If you are a security professional, you are certainly familiar with vulnerability assessment and penetration testing. Both are forms of security testing that feed a vulnerability analysis: an assessment enumerates and prioritises weaknesses, while a penetration test attempts to exploit them to show their real impact. Both are valuable tools for information security and integral parts of managing threats and vulnerabilities in networked systems.
Your Business’s Website Just Got Hacked! Here Is What You Should Do Now
Security experts at Lean Security divide companies in Australia into two groups: those that have been hacked and know it, and those that have been hacked but don't know it yet. So how do you tell whether your company's website has been compromised?
These are the most common signs, according to Lean Security's WAF managed service team:
- Your website gets defaced
- The website redirects visitors to an 'unsavoury' site, such as a porn site
- You receive a notification from Bing or Google that the site is compromised
- Your web browser (Firefox or Chrome) warns that your site is compromised
- You notice unexplained spikes in traffic (often from countries where you have no customers) or other strange request patterns in your site's web logs
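The last sign is the one you can check for yourself. The script below is an added example, not code from Lean Security's post: it parses access-log lines in the Apache/nginx "combined" format and flags any (address, hour) bucket whose request count is far above the median. The log lines are constructed for the example, and the country lookup is a stand-in table for the GeoIP database you would use in practice.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: a real deployment would call a GeoIP database here. For this
# offline example countries come from a constructed table keyed by /24 prefix.
COUNTRY_BY_PREFIX = {"203.0.113": "AU", "198.51.100": "AU", "192.0.2": "XX"}
EXPECTED_COUNTRIES = {"AU"}


def parse_line(line):
    """Parse one combined-format line; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = rec["ts"][:14]  # "10/Mar/2016:13:00:00 +1100" -> "10/Mar/2016:13"
    rec["country"] = COUNTRY_BY_PREFIX.get(rec["ip"].rsplit(".", 1)[0], "??")
    return rec


def find_traffic_anomalies(lines, ratio=5.0, min_requests=50):
    """Return findings for (ip, hour) buckets with at least `min_requests` hits
    and at least `ratio` times the median bucket, noting foreign sources."""
    per_bucket = Counter()
    user_agents = defaultdict(Counter)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        per_bucket[(rec["ip"], rec["hour"], rec["country"])] += 1
        user_agents[rec["ip"]][rec["ua"]] += 1
    if not per_bucket:
        return []
    baseline = median(per_bucket.values())
    findings = []
    for (ip, hour, country), n in per_bucket.most_common():
        if n >= min_requests and n >= ratio * baseline:
            findings.append({
                "ip": ip,
                "hour": hour,
                "requests": n,
                "country": country,
                "foreign": country not in EXPECTED_COUNTRIES,
                "top_user_agent": user_agents[ip].most_common(1)[0][0],
            })
    return findings


def build_sample_log():
    """Constructed sample log: normal browsing from two local addresses all
    day, then one foreign address hammering /login inside a single hour."""
    fmt = ('{ip} - - [10/Mar/2016:{hh:02d}:{mm:02d}:{ss:02d} +1100] '
           '"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')
    lines = []
    for hh in range(8, 18):
        for i, ip in enumerate(("203.0.113.5", "198.51.100.20")):
            for mm in (3, 17, 41):
                lines.append(fmt.format(ip=ip, hh=hh, mm=mm, ss=i, method="GET",
                                        path="/products", status=200, ua="Mozilla/5.0"))
    for k in range(120):
        lines.append(fmt.format(ip="192.0.2.77", hh=13, mm=k // 2, ss=(k % 2) * 30,
                                method="POST", path="/login", status=401,
                                ua="python-requests/2.9"))
    return lines


if __name__ == "__main__":
    for finding in find_traffic_anomalies(build_sample_log()):
        print(finding)
```

Run it against a real access log with `find_traffic_anomalies(open("access.log"))`; tune `ratio` and `min_requests` to the site's normal volume, since a quiet site needs a lower absolute threshold than a busy one.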
What Do You Do?
The first thing to do after finding out that your company’s website has been hacked is to remain calm. You won’t be able to do damage control in a frazzled and worried state. The next thing to do is:
Call In Your Support Team
If you're a small business, chances are you won't have the right technical expertise in-house. The best option is to bring in a support team that is expert in internet security and already familiar with your site's configuration, such as your managed security service provider.
Pull Together Important Information
You'll have to gather the information the support team needs, so be prepared to provide the following:
- Hosting login information
- CMS login information
- Your site's web logs (access and error logs)
- FTP/SFTP access credentials
- Backups (ideally the most recent one known to be clean)
Take Your Website Offline
The site will have to be taken offline temporarily while the support team carries out web application testing and assessment. This is normally done through the hosting control panel. Alternatively, password-protect the main directory (where the website resides) so that visitors cannot reach the site while it is being fixed. Before anything is cleaned or restored, keep a copy of the compromised files and logs: they are the evidence the support team needs to work out how the attacker got in.
Scan Local Computers for Viruses and Malware
This is an important step, and one your managed hosting provider can also carry out. Have the support team scan every local computer with anti-virus software to make sure there is no malware, spyware or Trojan on the network; a keylogger on a workstation is a common way for site credentials to leak. Make sure the anti-virus software and its signatures are up to date before scanning.
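Once you have a clean backup and a copy of the compromised site, the quickest way to see what the attacker changed is to compare the two trees file by file. The script below is an added example, not code from Lean Security's post: it hashes every file under two directories and reports what was added, removed or modified. It builds its own constructed fixture (a defaced index page, an unexpected PHP file in uploads/, a deleted stylesheet) so it runs offline; point `diff_trees` at the real backup and a copy of the live webroot to use it for real. Work on a copy so the evidence stays untouched.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root, chunk=65536):
    """Map each regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                h.update(block)
        digests[str(path.relative_to(root)).replace(os.sep, "/")] = h.hexdigest()
    return digests


def diff_trees(clean_root, live_root):
    """Compare a known-clean backup against the live (or copied) webroot."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(clean)),        # webshells, dropped files
        "removed": sorted(set(clean) - set(live)),      # deleted or renamed files
        "modified": sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p]),
    }


def build_demo():
    """Constructed fixture: a clean backup and a live copy where index.html was
    defaced, an unexpected PHP file appeared in uploads/ and a stylesheet vanished."""
    base = Path(tempfile.mkdtemp(prefix="siteaudit-"))
    clean, live = base / "backup", base / "live"
    for root in (clean, live):
        (root / "uploads").mkdir(parents=True)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (root / "css" / "site.css").write_text("body { margin: 0 }\n")
    (live / "index.html").write_text("<h1>Hacked</h1>\n")
    (live / "uploads" / "cache.php").write_text("<?php /* unexpected file */ ?>\n")
    (live / "css" / "site.css").unlink()
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_demo()
    for kind, paths in diff_trees(clean_dir, live_dir).items():
        print(f"{kind}: {paths}")
```

Every file listed under "added" or "modified" should be explained before the site goes back online; an unexplained script in an upload directory is the classic sign of a web shell.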
Having millions of other targets to prey on doesn't make your business website secure. It's always a good idea to be prepared for such an event; after all, it's better to be safe than sorry. Conduct a free assessment of your website's security with Lean Security today.
What Measures Do You Take to Keep Your Business’s Web and Mobile Applications Secure?
If you aren't worried about the cyber security of your business, you should be. Cyber crime has increased sharply this year, in Australia and neighbouring New Zealand. Security experts have compiled the security risks that businesses in the country need to look out for, as these attacks are increasing not only in number but in sophistication.
This is why businesses are forever on the lookout for ways of boosting their network infrastructure security that’ll help mitigate risks and prevent the exposure and/or theft of sensitive information. The security experts at Lean Security provide the following protective measures that businesses can take to secure their networks.
Exploit the Latest Technological Innovations
Businesses need to stay informed regarding the latest internet technology related developments as well as invest in them. Such technological developments and software are quite capable of combating and preventing cybercrime, as well as protecting the privacy of users and helping secure their computers and mobile applications. The 6 D’s of Cyber Security should be used when planning defences that would fight against current and future threats.
Prepare, Implement and Communicate a Strict Security Policy
IT environments today aren’t just made of end user workstations connected to servers, as now mobile devices, BYOD, cloud storage and remote workstations are also a large part of these environments. Businesses can no longer protect their IT configurations by simple segregation of the network; hence, they should employ another way to protect it.
Remote and mobile users should follow the same rules as users working in the office on the same software and devices. Set rules for strong passwords, for e-mail and file downloads, and for connection methods (Bluetooth, hotspots, wireless) and peripherals, so that managing the whole IT infrastructure does not descend into chaos.
Employ Intelligence Tools and Engage In Proactive Cyber-Security
Businesses need to be more proactive about web application security and must be able to recognise warning signs before there is any obvious indication of an attack.
Businesses can become more proactive by:
- Identifying the security control gaps found through a self-assessment of web and mobile security.
- Pinpointing the exact vulnerabilities that plague the IT environment.
- Examining how prepared the company is against cyber attacks.
- Coming up with incident response and effective threat detection methods.
- Thoroughly reviewing the cyber risk management practised.
- Highlighting the appropriate cyber security controls.
Of course, many small and mid-sized businesses, and even some enterprises, don't put their whole focus on IT (and sometimes don't have an IT department at all). For them, a better and less costly option is to hire a professional managed security service, which has the latest software and tools needed to implement security measures within web applications. Take a free assessment of your web applications by Lean Security today!
Cyber-scammers Confess: Every Trick in the Book That Hurts Our Internet Security (Part 2)
Cyber-scammers and hackers have the means to bring down online shopping as we know it. Retailers and other businesses that depend on a secure internet presence fight back by bringing in help from Lean Security, the number one professional managed security service provider in Australia. This blog is a follow-up to our Cyber-scammers Confess: Every Trick in the Book That Hurts Our Internet Security (Part 1). Take a look at what these cyber scammers have up their sleeves, and how you can outsmart them at their own game!
Trick #1: We Lure You with “Shocking” Videos on Facebook
Interesting videos and other content circulate on social media, posted and shared by millions of people. You may have come across videos posted by friends on Facebook titled 'shocking', 'incredible' or 'must see', strategically named to grab your attention. When clicked, such video links ask you to take a survey or download a media player that, in reality, installs malware on the computer.
How to Outsmart Them: To see whether the video is legitimate and really on YouTube, search for its title on Google. If the video is actually a scam, it will usually already have been reported.
Trick #2: We Can Break Into Routers That Use WEP Encryption
In fact, scammers and computer hackers do this very easily. How? Many older routers still rely on Wired Equivalent Privacy (WEP), which is far easier to crack than the encryption in newer routers; freely available software that anyone can download recovers a WEP key in minutes.
How to Outsmart Them: Make sure your router uses the most secure encryption available: WPA2 (Wi-Fi Protected Access 2), or WPA3 where the router supports it. WPA is only a stop-gap and WEP should not be used at all. If your router offers none of these, contact the manufacturer or your managed security service provider to see what needs to be done. Always change both the Wi-Fi password and the administrator password of a new router from their factory defaults.
Trick #3: We Impersonate Trustworthy Companies
Cyber-scammers and hackers are often masters of disguise, fooling users into believing something that isn't true. They may send a fake financial warning from the bank or credit card company you bank with, an order confirmation from a well-known retailer, or a social networking invitation from someone in your network.
How to Outsmart Them: Internet users forget that most companies will never ask outright for account or other financial information. This type of scam can almost always be spotted by checking the real address behind the 'From' field (hover over it, or press Reply and look at the address that is filled in) and by checking where the links in the message actually point. If the message is a scam you'll often notice misspellings or strange addresses. Another helpful tip: when in doubt, call the company, but not on the number given in the email!
The security experts at Lean Security always emphasise caution when surfing the net, banking online or buying from an online store. The same goes for businesses, which should also employ security measures like web application testing and scanning, among others offered by Lean Security.
Cyber-Scammers Confess: Every Trick In The Book That Hurts Our Internet Security
The number one threat to our internet security is computer hackers, who have numerous tools and complex software at their disposal to wreak havoc on our internet systems, web applications and online security. Following are some tips that Lean Security gleaned from the experts themselves on how to better protect your privacy while online:
Trick #1: We Send You Personal Emails
Spear phishing, where cyber-scammers and hackers send targeted emails to steal sensitive information (financial details or passwords), has become incredibly sophisticated. Internet users could once spot dubious emails easily thanks to tell-tale punctuation and spelling errors; today, however, such emails may address the user by name and professional title and even mention a project they've been working on!
How to Outsmart Them: You can usually spot phishing emails by keeping an eye out for unusual or incorrect URLs, requests for money or personal information, suspicious attachments, or a message that is actually just an image. Opening attachments or clicking on links is a bad idea unless you are 100% certain of the sender's identity.
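The checks above (a 'From' address that doesn't match where replies go, links whose visible text points somewhere other than their target, lure phrases, risky attachments, image-only bodies) can be applied mechanically to a message before anyone clicks. The script below is an added example, not code from Lean Security's post, and it covers both this spear-phishing item and the company-impersonation trick in Part 2. It uses only the standard library `email` and `html.parser` modules, and the message it analyses is constructed for the example; the lure phrases and risky extensions are starter lists you would extend.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Starter lists (assumption: a real filter would use far larger ones).
LURE_PHRASES = ("verify your account", "confirm your password",
                "account will be suspended", "wire transfer", "urgent")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".zip", ".iso")


class HtmlScan(HTMLParser):
    """Collect (href, visible text) for every anchor, plus all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def domain_of(addr_or_url):
    """Host part of a mailbox or URL, lower-cased ('' when absent)."""
    s = addr_or_url.strip()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].lower()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def same_site(a, b):
    """True when one host equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def analyze(msg):
    """Return a list of human-readable phishing indicators for a parsed message."""
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and not same_site(domain_of(reply_addr), domain_of(from_addr)):
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}")
    text = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {filename}")
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text.append(part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            scan = HtmlScan()
            scan.feed(html)
            text.extend(scan.text)
            for href, label in scan.links:
                shown = domain_of(label) if ("." in label and " " not in label) else ""
                if shown and not same_site(shown, domain_of(href)):
                    findings.append(f"link shows {shown} but points to {domain_of(href)}")
            if "<img" in html.lower() and len("".join(scan.text).strip()) < 40:
                findings.append("HTML body is essentially just an image")
    body = " ".join(text).lower()
    findings.extend(f"lure phrase: '{p}'" for p in LURE_PHRASES if p in body)
    return findings


def analyze_raw(raw):
    """Same check starting from the raw RFC 5322 text of a message."""
    return analyze(message_from_string(raw, policy=policy.default))


def build_sample():
    """Constructed spear-phishing message (not a real email): personalised,
    mentions a project, but replies and links go to a look-alike domain."""
    msg = EmailMessage()
    msg["From"] = "Example Bank Security <alerts@example.com>"
    msg["Reply-To"] = "recovery@example-secure.net"
    msg["To"] = "jane.smith@example.org"
    msg["Subject"] = "Action required on project Falcon"
    msg.set_content("Hi Jane, regarding project Falcon: please verify your account before Friday.")
    msg.add_alternative(
        '<p>Hi Jane, regarding project Falcon: please '
        '<a href="http://login.example-secure.net/verify">https://www.example.com/online-banking</a> '
        'to verify your account before Friday.</p>', subtype="html")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    return msg


if __name__ == "__main__":
    for finding in analyze_raw(build_sample().as_string()):
        print("-", finding)
```

Any single indicator can be innocent (many legitimate senders use a different Reply-To), so treat the output as a score to review rather than an automatic verdict; the link-text mismatch is the strongest single signal here.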
Trick #2: We Crack Simple Passwords…In No Time!
Even amateur hackers have access to programs that systematically test millions upon millions of password guesses, around the clock. The program doesn't need its operator awake: they can fall asleep and it will still be running the next morning, working its way towards your information.
How to Outsmart Them: The experts who provide security testing services at Lean Security recommend creating a strong password for your email and other important accounts. Take a phrase and build the password from its letters, adding numbers, symbols and mixed case (e.g. 'Jack and Jill went up the hill' could become J@jwnPThl). A password manager that generates and remembers long random passwords can also be used, and is the better option for anything important.
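To see why short or simple passwords fall "in no time", it helps to run the arithmetic. The script below is an added example, not code from Lean Security's post: it brute-forces a four-letter password hashed with a fast hash to measure a guess rate, sizes the keyspace of the page's J@jwnPThl example, and times a single guess against a deliberately slow hash (PBKDF2). The 1e10 guesses-per-second figure is an assumption standing in for a GPU cracking rig against a fast unsalted hash.

```python
import hashlib
import itertools
import math
import string
import time


def brute_force(target_hex, alphabet, max_len, algo="md5"):
    """Exhaustively try every string over `alphabet` up to `max_len` characters.
    Returns (plaintext or None, number of guesses made)."""
    tried = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            tried += 1
            candidate = "".join(combo)
            if hashlib.new(algo, candidate.encode()).hexdigest() == target_hex:
                return candidate, tried
    return None, tried


def keyspace(alphabet_size, length):
    """Number of candidates of length 1..length over an alphabet of that size."""
    return sum(alphabet_size ** n for n in range(1, length + 1))


def crack_time_seconds(alphabet_size, length, guesses_per_second):
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def charset_size(password):
    """Size of the smallest standard character class mix the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def slow_hash(password, salt, iterations=600_000):
    """Password hashing the defender should use: salted, deliberately expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def humanize(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


def demo(guesses_per_second=1e10):
    target = hashlib.md5(b"jack").hexdigest()  # a four-letter password, fast hash
    t0 = time.perf_counter()
    found, tried = brute_force(target, string.ascii_lowercase, 4)
    elapsed = time.perf_counter() - t0
    print(f"recovered {found!r} after {tried} guesses in {elapsed:.2f}s "
          f"({tried / elapsed:,.0f} guesses/s in pure Python, no GPU)")
    for pw in ("jack", "J@jwnPThl", "correct horse battery staple"):
        n = charset_size(pw)
        print(f"{pw!r}: charset {n}, keyspace 2^{math.log2(keyspace(n, len(pw))):.0f}, "
              f"worst case {humanize(crack_time_seconds(n, len(pw), guesses_per_second))} "
              f"at {guesses_per_second:.0e} guesses/s")
    t0 = time.perf_counter()
    slow_hash("jack", b"constructed-salt")
    print(f"one PBKDF2-SHA256 guess took {time.perf_counter() - t0:.3f}s: "
          f"the same exhaustive search against a slow hash is no longer a coffee break")


if __name__ == "__main__":
    demo()
```

Two lessons fall out of the numbers: length beats cleverness (each extra character multiplies the keyspace by the alphabet size), and the service storing the password decides how expensive each guess is, which is why a site that stores a fast unsalted hash turns every leak into an offline cracking job.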
Trick #3: We Sneak While You Surf
A growing number of cyber-scammers and hackers use a newer method of attack, the 'drive-by download'. The user cannot tell a malicious website from a perfectly harmless one; once the page is opened, it silently loads content from several other sites in the background, one of which launches the attack. Often the owner of the website doesn't even know the site has been compromised.
How to Outsmart Them: Make sure all available updates are installed for your browser and its plugins. Consider a browser such as Firefox that updates itself automatically whenever a new version is available. According to security experts, of all browser users, those on Internet Explorer are the most at risk from these attacks.
We at Lean Security understand how important internet security is for businesses, which is why our security experts provide the best managed security services as well as mobile and web application security assessments to small, medium and enterprise businesses. Get a free assessment of your website today!
Security Risks That Small Businesses Should Know About
There has been a significant increase in high-profile data breaches at major corporations over the past two years. This doesn't mean small businesses are safe from hackers and thieves, however; small businesses often lack the resources or know-how to protect their important data.
Does this mean small businesses are doomed? Lean Security doesn't think so: there is no need to spend an exorbitant amount of money or resources to safeguard a network against the threats attacking businesses today. In addition to having a simple cyber plan, the Australian-based managed security service reckons knowing about the threats is the first step to fighting them.
#1: Malicious Code
You don't want what happened to one manufacturing firm, where all of the company's program code and code generators were destroyed by a logic bomb, costing it millions of dollars. The company was unceremoniously pushed out of its position in the industry and had to lay off 80 workers!
How Can This Not Happen To You: Install anti-virus and anti-spyware programs and firewalls on every computer used in your business, and make sure the software is kept up to date with the most recent patches applied.
#2: Stolen/Lost Laptop or Mobile Device
There have been cases of laptops stolen from government officials' homes containing sensitive information that could have been, and in some cases was, used for illegal purposes. In one instance the affected department had to notify 26.5 million people of the incident, resulting in public scrutiny and hearings into the matter.
How Can This Not Happen To You: Encrypt all customer data that travels on a portable device; disk or file encryption makes the data unreadable to outsiders until the password or encryption key is entered.
#3: Spear Phishing
This threat is most serious for businesses that rely heavily on e-mail to conduct business. Imagine your company receiving as many as 50,000 spam and phishing emails in the course of a normal business day. Do your employees know the difference between a regular email and a spam one? If not, your business runs the risk of someone opening a spear phishing email, which can bring a virus into the network or steal important information such as the administrator password.
How Can This Not Happen To You: If such an email is received, employees should contact their manager, or simply pick up the phone and check with the person who supposedly sent it.
The above threats and more can be aptly addressed by Lean Security, the only managed security services in Australia that offer a free security assessment of your company’s website. So what are you waiting for?
Here Is How You Can Prevent Data Breaches in Your Company
Data breaches can occur whether you run a small business or a fully fledged enterprise. It's understandable that you want the best for your business, and when it comes to data breaches, being aware of the potential threat is the first step towards mitigating it. Lean Security, your neighbourhood penetration testing service, offers the following tips for safeguarding against security and data breaches.
Institute End User Awareness
This training gives the business a definite advantage, but only when end user awareness changes the very culture of the company and makes it more security minded. Carried out properly, it helps eliminate the mistakes that typically lead to a breach and helps staff notice odd behaviour or fraudulent activity inside the company.
Deploy Intrusion Detection and Prevention
This should be deployed for all mission-critical systems and for anything reachable from the internet: web servers, e-mail systems, servers holding customer or employee data, Active Directory servers, and any other system considered mission critical.
Stop drive-by Downloads
In other words, implement content filtering. A number of breaches occur through drive-by downloads, where a malicious or compromised website exploits the visiting machine and opens it up to further access. The ability to control which sites insiders can reach is an important part of a good security policy.
Perform Regular Vulnerability Assessments
Conducting regular vulnerability assessments lets organisations know where their security stands and what more needs to be done to prevent a breach. Companies typically perform vulnerability scans once a quarter, but Lean Security recommends weekly scans. Scans should also cover every system on the network, internal and external.
Implement Insider Behavior Monitoring
A monitoring system in which the HR person or compliance officer has the means to view and replay employee activity can prove invaluable to data security. Such software can be combined with data loss prevention (DLP) technology and rules that block sensitive content from leaving the network.
Implementing these measures and more makes the difference between an ordinary network and a secure one, and it can be achieved through one of the many penetration testing services offered by Lean Security. After all, why do it yourself when it can be done for you in a much better manner?
3 Reasons Why Your Business Would Benefit From a Mobile Application
Are you considering building a mobile application for your business? There are certain advantages to doing so, but it's extremely important to be clear about your objectives from the very start. Following are some reasons and popular routes for having a mobile application, as shared by Lean Security.
Active Customer Engagement
Perhaps the biggest advantage businesses gain from going mobile is the increased potential for customer interaction. Companies can interact with their clients in real time, by location and profile information, and learn the demographics of the people who use the application.
Increased Customer Service and Support
People look for simple interfaces when shopping online, interfaces that help them navigate the site easily. Many businesses build mobile applications for their websites for exactly this reason, because their clients now prefer to shop from their mobiles. Such applications also offer tools that make the experience simpler and more effective, with 24/7 customer support and service built in.
Promotion of Brand
Having a mobile application gives businesses 24/7 promotion and marketing of their products and offers, as they can showcase whatever is new directly in the application for everyone to see. One effective way to make the most of this is to offer coupons, which increase sales: people are more likely to visit your apparel store, for example, after being notified on their phones about an offer they might otherwise miss.
Moreover, developing a mobile application is a very good idea if you sell services or products online, as it gives your customers the one thing that makes all the difference: mobility. This increases not only your sales but your client base as well.
The end result you should be working towards is capturing the attention of existing and potential customers, increasing your product range and offerings, and enticing people to buy from you, which is only possible with a web and mobile application that runs without a hitch. Learn more about the web and mobile assessment solutions that Lean Security offers here.
Analysing vulnerability scanning reports
The success of an enterprise wide vulnerability assessment program depends on many factors such as planning, budgeting, resources, technical solution and others, but the most important is the ability to analyse vulnerability scanning reports. Properly identified and categorised vulnerabilities will help organisations to get the most benefit from the program and achieve more Return on Investment. This article will cover some of the points to consider when analysing network and web application reports.
What is Source Code Analysis?
Source code analysis is the automated examination of a program's source code. Its main purpose is to find faults and fix them before the application is deemed ready to be distributed or sold.
Source code analysis is essentially static code analysis: the original source is examined as code, without running the program. This reduces, though does not remove, the need for test cases, since the analysis finds defects that would harm the program's proper functioning, such as lines of code that would crash it, without executing it.
How Does it Work?
First things first: source code analysis is automated code debugging. The main goal is to find faults and bugs that would not be obvious to the programmer, such as:
- Untidy use of pointers
- Misuse of memory-management or garbage-collection functions
- Possible buffer overflows
If these faults are not caught in time, there is a chance they can be exploited by malicious parties.
Analyzers use standard rules to tell them what to look for, and they need to balance precision against cost for the process to work. Analyse too deeply and the run takes too long to finish; analyse too shallowly and users are flooded with useless warnings and false positives.
There are two types of analyzers:
- Intra-procedural: works within one function at a time, matching the kinds of patterns the user is looking for.
- Inter-procedural: follows data and control flow from one function to the next, connecting the patterns so the analyzer can build a model and simulate execution paths.
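The difference between the two analyzer types is easiest to see on a concrete program. The script below is an added example, not code from this page or from any analysis product: a toy analyzer that splits a constructed C file into functions with simple regular expressions, applies an intra-procedural rule (unbounded copies into a fixed-size local buffer, `gets`), and then an inter-procedural rule (an untrusted argument such as `argv[]` or `getenv()` passed to a callee whose parameter reaches a dangerous sink). The C sample is constructed for the example and the parsing is deliberately naive; a real analyzer works on a proper parse tree rather than regexes.

```python
import re

SINKS = {"strcpy", "strcat", "sprintf", "gets", "system"}
SOURCES = ("argv[", "getenv(", "fgets(", "scanf(")
CONTROL = {"if", "while", "for", "switch"}

# Function header at the start of a line, e.g. "static void greet(const char *who) {".
FUNC_RE = re.compile(r"^[ \t]*(?:static\s+)?[\w\s\*]+?\b(\w+)\s*\(([^)]*)\)\s*\{", re.M)
# A statement-level call: name(args);  (assumption: no commas inside string args).
CALL_RE = re.compile(r"\b(\w+)\s*\(([^;]*)\)\s*;")

# Constructed C sample (not a real program). Line numbers matter for the output.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

static void copy_name(char *dst, const char *src) {
    strcpy(dst, src);                        /* sink: unbounded copy */
}

static void greet(const char *who) {
    char line[64];
    sprintf(line, "hello %s", who);          /* sink: unbounded format into fixed buffer */
    puts(line);
}

int main(int argc, char **argv) {
    char name[32];
    char cmd[128];
    if (argc < 2) return 1;
    copy_name(name, argv[1]);                /* tainted argv reaches strcpy in callee */
    greet(getenv("USER"));                   /* tainted env reaches sprintf in callee */
    gets(cmd);                               /* unbounded read */
    strncpy(name, argv[1], sizeof name - 1); /* bounded: not reported */
    return 0;
}
"""


def split_functions(src):
    """Return {name: (param_names, line_of_opening_brace, body_lines)} via brace matching."""
    funcs = {}
    for m in FUNC_RE.finditer(src):
        if m.group(1) in CONTROL:
            continue
        depth, i = 0, m.end() - 1
        while i < len(src):
            depth += src[i] == "{"
            depth -= src[i] == "}"
            if depth == 0:
                break
            i += 1
        params = [p.strip().split()[-1].lstrip("*")
                  for p in m.group(2).split(",") if p.strip() and p.strip() != "void"]
        funcs[m.group(1)] = (params, src.count("\n", 0, m.end()) + 1, src[m.end():i].split("\n"))
    return funcs


def intra_findings(name, start, lines):
    """Intra-procedural rule: sink writing into a fixed-size array declared in this function."""
    arrays = set(re.findall(r"\bchar\s+(\w+)\s*\[\s*\w+\s*\]", "\n".join(lines)))
    out = []
    for j, line in enumerate(lines):
        for call, args in CALL_RE.findall(line):
            argv = [a.strip() for a in args.split(",")]
            if call == "gets":
                out.append((start + j, name, f"gets({argv[0]}): unbounded read"))
            elif call in ("strcpy", "strcat", "sprintf") and argv[0] in arrays:
                out.append((start + j, name, f"{call} into fixed-size buffer {argv[0]}"))
    return out


def sink_params(funcs):
    """For each function, the indices of parameters passed straight to a sink."""
    result = {}
    for name, (params, _, lines) in funcs.items():
        idx = set()
        for call, args in CALL_RE.findall("\n".join(lines)):
            if call in SINKS:
                idx.update(params.index(a.strip()) for a in args.split(",") if a.strip() in params)
        result[name] = idx
    return result


def inter_findings(funcs):
    """Inter-procedural rule: untrusted source passed to a callee parameter that hits a sink."""
    sinks = sink_params(funcs)
    out = []
    for caller, (_, start, lines) in funcs.items():
        for j, line in enumerate(lines):
            for callee, args in CALL_RE.findall(line):
                if callee not in funcs:
                    continue
                for k, a in enumerate(args.split(",")):
                    if k in sinks[callee] and any(s in a for s in SOURCES):
                        out.append((start + j, caller,
                                    f"untrusted {a.strip()} reaches sink via {callee}() parameter {k}"))
    return out


def analyze(src):
    funcs = split_functions(src)
    findings = [f for name, (_, start, lines) in funcs.items() for f in intra_findings(name, start, lines)]
    findings += inter_findings(funcs)
    return sorted(findings)


if __name__ == "__main__":
    for line, func, msg in analyze(SAMPLE_C):
        print(f"line {line} in {func}(): {msg}")
```

Note what each rule misses: the `strcpy` inside `copy_name` is invisible to the intra-procedural rule because `dst` is a parameter, not a local array, and only the inter-procedural pass connects `argv[1]` in `main` to that sink. Conversely, the bounded `strncpy` is correctly left alone by both.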
How Does it Strengthen the Security of Your Business?
Business security is now focused mostly on the application layer. Since most security efforts have succeeded in protecting the network perimeter, attackers have turned to enterprise applications to continue their attacks. They turn errors in software or embedded code to their advantage to control company computers and access classified data and customer records.
Static Code Analysis (SCA) is a security tool used to find dangerous code and flaws in applications before they are used or distributed. Code reviewers use automated tools to find vulnerabilities while keeping the complexity of modern applications in mind. SCA tools cut the time needed to assess intricate code and detect the problems that need to be prioritised.
In short, source code analysis can help make your applications safe before a flaw has the chance to do real damage. Static Application Security Testing should be viewed as a mandatory practice for all IT organisations procuring or developing applications. With that in mind, you can contact us anytime to make use of our web application scanner and security testing services.