Application Security Testing Checklist

16 January, 2017

Web applications have provided a convenient way for businesses to offer better services to the customers. However, security is one of the biggest concerns while developing an app as even a minute vulnerability can provide a backdoor for the hackers to initiate a malicious attack. It is important to have a strategic testing procedure throughout the app development process. The process involves an in-depth analysis to identify the technical flaws or security vulnerabilities in the app and subsequently repair them. It ensures that the app can adequately protect important data and serve its intended functionality.

Given below is a complete checklist for application security testing:

Threat Modeling

Threat modeling is the first and most crucial step in testing a web application’s security. It involves analyzing the application bit-by-bit to map down the entry points, data flow and identify the exact location of the existing vulnerabilities. Thread modeling also includes ranking the vulnerabilities in order of severity and devising suitable countermeasures for the same.

User Authentication

Proper authentication mechanism is important to eliminate the risk of a brute force attack, making sure that only the authorized users and servers can have access. It should be verified that account suspension mechanism is working accurately and triggers a lock-out after repeated failed login attempts. Testing can be done by entering wrong combinations of username password till the account gets locked.

Access To Application

After the user’s login credentials have been authenticated by the application, the next thing to determine is the type of data he can or cannot access. Superfluous elevated rights can pose a risk of data breach. You can create multiple user accounts and set different access rights for each of them. After this, login with all the accounts and try to access the modules, screens, forms as well as menus. If any security issue is found, it needs to be corrected immediately.

Session Management

Session hijacking attacks are quite common in web applications. Hackers may attempt to steal the cookies of an already authenticated session to get control of the user’s access rights. In another form of session hijacking, the hacker may also passively capture the login credentials of the user. In order to protect the app users’ information, make sure that the cookies do not contain any sensitive information. Also, the session IDs should be unique and generated randomly after authenticating the user’s identity.

Contact Centex Technologies for more information on application security testing. We can be reached at (855) 375 – 9654.

,

Security Risks Of Typosquatting

10 January, 2017

Typosquatting, also referred as URL hijacking, is a type of cybersquatting attack in which the hacker takes advantage of commonly misspelled alphabets in a website’s URL. When a user makes a typographical mistake, such as entering ‘g’ instead of ‘h’ due to the proximity of both keys on the keyboard, he may get redirected to a spam website controlled by the hacker.

Cybercriminals often create bogus websites that have similar design and layout as the target website. This is done to ensure that the visitors do not realize that they have landed on another website. At times, typosquatting attempts may be intended to promote a competitors’ product or service but, in most cases, they are initiated to serve a malicious purpose.

Typosquatting attacks may be aimed at:

  • Deceiving unsuspecting victims to reveal their personal identifiable information, such as username, password, social security number, bank account and credit card details. This may be done by compelling users to click on a pop-up advertizement that offers some sort of discount or giveaway.
  • Tricking users into downloading spyware, malware or other malicious program on the computer system. Once you install the application, it may breach your network security, steal important data or record the keystrokes.
  • Redirecting web traffic to a dating portal or competitor’s website.
  • Freezing the user’s web browser for fake tech support scams to extract money in exchange of fixing the problem.
  • Earning revenue by making users click on advertizements posted on the typosquat website.

How To Protect Against Typosquatting?

  • Be very careful while typing a website’s URL in the browser’s address bar. If you are not sure about the spelling of the website, cross check it on Google or any other search engine to avoid inadvertently landing on a fake website.
  • Do not open links sent in emails, particularly from unknown senders.
  • Bookmark the most frequently visited websites so you can easily visit them whenever required.
  • Get a comprehensive security software to protect against phishing attempts, spyware and malware attacks.
  • Do not register with the same password on all websites. This way, if you accidently reveal your credentials on one website, it won’t affect the security of other online accounts.
  • Business owners can consider purchasing multiple domain names similar to their primary URL to avoid being a victim of typosquatting.

For more details about the security risks of typosquatting and how to guard against them, feel free to contact Centex Technologies at (855) 375 – 9654.

,

Identifying An Advanced Persistent Threat

27 December, 2016

Advanced persistent threats (APTs) pose a big network security challenge for the business firms. These forms of attacks are very well-organized and involve the use of phishing techniques to trick users into downloading a malware on to their computer systems. However, the ultimate objective of an advanced persistent threat attack is far more than compromising the network security. It aims at stealing valuable intellectual data of the company, such as project details, business contracts, patent information, sales data etc.

Advanced persistent threats generally work stealthily and can go undetected for long periods of time, which makes it even more important to employ the necessary security procedures. Though these attacks are difficult to detect, there are certain signs that indicate that your network has been compromised:

Presence of widespread backdoor Trojans

In an advanced persistent threat, the hackers install various backdoor Trojans to gain access to the target computer system, even if the log in credentials are changed. These Trojans are commonly deployed through social engineering techniques, mainly through a phishing email or drive-by download.

