The New Security Vulnerability: Third-party Apps Exposing Enterprise Data
In 2014, cyber criminals targeted thirty-party apps with the sole aim of gaining unauthorized access to consumers’ personal and private data. Third-party apps in the social and consumer services domain, with easily exploitable vulnerabilities, became a weak link in the cyber security chain. We saw hackers access Snapchat users‘ private data by exploiting vulnerabilities in a client app built by a third-party developer, for example.
Attackers have now turned their attention to the corporate crown jewels: enterprise data. Similar techniques can be used to intrude the enterprise: targeting apps developed by third-party developers and partners with access to trusted services that deal with sensitive data, including employee information, competitive intelligence, and intellectual property.
Given the explosion of mobile apps, vulnerability detection tools employed by criminals to automate the discovery of app weaknesses will likely become more advanced. These new tools could enable the exploitation of: unencrypted access to API services; unprotected mobile data caches that store sensitive data such as credit cards and protected health information (PHI); and weak protection of key and credential data by mobile apps.
Armed with these tools, cyber criminals could go after third-party apps that tap sensitive corporate data, especially if these apps are not fully vetted from a security standpoint and lack the necessary security controls that enterprises use to lock down the front door access. In other words, they lack strong application and API security. There’s also the risk that corporate users will fall victim to social engineering techniques and inadvertently installing malware-infected third-party apps that masquerade as legitimate apps.
New attack techniques are emerging, too, including:
inroads into the process of vetting developers who need access to sensitive data; for example, a brute force attack on the registration process, or account takeovers of partner admin accounts
exploitation of mobile and app vulnerabilities with insecure API access
stealing of sensitive data cached by apps that don’t follow security best practices
social engineering of developers to gain unauthorized access of developer keys and credentials.
So what can you do to protect your organization from such attacks?
First, implement a governance process that oversees the lifecycle management of third party apps—from onboarding to decommissioning the apps. Governance processes should include:
Contractual safeguards such as indemnification and liability for third-party developers, when appropriate
Conforming to strong security standards when accessing corporate services via APIs or other means; all API calls should be TLS or HTTPS, for example
Enforcing a “least-privilege” access model, in which third-party developer and partner apps are provisioned with API keys with the least privileges required for the app to access and transact via APIs
Creating policy templates for developers and partners based on their trust level; they should dictate the level of access given to the apps as well as verification requirement for their trust category
Instituting an audit process to periodically verify the security controls of apps as well as revisit the access control requirements for APIs; for example, reducing the API privileges associated with a partner who downgraded from a premium to a standard service level (any changes to the API access level will not become effective unless the current app key is decommissioned and replaced with a new key)
In summary, third-party apps are the side doors into your digital assets and can cause great damage to your organization when not properly secured. An enterprise security strategy should include the third-party app governance, an API management platform that is developer centric, and tools to enforce and verify security controls employed by the third-party apps.
Photo: Simon Cocks/Flickr