Web Application Security

Protecting Web Apps Protects the Company and Customers

Web application security refers to the measures and practices taken to protect web applications from unauthorized access, data breaches, and other malicious activities. It involves implementing relevant techniques, technologies, and best practices to ensure the confidentiality, integrity, and availability of web applications and their supporting systems.

The following factors underpin the importance of Web Application Security.

  • Data Protection: Web applications often handle sensitive user information such as personal details, financial data, and login credentials. Without proper security measures, this data becomes vulnerable to theft, manipulation, or destruction.
  • Compliance Requirements: Many industries must meet specific compliance standards and regulations, such as the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI DSS). Non-compliance can result in severe legal consequences and financial penalties.
  • Protection against Attacks: Web applications are prime targets for various cyber attacks, including XSS, SQL injection, and DDoS attacks. These attacks can lead to unauthorized access, data loss, service disruption, and reputational damage.
  • Business Continuity: A successful cyber attack or breach can significantly impact the availability and functionality of a web application. Downtime and loss of functionality can result in financial losses, disrupted operations, and dissatisfied customers.
  • Competitive Advantage: Being able to demonstrate one’s security posture has become a crucial competitive differentiator. Organizations that prioritize web application security and demonstrate their commitment to protecting user data gain a competitive edge. By offering a secure and reliable application, businesses can attract more users, retain existing customers, and differentiate themselves from competitors.

Common Threats to Web Applications

Here are some common web app threats (many more are listed in the various OWASP projects: Top Ten Web Application Security Risks, API Security Top Ten, and the draft OWASP Top 10 for Large Language Model Applications).

  • Cross-Site Scripting (XSS) attacks: Exploiting vulnerabilities to inject malicious scripts into trusted websites, allowing unauthorized code execution in browsers.
  • SQL injection attacks: Manipulating user input to inject malicious SQL queries into a web application’s database, potentially gaining unauthorized access or executing arbitrary commands.
  • Cross-Site Request Forgery (CSRF) attacks: Forcing authenticated users to unknowingly perform unwanted actions on a web application by exploiting their existing session credentials.
  • Session hijacking and session fixation: Unauthorized individuals gaining control over a user’s session by intercepting or manipulating session identifiers, allowing them to impersonate the user and potentially access sensitive information or perform malicious actions.
  • Brute-force attacks: Repeatedly attempting various combinations of usernames and passwords to gain unauthorized access, exploiting weak or easily guessable credentials.
  • Distributed Denial of Service (DDoS) attacks: Overwhelming a web application’s resources or infrastructure by flooding it with a massive volume of requests from multiple sources, leading to service disruption or complete unavailability for legitimate users.

Best Practices for Web Application Security

It’s never good to stick only with what could go wrong. Here are actions to take to secure web applications:

  • Input validation and data sanitization: Ensuring that all user input is properly validated and sanitized to prevent malicious input that could lead to security vulnerabilities.
  • Implementing secure authentication and authorization mechanisms: Implementing robust authentication and authorization mechanisms to verify the identity of users and control access to resources.
  • Using encryption and secure communication protocols (HTTPS): Employing encryption and secure communication protocols, such as HTTPS, to protect data transmission between the client and the server.
  • Regularly updating and patching software components: Keeping all software components, including frameworks, libraries, and dependencies, up to date with the latest security patches and updates.
  • Employing strong password policies and multifactor authentication: Enforcing strong password policies, including complexity requirements, and implementing additional authentication factors for enhanced security.
  • Conducting security testing, vulnerability scanning, and code reviews: Performing regular security testing, vulnerability scanning, and code reviews to identify and address any potential security weaknesses or flaws.
  • Implementing a Web Application Firewall (WAF): Deploying a Web Application Firewall (WAF) to monitor and filter incoming and outgoing web traffic, protecting against common web attacks.
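As an added example (not code from the original page), here is the SQL injection threat listed above set beside the input-handling and authentication practices: a login lookup built by string concatenation next to its parameterized, hashed-password form. The function names and the sample credentials are constructed for the demonstration.

```python
"""Login lookup: string-built SQL (vulnerable) beside a parameterized,
hashed-password version (hardened). Constructed demo using sqlite3 in memory."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credentials for the demonstration.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct-horse-battery"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored credentials are not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_vulnerable_db() -> sqlite3.Connection:
    """Plaintext passwords, queried by string concatenation (the 'before')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # User input is pasted straight into the SQL text, so a quote character in
    # the input changes the query's structure instead of being treated as data.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def make_hardened_db() -> sqlite3.Connection:
    """Salted PBKDF2 hashes; the password is never stored or compared in SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (SAMPLE_USER, salt, _pbkdf2(SAMPLE_PASSWORD, salt)))
    return conn


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The placeholder binds the input as a value, so no quoting can alter the
    # statement. The password check happens in code, in constant time.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


if __name__ == "__main__":
    injected = "' OR '1'='1"   # classic tautology; harmless against the hardened form
    v = make_vulnerable_db()
    print("vulnerable, real password :", login_vulnerable(v, SAMPLE_USER, SAMPLE_PASSWORD))
    print("vulnerable, injected input:", login_vulnerable(v, SAMPLE_USER, injected))
    h = make_hardened_db()
    print("hardened,   real password :", login_hardened(h, SAMPLE_USER, SAMPLE_PASSWORD))
    print("hardened,   injected input:", login_hardened(h, SAMPLE_USER, injected))
```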

Emerging Trends and Technologies in Web Application Security

New technologies always bring new risks and threats, but they also bring benefits. Some new trends that do just that are:

A. Machine Learning and AI-based security solutions: Machine Learning (ML) and Artificial Intelligence (AI) are being leveraged to develop advanced security solutions that can detect and mitigate sophisticated attacks.

B. Behavior-based anomaly detection: Behavior-based anomaly detection techniques focus on monitoring and analyzing the behavior of users, systems, and applications.

C. Containerization and microservices security: Containerization and microservices architectures provide increased flexibility and scalability for web applications. From a security perspective, they offer improved isolation, making it harder for an attacker to compromise the entire system if one container or microservice is breached.

D. Serverless architecture and security implications: Serverless architecture (where applications run on third-party infrastructure without the need for managing servers) can positively impact web application security. The cloud provider handles infrastructure security, including updates and patching. This allows developers to focus more on application-level security.

Security Awareness and Training

Security Awareness and Training extends well beyond having every employee watch a 15-minute video once a year. Those developing the applications need to be aware of these items to properly create a secure web app ecosystem:

  • Growing Threat Landscape: By staying aware of the latest security threats and trends, organizations can proactively adapt their security measures to mitigate new risks and vulnerabilities.
  • Rapid Technological Advancements: New features, APIs, and architectural approaches introduce both opportunities and risks. Ongoing security awareness ensures that developers and security teams stay updated on best practices and techniques to secure the latest technologies, preventing security gaps in newly implemented features.
  • Compliance and Regulatory Requirements: Compliance standards and regulations related to web application security are subject to updates and revisions. Ongoing security awareness ensures that organizations stay informed about any changes in compliance requirements, enabling them to adapt their security practices and maintain compliance with industry regulations.
  • Continuous Improvement and Adaptation: The security landscape is a dynamic environment, requiring a proactive and iterative approach. Ongoing security training promotes a culture of continuous improvement, encouraging organizations to regularly evaluate and enhance their security practices, perform security testing and audits, and adopt emerging security technologies and methodologies.
  • User Trust and Reputation: Web application security directly impacts user trust and an organization’s reputation. Users expect their data to be protected, and any security incidents or breaches can significantly damage trust in the application and the organization behind it.

Earning Trust

Having a third party test your web applications, whether upon major releases or on a regular schedule, is important to gaining and maintaining customer trust in the security of your applications. Contact us today to find out how Cybersecurity Crusaders can align with you and your business in your journey to trust and security.

The Value of Vulnerability Assessments

Vulnerability Assessments and Penetration Tests

It’s well known that a vulnerability assessment is not a penetration test. This is often said to point to the superiority of a penetration test (pentest). Pentests are definitely superior in that they recreate what a threat actor could potentially do.

A couple of potential drawbacks to pentests compared to vulnerability assessments are that pentests a) have a higher cost, and b) take much longer than vulnerability assessments.

A couple of steps down from pentests is the simple vulnerability scan. These can easily be performed by software (paid or free) and are good at pinpointing security vulnerabilities. Vuln scans are the easiest to perform – pick a scanner and run it – and that’s something anyone can do.

What’s missing in vuln scans is the ability to properly determine false positives, and they can even present false readings. Adequately discerning the real threats requires a vulnerability assessment.

Vulnerability assessments are a good step up from vuln scans, taking more time because they require analyzing the validity of the finding and assigning the real applicability of the risk and the remediation. Good assessments categorize security risks, assign risk levels, and offer remediation suggestions.

What does an assessment look like?

Here are a couple of examples of findings that have to be determined and ranked:

A) The scan finds a vulnerability and rates it as High, e.g., a scan detects SharePoint 2010 running. SP 2010 is end-of-life (though one could have paid for extended support). Best practice is to have it on the latest version – if there was a compromise due to the known out-of-date software, a vendor might not offer support during a breach, and cyber insurance probably will not cover it. But this finding may actually be SharePoint 2013 running in backward compatibility mode. In that case (as of this writing) the software is still under support. The scan found something that only a proper assessment could determine was false, avoiding potential panic (though it does need to be upgraded soon).

B) If the finding is a true positive – e.g., Windows XP is discovered and the box is truly WinXP – then the next step is to determine if the finding is relevant. If that resource truly has an important role in the company, then it should be updated. But if it’s a test computer – maybe kept around for testing legacy software to ensure backward compatibility for an Operational Technology (OT) machine – is not internet-facing, and does not hold critical data, then it may be OK to keep around.

The recommendation will probably include the need to ensure that this old machine is not accessible from the rest of the network and is tightly controlled. The scan picked up a true risk, but properly assessing the criticality required extra time, perhaps in the form of interviews and fact-finding. In general, a resource is considered critical to operations if it 1) has important data (e.g., PII, corporate, confidential) and 2) faces the internet (not necessarily just having a webpage). Not only do these devices need to be scanned, but they need proper assessment.

What Are the Benefits?

Vulnerability assessments require expertise and dedicated time to decipher and investigate the results properly, and not all companies have the right in-house resources to take care of scanning, assessing, testing, patching, and re-scanning.

A company may not need a pentest because of the industry or lack of a need to comply with certifications or regulations. Pentests may also be cost prohibitive; their greatly increased performance comes with a bigger price tag.

One may have available personnel to perform updating and upgrading, but may not have the appropriate personnel, tools, and technology to gain an accurate view of the security posture. Vulnerability assessments are a vital, though often undervalued, component of cybersecurity.

Third-party vuln scans can increase reputation. There’s the chance that customers and prospects can view internally-run scans as a conflict of interest. Third-party assessments – even performed infrequently – can boost a company’s credibility, knowing that the assessments are objective, with recurring assessments demonstrating that the company attended to the previously reported findings. Additionally, a professionally produced report builds confidence and leaves a paper trail for orgs to see their progress and hold personnel accountable.

Assessment reports can also be used to obtain proper funding for IT and Security initiatives by demonstrating more objectively what threat actors really can see from the outside; it’s not just in the imagination of internal staff. The more that vulnerabilities appear on repeated reports, especially when shared as part of security questionnaires, the better the chance that upper management will provide resources to attend to the findings. Cybersecurity Crusaders is ready to scan and assess your corporate environment.

Contact us today so we can help you discover and prioritize your security and IT resources.

SIM-Swap Fraud

Figure 1 – photo from pixabay.com

SIM-swap fraud is an increasingly widespread means for hackers to steal access to your phone number and then your identity. We will explain how SIM-swapping works and how you can keep yourself safe.

A “SIM-swap” means that a hacker has stolen access to your phone number and rerouted calls and texts to themself instead of you. This enables them to then steal your identity. But the first step is the SIM-swap.

How Does This Work?

Your smartphone has a SIM (Subscriber Information Module) card in it, which is basically a piece of plastic with a chip in it that holds the phone number and some account data. Normally, you take a SIM card out of one phone, put it in a second phone, and then all calls to the phone number will go to the second phone instead of the first.

But if your phone is stolen or lost, you can buy a new phone with a new SIM card and ask your phone service provider to use their system to switch your phone number from the old SIM card to the new one. This reroutes all traffic to the new phone and SIM card.

Hackers take advantage of this system by pretending to be you and asking your phone service provider to switch your phone number from your SIM card to theirs.

The main factor in a SIM-swap is for the hacker to convince the victim’s service provider that they are the true account owner. In order to make sure that the customer representative is speaking with the supposedly true owner of the phone number, they will ask some questions that require personal knowledge of the owner.

How does this happen?

The standard security measure for email services is to offer two-factor authentication (also known as 2FA) to make sure no one else logs into your email. Typing your password is the first factor, and the second factor is usually that the email service sends your phone a text message with a passcode in it. Then you type in the passcode and the email service lets you change the password to your account. Email services will typically ask for your phone number when you sign up for the sake of 2FA. There are other, better forms of 2FA, but the text message method is often the default setting. We’ll discuss better methods later.

When the hacker has your phone number THEY will receive the text message with the passcode, not you.

Because the hacker does not know your password, they can click on the “Forgot My Password” option and, as we just noted, the default security measure is usually for the email provider to send a text message to your phone with a unique code that is needed to log in. Because the hacker SIM-swapped your phone, the security text will go to the hacker’s phone instead of yours. After logging in, the hacker can reset your password, so you are locked out of your account.

Unfortunately, this is only the beginning. The “Forgot My Password” option on the rest of your accounts (think of your credit cards, social media, bank, etc.) is usually set by default to send a link or code to your email or phone. After taking over your email, the hacker can gain access to your other accounts and lock you out.

If you are a manager or a business-owner, the threat is not just against you personally. If your employees are targeted, a hacker could use an employee’s account to potentially gain access to your business network.

Figure 2 – photo from unsplash.com

How They Do It

Consider a hypothetical hacker that only knows your phone number. Even if you never post any information about yourself on social media, a hacker is still able to find enough relevant information about you to pull off a successful SIM-swap while relying only on using publicly available sources.

To start with, the hacker needs to know which service provider to call. They can use websites such as Free Carrier Lookup, which will identify any phone number’s service provider for free.

The next step is to find out enough information about you to pass the security questions.

A January 2020 study from Princeton University proved it is generally easy for someone, such as a hacker, to call a phone carrier’s customer service and pretend to be the owner of someone else’s phone number. The standard practice is for the service representative to ask the caller (the hacker) a few questions about the phone’s true owner. The hacker just needs to do some research on the phone number, using the methods described below, and then they will be able to correctly answer enough of those questions to “prove” that they are the true owner.

How They Find Your Personal Information

There are several free websites (truepeoplesearch.com, fastpeoplesearch.com, thatsthem.com, freepeoplesearch.com) that reveal personal information about any phone number’s user.

Figure 3 – photo from fastpeoplesearch.com

To showcase how this works, I chose a random phone number to research as an example. Below you see the initial results revealing the user’s name, month and year of birth, and address.

Figure 4 – photo from fastpeoplesearch.com (with partially redacted information)

If we scroll down, we see the user’s email address, as well as former addresses and approximate dates when they lived there. If we click on any of these data points (names, phones, addresses, email) the site will show all other data points associated with it, which enables a hacker to delve further and further into the victim’s background.

Figure 5 – photo from fastpeoplesearch.com (with partially redacted information)

The site lists “possible relatives,” which are likely identified based on whether these people were registered to the same phone or address during the user’s childhood years.

Figure 6 – photo from fastpeoplesearch.com (with partially redacted information)

Finally, in the screenshot below you see how one site explains why it believes it has identified the phone owner’s spouse.

Figure 7 – photo from fastpeoplesearch.com (with partially redacted information)

How to Stay Secure?

The best measure you can take to stay safe is to obtain quality security education for you and your colleagues to be aware of the tactics that are out there. You should consider making your business networks more secure by reaching out to Cyber Security Crusaders for assessment services with actionable steps. Just go to cybersecuritycrusaders.io to contact us or learn more.

The following steps are effective against these threats. If you own a company, you can start by educating your workforce on the risks and setting up the following safety measures for your employees.

1 – Most phone service providers will let you set up a password to use in case your phone is lost or stolen. If you choose to use this method, consider getting a password manager (such as Bitwarden, NordPass, or Dashlane).

2 – Start using an authenticator as your 2FA instead of text messages. If you have an authenticator app, it will stay on your physical phone even if your phone number is transferred to another phone. If your physical phone is stolen, you can reset the authenticator on a new phone by using a pre-set password (which is one more reason to get a password manager).

3 – Sign up for a free account on a data breach website like HaveIBeenPwned.com that will notify you as soon as your phone number or other information appears in a data breach so that you know to change your password.
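As an added illustration of step 2 (not code from the original article), this is how an authenticator app’s code is derived: from a secret stored on the device plus the current time, with the phone number playing no part, so rerouting text messages to another SIM yields nothing. The function names are assumptions, and DEMO_SECRET is the RFC 6238 reference test secret rather than a real enrollment.

```python
"""Time-based one-time passwords (RFC 6238 TOTP built on RFC 4226 HOTP).
The six-digit code depends only on a device-held secret and the clock; the
server verifies it with its own copy of the secret, never via SMS."""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference test secret (ASCII "12345678901234567890"), used here as a
# fixed, constructed example; a real app enrolls a random secret per user.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    # 31-bit big-endian integer taken from the four bytes at the offset
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = 6) -> str:
    """The HOTP counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(at_time // STEP_SECONDS), digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock
    drift. The comparison is constant-time so timing does not leak digits."""
    counter = int(at_time // STEP_SECONDS)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)          # what the authenticator app displays
    print("device shows:", code)
    print("verifier accepts:", verify_totp(DEMO_SECRET, code, now))
```

The assertions below use the published RFC 4226 and RFC 6238 test vectors for this secret, so the implementation can be checked against the standard rather than against itself.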

These safety measures are straightforward and convenient. This article might be frightening, but you can stay safe with good security education and some simple measures.

T-Mobile Breach

Image from depositphotos.com

The T-Mobile data breach is scary because so much is unknown, but what little information is available tells us that the worst kind of personal data has been leaked for a lot of people. What’s more, it is difficult to know if your data was in the breach. But you do not need to panic.

You can gain peace of mind by taking a few safety measures that will be effective regardless of how bad this situation becomes.

What Do We Know So Far?

A quick review of the situation is as follows: T-Mobile suffered a massive breach but tried to keep it quiet until it was revealed by an article from VICE. T-Mobile acknowledged the breach, but its extent is not certain; the company has not been forthcoming with information. However, it is estimated that millions of people’s data has been exposed, and it is some of the worst kinds of personal information to lose. This data reportedly includes social security numbers, phone numbers, names, physical addresses, and driver’s license information.

There are many articles that will give you a litany of security measures that you can take (signing up for an account with the social security administration, changing the two-factor authentication on all of your accounts, etc.). But there are a couple of comparatively quick actions specific to this breach that you can take right now that will address the heart of the problem.

What To Do?

Secure your T-Mobile account, put a freeze on your credit (even if you don’t have an account with T-Mobile, you are in danger if you ever let them run a credit check on you), and then seek out good security education.

Right now would be a good time to get one of the many free password managers, but if you are not interested you can skip to the next paragraph. Bitwarden is widely considered the most convenient while still very secure. A password manager will automatically (no effort on your part) log your credentials whenever you log into an account and save them locally. This last part is important because it means that the company does not have its clients’ credentials in a central database and therefore if the company Bitwarden were breached, your credentials would still be safe. Finally, and most importantly for our purposes here, Bitwarden will suggest and save passwords that are random and unique. You will see why that is so important in a moment.

Your T-Mobile Account

If you have a T-Mobile account, secure it by changing your password and adding a passcode (or changing that too if you already have one). Log into your T-Mobile account before a hacker can and change the password to something unique.

While you are logged into your account, take advantage of a special function in T-Mobile that lets you set up a unique passcode. If you want to reset your password in the future, you will need the passcode, so make sure you save it to your password manager. This simple act will prevent many of the most widespread scams, which often rely on people pretending to be you and trying to reset your password. But that is beyond the scope of this article.

Your Credit

Next, put a freeze on your credit. When someone steals your identity, you can eventually get your money and accounts back, but your credit can be irreparably damaged. A freeze on your credit will keep it safe and prevent hackers from opening new lines of credit in your name. Go to the three big credit agencies (Experian, Equifax, and TransUnion) and there is an option on each of their websites to freeze your credit. And of course, you could just call them too.

Your Education

The best measure you can take to stay safe is to obtain quality security education for you and your colleagues to be aware of the tactics that are out there. You should consider making your business networks more secure by reaching out to Cyber Security Crusaders for assessment services with actionable steps. Just go to cybersecuritycrusaders.io to contact us or learn more.

Bonus Suggestion

If you feel like putting in a little extra effort, you can also change the password on any other accounts where you used that same password. If you don’t want to try to remember each of those accounts, you can just look up which of those other accounts (where you used the same password) were also exposed in data breaches. Find those accounts by searching your password on data breach websites like Leakpeek.com and Dehashed.com. The results will show any accounts that were exposed in a data breach that used that same password. Look in those results for your accounts and go change your password (preferably choose a unique password so you don’t have to do this step again if those sites get breached again).

The D.A.E.R. Penetration Testing Methodology

“… cloud assets deserve a seat at the grown-up security table and a piece of your budget pie.”

According to Verizon’s 2021 DBIR, web applications are such a common target that they deserve as much attention as on-prem assets, if not more. And the continued high number of publicized breaches of web resources such as databases and web applications makes a great case for making security for your web-facing assets a top priority.

Do you know how many web-facing assets you really have? Are you able to objectively validate the security of each of those assets? When was the last time you had someone test for vulnerabilities?

While many cyberattacks are motivated by financial gain, espionage, or even FIGs (fun, ideology, grudges), the steps for prevention are the same: know what you have, update or upgrade it, and test your publicly viewable assets against real-world threats.

To secure against these threats, businesses need to have someone on their team who thinks like an attacker – What’s the path of least resistance? What path would they not expect someone to take? Are there any times when the potential victim is not aware?

With our experience in securing information systems by thinking like the attacker, we help you in the following ways:

  • Identify IT vulnerabilities that expose your critical business assets to cyber criminals.
  • Identify your IT vulnerabilities and proactively shore up weaknesses before an attack.
  • Expose holes in your security before an attacker does, helping you address them before they become critical liabilities.

It’s easy to think, “It can’t happen to us – we’re too small/unimportant/under the radar.” Sadly, readily available technology allows cyber criminals to scan systems all around the world from anywhere in the world, and at any time. The bad guys have automated systems ready to scan the internet, they press “Go,” go to bed, then wake up to see what they found. They could have found you. And that’s why we’re here to help.

OUR TESTS

Web Application Testing

Web application penetration testing involves testing the security integrity of everything from APIs to websites. Web application testing answers the following questions:

  1. What services are exposed to the internet?
  2. What ports are open that should be closed?
  3. What can researchers find out about your website simply by searching on Shodan?
  4. Does what is revealed by open-source intelligence investigation reflect what you want others to know?
  5. Is your web app vulnerable to any kind of SQLi, XSS, or other vulnerabilities noted in the OWASP Top Ten?

External Network Testing

Network Penetration Testing will uncover exactly how systems respond to an actual cybersecurity threat. These tests answer the following questions:

  1. What services do your servers expose to the internet?
  2. What firewall ports are open that should be closed?
  3. What can researchers find out about your external network simply by searching on Shodan?
  4. Using freely available research tools and techniques, what can anyone in the world see about your public-facing resources?

Vulnerability Security Assessment

Vulnerability scanning can help by pinpointing security vulnerabilities. Good scans categorize security risks, assign risk levels, and offer remediation suggestions.

OUR METHOD

Regardless of the security assessment performed (network, penetration, vulnerability, secure code review), our method remains the same.

With our knowledge leadership and extensive experience in information assurance and cybersecurity, Cybersecurity Crusaders has formulated its own Security Assessment methodology to identify, assess, and report on the risks faced by an organization’s critical information assets. We assess the effectiveness of your organization’s security controls by subjecting IT systems to real-world attacks. By using Cybersecurity Crusaders’ D.A.E.R. methodology, your organization receives verified information tailored to its needs.

D.A.E.R.

Our Approach to Security Assessments

Each company has different security needs, so each penetration test has to be crafted to produce relevant results for that organization. Perhaps you have just one web application page with one database behind it that needs to be tested. Or perhaps you have both web and mobile apps. Whatever the case, our testing framework allows us to customize each and every test to a company’s needs, while maintaining the methodical approach necessary for a professional and technical security test.

Here is our methodology:

DISCOVER

The security assessment cycle begins with the DISCOVER phase. During this phase, target systems, network ranges, ports and services, and vulnerabilities in running services and configurations are identified through a series of reconnaissance exercises. The objective of this stage is to identify your organization’s critical assets.

ANALYZE

During the ANALYZE stage, findings from the previous stage are analyzed from a business perspective to effectively translate the vulnerabilities into business risks.

EXPLOIT

The essence of a security assessment lies in its approach, i.e., testing systems against real-world threats. Consequently, during the EXPLOIT phase, techniques used by hackers and crackers are simulated in a controlled environment to prove and verify the identified vulnerabilities and to assess the extent of their effects.

REPORT

The success of a security assessment exercise depends on the actions and steps taken by the organization to mitigate the risks. To ensure the success of the entire exercise, comprehensive reports are presented and submitted to management during the final REPORT stage. Additionally, a compliance report and a risk assessment report, along with a strategic risk treatment plan, are developed specifically for your organization.

Cybersecurity Crusaders can assess a customer’s IT infrastructure by performing security assessments of all the channels, whether human, physical, wireless, or data networks.

The final report includes all attempts (both successful and unsuccessful) by the testing team to exploit the provided scope items.

What’s included in each test?

Whatever test you select, you can expect the following:

  • On-budget
  • A talented Security professional who will be part of your team for the duration of the contract
  • Testing by certified ethical hackers
  • Continuous communication so that you always know the status of the test
  • Confidentiality throughout the entire process
  • Discovery of at-risk technologies
  • Identification of vulnerabilities
  • Adaptive testing, where you determine what vulnerabilities are true risks to your org
  • A comprehensive assessment report for management and C-suite presentations
  • Actionable mitigation plan to guide your IT and Security teams

Benefits of Third-Party Penetration Testing

Every business needs to demonstrate ROI for their security testing. Here are some benefits:

  • Increased Reputation – Customers receive confirmation that their confidence in both your security posture and your commitment to continually improving security is well placed.
  • Compliance – Our Readiness Assessment receives attestation that your technical industry, state, and federal security requirements are met.
  • Risk Remediation – The C-Suite and your Board receive objective reports regarding relevant risks and how they need to be remediated to reduce any current security vulnerabilities.
  • Verification of Current Security Controls – Your IT and Security Management will be able to validate and/or adjust security controls after testing is completed.