Just Check

Cyber Security Due Diligence

I use and recommend to clients Microsoft 365 and Google Workspace, and I do not run any due diligence before committing to these apps. I can think of a raft of other software vendors (Adobe, Cisco, Apple etc.) that fall into the category where their reputation validates their products.

That does not mean I do not constantly monitor these mainstream apps for patches and updates – there is a constant stream of posts on Smart Thinking Solutions alerting you to vulnerabilities, patches and updates – because software is complicated and flaws are always being discovered. That is why I led with the Bruce Schneier quote above. What we all hope for is that the software vendors – large and small – discover vulnerabilities before the threat actors do, and produce security patches before the threat actors exploit those vulnerabilities and attack us whilst we have no defences.

This is the classic zero-day attack, which unfortunately cannot be avoided (Abrams, 2022), but the big companies can (and should) respond quickly.

You should check that any vendor you use – but especially the smaller independents – can meet these challenges.

App stores and software repositories

Here are a couple of questions you should ask yourself:

  • What happens when someone in the office discovers that useful online app, the Google Chrome extension or WordPress plug-in?
  • Does someone run due diligence over an app before you allow that Android app to be installed on all the company devices?

Just today I read about a Google Chrome extension that says it is one thing – Google Sheets 2.1 – but turns out to be data-stealing malware (Toulas, 2022a), and about useful website software that has been installed over 3,000,000 times but which leaks sensitive information (Toulas, 2022b). And let’s not get started on the number of Android apps that leak data, either by accident because of poor coding or deliberately, for often malicious but sometimes commercial reasons. No citation here: just check any cyber security news feed to understand the scale of that issue – here is mine on Smart Thinking – Google Play Store and Android Apps.

The National Cyber Security Centre has issued advice when it comes to software sourced from app stores or software repositories – Threat report on application stores – NCSC.GOV.UK – it is worth reading.

Just Check

So you can see that someone – you, a designated person in your office, your IT support or your cyber security consultant – should check before you use software that does not carry a cast-iron reputation.

What’s next?

Next week I am going to look at this subject from the point of view of your WordPress website. (Gall, 2022)


Clive Catton MSc (Cyber Security) – by-line and other articles

References

Abrams, L. (2022, November). New attacks use Windows security bypass zero-day to drop malware. BleepingComputer. Retrieved November 22, 2022, from https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-security-bypass-zero-day-to-drop-malware/

Gall, R. (2022, September). PSA: Zero-day vulnerability in WPGateway actively exploited in the wild. Wordfence. Retrieved November 22, 2022, from https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/

Schneier, B. (2018). Click here to kill everybody: Security and survival in a hyper-connected world. W. W. Norton & Company.

Toulas, B. (2022a, November). Google Chrome extension used to steal cryptocurrency, passwords. BleepingComputer. Retrieved November 22, 2022, from https://www.bleepingcomputer.com/news/security/google-chrome-extension-used-to-steal-cryptocurrency-passwords/

Toulas, B. (2022b, November 21). Apps with over 3 million installs leak ‘admin’ search API keys. BleepingComputer. Retrieved November 22, 2022, from https://www.bleepingcomputer.com/news/security/apps-with-over-3-million-installs-leak-admin-search-api-keys/

Further Reading

Cryptography after the aliens land – A Bruce Schneier Story

Zero-day (computing) – Wikipedia

Schneier on Security: Click Here to Kill Everybody

Just Check Cyber Awake