone using Incognito in Chrome." I was surprised. Incognito is something that even we cyber security folks take time to come to grips with. And when he also told me that "they also downloaded TOR", I got scared. How are the kids finding out these things?
The other time, when I disabled WhatsApp on the phone, the kid found a way to connect it via the browser. She was so disciplined: she stopped asking for a phone for over two weeks, and I was so excited that my girl had overcome her weakness for the mobile phone. However, a chance encounter with her laptop caught her live on WhatsApp. "The Zoom sessions are always sent via WhatsApp, and since I could not access the phone, I had to connect directly using the QR code," she said to my face. Ok, no worries. Next time, do ask. How do you parent kids who are savvier than you? These Incognito kids have challenged me. I will not tire of telling them about the opportunities the Internet has to offer, and the dangers therein. I pray they choose well. Copyright Mustapha B Mugisa, 2021 Mr Strategy. All rights reserved.