Fuel Oil News

Fuel Oil News September 2015

The home heating oil industry has a long and proud history, and Fuel Oil News has been there supporting it since 1935. It is an industry that has faced many challenges during that time. In its 77th year, Fuel Oil News is doing more than just holding

Issue link: https://read.dmtmag.com/i/560753


BUSINESS OPERATIONS

Are Your APPs Secure?

Mobile device applications can have vulnerabilities

BY ANDREW HOOG

IMAGE ©ISTOCKPHOTO.COM/GOBY

Use of mobile devices in the energy industry is on the rise. General Electric recently distributed 2,000 iPads internally and has developed a series of applications for its employees and customers. Noveda Technologies, a supplier of web-based, real-time energy and water monitoring, launched an energy and water saving iPad app for managing renewable energy production, energy consumption and water usage in real time.

Ease of use, portability and depth of features are part of what makes mobile devices attractive. But when implementing smartphones and tablets across an enterprise, organizations must recognize that for all the freedom and productivity gains a BYOD (bring your own device) workplace may bring, it also presents unique security challenges. Ignoring these risks could result in loss of data, loss of client trust and ultimately loss of revenues.

As CEO and co-founder of viaForensics, I can attest to the seriousness of these threats for the oil and fuel industry. Having worked with many IT professionals, I have seen them struggle to put effective security measures in place. One problem is that many of them are focused on yesterday's threat—malware.

Malware gets the most attention partly because it's the enemy the security community understands best, as they've been battling it since the rise of the PC. But while traditional computer anti-virus programs run checks against an extensive list of known security threats, mobile malware programs increasingly use code not found in established anti-virus databases. In 2013, researchers at Northwestern University concluded that the leading mobile anti-virus programs were "susceptible to common evasion techniques" that rendered them ineffective.

While the evolution of more robust mobile anti-malware programs would be a welcome development, it would still do nothing to mitigate the greater security threat to your workplace—unsecured or 'leaky' apps. These are outwardly benign applications with security flaws that can put your company data and that of your employees and clients at risk.

LEAKY APPS

Last year we examined 100 popular apps, testing them for man-in-the-middle and SSL attack vulnerabilities, whether they stored passwords and other sensitive data in their memory, and other common security concerns. Our study found that fully 60% of apps received a "High" risk rating in one or more areas. These apps were offered in Apple's App Store and Google Play and crossed a wide variety of categories (games, financial apps, productivity, business, utilities, etc.). None of them were apps anyone would normally perceive as 'risky' – usually, when presented with our findings, even their creators were unaware of their apps' vulnerabilities.

How can so many apps contain serious security issues? For one, apps are a booming business with few regulatory or protective oversights. In such an environment, speed-to-market often trumps secure design. Your average consumer is largely unaware what their phone is really doing or what private data a given app might have access to and potentially expose. And without a watchdog organization to help make app buyers more aware about security, app developers lack incentive to ensure their products are safe before release. The big players in the mobile ecosystem are a long way from solving the problem, or even beginning to seriously address it.

Leaky apps can be a gateway to stealing confidential customer data, your company's financial information and other sensitive materials. In traditional workplace networks, you can easily prevent employees from installing software without permission. But in a BYOD environment, you often have little control over what apps employees install on their personal devices. It's paramount to remember that whatever your employees can access from their devices is also potentially accessible by attackers.

SECURE YOUR APPS

All apps should undergo strict security testing; however, apps that are whitelisted or blacklisted in your company policy should have been even more rigorously tested by your IT team before being allowed on your network. I recommend a few approaches. Extract data to see how sensitive information is stored. Examine an app's authentication methods and permissions, and capture and analyze network traffic to detect encryption problems. Execute multiple attacks, such as man-in-the-middle, SSL Proxy and others, to test app vulnerabilities. We've developed viaLab to automate this type of security testing, but however you choose to
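
One way an IT team could carry out the first approach listed above, checking how an app stores sensitive information once its data has been extracted from a test device. This is an added example, not part of the original article and not viaLab's code; the Android-style file layout (preferences XML and SQLite databases), the keyword list and the sample data are assumptions constructed for illustration.

```python
import os, re, sqlite3
import xml.etree.ElementTree as ET

# Names that suggest a stored secret (assumed list; extend per app).
SENSITIVE = re.compile(r"passw|secret|token|api_?key", re.I)

def scan_prefs_xml(path):
    """Android-style preferences: <string name="...">value</string>."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []  # not well-formed XML, nothing to report
    return [el.get("name") for el in root.iter("string")
            if SENSITIVE.search(el.get("name", "")) and (el.text or "").strip()]

def scan_sqlite(path):
    """Sensitive-looking table.column names that hold non-empty values."""
    hits, con = [], sqlite3.connect(path)
    try:
        tables = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
        for (t,) in tables.fetchall():
            for col in con.execute(f'PRAGMA table_info("{t}")').fetchall():
                q = f'SELECT COUNT(*) FROM "{t}" WHERE "{col[1]}" <> \'\''
                if SENSITIVE.search(col[1]) and con.execute(q).fetchone()[0]:
                    hits.append(f"{t}.{col[1]}")
    except sqlite3.DatabaseError:
        pass  # unreadable or encrypted database
    finally:
        con.close()
    return hits

def scan_app_data(root):
    """Sorted (relative path, name) pairs; review each hit, it may be hashed or encrypted."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            names = scan_prefs_xml(p) if f.endswith(".xml") else \
                scan_sqlite(p) if f.endswith((".db", ".sqlite")) else []
            findings += [(os.path.relpath(p, root), n) for n in names]
    return sorted(findings)

def build_sample(root):
    """Constructed sample files standing in for an extracted app data directory."""
    with open(os.path.join(root, "settings.xml"), "w") as fh:
        fh.write('<map><string name="password">hunter2</string></map>')
    con = sqlite3.connect(os.path.join(root, "app.db"))
    con.execute("CREATE TABLE accounts (email TEXT, auth_token TEXT)")
    con.execute("INSERT INTO accounts VALUES ('jdoe@example.com', 'abc123')")
    con.commit(); con.close()
```

Call `scan_app_data()` on the directory holding the extracted app data; `build_sample()` writes the constructed files into an empty directory for a dry run.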
