Protecting Web Apps Protects the Company and Customers
Web application security refers to the measures and practices taken to protect web applications from unauthorized access, data breaches, and other malicious activities. It involves implementing relevant techniques, technologies, and best practices to ensure the confidentiality, integrity, and availability of web applications and their supporting systems.
The following factors underpin the importance of Web Application Security.
Data Protection: Web applications often handle sensitive user information such as personal details, financial data, and login credentials. Without proper security measures, this data becomes vulnerable to theft, manipulation, or destruction.
Compliance Requirements: Many industries must meet specific compliance standards and regulations, such as the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI DSS). Non-compliance can result in severe legal consequences and financial penalties.
Protection against Attacks: Web applications are prime targets for various cyber attacks, including XSS, SQL injection, and DDoS attacks. These attacks can lead to unauthorized access, data loss, service disruption, and reputational damage.
Business Continuity: A successful cyber attack or breach can significantly impact the availability and functionality of a web application. Downtime and loss of functionality can result in financial losses, disrupted operations, and dissatisfied customers.
Competitive Advantage: Being able to demonstrate one’s security posture has become a crucial competitive differentiator. Organizations that prioritize web application security and demonstrate their commitment to protecting user data gain a competitive edge. By offering a secure and reliable application, businesses can attract more users, retain existing customers, and differentiate themselves from competitors.
Cross-Site Scripting (XSS) attacks: Injecting attacker-controlled script into pages served by a trusted site so that it runs in other users' browsers with that site's privileges, typically to steal session cookies or perform actions as the victim.
SQL injection attacks: Supplying crafted input that becomes part of a web application's SQL statement, letting the attacker read or modify data or, depending on the database, execute further commands.
Cross-Site Request Forgery (CSRF) attacks: Tricking an authenticated user's browser into sending requests the user never intended, relying on the browser automatically attaching the user's session cookie.
Session hijacking and session fixation: Taking over a user's session either by stealing a valid session identifier (hijacking) or by planting a known identifier before the user logs in (fixation); in both cases the attacker can impersonate the user, access sensitive information, or perform malicious actions.
Brute-force attacks: Repeatedly trying username and password combinations (including password lists leaked from other breaches) to exploit weak, reused, or easily guessable credentials.
Distributed Denial of Service (DDoS) attacks: Flooding a web application or its infrastructure with a massive volume of requests from many sources until it cannot serve legitimate users.
Best Practices for Web Application Security
It’s never good to stick only with what could go wrong. Here are actions to take to secure web applications:
Input validation and output encoding: Validate all input against an allow-list of what the application expects (type, length, format) and, separately, encode data for the context in which it is used: parameterized queries for SQL, HTML/attribute/JavaScript encoding for anything rendered in the browser. Validation alone does not stop injection; the context-specific encoding does.
Secure authentication and authorization: Verify who the user is with a mechanism resistant to replay and credential stuffing, and check on every request that the user is allowed to act on the specific object requested; missing object-level authorization is a common web flaw.
Encryption and secure communication protocols (HTTPS): Serve everything over TLS, redirect HTTP to HTTPS, set HSTS so browsers refuse to downgrade, and mark session cookies Secure and HttpOnly.
Regularly updating and patching software components: Track frameworks, libraries, and transitive dependencies, and patch on a schedule short enough that a publicly known vulnerability is not left exposed for weeks.
Strong password policies and multifactor authentication: Enforce a minimum length and check candidate passwords against known-breached lists rather than relying on composition rules alone, and require a second factor, ideally a phishing-resistant one, for sensitive accounts.
Security testing, vulnerability scanning, and code reviews: Combine automated scanning with manual code review and periodic penetration testing so that logic flaws a scanner cannot see are also found.
Web Application Firewall (WAF): Deploy a WAF to filter known attack patterns in inbound traffic. It is a compensating control that buys time while the underlying flaw is fixed, not a substitute for secure code.
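The following is an added example, not code from the original page: the first practice in the list above (validation, parameterized queries, and output encoding) plus a CSRF token check, shown in working Python against an in-memory SQLite database. The schema, the two user rows, and the inputs are constructed for illustration.

```python
"""Added example (not from the original page): the controls from the list
above in working Python against an in-memory SQLite database.  The schema,
rows and inputs are constructed for illustration."""
import hmac
import html
import re
import secrets
import sqlite3
from typing import List

# Allow-list: what a username is permitted to look like.  Deny-lists of
# "bad characters" are the wrong way round and always miss something.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Deliberately unsafe: the input is spliced into the SQL text, so a quote
    in the input changes the query's grammar (SQL injection)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """Safe regardless of input: the driver passes the value separately from
    the statement, so quotes are data, never syntax."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def is_valid_username(name: str) -> bool:
    """Input validation: reject anything outside the allow-list up front.
    This is defence in depth on top of parameterization, not a replacement."""
    return USERNAME_RE.fullmatch(name) is not None


def render_greeting(name: str) -> str:
    """Output encoding for HTML context: stops reflected XSS even if the
    name was stored without validation somewhere upstream."""
    return "<p>Hello, " + html.escape(name) + "</p>"


def issue_csrf_token() -> str:
    """Per-session random token; unlike a cookie, the browser will not attach
    it to a request forged from another site."""
    return secrets.token_urlsafe(32)


def csrf_valid(session_token: str, submitted: str) -> bool:
    """Constant-time comparison so the check does not leak via timing."""
    return hmac.compare_digest(session_token, submitted)
```

With the input `x' OR '1'='1`, `lookup_vulnerable` returns every user while `lookup_parameterized` returns nothing. The demonstration uses a boolean payload rather than a stacked `'; DROP TABLE` because Python's sqlite3 driver refuses to execute more than one statement per call; that is a property of this driver, not a defence to rely on.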
Emerging Trends and Technologies in Web Application Security
New technologies always bring new risks and threats, but they also bring benefits. Some new trends that do just that are:
A. Machine Learning and AI-based security solutions: Machine Learning (ML) and Artificial Intelligence (AI) are being leveraged to develop advanced security solutions that can detect and mitigate sophisticated attacks.
B. Behavior-based anomaly detection: Behavior-based anomaly detection techniques focus on monitoring and analyzing the behavior of users, systems, and applications.
C. Containerization and microservices security: Containerization and microservices architectures give web applications more flexibility and scalability, and they can limit the blast radius: a compromised container or service does not automatically hand over the whole system. That isolation only holds if it is configured, though. Containers share the host kernel, many images run as root by default, and services often receive more network access and more secrets than they need, so the same least-privilege discipline applies to them as to any other workload.
D. Serverless architecture and security implications: In a serverless architecture (applications run as functions on a cloud provider's infrastructure, with no servers for the customer to manage) the provider patches and secures the underlying hosts, which lets developers spend more of their effort on application-level security. Responsibility is shared, not transferred: the customer still owns the function code, its dependencies, its IAM permissions, and the configuration of the event sources that trigger it, and a function granted broad permissions is as dangerous as an over-privileged server.
Security Awareness and Training
Security Awareness and Training extends well beyond having every employee watch a 15-minute video once a year. Those developing the applications need to be aware of these items to properly create a secure web app ecosystem:
Growing Threat Landscape: By staying aware of the latest security threats and trends, organizations can proactively adapt their security measures to mitigate new risks and vulnerabilities.
Rapid Technological Advancements: New features, APIs, and architectural approaches introduce both opportunities and risks. Ongoing security awareness ensures that developers and security teams stay updated on best practices and techniques to secure the latest technologies, preventing security gaps in newly implemented features.
Compliance and Regulatory Requirements: Compliance standards and regulations related to web application security are subject to updates and revisions. Ongoing security awareness ensures that organizations stay informed about any changes in compliance requirements, enabling them to adapt their security practices and maintain compliance with industry regulations.
Continuous Improvement and Adaptation: The security landscape is a dynamic environment, requiring a proactive and iterative approach. Ongoing security training promotes a culture of continuous improvement, encouraging organizations to regularly evaluate and enhance their security practices, perform security testing and audits, and adopt emerging security technologies and methodologies.
User Trust and Reputation: Web application security directly impacts user trust and an organization’s reputation. Users expect their data to be protected, and any security incidents or breaches can significantly damage trust in the application and the organization behind it.
Earning Trust
Having a third party test your web applications, whether upon major releases or on a regular schedule, is important to gaining and maintaining customer trust in the security of your applications. Contact us today to find out how Cybersecurity Crusaders can align with you and your business in your journey to trust and security.
It’s well known that a vulnerability assessment is not a penetration test. This is often said to point to the superiority of a penetration test (pentest). Pentests are definitely superior in that they recreate what a threat actor could potentially do.
A couple potential drawbacks to pentests compared to vulnerability assessments are that pentests a) have a higher cost, and b) take much longer than vulnerability assessments.
A couple of steps down from a pentest is the simple vulnerability scan. Scans are run by software (paid or free) and are good at flagging potential vulnerabilities quickly. They are the easiest activity to perform (pick a scanner and run it), which anyone can do.
What a scan cannot do is judge its own output: it has no way to confirm that a finding is real, it produces false positives (and occasionally misses real issues), and it cannot weigh a finding against how the affected system is actually used. Separating the real threats from the noise requires a vulnerability assessment.
Vulnerability assessments are a step up from scans and take more time because each finding has to be validated, its real applicability to the environment determined, and a remediation chosen. Good assessments categorize the security risks, assign risk levels, and offer remediation suggestions.
What does an assessment look like?
Here are a couple examples of findings that have to be determined and ranked:
A) The scan finds a vulnerability and rates it High: for example, it detects SharePoint 2010. SP 2010 is end-of-life (unless extended support was purchased). Best practice is to run the latest version; if a compromise were traced to known out-of-date software, the vendor might not offer support during the breach and cyber insurance probably would not cover it. But the finding may actually be SharePoint 2013 serving a site collection in backward-compatibility mode, which a scanner that fingerprints the page layout can misreport. In that case (as of this writing) the software is still under support. The scan found something that only a proper assessment could determine was a false positive, avoiding needless panic (though the farm still needs to be upgraded soon).
B) If the finding is a true positive, say a host is discovered running Windows XP and it really is XP, then the next step is to determine whether the finding matters. If that machine has an important role in the company, it should be replaced or upgraded. But if it is a test computer, perhaps kept for testing legacy software to ensure backward compatibility with an Operational Technology (OT) machine, is not internet-facing, and holds no critical data, then it may be acceptable to keep it.
The recommendation will probably include isolating that old machine from the rest of the network and tightly controlling access to it. The scan picked up a true risk, but properly assessing its criticality required extra time, perhaps in the form of interviews and fact-finding. In general, a resource is considered critical to operations if it 1) holds important data (e.g., PII, corporate, confidential) and 2) is reachable from the internet (any exposed service, not just a web page). These devices need to be not only scanned but properly assessed.
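As an added example, not from the original page, here is the kind of cross-check an assessor can script for finding A: compare the version a scanner inferred from the page layout with the server's own MicrosoftSharePointTeamServices response header. The header name is real and SharePoint sends it by default; the sample responses below are constructed, and the assumption that a 2010-compatibility site collection serves its UI from the bare /_layouts/ path while a native 2013 site uses /_layouts/15/ must still be confirmed against the live farm.

```python
"""Added example (not from the original page): cross-check a scanner's
"SharePoint 2010" finding against the server's own version header before
rating it.  Sample responses are constructed; the header name is real."""
import re
from typing import Dict, Optional

# Major build number -> product, as reported in MicrosoftSharePointTeamServices.
MAJOR_TO_PRODUCT = {
    "14": "SharePoint 2010",
    "15": "SharePoint 2013",
    "16": "SharePoint 2016/2019/Subscription Edition",
}


def server_major(headers: Dict[str, str]) -> Optional[str]:
    """Major version from the MicrosoftSharePointTeamServices header, if present."""
    for name, value in headers.items():
        if name.lower() == "microsoftsharepointteamservices":
            match = re.match(r"(\d+)\.", value.strip())
            return match.group(1) if match else None
    return None


def ui_major(html: str) -> Optional[str]:
    """What the page layout suggests (the signal a scanner tends to use).
    Assumption: a 2013+ farm serves its own UI under /_layouts/15/ (or 16/),
    while a site collection in 2010 compatibility mode uses bare /_layouts/."""
    if "/_layouts/15/" in html or "/_layouts/16/" in html:
        return "15+"
    if "/_layouts/" in html:
        return "14"
    return None


def classify(headers: Dict[str, str], html: str) -> str:
    """Turn the two signals into an assessment note for the finding."""
    major = server_major(headers)
    ui = ui_major(html)
    if major is None:
        return "unknown: no SharePoint version header, confirm manually"
    product = MAJOR_TO_PRODUCT.get(major, f"unknown SharePoint major {major}")
    if major == "14":
        return f"true positive: {product} (end of life)"
    if ui == "14":
        return (f"false positive: {product} site in 2010 compatibility mode, "
                "upgrade still recommended")
    return f"{product}: check current support status"


# Constructed responses for two hosts; the build numbers are illustrative.
LEGACY_HOST = (
    {"MicrosoftSharePointTeamServices": "14.0.0.4762", "Server": "Microsoft-IIS/7.5"},
    '<link href="/_layouts/1033/styles/Themable/corev4.css" rel="stylesheet">',
)
COMPAT_HOST = (
    {"MicrosoftSharePointTeamServices": "15.0.0.4420", "Server": "Microsoft-IIS/8.0"},
    '<link href="/_layouts/1033/styles/Themable/corev4.css" rel="stylesheet">',
)

if __name__ == "__main__":
    for label, (hdrs, body) in (("legacy", LEGACY_HOST), ("compat", COMPAT_HOST)):
        print(f"{label}: {classify(hdrs, body)}")
```

Both constructed hosts show the same 2010-style layout, which is all the scanner saw; only the header separates the true positive from the false one. The same pattern (one cheap second signal before accepting a rating) applies to most version-based findings.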
What Are the Benefits?
Vulnerability assessments require expertise and dedicated time to decipher and investigate the results properly, and not all companies have the right in-house resources to take care of scanning, assessing, testing, patching, and re-scanning.
A company may not need a pentest because of its industry or because it has no certification or regulation to comply with. Pentests may also be cost prohibitive; their extra depth comes with a bigger price tag.
One may have available personnel to perform updating and upgrading, but may not have the appropriate personnel, tools, and technology to gain an accurate view of the security posture. Vulnerability assessments are a vital, though often undervalued, component of cybersecurity.
Third-party vuln scans can increase reputation. There’s the chance that customers and prospects can view internally-run scans as a conflict of interest. Third-party assessments – even performed infrequently – can boost a company’s credibility, knowing that the assessments are objective, with recurring assessments demonstrating that the company attended to the previously reported findings. Additionally, a professionally produced report builds confidence and leaves a paper trail for orgs to see their progress and hold personnel accountable.
Assessment reports can also be used to obtain proper funding for IT and Security initiatives by demonstrating more objectively what threat actors really can see from the outside; it’s not just in the imagination of internal staff. The more that vulnerabilities appear on repeated reports, especially when shared as part of security questionnaires, the better the chance that upper management will provide resources to attend to the findings. Cybersecurity Crusaders is ready to scan and assess your corporate environment.
Contact us today so we can help you discover and prioritize your security and IT resources.
MSPs provide invaluable services to companies with minimal or no IT staff. When prospects sign on as customers, they expect the experts to be ready at a moment's notice to fix any issue covered by their contract. One request that arises is the infrequent, perhaps semi-annual, request for penetration testing. Perhaps the client is looking to assure its customers of an advantage in the marketplace. Maybe the client is about to acquire another business and needs to verify that business's security. Or it has a pending sale that will more than offset the cost of a pentest. Possibly it is pursuing SOC 2 or another certification, or entering the regulatory landscape of something like HIPAA or PCI DSS.
There is also an inherent expectation, implicit in the relationship if not explicit in the contract, that the MSP is responsible for securing the client's networks and computers. Clients may focus on adding technology while reducing administration, without understanding that each technology opens up more attack vectors. With this growing demand to ensure a client's security, above and beyond providing managed services, what can an MSP offer that creates a competitive advantage over other MSPs?
Improving Client Security
For MSPs, the focus is on IT services, and adding on internal security staff will be expensive, perhaps more than is worth any benefit. Moving from being an MSP to being an MSSP may prove too much of a resource burden.
One popular and necessary information security service is the vulnerability assessment. Vulnerability scans and assessments are essential to an organization's security posture and can be provided by an MSP, but an assessment is not a complete reflection of a company's true security stance because it lacks manual probing of systems. A client can also run vulnerability scans at will with inexpensive tools, so the scan alone is hard for an MSP to differentiate on. Internal penetration testing is beneficial too, but it is not vendor-neutral: it bolsters confidence in your security only as an addition to third-party testing.
Turning One-Off Purchasers into Customers
MSPs may have many break/fix clients who only interact with them when IT problems strike. What if more of those break/fix clients could not only see the benefit of managed services, but also be shown the advantage of better securing their infrastructure? What if the MSP could prove to customers that they have improved security because of the managed services?
Third-party penetration testing could turn break/fix clients into customers. Break/fix vendors send a professional IT technician to a customer’s location to analyze and determine system issues, then provide on-prem remedies. Businesses are charged for those services rendered, and the services don’t carry contracts or subscriptions with ongoing fees built in. If those one-off clients could be provided a fuller service by an MSP, it can prove to be a competitive advantage for both the MSP and the irregular customer.
The third-party model also keeps tests consistent. A client's internal pentesters tend to tailor the methodology around what they think should be tested, based on their knowledge of recent updates or changes, and they may have a conflict of interest in what they report. Third-party testers bring an objective view, make no assumptions about what should be tested, and are paid to be disinterested and impartial. Working with a provider who is not on your payroll leads to increased trust.
As an MSP, adding third-party pentesting to your repertoire can help customers create a better total security program. While you may implore your customers to implement X, they may decide against it (whether due to cost, lack of time, no interest, etc.). An independent penetration test might well bring up not only verified reasons for implementing X but could also uncover other vulnerabilities that can be solved by you as the MSP. This data will be beneficial both to the customer in their security program and to you, the MSP, as a provider of new and necessary services.
Offering pentesting services can assist an MSP if a current client needs to move from on-prem to a hosted platform. After such a major move, clients will want to ensure that their security posture has remained as effective as before, if not improved. They may also want a third-party baseline scan before moving to the cloud.
Third-party pentesting provides added insight into a customer's network security because it performs exploitation and post-exploitation to demonstrate the impact of an attack, for instance by attempting privilege escalation and lateral movement. Even if a pentest uncovers no blatant vulnerabilities (e.g., XSS, SQLi), this objectivity opens up other areas where the customer may be exposed. For example: what if a pentester finds a wiki or support site whose self-service sign-up does not validate who is registering, so that anyone can create an account and use it to pull organizational data, however minimal (ticket numbers and details, names, email addresses)? A third-party penetration testing firm can provide a wealth of actionable knowledge for both the client and the MSP.
Leveraging Teamwork
Hiring third-party testers relieves the resource burden on an MSP. Professional pentesters on staff are expensive: the initial certifications are pricey, and the ongoing training needed to stay current costs more. Outsourcing this makes sense for the same reason your customers rely on you, reduction of expenses. And while you may be able to afford some staff with certain certifications, your clients, for reasons such as regulations or internal policies, may require certifications you do not have. Your personnel may hold OSCP or CEH, but what if DoD clients require PenTest+, or other clients require GPEN? Hiring third-party pentesters greatly expands what you can offer, by selecting testers who are both expert and certified according to the needs of your clientele.
It may be too expensive to move to being an MSSP, so adding penetration testing services might be the right move.
Cybersecurity Crusaders' penetration testers have years of professional experience uncovering areas of weakness by simulating real-world attacks. The findings are compiled into a management-focused report that presents recommendations aligned with your business goals.
The D.A.E.R. penetration testing methodology provides a common, understandable, and repeatable framework for both the customer and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner to all parties involved.
In March 2021, the American Bar Association's Standing Committee on Ethics and Professional Responsibility released Formal Opinion 498. It guides lawyers conducting virtual legal practices as follows:
“In compliance with the duty of confidentiality, lawyers must make reasonable efforts to prevent inadvertent or unauthorized disclosures of information relating to the representation and take reasonable precautions when transmitting such information.”
To make a blanket statement about the world for most of 2020-2021: if something could be done virtually, it was done virtually.
While the pandemic response drove technology to new heights, it also drove cybercrime to new heights. Not far into the pandemic, a huge number of homes worldwide had become both a new workplace and a new attack vector.
“An attack on file-sharing company Accellion Inc. affected several law firms earlier this year, and clients are asking more and more questions about the security postures of the law firms they work with…Clients are getting better at managing their own risk, and with that I’m seeing a sharper and sharper look as well as greater scrutiny of providers, including law firms…Don’t just check the box…Have the lawyers and info security teams sit together and really collaborate.” (emphasis mine)
With law firms under increased security guidance and more intense scrutiny, they need to up their game in the protections they provide for the data of both their clientele and their firm.
The Importance of Trust
Trust is important. Even more so when it comes to all the confidential data that law firms must handle.
As an example: After a deponent has accepted the transcript of a deposition, that transcript is stored for permanent record. How important is it to the deponent, even to all parties involved, to keep that document secure? It may be available for distribution, but can it be changed? Part of the process is ensuring that it remains immutable. What could happen if someone was able to get in and change the deposition?
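As an added example, not from the original article, here is the mechanism behind "can it be changed?": a keyed integrity tag stored alongside the accepted transcript, computed with a key that the document store itself cannot read. The transcript text and the key are constructed for illustration; in production the key would live in an HSM or KMS and the tag (or a digital signature) would be recorded in a write-once log.

```python
"""Added example (not from the original article): detect any change to an
archived transcript with a keyed integrity tag.  Text and key are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed sample; a real transcript would be the finalised PDF or text file.
TRANSCRIPT = b"Q. Did you sign the agreement on March 3?\nA. Yes, I did.\n"

# In production this key comes from an HSM/KMS, not from the same store as the files.
ARCHIVE_KEY = secrets.token_bytes(32)


def seal(transcript: bytes, key: bytes) -> Dict[str, str]:
    """Record both a plain hash and a keyed tag for the accepted transcript."""
    return {
        "sha256": hashlib.sha256(transcript).hexdigest(),
        "hmac_sha256": hmac.new(key, transcript, hashlib.sha256).hexdigest(),
    }


def verify(transcript: bytes, key: bytes, record: Dict[str, str]) -> bool:
    """True only if the transcript still matches the keyed tag."""
    expected = hmac.new(key, transcript, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["hmac_sha256"])


def hash_only_check(transcript: bytes, record: Dict[str, str]) -> bool:
    """A plain hash comparison, shown to make its weakness visible: whoever
    can edit the transcript can usually edit the stored hash as well."""
    return hashlib.sha256(transcript).hexdigest() == record["sha256"]


def tamper(transcript: bytes) -> bytes:
    """Constructed attack: flip one answer in the transcript."""
    return transcript.replace(b"A. Yes, I did.", b"A. No, I did not.")


def forge_record_without_key(tampered: bytes, record: Dict[str, str]) -> Dict[str, str]:
    """What an attacker with write access to the archive but no key can do:
    update the unkeyed hash so that a hash-only check passes."""
    forged = dict(record)
    forged["sha256"] = hashlib.sha256(tampered).hexdigest()
    return forged


if __name__ == "__main__":
    record = seal(TRANSCRIPT, ARCHIVE_KEY)
    altered = tamper(TRANSCRIPT)
    forged = forge_record_without_key(altered, record)
    print("hash-only check on forged record:", hash_only_check(altered, forged))
    print("keyed check on forged record:", verify(altered, ARCHIVE_KEY, forged))
```

The point of the two checks side by side: a hash alone proves nothing if the same person who can rewrite the deposition can rewrite the hash next to it. The keyed tag (or a signature) ties the check to a secret the archive does not hold, which is what "immutable" has to mean in practice.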
In 2016, over 2.6 terabytes of data (11.5 million files) were exfiltrated from Mossack Fonseca, a law firm headquartered in Panama. The "Panama Papers" case was one of the largest breaches of all time and implicated numerous world leaders who had formed shell companies for offshore wealth management. (For more recent coverage, look up the "Pandora Papers".)
Two of the primary causes of the breach were:
1) unencrypted emails, and
2) an outdated Drupal server.
Additionally, the servers and workstations were not properly segmented.
While the first issue is largely a matter of user training (sensitive emails sent without encryption), the others are technical and might well have been discovered by having a third party test both the external services and the internal setup. The missing controls could have been found by internal personnel, but internal staff are prone to underestimate or tone down the severity of issues.
A class-action suit filed against the Chicago law firm Johnson & Bell in 2016 was the first of its kind regarding law firm data security, claiming the firm had committed legal malpractice by allowing information security vulnerabilities that put client information at risk.
The suit did not proceed as a class action, but it was a wake-up call to law firms to protect both their data and their reputations.
Confidentiality and Integrity
You’re likely familiar with the CIA triad – Confidentiality, Integrity, and Availability. For the jurisprudence realm, Confidentiality and Integrity are of utmost importance. While there are many security components involved in ensuring that information can only be seen and changed by those with the authority to see and change it, an important factor is penetration testing.
Whether you need a penetration test for compliance, for proving to customers that you take cybersecurity seriously, or you simply want to prove to yourself, your partners, and your staff that you have a strong security posture, Cybersecurity Crusaders will help.
The D.A.E.R. penetration testing methodology provides a common, understandable, and repeatable framework for customers and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner to all parties involved.
The T-Mobile data breach is scary because so much is unknown, but what little information is available tells us that the worst kind of personal data has been leaked for a lot of people. What’s more, it is difficult to know if your data was in the breach. But you do not need to panic.
You can gain peace of mind by taking a few safety measures that will be effective regardless of how bad this situation becomes.
What Do We Know So Far?
A quick review of the situation: T-Mobile suffered a massive breach but tried to keep it quiet until an article from VICE revealed it. T-Mobile acknowledged the breach, but its extent is not certain because the company has not been forthcoming with information. It is estimated that millions of people's data has been exposed, and it is some of the worst kind of personal information to lose: social security numbers, phone numbers, names, physical addresses, and driver's license information.
There are many articles that will give you a litany of security measures that you can take (signing up for an account with the social security administration, changing the two-factor authentication on all of your accounts, etc.). But there are a couple of comparatively quick actions specific to this breach that you can take right now that will address the heart of the problem.
What To Do?
Secure your T-Mobile account, put a freeze on your credit (even if you don’t have an account with T-Mobile, you are in danger if you ever let them run a credit check on you), and then seek out good security education.
Right now would be a good time to get a password manager (several good ones are free); if you are not interested, skip to the next paragraph. Bitwarden is a popular open-source choice that is convenient while still being very secure. A password manager captures your credentials whenever you log in to an account, with no effort on your part. Your vault is encrypted on your own device with a key derived from your master password, and only that encrypted vault is synced to Bitwarden's servers, so even if Bitwarden itself were breached the attacker would get ciphertext, not your credentials (provided your master password is strong and used nowhere else). Finally, and most importantly for our purposes here, the manager will suggest and save passwords that are random and unique. You will see why that matters in a moment.
Your T-Mobile Account
If you have a T-Mobile account, secure it by changing your password and adding an account passcode (or changing it if you already have one). Log in to your T-Mobile account before an attacker can and change the password to something unique.
While you are logged in, take advantage of T-Mobile's account passcode (PIN). It is what customer service uses to verify that a caller is really you, so it blocks many of the most widespread scams, which rely on someone impersonating you to reset your password or move your phone number to a SIM they control. You will need the passcode yourself for future password resets, so save it in your password manager.
Your Credit
Next, put a freeze on your credit. When someone steals your identity, you can eventually get your money and accounts back, but your credit can be irreparably damaged. A freeze prevents anyone from opening new lines of credit in your name until you lift it. Each of the three big credit bureaus (Experian, Equifax, and TransUnion) offers a freeze on its website, free of charge (federal law has required this since 2018), and you can also request one by phone. You have to freeze at each bureau separately.
Your Education
The best measure you can take to stay safe is to obtain quality security education for you and your colleagues to be aware of the tactics that are out there. You should consider making your business networks more secure by reaching out to Cyber Security Crusaders for assessment services with actionable steps. Just go to cybersecuritycrusaders.io to contact us or learn more.
Bonus Suggestion
If you feel like putting in a little extra effort, also change the password on any other account where you reused that same password. Do not go looking for those accounts by typing the password itself into a third-party website: a password you still use should never be handed to anyone, breach-search sites included. Instead, use the breach report built into your password manager, or check the password against Have I Been Pwned's Pwned Passwords service, which never receives the password (it works from a partial hash). To find which of your accounts have shown up in breaches, search by email address on haveibeenpwned.com. Then change the password on each affected account, choosing a unique one so you do not have to repeat this step if those sites are breached again.
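Added example, not from the original article: the safe way to check whether a password is in a known breach without ever sending the password anywhere. This is the k-anonymity scheme of the Have I Been Pwned Pwned Passwords range API (https://api.pwnedpasswords.com/range/{prefix}): only the first five hex characters of the password's SHA-1 are sent, and the match against the returned suffix list happens locally. The range response below is constructed so the block runs offline; the first suffix is the real SHA-1 tail of "password", but the counts are illustrative, not live figures.

```python
"""Added example (not from the original article): Pwned Passwords k-anonymity
check.  Only a 5-character hash prefix ever leaves the machine.  The sample
range response is constructed so this runs offline."""
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Find the local suffix in a 'SUFFIX:COUNT' range listing; 0 if absent."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix.upper():
            return int(count or 0)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Real fetcher (network): GET the range for a prefix.  Add-Padding makes
    every response a similar size so an observer cannot infer the prefix
    from the response length."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """How many times the password appears in the corpus (0 = not found).
    The password itself is never passed to fetch_range, only the prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed offline stand-in for the range endpoint.  The second suffix is
# the real SHA-1 tail of "password"; the counts are illustrative only.
SAMPLE_RANGE_5BAA6 = """\
1E2A8C7F5D14C3B0E7E5A1B2C3D4E5F6A7B:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2B1C7E5A1D23C5B8F4E6D7A8B9C0D1E2F3A:0
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in fetcher used in this example instead of the network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, offline_fetch))
```

To run it against the live service, call `breach_count(pw)` with the default fetcher. Zero-count lines appear in padded responses and are harmless; what matters is that the server only ever learns one of 16^5 prefixes, never the password or its full hash.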