Protecting Apps Is Not Enough: Why You Need Threat Analytics
Every app downloaded via an app store is running in a zero-trust environment. When you publish an app to an app store – even with integrated protection against known threats – you create an open loop with no way for the app to communicate current threat status. With more than 5 million apps available for download, that opens up a whole host of opportunities for bad actors to reverse engineer code and execute attacks that steal sensitive data, including corporate intellectual property (IP), customer logins and personally identifiable information (PII), and backend infrastructure and application programming interfaces (APIs).
For most organizations, it’s only after the dust has settled and the financial losses have been tallied that the process of understanding the attack begins. But there is a better way to protect your apps “in the wild” and keep attacks from spreading, lowering the risk to your bottom line.
Using Threat Analytics to Close the Loop
The most effective way to secure your apps is by closing the loop — or creating a system to receive feedback about the app’s security posture and then take action. Visibility into when, how and from where an attack is happening, and the ability to optimize your response in real time can mean the difference between stopping a threat before it spreads or picking up the pieces after the fact.
Arxan Technologies’ new Threat Analytics service does just that. Every app protected by Arxan includes the ability to “phone home” to report its status. With Threat Analytics, you can see from day one whether apps are running safely, operating in a risky environment (such as on a rooted or jailbroken device) or being attacked. Threat Analytics enables the closed loop, so you can develop, protect, deploy and observe what’s happening to your apps, and take appropriate action.
Insights that Enable Action and Reduce Risk
The potential revenue impact, brand damage or loss of customer trust because of an application attack can be devastating. With Threat Analytics as part of your security arsenal, you know:
How your app is being attacked
Who or what is putting your business at risk
And because Arxan Threat Analytics is fueled by anonymized threat data from the apps it protects, over time you gain insights that will let you configure security measures to pre-empt emerging attacks. This translates into timely, efficient threat response, and ultimately reduced risk.
Source: Arxan Technologies
One call on WhatsApp is enough to establish surveillance
A recently discovered zero-day vulnerability in the world’s most popular messenger — WhatsApp — allowed hackers to eavesdrop on users, read their encrypted chats, turn on the microphone and camera, and install spyware that allows even further surveillance, such as browsing through the victim’s photos and videos, accessing their contact list, and so on. What’s even worse, to exploit the vulnerability, all the hacker needs to do is call the victim on WhatsApp.
What is known about the new WhatsApp vulnerability
Reliable information about the situation is in somewhat short supply at this point. What is known is that a specially crafted call can trigger a buffer overflow in WhatsApp, allowing hackers to take control of the application and execute arbitrary code in it. It seems the attackers used that method not only to snoop on users’ chats and calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device. And that’s what they did, installing a spyware app.
According to Facebook, which is the owner of WhatsApp, the vulnerability is now patched. It affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15. That means only the very latest versions of the app are currently safe to use; the vulnerability was patched just a couple of days ago.
Attempts to exploit this vulnerability have already been spotted in the wild. WhatsApp’s security team had implemented some changes on the back end that allowed them to block attacks that relied on the vulnerability, but how many people were spied on and who they were have still not been disclosed.
It is also not yet fully clear exactly which spyware app was being installed in the second stage of the attack, but some parties suspect that it might be Pegasus, the spyware famous for its supremely flexible infection capabilities.
It’s worth mentioning that such vulnerabilities are hard to exploit and that Pegasus (assuming it was Pegasus) is expensive malware used mostly by state-sponsored actors. That means that if you’re of no interest to such high-profile spies, you’re probably safe. However, there’s always a chance that the spying tools might be leaked and used by other actors, so it’s wise to protect yourself.
How to protect yourself from WhatsApp attacks
Our best suggestion at the moment is to make sure your WhatsApp is up to date. To do that, go to the Apple App Store or Google Play Store, look for WhatsApp and hit Update. If there’s no “Update” button, but you see the “Open” button instead, that means you have the latest version of WhatsApp, and it is already patched against such attacks.
We will update this post when we have more valuable information either on the attack or on other means of protection.
Why Simplified Security Awareness Training Matters for MSPs and SMBs
In a recent report by the firm 451 Research, 62% of SMBs reported having a security awareness training program in place for their employees, with half being “homegrown” training courses. The report also found that most complained their programs were difficult to implement, track, and manage. Like those weights in the garage you’ve been meaning to lift or the foreign language textbook you’ve been meaning to study, even our most well-intentioned efforts flounder if we’re not willing to put to use the tools that can help us achieve our goals.
So it goes with cybersecurity training. If it’s cumbersome to deploy and manage, or isn’t able to clearly display its benefits, it will be cast aside like so many barbells and Spanish-language dictionaries. But unfortunately, until now, centralized management and streamlined workflows across client sites have eluded the security awareness training industry.
The Importance of Effective Security Awareness Training
The effectiveness of end user cybersecurity training in preventing data breaches and downtime has been demonstrated repeatedly. Webroot’s own research found security awareness training cut clicks on phishing links by 70 percent, when delivered with regularity. And according to the 2018 Data Breach Investigation Report by Verizon, 93 percent of all breaches were the result of social engineering attacks like phishing. With the average cost of a breach at around $3.62 million, low-overhead and effective solutions should be in high demand. But while 76 percent of MSPs reported using some type of security awareness tool, many still rely on in-house solutions that are siloed from the rest of their cybersecurity monitoring and reporting. “MSPs should consider security awareness training from vendors with cybersecurity focus and expertise, and who have deep visibility and insights into the changing threat landscape,” says 451 Research Senior Analyst Aaron Sherrill.
“Ideally, training should be integrated into the overall security services delivery platform to provide a unified and cohesive approach for greater efficacy.”
Simple Security Training is Effective Security Training
Security awareness training that integrates with other cybersecurity solutions—like DNS and endpoint protection—is a good first step in making sure the material isn’t brushed aside like other implements of our best intentions.
Global management of security awareness training—the ability to initiate, monitor, and report on the effectiveness of these programs from a single pane of glass across all of your customers—is the next.
When MSPs can save time by, say, rolling out a simulated phishing campaign or training course to one, many or all client sites across the globe with only a few clicks, they save both time and money in management overhead and are more likely to offer it as a service to their clients. Everyone wins.
With a console that delivers intuitive monitoring of click-through rates for phishing campaigns or completion rates for courses like compliance training, across all client sites, management is simplified. And easily exportable phishing and campaign reports help drive home a client’s progress. “Automation and orchestration are the force multipliers MSPs need to keep up with today’s threats and provide the best service possible to their clients,” says Webroot SVP of Product Strategy and Technology Alliances Chad Bacher.
So as a growing number of MSPs begin to offer security awareness training as a part of their bundled services, and more small and medium-sized businesses are convinced of its necessity, choosing a product that’s easy to implement and manage becomes key. Otherwise, the tool that could save a business from a breach becomes just another cob-webbed weight bench waiting for its day.