Recent Data Breaches Underscore Application Security Needs


Corporate data breaches are expensive – especially in the US. According to Ponemon’s 2015 Cost of Data Breach Study: Global Analysis, data breaches have an average cost of $3.8 million, which is up 23 percent from 2013. The report also states:

The costs acquired from each lost record went from a consolidated average of $145 to $154, a six percent increase. Ponemon found the U.S. to have the most “costly” breaches, with each record costing an average of $217.

You don’t need Ponemon to drive these points home. Ashley Madison’s recent data breach may doom the company, and other companies such as Target have also been rocked. And these are just the breaches making news headlines. So what can a company do?

The first thing organizations need to do is look internally. Shadow IT – or employees going around corporate IT departments to use cloud-based apps and other unauthorized technology to help them do their jobs – is a growing problem and concern in most organizations today. A recent CIO article highlighted a Cisco study that suggests that typical organizations have 15 to 22 times more cloud applications running than have been authorized by their IT department. Many of these apps touch enterprise data that may be sensitive. That’s a scary proposition – especially if these apps aren’t secure.

There are different types of application attacks that expose enterprise data. An application can be attacked at various layers, on different hardware, and with very different goals in mind, creating a very complex problem for companies that want to protect their intellectual property. Here are some common attacks on applications:

  1. Analysis. In order to understand and trace the compiled application code, hackers use various static analysis tools and debuggers that allow them to access, analyze, and reverse engineer the binary code. Such analysis enables hackers to understand how the internal algorithms work, discover sensitive information, and pinpoint vulnerabilities.
  2. Intellectual Property (IP) Theft. Some attacks are designed specifically to extract sensitive information, copyrighted material, or proprietary algorithms. If attackers can reverse engineer and analyze a program, the internal secrets are essentially exposed and vulnerable to theft.
  3. Key Extraction. Cryptographic keys are at the very core of all security systems that deal with encrypted data. If hackers can locate keys in the code or device memory, they can completely circumvent or remove the security features and steal intellectual property.
  4. Tampering. Tampering is the process of modifying the application code with the goal of making it behave in a different way. For example, by tampering with the program code, hackers can remove license checks, copyright protection, and all other security features.
  5. Piracy. Illegal distribution of copyrighted material is one of the primary concerns of software and content publishers. Such companies suffer tremendous losses because their content is being freely copied and transferred to unauthorized parties.
  6. Malware Injection. Today viruses, Trojans, and other harmful software cause serious problems not just on desktop computers, but also on smartphones, tablets, and embedded systems. If applications are not sufficiently protected, they can be exposed to privacy attacks, performance loss, remote control, and unwanted behavior.

Our Cryptanium Code Protection applies integrated protection mechanisms to the entire application code at different layers. With no changes to your source code, code protection obfuscates the code base using patented obfuscation algorithms, injects hundreds of overlapping integrity checkers, and embeds platform-specific anti-debug, anti-piracy, and anti-malware code. Because Cryptanium applies security features at different levels, hackers cannot easily remove the applied security techniques one by one. In order to succeed, the entire protection must be cracked at once, which is a very difficult task when using Cryptanium.

While your IT department may not be able to control the application security features for each app in use, knowing what’s available to application developers can help spread awareness of the need for application hardening. Data breaches aren’t going away anytime soon!