Unexpected information flows

If you suspect unexpected and enormous flow of information from your corporate network to other internal or external computer systems, this may indicate an advanced persistent threat. As these attacks are targeted at stealing confidential information about the company, even a limited amount of unauthorized data transfer should not be overlooked.

Increase in log-in attempts during late night

If you notice a sudden and extensive number of log-in attempts on your official email accounts, it may indicate an advanced persistent threat. This may be done to compromise the security of your entire corporate network. The hackers mainly breach accounts outside the normal working hours of your employees or late at night.

Use of pass-the-hash hacking technique

Pass-the-hash is a common hacking technique in which the cybercriminals aim to remotely connect to your company’s internal network by capturing the password hash of the admin account. With this, they can gain an easy access to the entire network, without having to breach the original password.

Unexpected data bundles

Advanced persistent threats often accumulate the confidential data inside the network before transmitting them to the hacker. The data may be found in an unidentified file or folder where it should not be ideally stored. The files are most often saved in a compressed or archived format.

We, at Centex Technologies, are a leading IT security consulting firm in Central Texas. For more information and prevention tips for advanced persistent threats, you can call us at (855) 375 – 9654.

,

The Different Types Of Web-Based Attacks

20 December, 2016

With majority of the business operations being conducted online, web based attacks are continually on the rise. Cyber criminals devise innovative and more sophisticated techniques to exploit unpatched vulnerabilities in the web applications. The motive behind these attacks may be different, to steal a company’s sensitive information, display spam advertizements on the website or download malware to the user’s computer.

Discussed below are the different types of web based attacks:

Structured Query Language (SQL) Injection

SQL injection is a common technique that involves injecting a malicious code to alter the sensitive information in the website’s back-end database. It may also be performed to steal payment card details, username and password as well as insert spam links to the website. SQL attacks are quite easy to execute and can severely compromise the data security of a company.

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) can be defined as a client-side code injection attack in which the hacker injects a malicious script, predominantly JavaScript, in a legitimate website. As these scripts appear to be from a trusted source, they are often executed by the end users. This, in turn, allows the hacker to gain access to the cookies, session tokens, passwords and other sensitive information.

Drive-By Downloads

In this type of attack, the hackers tamper a web application with an HTML code that stealthily downloads a malware whenever a user visits the website. Once downloaded, the program may execute itself to record keystrokes, access important files, hijack online banking sessions or use the computer as a part of botnet.

Brute Force

Brute force attacks are mainly targeted attempts to decode a user’s login credentials. In this, the hackers use a trial and error method using different user names as well as passwords till they are able to identify the correct one. Creating strong passwords and limiting the number of invalid login attempts may help to prevent a brute force attack.

DoS And DDoS

Denial of service (DoS) and distributed denial of service (DDoS) attacks are carried out by flooding a website with traffic from multiple sources, making it unavailable for the genuine users. In a DoS attack, a single computer system may attempt to crash the target server with data packets. A DDoS attack is when multiple computers, widely distributed in a botnet, send simultaneous requests to slow down and ultimately halt the web server.

We, at Centex Technologies, can help to protect your corporate network from different web-based attacks. For more information, you can call us at (855) 375 – 9654.

,

Ways To Avoid Banking And Payment Fraud

13 December, 2016

Online banking and payment frauds are increasing at an alarming rate. Moreover, with the continuous emergence of ecommerce websites, more and more people are becoming victims of these fraudulent activities. Though online banking offers a lot of convenience, the security risks that come along with it necessitate the users to be extremely cautious while accessing their financial accounts.

Given below are a few tips that can help to avoid banking and payment fraud:

  • Enable Two Factor Authentication: The best approach is to use two factor authentication for all your online financial accounts. With this, you will have to enter your login credentials, along with the unique one time password (OTP) sent to your mobile number, to confirm any transaction. Thus, even if someone has your username and password, he would not be able to use them unless he gets the OTP.
  • Choose Strong Passwords: Create a strong and hard-to-crack password for your internet banking account. The password should ideally be 6 to 10 characters long and consist of uppercase, lowercase letters, numbers as well as symbols. Also, you should not store your password in your computer system, unless it is properly encrypted.
  • Avoid Clicking Through Emails: Be wary of phishing emails that require you to update your account information online. Also, do not click on any links embedded in such emails. They may contain a malicious code that redirects you to a fake website to record your banking credentials. It is safer to directly type in your bank website’s URL in the browser.
  • Access Your Accounts Securely: Do not access your financial accounts from open Wi-Fi hotspots. These networks do not use encryption and all the information you share can be easily viewed, accessed or modified by the hackers. Also, the website’s URL should begin with ‘HTTPS’ instead of ‘HTTP’ along with a small padlock icon in the address bar.
  • Log Out After Each Session: No matter you are using a personal/public computer system or a smartphone, it a good practice to log out after every online banking session. This will minimize the chances of becoming a victim of session hijacking and cross site scripting attacks. You should also clear the browser cache and history at the end of each session.

We, at Centex Technologies, offer comprehensive internet security solutions across Central Texas. For more tips on preventing online banking and payment fraud, you can call us at (855) 375 – 9654.

,