Top Areas You Shouldn’t Miss While Testing Your Web Applications

The internet has created unlimited opportunities for organizations and companies when it comes to conducting important business transactions and sharing information on a global scale. At the same time, new security concerns have come to the forefront because of the evolving nature of data and information: sensitive information, critical business applications and clients' private information (financial and otherwise) are at even greater risk than before.

Web application security testing (and mobile application testing as well) is therefore essential for businesses that want to give their clients and customers the peace of mind that only secure and risk-free software can provide. The experts at Lean Security list the following areas that shouldn't be overlooked when testing web and mobile applications for vulnerabilities.

Authentication

This is the first entry point encountered when accessing any application, web or mobile based. For the application to operate securely, authentication should be spot-on: the application should be able to detect incorrect or changed passwords, 'lock up' the account if a user enters the wrong password a number of times, and enforce the password rules on all authentication pages (registration, forgot password, change password), etc.
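
The checks listed above, as an added example that is not Lean Security's code: a small in-memory account store where one function holds the password rules (so registration, forgot-password and change-password all enforce the same policy), repeated wrong passwords lock the account for a while, and stored passwords are salted PBKDF2 hashes. All names and thresholds are assumptions chosen for this example.

```python
"""Added example, not Lean Security's code: authentication checks modelled as
an in-memory account store. Names and thresholds are assumptions."""
import hashlib
import hmac
import os
import re
import time

MAX_FAILURES = 5           # assumption: lock after five consecutive wrong passwords
LOCKOUT_SECONDS = 15 * 60  # assumption: stay locked for 15 minutes
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000    # kept modest so the example runs quickly


def password_policy_errors(password: str) -> list:
    """Return the rules the candidate password breaks; an empty list means it passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        errors.append("an uppercase letter")
    if not re.search(r"[a-z]", password):
        errors.append("a lowercase letter")
    if not re.search(r"[0-9]", password):
        errors.append("a digit")
    return errors


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    def __init__(self):
        self._accounts = {}  # username -> {salt, digest, failures, locked_until}

    def _set_password(self, username: str, password: str) -> None:
        errors = password_policy_errors(password)
        if errors:  # the same rule set for every page that accepts a new password
            raise ValueError("password needs " + ", ".join(errors))
        salt, digest = hash_password(password)
        self._accounts[username] = {"salt": salt, "digest": digest,
                                    "failures": 0, "locked_until": 0.0}

    def register(self, username: str, password: str) -> None:
        self._set_password(username, password)

    def login(self, username: str, password: str, now: float = None) -> str:
        """Return 'ok', 'locked' or 'denied'. Unknown users get the same 'denied'
        as a wrong password so the login form does not reveal which names exist."""
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            return "denied"
        if now < acct["locked_until"]:
            return "locked"
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["failures"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def change_password(self, username: str, old: str, new: str, now: float = None) -> bool:
        """Change-password page: re-checks the old password (so lockout applies
        here too) and runs the new one through the same policy."""
        if self.login(username, old, now) != "ok":
            return False
        self._set_password(username, new)
        return True
```
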

Encryption

The security experts at Lean Security stress the importance of displaying sensitive information (passwords, account numbers, credit card numbers) in an encrypted format. Cookie information, on the other hand, needs to be stored in encrypted format. HTTPS should be used, and any data transmission over the network needs to be secured.

Session Management

The user shouldn't be able to access or navigate the application after logging out of the system or after the user session has expired. The session values should also be displayed in an encrypted format in the address bar. Controls need to be in place that restrict access between secure and unsecure web pages.
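
The two rules above (nothing works after logout, nothing works after expiry), as an added example that is not Lean Security's code: a server-side session store whose browser-facing identifier is an opaque random token carrying no user data, meant for a cookie rather than the address bar, which is a stricter variant of "not readable in the URL". The timeouts are assumptions chosen for this example.

```python
"""Added example, not Lean Security's code: a server-side session store.
Timeouts are assumptions chosen for the example."""
import secrets
import time

IDLE_TIMEOUT = 20 * 60       # assumption: expire after 20 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 3600  # assumption: force a fresh login after 8 hours regardless


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> {"user", "created", "last_seen"}

    def create(self, user: str, now: float = None) -> str:
        """Start a session and return the token to set as a cookie."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def resolve(self, token: str, now: float = None):
        """Return the user behind a token, or None when the session is unknown,
        logged out, idle for too long, or past its absolute lifetime."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        expired = (now - sess["last_seen"] > IDLE_TIMEOUT
                   or now - sess["created"] > ABSOLUTE_TIMEOUT)
        if expired:
            self._sessions.pop(token, None)  # drop it server-side, not just client-side
            return None
        sess["last_seen"] = now
        return sess["user"]

    def rotate(self, token: str, now: float = None) -> str:
        """Swap in a new token for the same user, e.g. right after login, so a
        token planted or captured beforehand stops working."""
        user = self.resolve(token, now)
        if user is None:
            raise KeyError("no active session")
        self.logout(token)
        return self.create(user, now)

    def logout(self, token: str) -> None:
        """Invalidate on the server; clearing the cookie alone would leave a
        copied token usable until it timed out."""
        self._sessions.pop(token, None)
```
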

Error Handling

When something fails, the system shouldn't display any exceptions or errors containing server, application or database information. Why? Because application errors often contain information not intended for the user (or a hacker) to view. Instead, a custom error page should be shown, which is why proper exception and error handling is so important. Not doing a proper job here can lead to attacks and the disclosure of system-level details.
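
The same request handler written twice, as an added example that is not Lean Security's code: handle_leaky() does what the section warns against and returns the raw exception to the client, while handle_safe() logs the full traceback server-side under a correlation id and returns only a generic error page quoting that id. The fake database call, the page text and the leaks_internals() check are assumptions for the example.

```python
"""Added example, not Lean Security's code: a leaky and a safe error handler.
The database failure and the page text are constructed for the example."""
import logging
import traceback
import uuid

log = logging.getLogger("app")
SERVER_LOG = []  # stand-in for the real log sink so the result can be checked


def fake_db_query(order_id: str) -> dict:
    # Constructed failure that mimics a driver error carrying internal details
    raise RuntimeError(
        f"connection to db-prod-01.internal:5432 failed while loading order {order_id}"
    )


def handle_leaky(order_id: str) -> dict:
    try:
        return {"status": 200, "body": str(fake_db_query(order_id)), "ref": None}
    except Exception as exc:
        # Anti-pattern: host name, port and stack trace all go to the browser
        return {"status": 500, "ref": None,
                "body": "Error: " + repr(exc) + "\n" + traceback.format_exc()}


def handle_safe(order_id: str) -> dict:
    try:
        return {"status": 200, "body": str(fake_db_query(order_id)), "ref": None}
    except Exception:
        ref = uuid.uuid4().hex[:12]  # correlation id the user can quote to support
        SERVER_LOG.append(f"[{ref}] " + traceback.format_exc())
        log.error("unhandled error, ref=%s", ref)
        return {"status": 500, "ref": ref,
                "body": ("<h1>Something went wrong</h1>"
                         f"<p>Please try again later and quote reference {ref}.</p>")}


def leaks_internals(body: str) -> bool:
    """Crude check a tester can run on error responses: does the page contain
    anything that looks like a traceback or an internal host name?"""
    markers = ("Traceback (most recent call last)", ".internal", "Error:")
    return any(m in body for m in markers)
```
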

Proper execution of application testing is absolutely crucial, and it should be carried out by a professional security expert such as Lean Security, the professional security and WAF managed service provider in Australia.


There’s a Security Gap within Your Organization: How Can You Fix That?

It's no secret that the cyber-security landscape is becoming more complex with every passing moment. In addition to the complex security systems and protocols on the market, companies and online retailers also have to contend with the rising threat of cyber-crime.

Enterprises and organizations today have the ability and the funds to invest in more secure systems for their web and mobile applications. However, the sophisticated, complex and armed-to-the-teeth digital bad guys shouldn't be underestimated.

But what can enterprises do against a shadow economy that produces malware by the billion, and where the lone hacker has been replaced by organized crime syndicates? Designing better security systems from the start (especially in mobile and web applications) is the answer, along with the following:

Internal Marketing of Security

Compliance and security roles are becoming popular, and these functions are getting the visibility and recognition they deserve. As the business owner or the manager running the operation, you should highlight to the rest of the company how security teams within (and outside) the business keep it safe, compliant and right on track. Your employees should know what action to take in case of a data breach, which is why openly discussing response planning is a good recommendation.

Turn Your Security into All New Code

This step will become all the more important as the Internet of Things (IoT) continues to grow within your organization. Since the Internet now carries a huge chunk of everyday office operations, secure connectivity to the internet must be worked on. This will only happen once enterprises and organizations consider security from the very start of their operations. Consider this: is it easier to conduct operations on a secure foundation from the start, or to build and work on a weak infrastructure?

Automate All Your Information Systems

This can be done once security has been built into the business and infrastructure from the beginning of operations. When that is done, you'll find that automating many of the processes is not only easy but the obvious course of action. This in turn frees up your security and compliance team to focus on the issues that really matter, such as finding anomalies and security vulnerabilities.

Of course, organizations and enterprises can also outsource their security needs to a third-party managed security service such as Lean Security. Get in touch to learn about the other services we can help with.


What Is A Web Application Firewall (WAF)?

In simple terms, a web application firewall (WAF for short) is a technology that monitors, filters or blocks HTTP traffic to and from your company's web application. Now on to the detailed definition, brought to you by the experts at Lean Security.

WAFs: the Most Popular Recent Security Measure

While it's true that web application firewalls have grown in popularity, we cannot overlook that web-based threats have also grown since then. The nature of these threats can vary: it can be anyone from a seemingly harmless teenager testing newly learned SQL injection skills on your website to a nation-state sponsored attacker on the lookout for proprietary information to steal.

This has made web security even more of a challenge. To make matters worse for enterprises, their WAF design needs to be both secure and 'open', in order to maintain wide availability while still enforcing proper user authorization and data security.

How a WAF Protects a Web Application

Input, output and access to and from an application are all controlled with the help of a web application firewall. The technology runs as an appliance (or as a server plug-in or cloud-based service) that inspects every HTTP, HTTPS, SOAP and XML-RPC data packet thoroughly.

Attacks such as XSS, SQL injection, session hijacking and buffer overflows are detected through customizable security rules and then blocked. Such attacks are beyond the reach of network firewalls and intrusion detection systems, which is why online retailers and businesses employ far more stringent protective measures, tools and software to make the security process more effective.
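
The inspection step described above in miniature, as an added example that is neither Lean Security's code nor any real WAF's rule set: each request is decoded field by field and checked against a small table of customizable rules, and the first match returns the rule id so the decision can be logged and the request blocked before it reaches the application. The rule table and the sample requests are constructed for the example.

```python
"""Added example, not Lean Security's code and not a real WAF rule set: a
tiny rule-based request inspector. Rules and samples are constructed."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Rule table: (id, description, pattern). Real rule sets are far larger and
# are tuned per application; these are deliberately simple and will false-positive.
RULES = [
    ("sqli-001", "SQL tautology, comment or DROP",
     re.compile(r"(?i)('\s*or\s+\S+\s*=\s*\S+|--\s*$|;\s*drop\s+table)")),
    ("sqli-002", "UNION-based SELECT", re.compile(r"(?i)union\s+(all\s+)?select")),
    ("xss-001", "script tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-002", "inline event handler", re.compile(r"(?i)\bon\w+\s*=")),
    ("trav-001", "path traversal", re.compile(r"(\.\./|\.\.\\)")),
]


def inspection_fields(method, path, headers, body):
    """Yield (location, decoded value) for every user-controlled field.
    Values are decoded once more after parsing to catch double-encoding."""
    parts = urlsplit(path)
    yield "path", unquote_plus(parts.path)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield f"query:{key}", unquote_plus(value)
    for key, value in headers.items():
        if key.lower() in ("user-agent", "referer", "cookie"):
            yield f"header:{key}", value
    if method == "POST" and body:
        for key, value in parse_qsl(body, keep_blank_values=True):
            yield f"body:{key}", unquote_plus(value)


def inspect(method, path, headers=None, body=""):
    """Return (decision, rule_id, location); decision is 'block' or 'allow'."""
    for location, value in inspection_fields(method, path, headers or {}, body):
        for rule_id, _description, pattern in RULES:
            if pattern.search(value):
                return "block", rule_id, location
    return "allow", None, None


# Constructed sample traffic: (method, path, headers, body)
SAMPLES = [
    ("GET", "/products?id=42", {}, ""),
    ("GET", "/products?id=42%27%20OR%201%3D1--", {}, ""),
    ("POST", "/comment", {}, "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("GET", "/download?file=..%2F..%2Fetc%2Fpasswd", {}, ""),
    ("GET", "/search?q=union+select", {}, ""),
]


def decisions():
    """Run every sample through the inspector; handy for a quick look."""
    return [inspect(*sample) for sample in SAMPLES]
```
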


WAF Can Be Network-based or Host-based

In addition, the technology (software or program) is usually deployed as a proxy positioned in front of the web application. A WAF can monitor web traffic in real or near-real time, before it even reaches the application, which is how it filters out potentially harmful traffic patterns quite effectively.

Enterprises have used such security controls for a long time to protect their web applications against the growing threat of zero-day exploits, impersonation, known and unknown vulnerabilities and cyber attackers. It can safely be said that WAFs are the best defensive tool your small business can employ, of course only when done right.

Never compromise on the security of your web application and systems. It's better to hire experts in WAF software design. Get in touch with Lean Security, the best WAF managed service provider in Australia, to learn more about our iron-clad web-based security platforms.

What makes Penetration Testing Different than Vulnerability Assessment?

If you are a security professional, you are most definitely familiar with vulnerability assessment and penetration testing. These are two types of vulnerability testing used to complete a vulnerability analysis. Both are valuable tools for information security and are integral components of the process of managing threats and vulnerabilities in network systems.

Your Business’s Website Just Got Hacked! Here Is What You Should Do Now

Security experts at Lean Security categorize companies in Australia into two types: those that have been hacked and know about it, and those that have been hacked but don't know about it. So, how will you know if your company's website has been hacked?

Following are the signs that Lean Security, the number one WAF managed service, shares:

- Your website gets defaced
- The website redirects to an 'unsavoury' site, such as a porn site
- You get a notification from Bing or Google that the site is compromised
- Your web browser (Firefox or Chrome) indicates that your site is compromised
- You notice unexplained big spikes in traffic (from other countries) and other signs of strange traffic in your site's web logs
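
A small detector for the last sign above, as an added example that is not Lean Security's code: it reads constructed Apache/nginx combined-format log lines, counts requests per minute, compares each minute with the median of the others and reports the spike minutes together with the source addresses behind them. The threshold factor and the sample lines are assumptions; mapping addresses to countries would need a GeoIP database and is left out.

```python
"""Added example, not Lean Security's code: traffic-spike detection over
combined-format web log lines. Threshold and sample lines are constructed."""
import re
from collections import Counter, defaultdict
from statistics import median

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line: str):
    """Return the fields this detector needs, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # "10/Mar/2024:14:05:01 +0000" -> minute bucket "10/Mar/2024:14:05"
    return {"ip": m["ip"], "minute": m["ts"][:17], "request": m["req"],
            "status": int(m["status"])}


def find_spikes(lines, factor=5.0, min_requests=20):
    """Return [(minute, count, [(ip, n), ...])] for minutes whose request count
    exceeds factor x the median count of the other minutes (and min_requests)."""
    per_minute = Counter()
    ips_per_minute = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_minute[rec["minute"]] += 1
            ips_per_minute[rec["minute"]][rec["ip"]] += 1
    spikes = []
    for minute, count in sorted(per_minute.items()):
        others = [c for m, c in per_minute.items() if m != minute]
        baseline = median(others) if others else 0
        if count >= min_requests and count > factor * baseline:
            spikes.append((minute, count, ips_per_minute[minute].most_common(3)))
    return spikes


def _line(ip, minute, sec, path, status=200):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Mar/2024:{minute}:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: four quiet minutes, then one minute hammered by two hosts
SAMPLE_LOG = []
for _minute in ("14:00", "14:01", "14:02", "14:03"):
    for _sec in range(3):
        SAMPLE_LOG.append(_line("203.0.113.7", _minute, _sec, "/index.html"))
for _sec in range(30):
    SAMPLE_LOG.append(_line("198.51.100.9", "14:04", _sec, "/login", 401))
    SAMPLE_LOG.append(_line("198.51.100.10", "14:04", _sec, "/search?q=test", 200))
```
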

What Do You Do?

The first thing to do after finding out that your company's website has been hacked is to remain calm. You won't be able to do damage control in a frazzled and worried state. The next things to do are:

Call In Your Support Team

If you're a small business, chances are that you won't have the right technical expertise on board. The best option in this case is to hire a support team, ideally one that's expert in the technical aspects of internet security and familiar with the configuration of your site, such as your managed security service provider.

Pull Together Important Information

You'll have to gather the information that's helpful to the support team, so be prepared to provide the following:

- Hosting login information
- CMS login information
- Your site's web logs
- FTP/SFTP access credentials
- Backups

Take Your Website Offline

The site will have to be temporarily shut down while the support team runs web application testing and assessment. This is normally done through the hosting control panel. You can also password-protect the main directory (where the website resides) in order to block users from accessing the site while it's being fixed.

Scan Local Computers for Viruses and Malware

This is a very important step, which can also be carried out by your managed hosting provider. Have the support team scan all your local computers with anti-virus software to make sure there isn't any malware, spyware or Trojans on the network. Also make sure the anti-virus software you use is up to date before scanning the computers.

Just because there are millions of others to prey on doesn't make your business website secure. It's always a good idea to be prepared for the possibility of such an event. After all, it's better to be safe than sorry. Conduct a free assessment of your website's security by Lean Security today.


What Measures Do You Take to Keep Your Business’s Web and Mobile Applications Secure?

If you aren't worried about the cyber security of your business, you should be. Cyber crime has increased exponentially this year, in Australia and neighbouring New Zealand. Security experts gathered round and compiled the security risks that businesses in the country need to look out for, as these attacks aren't only increasing in number but in sophistication as well.

This is why businesses are forever on the lookout for ways of boosting their network infrastructure security that'll help mitigate risks and prevent the exposure and/or theft of sensitive information. The security experts at Lean Security suggest the following protective measures that businesses can take to secure their networks.

Exploit the Latest Technological Innovations

Businesses need to stay informed about the latest internet technology developments and invest in them. Such technological developments and software are quite capable of combating and preventing cybercrime, as well as protecting the privacy of users and helping secure their computers and mobile applications. The 6 D's of Cyber Security should be used when planning defences against current and future threats.

Prepare, Implement and Communicate a Strict Security Policy

IT environments today aren't made up only of end-user workstations connected to servers; mobile devices, BYOD, cloud storage and remote workstations are now also a large part of these environments. Businesses can no longer protect their IT configurations by simply segregating the network; hence, they should employ another way to protect it.

The same guidelines should be followed for remote and BYOD users as for users working in the office environment on the same software, devices, etc. Rules should be set for strong passwords, for e-mailing and file downloads, and for using connection methods (Bluetooth, hotspots, wireless) and peripherals, so as to prevent the chaos that usually follows in managing an entire IT infrastructure.

Employ Intelligence Tools and Engage In Proactive Cyber-Security

Businesses need to be more proactive when it comes to web application security and must be able to recognize the signs even when there is no obvious indication of malfeasance.

Businesses can become more proactive by:

- Identifying security control gaps through self-assessment of web and mobile security.
- Pinpointing the exact vulnerabilities that the IT environment is plagued by.
- Examining how prepared the company is against cyber-attacks.
- Coming up with incident response and effective threat detection methods.
- Thoroughly reviewing the cyber risk management practised.
- Highlighting the appropriate cyber security controls.

Of course, today small to mid-sized businesses and even enterprises don't place their entire focus on a working IT department (and sometimes don't even have one in place). For them, a much better and less costly option is to hire professional managed security services, as they have the latest software and tools necessary to implement any security measure within web applications. Take a free assessment of your web applications by Lean Security today!


Cyber-scammers Confess: Every Trick in the Book That Hurts Our Internet Security (Part 2)

Cyber-scammers and hackers are equipped with the ability to bring about the downfall of online shopping as we have come to know it. Retailers and other businesses that depend on secure internet networks battle it out by bringing in help from Lean Security, the number one professional managed security service provider in Australia. This blog is a follow-up to our Cyber-scammers Confess: Every Trick in the Book That Hurts Our Internet Security (Part 1). Take a look at what these cyber-scammers have up their sleeves, and how you can outsmart them at their own game!

Trick #1: We Lure You with “Shocking” Videos on Facebook

Interesting videos and other content tend to circulate on social media, posted and shared by millions of people. You may have come across videos posted by friends on Facebook with titles including words like 'shocking', 'incredible' and 'must see', strategically chosen to grab your attention. Such video links, when clicked, ask you to take a survey or download a media player that, in reality, installs malware on the computer.

How to Outsmart Them: To see whether the video is legitimate and on YouTube, type its title into Google. If the video is actually a scam, it will already have been reported.

Trick #2: We Can Break Into Routers That Use WEP Encryption

In fact, scammers and computer hackers do this very easily! How? Many older routers still rely on Wired Equivalent Privacy (WEP) encryption, which is much easier to crack than the encryption used by newer routers. This is done with the help of a widely available software program that anyone can download.

How to Outsmart Them: Make sure to use the most secure type of encryption for your router, which is WPA2 (Wi-Fi Protected Access 2) or WPA. If your router doesn't provide either, call its manufacturer or your managed security service provider and see what needs to be done. Always remember to change the Wi-Fi password of a new router from its preset settings.

Trick #3: We Impersonate Trustworthy Companies

Cyber-scammers and hackers are often masters of disguise, fooling users into believing something that isn't true. They may send you a fake financial warning from the bank or credit card company you hold accounts with, an order confirmation from a well-known retailer, or perhaps a social networking invitation from someone in your network.

How to Outsmart Them: Internet users forget that most companies will never ask outright for account or other financial information. This type of scam can almost always be spotted by hovering the mouse over the address in the 'From' field or simply by clicking the 'Reply All' button: if the message is indeed a scam, you'll notice a lot of misspellings or strange email addresses. Another helpful tip is to call the company (not on the number given in the email!) when in doubt.
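
The "look at the real address" advice above, automated over raw message headers, as an added example that is not Lean Security's code: it compares the display name in From with the actual address, flags a domain that merely resembles the brand it claims, and flags a Reply-To pointing somewhere else (which is what the 'Reply All' trick reveals). The trusted-domain list and the sample headers are constructed for the example.

```python
"""Added example, not Lean Security's code: From / Reply-To sanity checks on
e-mail headers. The trusted list and the sample headers are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr


def _letters(text: str) -> str:
    """Lower-case letters only, so 'Example-Bank' and 'examplebank' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def suspicious_signs(raw_headers: str, trusted_domains) -> list:
    """Return human-readable warnings; an empty list means nothing looked odd."""
    msg = message_from_string(raw_headers)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    warnings = []
    if not from_addr:
        warnings.append("no usable From address")
        return warnings
    for brand in trusted_domains:
        base = _letters(brand.split(".")[0])  # e.g. 'examplebank'
        genuine = from_dom == brand or from_dom.endswith("." + brand)
        if genuine:
            continue
        if base in _letters(from_dom):
            # the brand name buried in an unrelated domain: a lookalike
            warnings.append(f"address domain {from_dom} imitates {brand}")
        elif base in _letters(name):
            # friendly name says one company, the address says another
            warnings.append(f"display name claims {brand} but address is @{from_dom}")
    if reply_addr and reply_dom != from_dom:
        warnings.append(f"replies go to @{reply_dom}, not @{from_dom}")
    return warnings


TRUSTED = ["examplebank.test"]

# Constructed samples (headers only; .test is a reserved, never-registered TLD)
PHISH = ("From: \"Example Bank Security\" <alerts@example-bank-verify.test>\n"
         "Reply-To: <recover@mail.test>\n"
         "Subject: Urgent: confirm your account\n")
CLAIMED = ("From: \"Example Bank\" <noreply@freemail.test>\n"
           "Subject: Your statement is ready\n")
LEGIT = ("From: \"Example Bank\" <alerts@examplebank.test>\n"
         "Subject: Your statement is ready\n")
```
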

The security experts at Lean Security always emphasize taking caution when surfing the net, conducting an online banking transaction or making a purchase from an online store. The same goes for businesses, which must also employ security measures like web application testing and scanning, among others from Lean Security.



Cyber-Scammers Confess: Every Trick In The Book That Hurts Our Internet Security

The number one threat to our internet security is computer hackers, who have numerous tools and complex software at their disposal to wreak havoc on our internet systems, web applications and online security. Following are some tips that Lean Security gleaned from the experts themselves on how to better protect your privacy while online:

Trick #1: We Send You Personal Emails

Spear phishing, i.e. cyber-scammers and hackers sending targeted emails with the purpose of stealing sensitive information (financial details or passwords), has become incredibly sophisticated. Previously, Internet users could easily spot dubious emails thanks to the common tell-tale signs of punctuation and spelling errors; today, however, such emails may address the user by name and professional title and even mention a project they've been working on!

How to Outsmart Them: You can easily spot phishing emails by keeping an eye out for unusual or incorrect URLs, requests for money or your personal information, suspicious attachments, or a message that's actually an image. Opening attachments or clicking on links is a bad idea if you aren't 100% certain of the sender's identity.

Trick #2: We Crack Simple Passwords…In No Time!

Even amateur hackers have access to complex programs that work systematically and constantly, testing millions upon millions of possible password combinations. Their schedule isn't hampered by the program; in fact they could fall asleep and the program would still be working next morning, attempting to gain access to your information!

How to Outsmart Them: The experts that provide security testing services at Lean Security recommend creating an iron-clad password for your email and other important accounts. Choose a phrase and use characters and letters from it, adding numbers and upper- and lowercase letters (e.g. 'Jack and Jill went up the hill' could become J@jwnPThl). A password manager that generates and remembers random, hard-to-guess passwords can also be used.

Trick #3: We Sneak While You Surf

A new method of attack used by a growing number of cyber-scammers and hackers is the 'drive-by download'. The user can't tell the difference between a malicious website and a perfectly harmless one; once the link is clicked, users are redirected to several other sites running in the background, one of which launches an attack. Often, the owner of the website won't even know his/her site has been compromised.

How to Outsmart Them: Make sure all available updates are installed for your browser. You may also consider using Firefox, which updates automatically whenever an update is available. Of all the browsers, users of Internet Explorer are the ones most at risk of these attacks, according to security experts.

We at Lean Security understand how important internet security is for businesses, which is why our security experts provide the best managed security services as well as mobile and web application security assessments to small, medium and enterprise businesses. Get a free assessment of your website today!

Security Risks That Small Businesses Should Know About

There has been a significant increase in high-profile data breach cases over the past two years involving major corporations. This doesn't mean that small businesses are safe from hackers and thieves, however, as small businesses often don't even have the necessary resources or know-how to protect their important data.

Does this mean that small businesses are doomed? Lean Security doesn't think so, as there's absolutely no need to spend an exorbitant amount of money or resources to safeguard a network against the threats prevailing and attacking businesses today. In addition to having a simple cyber plan, the Australian-based managed security service reckons that knowing about the threats is the first step to fighting them.

#1: Malicious Code

You don't want what happened to one manufacturing firm to happen to you: all the company's code generators and programs were destroyed by a software bomb, subsequently causing the company to lose millions of dollars. As a result, the company was unceremoniously thrown out of its previous position in the industry and had to lay off 80 workers!

How Can This Not Happen To You: Install anti-virus and anti-spyware programs and firewalls on all computers used in your business, and make sure the computer software is up to date and carries only the most recent patches.

#2: Stolen/Lost Laptop or Mobile Device

There have been occurrences of laptops being stolen from government officials' homes containing sensitive information that could have been, and in most cases was, used for illegal or devious purposes. In one instance, the affected department had to notify 26.5 million people of the incident, resulting in public scrutiny and hearings into the matter.

How Can This Not Happen To You: Encrypt all your customers' data when travelling with it on a portable device, which makes the data unreadable to outsiders until a password or encryption key is entered.

#3: Spear Phishing

This threat is prevalent for businesses that rely heavily on e-mail to conduct business. Imagine if your company received as many as 50,000 spam and phishing emails in the course of a normal business day. Do your employees know the difference between a regular email and a spam one? If not, your business runs the risk of accidentally opening a spear phishing email, which can either bring a virus into the network or steal important information such as the administrator password.

How Can This Not Happen To You: If such an email is received, it's recommended that employees either contact their manager or simply pick up the phone and get in touch with the person who supposedly sent it.

The above threats and more can be aptly addressed by Lean Security, the only managed security service in Australia that offers a free security assessment of your company's website. So what are you waiting for?


Here Is How You Can Prevent Data Breaches in Your Company

Data breaches will occur whether you run a small-scale business or a fully fledged enterprise. It's understandable that you want the best for your business, and when it comes to data breaches, being aware of the potential threat is often the first step to mitigating it as well as possible. Lean Security, your neighbourhood penetration testing service, provides the following tips that can be used to safeguard against security and data breaches.

Institute End User Awareness

This training, when carried out, provides a definite advantage to the business, but only when end-user awareness changes the very culture of the company and makes it more security-minded. Moreover, if carried out properly, the training can help eliminate the mistakes that typically lead to a security breach and help staff notice odd behaviour or fraudulent activity inside the company.

Deploy Intrusion Detection and Prevention

This should be used for all mission-critical systems, as well as those that can be accessed via the internet: web servers, e-mail systems, servers housing customer or employee data, the Active Directory server, and any other system that's considered mission-critical.

Stop drive-by Downloads

Or, in other words, implement content filtering. A number of breaches occur through drive-by downloads, which open up your machine via a malicious or compromised website, making it easy to exploit and access any information. The ability to block where insiders go is an important component of a good security policy.

Perform Regular Vulnerability Assessments

Conducting regular vulnerability assessments lets organizations know where their security systems stand and what more has to be done to ensure no security breaches take place. Companies typically perform vulnerability scans once a quarter, but according to Lean Security these should be carried out weekly. In addition, scans should be performed against every system in the network, be it internal or external.

Implement Insider Behavior Monitoring

A system monitoring program, in which the HR person in your company or a compliance officer has the resources to view and replay employee behaviour, can prove invaluable to ensuring data security. There are programs and software you can combine with data loss prevention technology to come up with rules that block sensitive content from leaving the network.

Implementing this and more will make the difference between a good and a secure network, which can be achieved with one of the many penetration testing services from Lean Security. After all, why do it yourself when the same can be done for you in a much better manner?