Do your business applications open you up to security vulnerabilities?
There is no question that businesses today are relying more heavily on software solutions than ever before. From financial institutions to health care and even the mom-and-pop shop on the corner, software applications are vital to continuing our efficiency and overall business performance. But as recent news has proven, this efficiency comes at a cost - the security of our personal data.
As we continue to develop software solutions for running global businesses, we are increasingly aware of the vulnerabilities associated with application security. In fact, according to the U.S. Department of Homeland Security, 90% of data security incidents are a result of exploits against defects in software. But how do these software vulnerabilities happen?
There are a variety of different reasons behind software vulnerability, but there are four that are worth noting for anyone looking to buy off-the-shelf software or have a custom solution built.
Insecure Coding Practices:
The practices that go into writing an application's code are as important as the code itself. If a software developer is not using secure behaviors, policies and practices as they write an application's code, it can lead to vulnerabilities that may eventually result in stolen data or system corruption. The Global Information Security Workforce Study asserts that 30% of software development companies never scan for vulnerabilities during code development.
The Rapid Evolution of Security Threats:
If it seems like you're receiving news about a new security threat every day, you're not far off the mark. Hackers are hard at work finding and exploiting security vulnerabilities just as developers are working to find solutions for blocking them. And the more the threats evolve, the harder it is to protect against them if a developer doesn't have solid security practices in place.
Programming Language Vulnerabilities:
It would be nice if there was a single programming language that was invulnerable to hackers, but that's just not the case. Every programming language has its strengths and weaknesses, and protecting your application is just a matter of understanding the pros and cons of each and then implementing solutions that take these factors into account.
Re-using Vulnerable Code:
For developers, it saves time, and clients' money, if they are able to utilize pre-written code across multiple applications. That's why it's estimated that 95% of applications in use today utilize open-source or otherwise re-used code. The problem is that many companies don't run system and security checks to ensure their applications are protected against vulnerabilities in re-used code. But rather than banning developers from utilizing pre-built code, it's important instead to keep track of code versions and where and how each module is being used to protect against security vulnerabilities.
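One way to keep track of code versions and where each module is used, as an added example that is not part of the original article. The application names, component names, versions and advisory data below are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: which application ships which component version.
APP_MANIFESTS = {
    "billing-portal": {"imagelib": "2.3.1", "jsonparse": "1.0.4"},
    "hr-intranet": {"imagelib": "2.4.0", "pdfgen": "0.9.2"},
    "warehouse-api": {"jsonparse": "1.2.0", "pdfgen": "0.9.2"},
}

# Constructed advisories: component -> first version that contains the fix.
ADVISORIES = {"imagelib": "2.4.0", "pdfgen": "1.0.0"}


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def build_inventory(manifests):
    """Invert app -> components into component -> version -> [apps]."""
    inventory = defaultdict(lambda: defaultdict(list))
    for app, components in manifests.items():
        for name, version in components.items():
            inventory[name][version].append(app)
    return inventory


def affected_apps(manifests, advisories):
    """Return sorted (component, version, app) tuples still below the fixed version."""
    findings = []
    inventory = build_inventory(manifests)
    for name, fixed_in in advisories.items():
        for version, apps in inventory.get(name, {}).items():
            if parse_version(version) < parse_version(fixed_in):
                findings.extend((name, version, app) for app in apps)
    return sorted(findings)


if __name__ == "__main__":
    for name, version, app in affected_apps(APP_MANIFESTS, ADVISORIES):
        print(f"{app}: {name} {version} is older than fixed {ADVISORIES[name]}")
```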
It only makes sense for companies of all sizes to be concerned with the overall security of their information systems and software applications. As developers, we make your application's security one of our highest priorities, and we're dedicated to helping companies protect their data. If you'd like to learn more about protecting your applications, join us on October 6th as we team up with VioPoint to present a Lunch & Learn panel discussion focused on application security.
When it comes to backdoor hacking, how secure is your system?
News of yet another security breach spread over the internet Monday morning. Researchers discovered that the Avast-owned security application CCleaner for Windows had been compromised by hackers who had installed a vulnerability in the malware removal tool. This vulnerability opened up millions of users to further malware downloads, including ransomware and keyloggers that could be used to hold data hostage or access sensitive information.
Since approximately August 15th, this threat has been spreading to 2.27 million computers via legitimate security software. The infected computers then send the computer's name, what software is installed and which processes are running to the hacker's server. Avast has already released an update to the CCleaner software that is meant to resolve the threat, but as cybercrime seems to be a growing threat, it leaves users, both corporate and individual, wondering if their systems are at risk.
The hackers in the CCleaner breach used a method known as backdoor hacking to gain access to millions of machines. In computing, a backdoor is an undocumented portal that allows administrators to access the system for troubleshooting or maintenance. But backdoors can also be created by hackers to gain illicit access to a server or individual computers. In the case of CCleaner, the hackers exploited backdoor access to spread malware.
Installing backdoor access to systems has been a hot debate in recent years, as some government agencies want the ability to circumvent encrypted protections and access systems and data for local or national security purposes. Software developers have been pushing back on this issue as a matter of privacy for their users. It's a battle over security vs. privacy that is likely to continue for some time, in light of the cyber warfare now taking place.
And while the debate over security and privacy is an important one, the question most companies are asking is, "Is my system safe from backdoor hacking?" To answer that, it's important to understand how hackers access your system and what you can do to guard against backdoor access.
In most cases, hackers access a backdoor by searching for network vulnerabilities such as unused accounts with easy-to-crack passwords. (As of 2016, the most common password was still 123456!) Once they've gained access, they change the password to something difficult to break and have open access to everything on the network. The hacker will then mask their activities by hiding files deep within the system directories, using inconspicuous file names to avoid detection. Exploiting system vulnerabilities is especially easy if the manufacturer's default passwords were still left on the network.
Because of the hidden nature of backdoor hacking, it can be difficult to protect your system from cyber criminals looking for a way in, but there are steps any business can take to help protect their data. The very first thing a network administrator should do is ensure that users are not falling back on bad password habits. The most commonly used passwords in 2016 were: 123456, 123456789, qwerty, 12345678, and 111111. The top 25 most commonly used passwords constituted 50% of the 10 million passwords analyzed in 2016. And any hacker would have no problem breaking into an account with such a simple password in seconds.
Once you've implemented secure passwords across your system, it's critical to ensure that unused accounts are no longer active. As hackers often use these dormant accounts to gain initial access, you should remove these accounts as they create unnecessary vulnerabilities.
And, finally, it's important to have network administrators who will set up firewalls and monitoring to help prevent or detect unauthorized activity. A solid firewall that blocks entry points from all but authorized users will defend against the execution of a port binding backdoor attack while system monitoring allows network administrators to flag suspicious activity, stop the attack and mitigate any damage that may occur.
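The first two steps above (refusing common passwords and retiring dormant accounts) as an added example that is not part of the original article. The account records, the minimum length and the 90-day dormancy threshold are assumptions made for illustration; only the five denylisted passwords come from the article.

```python
from datetime import date

# The five most common 2016 passwords named in the article, used as a denylist.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "12345678", "111111"}
MIN_LENGTH = 12          # assumption: policy value, not from the article
DORMANT_AFTER_DAYS = 90  # assumption: threshold, not from the article

# Constructed sample account inventory (username, last login, enabled).
ACCOUNTS = [
    {"user": "asmith", "last_login": date(2017, 9, 12), "enabled": True},
    {"user": "temp_intern", "last_login": date(2016, 11, 3), "enabled": True},
    {"user": "svc_backup", "last_login": None, "enabled": True},
    {"user": "jdoe_old", "last_login": date(2015, 1, 20), "enabled": False},
]


def password_rejection_reason(candidate, username=""):
    """Return why a new password is refused at set time, or None if accepted."""
    normalized = candidate.strip().lower()
    if normalized in COMMON_PASSWORDS:
        return "on common-password denylist"
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if username and username.lower() in normalized:
        return "contains the username"
    return None


def dormant_accounts(accounts, today):
    """List enabled accounts never used or idle longer than the threshold."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing left to deactivate
        last = acct["last_login"]
        if last is None:
            findings.append((acct["user"], "never logged in"))
        elif (today - last).days > DORMANT_AFTER_DAYS:
            findings.append((acct["user"], f"idle {(today - last).days} days"))
    return findings


if __name__ == "__main__":
    for user, reason in dormant_accounts(ACCOUNTS, date(2017, 9, 20)):
        print(f"review for removal: {user} ({reason})")
    print(password_rejection_reason("qwerty"))
```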
If the idea of protecting your systems and applications seems daunting to you, we understand. The good news is that you don't have to figure it all out for yourself. Spud Software is actively engaged in protecting our clients with system and application security solutions, and we'd love the opportunity to work with you. Give us a call or join us at our Lunch & Learn event on October 6th for more information on protecting your company and its data.
Do you know why encryption should be your first line of defense?
Encryption is one of those words we use a lot in the software industry, and for good reason. When it comes to protecting your data, it is our first, and best, security solution. But if you don't operate in a tech environment like we do, you might be wondering what encryption is, and why it's so important for your company.
Encryption is converting your sensitive data into an indecipherable code to ensure its security in transit or in storage. For someone to read an encrypted file, they need access to the secret key (or password) that allows the data to be decrypted. Without the key, the data just appears to be scrambled text - utterly useless to prying eyes.
Even knowing that encryption is a valuable tool for protecting data, some companies question whether it's the solution for them. So we want to address a few of the common misconceptions surrounding encryption.
Encryption is too costly and complicated:
Cost is one of the first concerns companies have when it comes to IT security, and understandably so. But encryption doesn't have to be costly or complicated. There are a number of solutions that streamline the process and even have transparent integration with your existing software. And when weighed against the cost of dealing with a data breach, which can result in potential fines, loss of client trust and even lawsuits, the cost is actually quite inexpensive.
Encryption is only for health care providers or other companies with government mandated compliance regulations:
By now we've all heard of compliance regulations like HIPAA which require data to be encrypted and kept private by government mandate. But while the data you collect and store may not be as sensitive as patient health information, that doesn't mean it shouldn't be encrypted. If you're collecting any data (customer names and addresses, employee data, or competitive market information), you should be utilizing encryption, even if it's not legally mandated.
Encryption will slow down your processes:
As long as the encryption of your data is implemented correctly, you can minimize its effect on system performance. Most servers do not run at full capacity to ensure that added activity doesn't cripple your applications. And most applications have been fine-tuned to optimize their performance even in an encrypted environment. So encryption shouldn't significantly alter the speed at which your data is delivered and processed.
Encrypting alone is enough to secure data:
While encrypting your data is the first step to protecting your data, it's important to realize that your security is only as good as your key. If someone gets the key to a locked office building, those high-tech locks will quickly give way and allow entry. The same goes for encryption. If you're not protecting the keys used to decipher your data, there's a strong chance you'll experience a breach. Encryption keys should never be stored on the same server as the data they're protecting. It's important to have policies in place for who has access to your encryption keys and where they are stored, to ensure your data's security.
Encrypted data can't be stolen:
Recent security breaches prove that even encrypted data can be stolen. You should actually expect that at some point someone will attempt to access and steal your data. The point of encryption isn't to protect your data from being stolen; it's to protect stolen data from being read. Since encrypted data can't be read without the key, as long as your encryption keys are secure, a data breach doesn't need to be catastrophic to your company.
Encryption doesn't work in the cloud:
Contrary to popular belief, storing your encrypted files in the cloud can actually be safer than keeping a physical copy on your premises. Most cloud-based storage solutions include encryption options, and keeping your data off-site reduces the risk of insider access to sensitive files. But when storing your data in the cloud, it's important to be in control of your own encryption keys, rather than allowing the cloud provider to manage them.
As data is the lifeblood of most businesses, it's vital that you secure your company's and customers' sensitive information. If you have not yet explored the option of encrypting your data, or if you're looking to improve the overall security of your data, we can provide you with a solution that is tailor-fit to your company's needs.
Does your company have a road map to success?
Just as the choices we make day-to-day determine our course as individuals, the processes you follow as a company determine your organization's success. And the efficiency and effectiveness of your processes will determine the direction of your business. Without a clearly defined road map, it's difficult, if not impossible, for your employees and your business to realize their full potential.
Most companies have identified a set of processes and procedures that run their day-to-day operations, but what if your team is struggling to follow the process map that you've set before them? Ineffective or cumbersome processes can result in unhappy, stressed employees, disgruntled customers, missed deadlines and increased costs across your company.
If an employee encounters a situation without a clearly defined process, most of the time they'll improvise or "wing it." Over time, this improvisation can actually become their process. But this method can compound issues and cause confusion among your staff and clients alike. That's why it's important to define and develop business processes that work for you and toward your company's goals.
With an ever-growing to-do list and clients knocking on your door with deadlines and quotas to meet, it's understandable that defining and perfecting your processes takes a back seat. You'll get to it when you have some extra time; however, there never seems to be extra time. And that is exactly why you need processes in place.
The benefits of well-defined processes are clear:
Good processes keep you consistent and competitive.
Why gamble with your clients' satisfaction? Clearly defined processes allow your employees to work effectively and consistently, producing the kind of high-quality work that your customers expect.
Good processes keep your company agile.
Having clearly defined processes allows your company to shift with market changes. Being able to easily identify what needs to change or how to address process issues as the market shifts gives you the advantage of quickly adapting future projects.
Good processes provide a firm foundation.
With the right processes in place, you don't have to worry about employee turnover or business interruptions. Processes provide a core framework that minimizes those interruptions and allows for easier transitions for new hires or team changes.
Defining your processes may seem like a daunting task. It's easier to do what you've always done and hope it works, but as the saying goes, if you do what you've always done, you'll get what you've always gotten. And that doesn't leave much room for growth. But there are steps you can take to begin defining processes that will help you realize your company's full potential.
Step 1: Inventory your current business workflow.
How do you do what you do? What procedures are currently in place, who uses them, and what are the goals of each?
Step 2: Rank the processes you currently use.
In order to determine the best workflow for your company, you need to know what's most important to your end goals. Then prioritize your processes accordingly.
Step 3: Break your processes down into individual steps.
Once you know what the process is, it's important to know the individual steps involved in that process. Are your employees duplicating efforts? Are they following outdated practices? This step will help you determine what should stay, what should go, and what needs improvement.
Step 4: Talk to your team.
Before you start changing processes entirely, it's important to understand why your team works as it does. Is there a process in place that doesn't fit? Are your team members using work-arounds that you know nothing about? Get this input now, and save yourself a lot of hassle implementing your processes down the road.
Step 5: Automate your workflow.
It's not enough to have processes in place; it's vital to ensure that your whole team is using the same process in their daily workflow. The best way to do this is to automate that workflow. By developing automated systems, you can streamline your systems and reduce human error.
Step 6: Refine.
Once your processes are in place and your team is working through your automated workflow, it's important to continue to refine the processes based on what's working. With an automated workflow you can also implement easy reporting features to show you what works, what needs improvement, and what should be eliminated.
We understand that the idea of defining and automating your processes can be overwhelming. But you don't have to do it alone. At Spud Software we've spent 20 years helping our clients define their processes and design solutions that work for them. We've seen how clearly defined processes and automated workflows can exponentially increase a company's efficiency and their overall profits. And we'd love the opportunity to help you build a road map to success.
Contact Spud Software for a free 1-hour exploratory meeting about how we can help you define, design, develop and deliver processes that help your company realize your full potential.