Forget Angry Birds. What About Angry Users?

While doing some research I came across the following factoid regarding the overall size of the application software market:

“… the global app market topped $2 billion last year. Astonishingly, Gartner, Inc. expects the market to generate $15.1 billion in revenue in 2011… $27 billion by 2013… and north of $35 billion by 2014, according to International Data Corporation.”

Even if these projections are off by as much as 50 percent, the applications spend is growing at an incredible rate.  While much of this growth is represented by consumer-driven consumption for applications such as “Angry Birds,” a significant portion of these dollars will drive adoption of application solutions in the enterprise.  With the introduction of these new applications and application platforms such as the iPad and other mobile devices, organizations need to be prepared to address threats that stem from vulnerable software packages.

Strangely, there are still a number of organizations in the market that fail to grasp the magnitude of the application security problem.  A recently disclosed compromise puts context around this topic.

In February, Nasdaq released a public statement that its online web application, “Directors Desk,” had been hacked. The attackers were able to leverage vulnerabilities in the site and directly insert drive-by-download malware onto the site and insert references to malware hosted elsewhere on the Internet.  The intent of this malware was to infect the users of the site with malicious software, such as key-loggers.  If not detected, over time, this malware would allow the attackers to obtain login information, credentials, and other highly sensitive information from the site’s 10,000 executive users.
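The compromise described above worked by planting references to content hosted elsewhere inside pages the site itself served. One defensive check for that class of tampering is to inventory every remote script, frame, object and stylesheet reference in a served page and flag any whose host is not on the site's approved list. The code below is an added example written for this post; it is not Nasdaq's, AT&T's, or the post author's code. The hostnames, the approved-host list, and the HTML snippet are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes through which a page pulls in remote executable,
# framed or styling content. Table chosen for this example; extend as needed.
REMOTE_REF_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),
}


class RemoteRefCollector(HTMLParser):
    """Collect (tag, url) pairs for every remote resource reference in a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = REMOTE_REF_ATTRS.get(tag)  # HTMLParser lowercases tag names
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, value))


def host_of(url, page_host):
    """Host a reference resolves to; relative URLs resolve to the page's own host."""
    parsed = urlparse(url)
    if parsed.scheme in ("javascript", "data"):
        # Inline pseudo-URLs carry no host; report the scheme so they stand out.
        return parsed.scheme + ":"
    return (parsed.hostname or page_host).lower()


def find_unexpected_refs(html, page_host, allowed_hosts):
    """Return (tag, url, host) for every reference whose host is outside the approved set."""
    parser = RemoteRefCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts} | {page_host.lower()}
    return [
        (tag, url, host_of(url, page_host))
        for tag, url in parser.refs
        if host_of(url, page_host) not in allowed
    ]


# Constructed sample: a first-party page that legitimately loads from its own
# host and an approved static host, with two injected references to an
# unapproved host (the ".invalid" TLD is reserved and never resolves).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//static.example.com/app.js"></script>
<script src="http://malware-host.invalid/x.js"></script>
</head><body>
<h1>Member portal (constructed sample)</h1>
<iframe src="http://malware-host.invalid/frame" width="1" height="1"></iframe>
</body></html>"""

PAGE_HOST = "portal.example.com"          # assumed first-party host
APPROVED_HOSTS = ["static.example.com"]   # assumed approved content hosts


if __name__ == "__main__":
    for tag, url, host in find_unexpected_refs(SAMPLE_PAGE, PAGE_HOST, APPROVED_HOSTS):
        print(f"ALERT unexpected {tag} reference to {host}: {url}")
```

Run against the constructed page, the check reports the injected script and the 1x1 iframe and stays silent on the first-party stylesheet and the approved static host. In practice the page content would come from periodic fetches of the production site (or from a content-integrity hook in the deployment pipeline), and an alert on a host outside the approved set is a signal to compare the served page against the last known-good release before users are exposed.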

This event is a great example of why application security in the enterprise is so important. There are several points to take away from this event and to keep in mind when talking to customers:

  1. Network controls did not prevent the incident and application security, the organization’s final defense, also failed.
  2. Application-layer flaws allowed the attackers to target Nasdaq’s customers/site users.  By installing spyware, key-loggers, and other malware on users’ machines, attackers could potentially gain information such as IDs, passwords, account numbers, and sensitive data that could be sold or otherwise disclosed (think Wikileaks).
  3. Given Nasdaq’s target user base, it’s highly likely the attack was financially motivated.
  4. Because the application that contained the malware, or reference to it, came from the Nasdaq site, the attack exploited the presumption of trust between Nasdaq and its users.

Aside from the technical fallout, victims of such compromises tend to experience negative impacts to the following aspects of their business:

  • Productivity: Working with law enforcement, recovering systems, and investigating the depth of the compromise all require time and resources.
  • Image: Security events undermine consumer confidence in the victim’s brand. Public and individual notifications prompted by compliance and notification requirements further impact the organization’s image as well as its productivity.
  • Security: Not only can determining the level of invasiveness and the duration of the compromise require a significant amount of time and resources, it undermines confidence in the security around other operational areas of the business.
  • Efficiency: The recovery effort due to compromises such as these is not part of normal operations and therefore detracts from other initiatives, making the organization less efficient—not only in terms of technology, but also in non-technical areas, such as public relations and marketing.
  • Expenses: The cost of recovery represents additional, unplanned expenditures for the enterprise in both soft and hard dollar terms.

Through application testing, code review, and application security program management consulting, AT&T Consulting’s Application Security Services assists clients in minimizing these risks to their enterprise operations.  Like it or not, applications are ever-increasingly being targeted by attackers, and as a result, application security review, hardening, and testing is a critical layer to a well-architected, defense-in-depth strategy for security.

Mike Klepper, Consulting Application Security Practice Director, AT&T