Understand security to keep cyber threats away from your SME
Overview of Web/Mobile Hacking

How web/mobile app security flaws are discovered

What is a security flaw?

A security flaw is a weakness in a system's security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

Core problems that can lead to security flaws

Users

• can interfere with any piece of data transmitted between the client (a browser on a computer or on a mobile phone) and the server
• can send requests (URLs typed into a browser, or calls made from the command line) in any sequence, and can submit parameters at a different stage than the application expects
• are not restricted to a web browser for accessing the application: native mobile applications that talk to the operating system, or command-line tools on a computer, can be used instead

Common causes of security flaws

 
• The lack of security awareness

Programmers usually pay more attention to business functionality than to security and are often not aware of the threats. It is the role of the CTO (Chief Technical Officer) to drive security awareness in the software development department.

• Custom development

Secure frameworks are (insecurely) modified to meet the customer's requirements. Programmers or software providers need to make sure they write technical tests (ideally providing the client with reports on the tests that were run) to ensure that the application remains secure.

• Resource constraints

Time, money (good programmers), paid (and secure) frameworks, etc.

 

Web app security testing tools

Tools can be used for:

Guessing authentication credentials
Accessing database protocols and command lines to submit different inputs
Organisation directory (LDAP): modifying the organisation's directory structure
Modifying different web/mobile protocols

Well-known tools that can be used to test security

Zed Attack Proxy (ZAP)
SQLMap
Wfuzz
SonarQube
Grabber
Netsparker
Arachni
Acunetix
Wapiti
Intruder

Countermeasures

• Requiring a secret, user-specific token in every completed form and submission to the server: an attacker's site cannot put the right token in its forged submissions

• Requiring the client to provide authentication data (ideally together with a second device such as a mobile phone) in the same browser request used to perform any operation with security implications (money transfers, names, secret documents, etc.)

• Limiting the lifetime of session cookies (an alphanumeric identifier that a web server sends to the browser for temporary use during a limited timeframe)

• Accessing only websites that have a valid certificate: the address in the browser should start with 'https'

• Strongly validating user input using "accept known good" as the strategy, or isolating incoming files and checking their legitimacy before executing them

• Many businesses that fall victim to cyber attacks do so because they only consider the risks once the worst has happened. The truth is that it's never too soon to protect your business, and there are solutions aimed at small businesses, including cloud-based solutions, which make this simple to do.
 
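As an added example (not code from the course), the following Python sketches three of the countermeasures above together: a secret, per-session token checked in constant time on a money-transfer form, a session cookie with a bounded lifetime, and "accept known good" validation of the submitted fields. The in-memory session store, the field names, the account pattern and the 15-minute lifetime are assumptions made for the illustration.

```python
import hmac
import re
import secrets
import time
from typing import Optional, Tuple

# Constructed illustration (not the course's code): an in-memory session
# store with a per-session CSRF token, a bounded session lifetime and
# "accept known good" validation of a money-transfer form.

SESSION_LIFETIME_SECONDS = 15 * 60  # assumption: sessions expire after 15 minutes
MAX_AMOUNT = 100_000                # assumption: upper bound for one transfer

# Allowlist for the destination account: two letters, two digits, then
# 11-30 alphanumerics (an IBAN-shaped pattern). Anything else is rejected.
ACCOUNT_RE = re.compile(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}")

_sessions: dict = {}  # session_id -> {"user", "csrf", "expires"}


def create_session(user_id: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Issue a fresh session id and a CSRF token bound to that session."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    _sessions[session_id] = {
        "user": user_id,
        "csrf": csrf_token,
        "expires": now + SESSION_LIFETIME_SECONDS,
    }
    return session_id, csrf_token


def handle_transfer(session_id: str, form: dict, now: Optional[float] = None) -> str:
    """Validate a submitted transfer form; return a short status string."""
    now = time.time() if now is None else now
    session = _sessions.get(session_id)
    if session is None or now >= session["expires"]:
        _sessions.pop(session_id, None)  # unknown or expired: forget it
        return "rejected: no valid session"
    # The token must come from the form body (not the cookie) and is
    # compared in constant time so the check leaks nothing about its value.
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(session["csrf"].encode(), submitted):
        return "rejected: bad csrf token"
    account = form.get("account", "")
    if not ACCOUNT_RE.fullmatch(account):
        return "rejected: invalid account"
    amount = form.get("amount", "")
    if not amount.isdigit() or not 0 < int(amount) <= MAX_AMOUNT:
        return "rejected: invalid amount"
    return f"ok: {session['user']} -> {account} {amount}"
```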

How much Security is Enough?

How much security to implement is decided by a cost vs. risk analysis:
Risk equals Threat multiplied by Vulnerability
Cost equals the difference between the cost of implementing controls and the cost of not implementing them

Major security challenges faced by SMEs

Budget constraints

Don’t become the low-hanging fruit for cyber criminals
 

• Cyber threats are a significant business risk for SMEs. With business practices increasingly moving to the Internet and the cloud, SMEs have a larger attack surface than ever before.

• As SMEs work to protect themselves in an ever-evolving threat landscape, they find that their security needs are constantly changing. While entrepreneurial attackers innovate to find new ways of breaching organisational networks, defenders too must think outside the box and beyond the perimeter.

• As the cyber threat landscape continues to evolve and become more complex, SMEs find their budgets increasingly stretched and are exposed to the ever-widening cyber skills gap, which leaves them open to malicious attacks.

• Revisit the cost vs. risk analysis whenever the cyber-security landscape changes.

 

Employee theft

Bad actors inside a company are far more common than you think!

• Offer training to your employees

Education is another important element in protecting your business against cyber attacks.

Your employees need to know the dangers of clicking on links that are not trustworthy or of using software that has not been vetted.

• Have a Principle of Least Privilege (POLP) Policy

Once you have a good understanding of how to prioritise your data security, you can adopt a policy that limits who has access to your data depending on their role and function. This goes beyond simple authentication and authorisation and instead grants access to employees only on a need-to-have basis.

This reduces your risk exposure by ensuring that access to critical data and to the network is limited overall. It also makes it easier to discover who might be behind an exposure or incident.
   
• Deploy Software to Monitor and Prevent Access

Once you’ve done the hard work of assessing your internal data security needs, you can deploy software that monitors behaviour and network access and limits who has access to which parts of your infrastructure.

• Have an Incident Response Plan Ready

No plan or software can give you a 100% prevention guarantee, so it’s important to plan and prepare for the worst-case scenarios. Using the types of insider threats listed above and the critical data assessment outlined, you can run through various scenarios:

What if a recently laid-off employee turned off automatic updates for critical software?

What if a third-party infrastructure provider suffered a data breach?

What if an employee in the finance department clicked on a phishing email?

 

Human Error

• Email Misdelivery

Email misdelivery was the fifth most common cause of cybersecurity breaches: 58% of employees admitted to emailing the wrong person at work.

• Poor Password Hygiene

In many organizations, passwords are the first line of cybersecurity defence. But often, they’re also the biggest weakness - 61% of breaches are due to stolen or compromised user credentials.

• Inadequate/Incomplete/Delayed Patching

Cybercriminals exploit software vulnerabilities to gain access to enterprise networks, systems and data. When such vulnerabilities are discovered, the software developers (or vendors) fix them and send out a patch to all users; the human error lies in leaving that patch unapplied, incomplete or delayed.

• Poor Access Control

Inadequate access control is another major human error in cybersecurity breaches since it allows bad actors to take control of enterprise networks.

Technical measures and best practices for SMEs

Become Cyberwise

Your SME can easily discover its cybersecurity readiness level by reviewing the elements listed below. This will help you pinpoint security gaps in your organisation and the best practices you need, such as:

Office firewalls and internet gateways
Secure configuration
Software patching
User and administrative accounts best practices
Malware protection
Awareness of password weaknesses
Basic risk assessment

 

Security Tools

Having the right cyber security tools for a small business has become essential.

• 60% of small businesses close within months of a cyber attack

Budgets are limited, so choosing the correct cyber security tools for a small business is critical in these areas:
 
• Firewalls and network security
• Email Security
• Passwords
• Antivirus

 

Cybersecurity practices

Some of the practices that will help SMEs be better protected against cyber threats:
 

• Avoid unknown emails, links, and pop-ups
• Be cautious with unvetted USB
• Use Multifactor Authentication (MFA)
• Keep your mobile device safe
• Use strong passwords
• Be aware of social engineering
• Use secure Wi-Fi
• Ensure data protection
• Install security software updates
• Use firewall protection at work or home
• Communicate with your IT department

 

Less-known web application vulnerabilities

Common web security mistakes

Some of the most common mistakes that SMEs make, which need to be reviewed immediately:

 

• Permitting invalid data to enter the database
• Focusing on the system as a whole
• Relying on personally developed (home-grown) security methods
• Treating security as your last step
• Storing passwords in plain text
• Not running website security scans
• Creating weak passwords
• Storing unencrypted data in the database
• Not encrypting sensitive data
• Running obsolete software
• Using software components with known vulnerabilities

How web application vulnerabilities affect SMEs, and prevention

This occurs when the people in charge make decisions about cyber security measures by over-relying on their intuition and experience rather than on existing statistical trends and the impacts of cyber-attacks.
 

AUTOMATED EXPLOIT OF A KNOWN VULNERABILITY

Compromised asset: The Operating System (OS) of the computer.

Prevention: The SME can use patch management software to scan the network, identify missing patches and software updates, and distribute patches from a central console so that the entire network is kept up to date. SMEs can also train employees to keep their own systems patched.

 

MALICIOUS HTML EMAIL

Compromised asset: Computers, mobile phones, tablets, or any other equipment that can display the malicious email.

Prevention: The SME can implement aggressive spam filtering so that such emails do not reach the user’s inbox. It is also necessary to raise employee awareness about email security: employees must be able to recognise spam emails, and an SME can run periodic training for employees on recognising them.

   

RECKLESS WEB SURFING BY EMPLOYEES

Compromised asset: Computers, tablets and mobile phones connected to the company network.

Prevention: Employees should be advised not to browse any websites other than work-related sites. Employees should also be informed that all internet browsing is logged and monitored, so that they do not visit inappropriate websites during work. Implementing an Acceptable Use Policy for the Internet is necessary.

 

DATA LOST ON A PORTABLE DEVICE

Compromised asset: Portable device and the sensitive data stored in it.

Prevention: Most mobile devices have the option of encrypting all user data on the device and/or requiring a password to access it. There should be a policy requiring all employees to use those features on portable devices used for work. Mobile Device Management (MDM) software helps the company manage mobile devices and wipe all data on a device when necessary.
     

RECKLESS USE OF HOTEL NETWORKS AND KIOSKS

Compromised asset: The company’s entire network and the employee’s device.

Prevention: Devices such as laptops, smartphones and tablets should have up-to-date antivirus, anti-spyware/malware and firewall software. A policy should also be in place that employees can never turn off the security defences of their devices.

 

LACK OF CONTINGENCY PLANNING

Compromised asset: It can affect the entire IT infrastructure of the SME.

Prevention: Developing a policy for business continuity is the main solution. Although developing such a policy can be hard, an external expert can help.

Consequences of cyber attacks for SMEs

Real-life consequences of cyberattacks on SMEs

Economic impact
Cyber attacks often result in substantial financial loss arising from:

• theft of corporate information

• theft of financial information (e.g. bank details or payment card details)

• theft of money

• disruption to trading (e.g. inability to carry out transactions online)

• loss of business or contract

Businesses that suffered a cyber breach will also generally incur costs associated with repairing affected systems, networks and devices.

Reputational damage

Trust is an essential element of the customer relationship. Cyber attacks can damage your business’s reputation and erode the trust your customers have in you. This, in turn, could potentially lead to:

• loss of customers

• loss of sales

• reduction in profits

The effect of reputational damage can even extend to your suppliers, or affect the relationships you have with partners, investors and other third parties with a stake in your business.

 

Legal implications

Data protection and privacy laws require you to manage the security of all personal data you hold, whether on your staff or your customers. If this data is accidentally or deliberately compromised and you have failed to deploy appropriate security measures, you may face fines and regulatory sanctions.

Cyber-attack and human error

Even as SMEs accelerate their digitization efforts to contend with today’s competitive economic climate, they may find it difficult to make the necessary security investments, whether by building an in-house team of specialists or by enlisting a costly third-party vendor for support.

Without a ready pool of talent, it is difficult for SME owners themselves to plan, set up and maintain the right cybersecurity infrastructure to protect against both known and unknown threats, now and into the future; human error is all the more likely when the company lacks people with these skills.
 

The areas that can be impacted:

• Damage to the brand
• Loss of clients
• Lost opportunities to attract new clients
• Lost opportunities to expand their activities

 

Cyber risk management

Managing cybersecurity risk focusing on cyber insurance

Cyber insurance is a type of insurance cover that aims to protect your business from IT threats and covers you if your systems or data have been lost, damaged or stolen in a cyber attack.

What does cyber insurance cover?

Most cyber insurance policies generally cover first party and third party costs relating to a cyber-attack:

• First-party cyber insurance covers damage to your business, such as the cost of investigating the cyber crime, restoring IT systems, recovering lost data, reputational damage, extortion payments demanded by cyber criminals and costs relating to business shutdown.

• Third-party cyber insurance covers the assets of others, typically your customers and any potential claims against you including damages and settlements as well as legal costs to defend your business

When assessing a client’s risk, insurers generally focus on the following main categories:
 

• Dedicated Resources
 
• Policies and Procedures
 
• Employee Awareness
 
• Incident Response
 
• Security Measures
 
• Vendor Management
 
• Board Oversight

Does my business need cyber insurance?

If your business uses, sends or stores electronic data you could be vulnerable to cyber crime. Cyber insurance could help you with financial and reputational costs if your business is ever the victim of a cyber attack.

Cost and impact of cyber insurance

Cyber security insurance (and cyber liability insurance) can help your business further mitigate risk exposure by offsetting some of the costs involved in cyber incident recovery.
 

These may be expenses related to:

• the management of a cyber incident

• the investigation of a breach

• data subject notification and remediation

• liability - breach of privacy or confidential data

• professional fees related to recovery actions

• business interruptions, e.g. from network downtime

Keywords

Security, security tools, SME, vulnerabilities, risk insurance

Objectives/goals:

At the end of the module, the trainee will be able to:

● Understand Security flaws in Web/Mobile apps
● Understand how major challenges in security affect SMEs activities
● Know the best practices for SMEs in terms of security
● Acknowledge the security tools recommended for SMEs
● Know how to prevent vulnerabilities
● Understand the need for cyber risk insurance

Description:

In today’s technologically evolved business landscape, there is a drastic increase in IT security breaches worldwide. Over the years, the level of threats has also evolved continuously, which makes it ever more difficult for enterprises and government agencies to find the right cybersecurity solutions.



The European Commission's support for the production of this publication does not constitute an endorsement of the contents, which reflect the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.
Legal description – Creative Commons licensing:
The materials published on the CyberMSME project website are classified as ‘Open Educational Resources’ (OER) and can be freely (without the permission of their creators) downloaded, used, reused, copied, adapted and shared by users, with information about the source of their origin.