Vulnerability Scanner vs Penetration Test

Both are said to be the best allies of the CISO (and, more generally, of anyone in charge of IT security). They are, though, two different tools in a security strategy. What are the characteristics of each?

Let’s start with the vulnerability scanner.

It is software programmed to run tests on your platform, on your information system, … to detect vulnerabilities. A scanner identifies vulnerabilities thanks to its database of known vulnerabilities and common security issues. It goes through networks, services, applications, etc.

First characteristic: the tests are automated. This means they are fast, and a whole system can be tested in a few hours or days, depending on its size.

Web Application Penetration Testing

Your colleagues or your boss are talking about penetration testing (or pen testing, penetration test, pen test or pentest). You’re asked to explain to them what it is, how it’s done, or what is tested (because you’re the tech one, so you surely know that stuff, right? Especially if it’s not your field.)

So here are some key elements to answer them, clear and simple. For more details, feel free to contact us.

Objective of a Web Application Penetration Test?

10 Golden Rules

Summer time is upon us, and we are more relaxed as the holidays approach… But that’s no reason to forget good habits regarding digital security at work, as hackers don’t go on holiday!

Passwords:

  • Choose a complex password with at least 10 characters.
    It should ideally contain four different types of characters: lowercase, uppercase, numbers and special characters (including punctuation marks). The longer and more complex the password is, the better, as the number of possible combinations increases.
    Forget “easy” passwords like the name of your partner, of your beloved kids or of your pet.

Administration Interfaces

Administration interface, back-office, dashboard, admin panel… several names for the same thing: the place where organisations manage their data, supervise the activity of a web platform, handle customer requests, activate user accounts, configure articles within an e-commerce platform…

When thinking about the security of a web platform, the back-office is not necessarily the priority, for several reasons:
Access to that kind of application is usually restricted to internal services of the organisation, and sometimes to third parties who are supposed to be trustworthy.

Security is essential, and you agree with that. You do want to carry out a penetration test (or pen test) on your solution soon… Here are 7 questions to help you get the most out of a penetration test.

1 – Is it Better to Test the Production or Pre-production?

Running a penetration test on your production environment has one sure advantage: it is conducted under the real conditions of use of your website / web application / API / … with the latest developments deployed.

“All the success of an operation lies in its preparation”, Sun Tzu. Already true in the 6th century BC, this maxim remains true in the 21st century. And malicious attackers have integrated it well into their strategy.

Before launching their attack, attackers list all the information available on the internet about their target. Digital transformation brings advantages to organisations, but it also makes a lot of information visible from the outside to whoever knows where to search, or even just where to look. This information then helps malicious attackers adapt their attack to the target.

Luckily, this situation is not inevitable. Each company can map its digital footprint, in order to then control and limit the information that is visible.

GDPR is the buzzword of the moment. There are many articles explaining, detailing and advising on the new legal obligations. We noticed, however, that most articles remain vague on the new security requirements. So here is an article dedicated to the security aspects of the GDPR.

What does GDPR Require for Security?

GDPR (General Data Protection Regulation) clearly sets personal data security as one of its main principles. Privacy by design and by default require that personal data be protected from the design stage, and in the default settings, of a product or service. Privacy by design and by default applies to data exchanges between a company and its clients as well as its suppliers. Data have to be protected from misuse (human or software error) as well as from hacking (Art. 5; Art. 25).

Article 32 of GDPR “Security of processing” outlines the main security requirements:

  • “to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;”
  • “to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;”
  • [having] “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

After a security audit or a pentest, you have been notified of flaws. Critical, important, medium: do you know how this is assessed? We describe here our methodology, based on the OWASP* one, for estimating the severity of the risks associated with a vulnerability.

1/ What Is the Level of Criticality?

Technical or logic flaws are assessed according to their severity and potential consequences. Clear and precise criteria (described below) allow us to estimate the severity of vulnerabilities objectively. Transparency in the criteria and in the assessment increases trust between security, development and management teams. It also helps to prioritise corrections.

In practice, a level of criticality is attributed to each vulnerability detected: low, medium, high or critical.
The level of criticality combines the likelihood that the vulnerability will be exploited and its potential impact. Once these two elements have each been given a score, the final criticality is determined.

2/ Likelihood of Exploitation

It represents the chances that the flaw is actually found and “used”. The exploitation of the flaw can be deliberate (an attack by a malicious person) or not (incidents related to a particular use of the platform, by a person or an automated tool).

The first step is then to evaluate this actor, the potential attacker:

  • What are his competencies?
  • What are his motivations (meaning, the expected reward)?
  • Does he have, or can he obtain, the necessary resources (user account, specific privileges, financial means …)?
  • How is he related to his target (anonymous outside attacker, authenticated user, intranet attacker, partner …)?

Then the vulnerability itself has to be considered:

  • Is it easy to discover?
  • Or easy to exploit?
  • Is it a known or unknown vulnerability?
  • What mechanisms exist that could identify the attacker?

Phishing has evolved a lot. Whereas a fraudulent email used to be easily detected by its obvious spelling mistakes and its exaggerated requests or threats (immediate bank transfer, account completely deleted…), it nowadays uses the codes of trusted institutions. Phishing emails also involve personalised requests or known contacts of the targeted person (a manager, for example), which makes them hard to detect.

Phishing aims to provoke an interaction with a deceptive email. It is the most used method in social engineering, a branch of cybercrime.
Social engineering targets human behaviour. Its purpose is to lead a user to reveal confidential information or to carry out actions that are harmful to themselves or to the organisation the user belongs to. You can raise your team’s awareness of this risk by conducting a social engineering audit.

We will see in this article how to avoid different phishing strategies, which can be tricky even for experienced and attentive users.