The Ultimate Guide to Addressing Web Security Vulnerabilities
Way back in 2007, Bennett Haselton showed the world how to find credit card numbers using Google search. He typed the first eight digits of a credit card number in the format "xxxx xxxx" into Google, and using some advanced numerical range queries, he was able to retrieve the full 16-digit numbers of almost a million Chase credit cards.
When Google came to know about it, they immediately worked on their filters to prevent anyone from searching through number ranges. In fact, for such requests, Google would return a response saying something like "You're a bad person!" So everyone thought their personal information was safe, until another IT security specialist found a way around it in 2012. Instead of typing a range like 5513000000000000..5513999999999999, he typed it all in hexadecimal, like this: 13960B56A59000..1396F42B4A9FFF. And guess what - he was still able to access sensitive credit card information. Honestly, hackers would have found this technique long before, and could have siphoned off or sold millions of such records on the black market.
This is just one example of what's possible on the web. There are literally millions of such techniques and workarounds that hackers with malicious intent have been using for a long time now. This explains why every major company that deals with sensitive information has had a breach in the last five years or so. In 2016 alone, there were more than 500 data breaches, including the disclosure of 427 million records from MySpace, 80 million records from Anthem, and 15 million records from T-Mobile. No industry has been immune to these data breaches, and this has resulted in millions of dollars in lawsuits, not to mention the tarnished reputation of the companies involved.
Why do you think data breaches occur so frequently?
One of the primary reasons is the lack of a proactive, defensive approach to tackling security vulnerabilities. For most companies, security becomes a priority only after some form of breach has occurred, and unfortunately, only after some sensitive information has fallen into the hands of the wrong people.
To avoid falling into the trap of data breaches and the costly consequences that come with them, here are some things you can do.
Review all data
Injection and cross-site scripting (XSS) attacks happen when data is not validated at the different points where it is handled. To prevent these attacks, your application has to treat all data as coming from an untrusted source, regardless of whether it arrives from a URL, a database, or anywhere else. Validate at every point where user-supplied data is handled or processed, and escape it at the point where it is output, thereby reducing the chances for hackers to inject their own code.
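As an added example (not code from the original article), the following Python treats every input as untrusted: it validates a user-supplied value against a strict allow-list before use, binds it as a parameter so it can never become part of the SQL text, and escapes it at the HTML output boundary. The `users` table, the `validate_username`/`lookup_user`/`render_greeting` names and the sample rows are constructed for this example.

```python
import html
import re
import sqlite3

# Allow-list for a username field: 3-32 characters, letters, digits and underscore only.
# Anything else is rejected outright rather than "cleaned up".
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(raw) -> str:
    """Reject anything that is not a plain string matching the allow-list."""
    if not isinstance(raw, str) or USERNAME_RE.fullmatch(raw) is None:
        raise ValueError("invalid username")
    return raw


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_user(conn: sqlite3.Connection, raw_name):
    """Validate first, then query with a bound parameter: the value is data, never SQL."""
    name = validate_username(raw_name)
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchone()


def render_greeting(name: str) -> str:
    """Escape at the output boundary so the value cannot turn into markup or script."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    print(lookup_user(db, "alice"))
    print(render_greeting("<b>alice</b>"))
```

The point of the structure is that each boundary applies its own control: the allow-list rejects malformed input early, the parameter binding protects the database even if validation is later relaxed, and the output escaping protects the browser regardless of what is stored.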
Remove Vulnerable Applications
Some applications pose a greater security risk because of certain vulnerabilities present in them or a lack of security support from their developers. It's best to remove such applications, as the vulnerabilities may be hard or sometimes even impossible to fix. Below are some examples of applications that you should avoid:
Apple QuickTime for Windows
Apple QuickTime is a multimedia framework that's available for both macOS and Windows. This year Apple decided to end its support for QuickTime on Windows, as there are a ton of vulnerabilities in it that could allow potential hackers to gain control of the entire computer.
Adobe Flash Player
Though Adobe Flash Player is used to enrich the browsing experience, it has a poor record for security. For many years, hackers have used its vulnerabilities to watch users through their webcams or listen in on conversations. This is why most modern browsers have discontinued support for Adobe Flash Player, but it continues to be an Achilles' heel in older browsers.
Apple iTunes for Windows
Another Apple product that works poorly on Windows is iTunes. The risk here comes from the constant stream of security updates and patches that Apple releases for it, all of which you have to install. If you miss even one, or if you're using an outdated version, then you're setting yourself up for a potential attack. In general, it's best to remove it from your system, especially if you haven't kept up with the updates.
Legacy Versions of Oracle Java
Though Java is used in thousands of applications accessed by billions of users, it comes with many security loopholes. This is why you need to constantly stay on top of updates and patches to ensure that all currently known vulnerabilities are fixed in your version. At the same time, it's important to remove older legacy versions of Java from your system to reduce the chances of an attack.
Microsoft Office 2007
Microsoft is going to end its support for Office 2007 in October 2017, which means there are going to be no more security updates for this software. Without support, Office 2007 is going to become more vulnerable to attacks. Also, its poor security and sharing features make it an easy avenue for hackers to access confidential information.
Thus, the above applications have to be blacklisted to ensure that your data and systems are protected. If you're unsure how to go about it, there are companies like Thycotic that specialize in staying on top of vulnerable applications, and they will even blacklist them for you. Privilege Manager for Windows, offered by Thycotic, is probably the easiest way to protect your system from such vulnerable applications.
Using products like Privilege Manager for Windows can go a long way in making your system safer and more secure.
Avoid Broken Authentications
Authentication is one of the most important, and yet one of the hardest, aspects to implement. All authentication credentials and session identifiers have to be protected at all times with encryption to prevent code injection, XSS, and session theft. It's recommended to go with existing frameworks for authentication, rather than creating one from scratch, to ensure that all loopholes are covered. It is also a good idea to use two-factor authentication for financial and other high-value transactions.
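To make the two session-related points concrete, here is an added Python example (not code from the original article): session identifiers are drawn from the operating system's CSPRNG so they cannot be guessed, and the second factor is a standard HOTP/TOTP one-time code (RFC 4226 / RFC 6238) verified with a constant-time comparison. `DEMO_SECRET` is the test secret from the RFC appendix, used only so the results are checkable; the function names and the one-step drift window are this example's own choices.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# The RFC 4226 / RFC 6238 reference test secret (constructed demo value, not a real credential).
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30


def new_session_id(nbytes: int = 32) -> str:
    """Unpredictable session identifier from the OS CSPRNG (never a counter, user id or timestamp)."""
    return secrets.token_urlsafe(nbytes)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // TIME_STEP, digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift; compare in constant time.

    The comparison runs over every candidate so the timing does not reveal which step matched.
    """
    now = int(time.time()) if at is None else at
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at=now + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            matched = True
    return matched


if __name__ == "__main__":
    print("session id:", new_session_id())
    print("current code:", totp(DEMO_SECRET))
```

In a real deployment the per-user secret is generated with `secrets.token_bytes`, stored encrypted, and each accepted code is remembered for its time step so it cannot be replayed; both are outside the scope of this snippet.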
Beef up Security Configurations
Every security infrastructure is a complex web of servers, devices, firewalls, databases, and authentication systems. Each of these elements should be configured properly to ensure that they fit well within the larger infrastructure. Even one misconfiguration can put the entire system at risk, so it's important to have trained and knowledgeable professionals in charge of configuring and managing the security configurations.
Limit Data Exposure
Limiting exposure of sensitive data such as SSNs and credit card numbers is essential. Such data should always be encrypted, both in transit and at rest. In fact, user passwords and credit card information should never travel across the web unprotected for any reason, and passwords should always be stored hashed.
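As an added illustration of the last two points (not code from the original article), the Python below stores passwords only as salted, deliberately slow PBKDF2-HMAC-SHA256 hashes, verifies them in constant time, and reduces card numbers and SSNs to their last four digits before they are displayed or logged. The iteration count, the `pbkdf2_sha256$...` record layout and the function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumption: raise it as your hardware allows).
PBKDF2_ITERATIONS = 600_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash; the plaintext password is never written anywhere."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, _b64(salt), _b64(dk))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number for display or logs."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits of a US Social Security number."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not an SSN")
    return "***-**-" + digits[-4:]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(mask_pan("4111 1111 1111 1111"), mask_ssn("123-45-6789"))
```

Because the salt and iteration count are stored with the hash, the work factor can be raised later and old records re-hashed at the user's next login; masked values are what should reach log files and support screens, with the full value kept only in the encrypted store that actually needs it.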
In short, there are many vulnerabilities present in applications, so one should be wary while using them. It's important to take a proactive and defensive approach to security, as it can go a long way in mitigating many risks. Some of the things you can do to protect your sensitive information are to review user-supplied data at every point where it is handled, remove blacklisted applications from your system, get help from companies that stay on top of security vulnerabilities, use existing frameworks for authentication, get your security configurations right, limit data exposure, and more. Such an approach is sure to protect your sensitive information, even from the most sophisticated hackers.