Overview of Web/Mobile Hacking
How web/mobile app security flaws are discovered
What is a security flaw?
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and results in a security breach or a violation of the system's security policy.
Core problems that can lead to security flaws
Users
• can interfere with any piece of data transmitted between the client (a browser on a computer or on a mobile phone) and the server
• can send requests (addresses typed into a browser, or calls made from the command line) in any sequence, and can submit parameters at a different stage than the application expects
• are not restricted to using a web browser to access the application: the client could be a native mobile application that talks to the operating system, or a command-line tool on a computer
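To make the three points above concrete, here is an added example (not code from the original page) that simulates a checkout in plain Python. The catalog, the step names and the form field names are assumptions made for the illustration. The vulnerable handler trusts a hidden price field and whatever step the client claims; the hardened one recomputes the price on the server and enforces the step order from server-held session state, so a request built with curl or a modified mobile app gains nothing.

```python
"""Added example (not from the original page): a checkout flow simulated with
plain dictionaries so it runs without a web server. The 'form' is just a dict,
which is all the server ever receives from any client, browser or not.
CATALOG, the step names and the field names are constructed assumptions."""

CATALOG = {"laptop": 1200.00, "mouse": 25.00}  # assumed server-side price list

# step -> the stage the server must already have recorded in the session
TRANSITIONS = {"review": None, "pay": "review"}


def vulnerable_checkout(form: dict) -> dict:
    """Trusts the hidden 'price' field and whatever step the client claims.
    Anyone who edits the request (or never loads the page in a browser) sets
    the amount charged and can skip straight to payment."""
    return {"item": form["item"], "charged": float(form["price"]), "status": "paid"}


def hardened_checkout(session: dict, form: dict) -> dict:
    """Recomputes the price server-side and enforces step order from
    server-held state. The session dict stands in for server-side session
    storage keyed by an unguessable cookie; the client never writes to it."""
    item = form.get("item")
    step = form.get("step")
    if item not in CATALOG:
        return {"error": "unknown item"}
    if step not in TRANSITIONS:
        return {"error": "unknown step"}
    if session.get("stage") != TRANSITIONS[step]:
        # e.g. 'pay' before 'review', or 'pay' replayed after it already ran
        return {"error": f"step '{step}' out of sequence"}
    price = CATALOG[item]  # any client-supplied 'price' is ignored entirely
    session["stage"] = step
    if step == "review":
        return {"item": item, "total": price, "status": "reviewed"}
    return {"item": item, "charged": price, "status": "paid"}


if __name__ == "__main__":
    tampered = {"item": "laptop", "price": "0.01", "step": "pay"}
    print(vulnerable_checkout(tampered))          # charged 0.01
    session = {}
    print(hardened_checkout(session, tampered))   # rejected: out of sequence
    print(hardened_checkout(session, {"item": "laptop", "step": "review"}))
    print(hardened_checkout(session, tampered))   # charged 1200.0
    print(hardened_checkout(session, tampered))   # replay rejected
```

Run the block directly to see the two handlers side by side: the tampered request is charged at 0.01 by the first handler, while the second rejects it, accepts the proper review step, charges the catalog price, and then refuses the replay.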
Common causes of security flaws
• Lack of security awareness
Programmers usually pay more attention to business functionality than to security, and are often not aware of the threats. It is the role of the CTO (Chief Technical Officer) to drive security awareness in the software development department.
• Custom development
Secure frameworks are (insecurely) modified to comply with a customer's requirements. Programmers and software providers need to create technical tests to ensure that the application remains secure after such changes, and should report to the client on the tests that were made.
• Resource constraints
Time, money (good programmers are expensive), paid (and secure) frameworks, etc.
Web app security testing tools
Tools can be used for:
• guessing authentication credentials
• sending crafted input to database interfaces and command lines, for example to test for SQL injection
• testing directory services (LDAP), where injection could modify the organisation's directory structure
• intercepting and modifying web/mobile protocol traffic
Well-known tools that can be used to test security:
• Zed Attack Proxy (ZAP)
• SQLMap
• Wfuzz
• SonarQube
• Grabber
• Netsparker
• Arachni
• Acunetix
• Wapiti
• Intruder
Countermeasures
• Require a secret, user-specific token in every form submitted to the server: an attacker's site cannot put the right token into the submissions it forges on the user's behalf
• Require the client to re-supply authentication data (ideally from a second device such as a mobile phone) in the same browser request that performs any operation with security implications (money transfers, changes to personal details, access to secret documents, etc.)
• Limit the lifetime of session cookies (a small record containing an alphanumeric identifier that the server sends to the browser for temporary use during a limited timeframe)
• Access only websites that present a valid certificate: the browser address should start with 'https'
• Validate user input strictly using an "accept known good" (allow-list) strategy, and isolate incoming files and check their legitimacy before opening or executing them
• Many businesses that fall victim to cyber attacks do so because they only consider the risks once the worst has happened. It is never too soon to protect your business, and there are solutions aimed at small businesses, including cloud-based ones, that make this simple to do.
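The first, third and fifth countermeasures above can be shown in code. The following is an added example, not code from the original page: a per-session CSRF token checked in constant time, a session lifetime limit, and an accept-known-good validator for a money-transfer form, written as plain functions so it runs without a web framework. SESSION_LIFETIME, the in-memory session store, the field names and their patterns are assumptions.

```python
"""Added example (not from the original page): server-side pieces for three of
the countermeasures above. SESSION_LIFETIME, the in-memory session store and
the form field names are constructed assumptions; a real application keeps
sessions in a server-side store and sends only the session id as a cookie."""
import hmac
import re
import secrets
import time
from typing import Optional, Tuple

SESSION_LIFETIME = 15 * 60  # seconds; assumed policy value

# session id -> {"user", "expires", "csrf"}; server-side only
_SESSIONS: dict = {}


def create_session(user: str, now: Optional[float] = None) -> str:
    """Issue an unguessable session id with a bounded lifetime and its own CSRF token."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = {
        "user": user,
        "expires": now + SESSION_LIFETIME,
        "csrf": secrets.token_urlsafe(32),
    }
    return sid


def get_session(sid: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the session, or None if it is unknown or expired (expired ones are dropped)."""
    now = time.time() if now is None else now
    sess = _SESSIONS.get(sid)
    if sess is None:
        return None
    if now >= sess["expires"]:
        del _SESSIONS[sid]
        return None
    return sess


def csrf_token(sid: str, now: Optional[float] = None) -> Optional[str]:
    """The token the server embeds in its own forms; another site cannot read it."""
    sess = get_session(sid, now)
    return None if sess is None else sess["csrf"]


# Accept-known-good patterns: anything not matching is rejected outright.
FIELD_RULES = {
    "to_account": re.compile(r"[0-9]{8,12}"),            # assumed account number format
    "amount": re.compile(r"[0-9]{1,7}(\.[0-9]{1,2})?"),  # positive decimal, 2 places
}


def validate_transfer(form: dict) -> Optional[dict]:
    """Keep only the expected fields, each matched in full against its pattern."""
    clean = {}
    for name, rule in FIELD_RULES.items():
        value = form.get(name)
        if not isinstance(value, str) or not rule.fullmatch(value):
            return None
        clean[name] = value
    return clean


def handle_transfer(sid: str, form: dict, now: Optional[float] = None) -> Tuple[int, str]:
    """Order matters: expired session first, then CSRF, then input validation."""
    sess = get_session(sid, now)
    if sess is None:
        return 401, "session unknown or expired; log in again"
    submitted = form.get("csrf")
    # compare_digest on bytes: constant time, and no TypeError on non-ASCII input
    if not isinstance(submitted, str) or not hmac.compare_digest(
        sess["csrf"].encode(), submitted.encode()
    ):
        return 403, "missing or wrong CSRF token"
    clean = validate_transfer(form)
    if clean is None:
        return 400, "input rejected"
    return 200, f"{sess['user']} transfers {clean['amount']} to {clean['to_account']}"
```

A forged request from an attacker's page arrives with the victim's cookie but without the token, so it stops at the 403 check; a request sent after the lifetime has passed stops at 401 regardless of its contents; and an amount such as "250;DROP TABLE" never reaches business logic because it does not match the allow-list pattern.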
How much security is enough?
• The level of security to implement is decided by a cost-vs-risk analysis
• Risk = Threat × Vulnerability
• Cost = cost of implementing controls − cost of not implementing controls
Major security challenges faced by SMEs
Budget constraints
Don't become the low-hanging fruit for cyber criminals
• Cyber threats are a significant business risk for SMEs. With business practices increasingly moving to the Internet and the cloud, SMEs have a larger attack surface than ever before
• As SMEs work to protect themselves in an ever-evolving threat landscape, they find their security needs constantly changing. While entrepreneurial attackers innovate to find new ways of breaching organisational networks, defenders too must think outside the box and beyond the perimeter
• As the threat landscape continues to evolve and become more complex, SMEs find their budgets increasingly stretched and are exposed to the ever-widening cyber skills gap, leaving them open to malicious attacks
• Revisit the cost-vs-risk analysis whenever the cyber-security landscape changes
Employee theft
Bad actors inside a company are far more common than you think!
• Offer training to your employees
Education is another important element in protecting your business against cyber attacks. Your employees need to know the dangers of clicking on links that are not safe or of using software that has not been vetted.
• Have a Principle of Least Privilege (POLP) policy
Once you have a good understanding of how to prioritise your data security, you can adopt a policy that limits who has access to your data depending on their role and function. This goes beyond simple authentication and authorisation: employees get access only on a need-to-have basis.
This reduces your risk exposure by keeping critical data and network access limited overall. It also makes it easier to discover who might be behind an exposure or incident, because fewer accounts could have reached the data in the first place.
• Deploy software to monitor and prevent access
Once you have done the hard work of assessing your internal data security needs, you can deploy software that monitors behaviour and network access and limits who can reach which parts of your infrastructure.
• Have an incident response plan ready
No plan or software can give a 100% prevention guarantee, so it is important to plan and prepare for worst-case scenarios. Starting from the insider threats discussed above and an assessment of your critical data, you can run through scenarios such as:
What if a recently laid-off employee turned off automatic updates for critical software?
What if a third-party infrastructure provider suffered a data breach?
What if an employee in the finance department clicked on a phishing email?
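As an added illustration of the least-privilege and monitoring points above (not code from the original page), the following Python builds a deny-by-default role check with an audit trail. The roles, permissions, user list and the accesses replayed in the demo are constructed for the example; a real deployment would take them from its identity provider.

```python
"""Added example (not from the original page): least privilege as a
deny-by-default role check, plus an audit log that lets an incident be
attributed afterwards. Roles, permissions and users are constructed."""
from typing import Dict, List, Set, Tuple

# role -> set of (action, resource prefix). Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "finance": {("read", "finance/"), ("write", "finance/")},
    "sales":   {("read", "crm/"), ("write", "crm/")},
    "support": {("read", "crm/")},
}

# user -> role. A leaver is simply removed, which revokes everything at once.
USER_ROLES: Dict[str, str] = {"alice": "finance", "bob": "sales", "carol": "support"}


def is_allowed(user: str, action: str, resource: str) -> bool:
    """Deny by default: unknown user, unknown role or no matching prefix all fail."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return any(
        action == perm_action and resource.startswith(prefix)
        for perm_action, prefix in ROLE_PERMISSIONS.get(role, set())
    )


class AuditedAccess:
    """Every decision is logged, allowed or not, so an incident can be traced."""

    def __init__(self) -> None:
        # (timestamp, user, action, resource, allowed)
        self.log: List[Tuple[int, str, str, str, bool]] = []

    def request(self, ts: int, user: str, action: str, resource: str) -> bool:
        ok = is_allowed(user, action, resource)
        self.log.append((ts, user, action, resource, ok))
        return ok

    def who_accessed(self, resource: str) -> List[str]:
        """Users whose access to a resource was actually granted (incident triage)."""
        return sorted({u for _, u, _, r, ok in self.log if ok and r == resource})

    def denied_attempts(self, user: str) -> int:
        """Repeated denials from one account are an insider-threat signal worth alerting on."""
        return sum(1 for _, u, _, _, ok in self.log if u == user and not ok)


if __name__ == "__main__":
    ac = AuditedAccess()
    ac.request(1, "alice", "read", "finance/payroll.xlsx")   # True
    ac.request(2, "bob", "read", "finance/payroll.xlsx")     # False: wrong role
    ac.request(3, "bob", "write", "finance/payroll.xlsx")    # False
    ac.request(4, "dave", "read", "crm/leads.csv")           # False: unknown user
    ac.request(5, "carol", "write", "crm/leads.csv")         # False: read-only role
    print(ac.who_accessed("finance/payroll.xlsx"), ac.denied_attempts("bob"))
```

When the payroll file later turns up outside the company, the audit log narrows the candidates to the accounts that were actually granted access, and the denied attempts from other accounts are the early-warning signal the monitoring software above should raise.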
Human error
• Email misdelivery
Email misdelivery was the fifth most common cause of cybersecurity breaches; 58% of employees admitted to having emailed the wrong person at work
• Poor password hygiene
In many organisations, passwords are the first line of cybersecurity defence. But often they are also the biggest weakness: 61% of breaches involve stolen or compromised user credentials.
• Inadequate, incomplete or delayed patching
Cybercriminals exploit software vulnerabilities to gain access to enterprise networks, systems and data. When such vulnerabilities are discovered, the software developers (or vendors) fix them and send out a patch to all users, but the fix only protects the systems on which it is actually installed.
• Poor access control
Inadequate access control is another major human error behind cybersecurity breaches, since it allows bad actors to take control of enterprise networks.
Technical measures and best practices for SMEs
Become Cyberwise
Your SME can easily discover its cybersecurity readiness level by answering questions on the elements listed below. This will help you pinpoint security gaps in your organisation and the best practices you need, such as:
• Office firewalls and internet gateways
• Secure configuration
• Software patching
• User and administrative account best practices
• Malware protection
• Awareness of password weaknesses
• Basic risk assessment
Security tools
Having the right cyber security tools for a small business has become essential
• 60% of small businesses close within months of a cyber attack
Budgets are limited, so choosing the correct cyber security tools for a small business is critical in these areas:
• Firewalls and network security
• Email security
• Passwords
• Antivirus
Cybersecurity practices
Some of the practices that will help SMEs be better protected against cyber threats:
• Avoid unknown emails, links and pop-ups
• Be cautious with unvetted USB devices
• Use multi-factor authentication (MFA)
• Keep your mobile device safe
• Use strong passwords
• Be aware of social engineering
• Use secure Wi-Fi
• Ensure data protection
• Install security software updates
• Use firewall protection at work and at home
• Communicate with your IT department
Less known web application vulnerabilities
Common web security mistakes
Some of the most common mistakes that SMEs make, which need to be reviewed immediately:
• Permitting invalid data to enter the database
• Focusing only on the system as a whole, rather than also on each of its components
• Inventing your own security mechanisms instead of using established ones
• Treating security as the last step of development
• Storing passwords in plain text
• Never running website security scans
• Creating weak passwords
• Storing unencrypted data in the database
• Not encrypting sensitive data
• Running obsolete software
• Using software components with known vulnerabilities
How web application vulnerabilities affect SMEs, and prevention
Web application vulnerabilities typically hurt SMEs when the people in charge decide on cyber security measures by relying on their intuition and experience rather than on existing statistical trends and the recorded impact of cyber attacks.
AUTOMATED EXPLOIT OF A KNOWN VULNERABILITY
Compromised asset: the operating system (OS) of the computer.
Prevention: the SME can use patch management software to scan the network, identify missing patches and software updates, and distribute patches from a central console so that the entire network is kept up to date. SMEs can also train employees to keep their own systems patched.
MALICIOUS HTML EMAIL
Compromised asset: computer, mobile phone, tablet, or any equipment that can display the malicious email.
Prevention: the SME can implement aggressive spam filtering so that such emails do not reach the user's inbox. It is also necessary to raise employee awareness of email security: employees must be able to recognise spam and phishing emails, and an SME can run periodic training on this.
RECKLESS WEB SURFING BY EMPLOYEES
Compromised asset: computers, tablets and mobile phones connected to the company network.
Prevention: employees should be advised not to browse websites other than work-related ones, and should be informed that all internet browsing is logged and monitored so they do not visit unethical websites during work. Implementing an Acceptable Use Policy for the Internet is necessary.
DATA LOST ON A PORTABLE DEVICE
Compromised asset: the portable device and the sensitive data stored on it.
Prevention: most mobile devices can encrypt all user data on the device and/or require a password to access it. There should be a policy requiring all employees to enable these features on portable devices used for work. Mobile Device Management (MDM) software helps the company manage mobile devices and wipe all data on a device when necessary.
RECKLESS USE OF HOTEL NETWORKS AND KIOSKS
Compromised asset: the company's entire network and the employee's device.
Prevention: laptops, smartphones and tablets should have up-to-date antivirus, anti-spyware/anti-malware and firewall software. A policy should also be in place that employees may never turn off the security defences of their devices.
LACK OF CONTINGENCY PLANNING
Compromised asset: the entire IT infrastructure of the SME can be affected.
Prevention: developing a business continuity policy is the main solution. Although developing such a policy can be a hard task, an external expert can help.
Consequences of cyber attacks for SMEs
Real-life consequences of cyber attacks on SMEs
Economic impact
Cyber attacks often result in substantial financial loss arising from:
• theft of corporate information
• theft of financial information (e.g. bank details or payment card details)
• theft of money
• disruption to trading (e.g. inability to carry out transactions online)
• loss of business or contracts
Businesses that suffer a cyber breach will also generally incur costs for repairing affected systems, networks and devices.
Reputational damage
Trust is an essential element of customer relationships. Cyber attacks can damage your business's reputation and erode the trust your customers have in you. This, in turn, can lead to:
• loss of customers
• loss of sales
• reduction in profits
Reputational damage can even affect your suppliers, or the relationships you have with partners, investors and other third parties with a stake in your business.
Legal implications
Data protection and privacy laws require you to manage the security of all personal data you hold, whether on your staff or your customers. If this data is accidentally or deliberately compromised and you have failed to deploy appropriate security measures, you may face fines and regulatory sanctions.
Cyber attacks and human error
Even as SMEs accelerate their digitisation efforts to contend with today's competitive economic climate, they may find it difficult to make the necessary security investments, whether by building an in-house team of specialists or by enlisting a costly third-party vendor for support.
Without a ready pool of talent, it is difficult for SME owners themselves to plan, set up and maintain the right cybersecurity infrastructure to protect against both known and unknown threats, now and in the future. Human error remains a factor, because the skills needed to avoid it are missing from the company.
The areas that can be impacted:
• Damage to the brand
• Loss of clients
• Lost opportunities to attract new clients
• Lost opportunities to expand their activities
Cyber risk management
Managing cybersecurity risk with a focus on cyber insurance
Cyber insurance is a type of insurance cover that aims to protect your business from IT threats and covers you if your systems or data are lost, damaged or stolen in a cyber attack.
What does cyber insurance cover?
Most cyber insurance policies cover first-party and third-party costs relating to a cyber attack:
• First-party cyber insurance covers damage to your own business, such as the cost of investigating the cyber crime, restoring IT systems, recovering lost data, reputational damage, extortion payments demanded by cyber criminals and the costs of a business shutdown
• Third-party cyber insurance covers the assets of others, typically your customers, and any potential claims against you, including damages and settlements as well as the legal costs of defending your business
When assessing a client's risk, insurers generally focus on the following main categories:
• Dedicated resources
• Policies and procedures
• Employee awareness
• Incident response
• Security measures
• Vendor management
• Board oversight
Does my business need cyber insurance?
If your business uses, sends or stores electronic data, you could be vulnerable to cyber crime. Cyber insurance could help you with the financial and reputational costs if your business is ever the victim of a cyber attack.
Cost and impact of cyber insurance
Cyber security insurance (and cyber liability insurance) can help your business further mitigate its risk exposure by offsetting some of the costs involved in recovering from a cyber incident.
These may be expenses related to:
• the management of a cyber incident
• the investigation of a breach
• data subject notification and remediation
• liability for breach of privacy or of confidential data
• professional fees related to recovery actions
• business interruption, e.g. from network downtime