This advice has been collated by East Midlands Special Operations Unit (EMSOU) to raise awareness among businesses and the public.
If you require any further information, assistance or guidance please contact the EMSOU Protect Team EMSOU Protect Team or your local Force protect team.
Today’s cyber topic is OWASP Top 10
The World Wide Web is a sprawling network of computers with billions of websites advertising goods and services but websites with flawed security bring only financial loss and reputational harm.
The OWASP Top 10 identifies the ten most common threats to websites. Breaking the project down, we have:
Injection: A hacker will enter code into a website which extracts information from the database that sits behind it – including customer data or information about users sat on the internal network.
Mitigation includes:
• Turning code into text when a web page is submitted
• Using a Web Application Firewall (WAF) or a Database Activity Monitor (DAM)
• Using parametrised queries so any communication with a back-end database is
secure.
Broken Authentication: Permits a hacker to log in, masquerading as a legitimate user or take over another person’s session.
Mitigation includes:
• Offering two factor authentication.
• Encrypting all communications with TLS 1.3 (SSL is unsafe).
• Configuring websites to enforce session time outs if the visitor is no longer using the site.
• Use industry standard authentication systems: SAML, OpenID, Kerberos etc.
Sensitive Data Exposure: Any sensitive data must remain confidential.
Encourage:
• Employees to use an up-to-date browser.
• Configure servers to choose the best encryption methods for communicating with end users.
• Categorise company data based on sensitivity so that the appropriate security controls can be applied and employees limit the risk of exposure.
Insecure References: A URL link: www.emsou.com/cyber&fraud/finance/robertsmith can expose information about how internal systems and apps work, giving hackers access to them without going through proper authorisation procedures.
• Test applications for insecure references.
• Ensure every user must go through authentication and authorisation.
Broken Access Control: Is about checking the permissions a user has when they login. An online medical system should not let a student nurse change a patient’s medication, but a doctor will need these permissions.
Make sure that:
• The site checks the user is authorised to access each and every web function.
• Systems are configured to deny access by default.
• Permissions granted to different user groups are regularly audited.
Security Misconfigurations: When web apps and systems are not securely configured or maintained. For example, leaving a default account on the server, which is exploitable:
• Use vendor guidelines when hardening hardware and software.
• Have systems in place to ensure baseline compliance and the prevention of unauthorised changes.
Cross Site Scripting (XSS): A hacker will plant malicious code on a website which runs on the browser of a site visitor. The attacker can then hijack the connection, steal credentials and data and install malware.
Mitigation involves:
• Turning code into text when a web page is submitted (‘escaping’).
• Limiting the amount of text that can be entered on a site and use drop downs.
• Adding a security policy in the web page that prevents the running of ‘foreign’ scripts.
Insecure Deserialization: When files are sent over the internet, they are usually translated into a format that can be moved more easily. Once the file reaches its destination, it is translated back into its original form. In one recent example, an attacker corrupted this process by inserting crypto mining software, earning $3 million.
It is advisable to:
• Encrypt the translated data which makes tampering harder
• Use a Web Application Firewall to check packages
• Ensure that the system which translate data cannot run a dangerous payload
• Translate data only if it is ‘digitally signed’. This verifies that the package comes from
a trusted source and has not been tampered with.
Using Components with Known Vulnerabilities: Web developers sometime use software for which there are known security flaws:
• Perform periodic scans and audits to identify security issues
• Develop a program to assess and implement patches and software updates.
Insufficient Logging & Monitoring: When web systems fail to track user activity, malicious actions go unnoticed. Some companies will log these activities but then fail to protect these logs from tampering or periodically review them.
• Make sure systems securely track who, when, where and what.
• Consider SIEM technology.
Reporting
Please report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online.
Forward suspicious emails to report@phishing.gov.uk.
Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).
Reuseabox, a leading B Corp certified circular economy packaging company that helps businesses reuse cardboard boxes, has rec...
Read MoreOngo is continuing with ambitious development plans in the West Lindsey District, aimed at enhancing the local community and ...
Read More
Log into your account
