Small Business Attack – Type of Data: Source Code
One of the types of data that may exist on your network is that of source code. Though it’s more likely to be there if you are an I.T. company, a great many companies out there have custom written business applications. Though users will generally use the application either by clicking an icon on their desktop or accessing it via a web browser, the real “nuts and bolts” of the application likely lays in the source code.
Traditionally, the term “source code” refers to the raw code that is written by people and later compiled into another format to be used by a computer. There are other forms of code, like bytecode, interpreted code, etc. However, the point of this entry is not about the differences. For the purposes of this post, “source code” means “business logic that both humans and computers can read”. (I’m sure I just upset some tech purists that read this blog.)
The important thing to realize, as a business owner, is that the applications that you use often reveal a huge amount of data about how you do business. There are likely flowcharts and checklists out on a shared drive somewhere. There may be a technical manual or five somewhere. However, we are in a digital age, and a lot of effort is being put forth to automate repetitive tasks and use technology to accelerate the speed with which business can be done. In short, more and more of the key business activities are being move to the computer. This is great for efficiency… but it also provides a great target for an attacker.
If an attacker gets a checklist, they might learn what problems your business commonly has. They might be able to misrepresent themselves as a client and abuse the checklist to gain further information about your business. They might find their own flaws in your procedure and use it to make your competitors more efficient. But if they can get the source code to one of your systems, they gain much much more.
The code that runs your systems might contain usernames and passwords that interface with other systems. It contains detailed business logic. It might even mention identified, but not repaired problems in your business. An attacker could not only duplicate much of your business, but they might also be able to integrate with your billing and sales systems, and steal money and client lists. They might be able to access exist customer accounts and take anything they want.
In short, they’d be able to do anything that you can do, and since they don’t have the overhead to develop it in the first place, they could to it better, faster and cheaper.
How are you protecting yourself?