In 2018, attackers exploited a vulnerability in Facebook's application code to steal access tokens, and with them the account data, of some 50 million users. Back in 2017, the notorious WannaCry ransomware made headlines by spreading to Windows systems that had not installed a security update, encrypting their data and demanding a ransom to recover the encrypted files.
Earlier still, the Heartbleed flaw in OpenSSL, an open-source cryptographic library, let attackers read server memory and steal private TLS/SSL keys.
With cybersecurity so high on the agenda, how are such attacks still possible?
The answer is simpler than it may seem: attackers exploit vulnerabilities in computer systems, or use deception (social engineering) to be let into the system, and so gain access to steal data.
What is a vulnerability?
The Cambridge Dictionary defines the adjective vulnerable as follows: “able to be easily physically, emotionally or mentally hurt, influenced or attacked.”
There are two typical examples of vulnerabilities in a computer system:
- Exposing an unnecessary or unhardened network port: the applications we use on the internet provide their services through a web server that listens for requests on port 80 by default (443 for HTTPS). Every listening port is a surface an attacker can reach. If the server accepts requests without limits on their rate, size or duration, it can be overwhelmed and become the victim of a DoS (Denial-of-Service) attack; any other service left listening, such as a database or an administration interface, is a further target.
- Lack of input validation: imagine a website login form asking for a username and password. If we do not validate what is entered in these fields (type, length and allowed characters) and instead treat it as trusted data, we could be vulnerable to injection attacks: XSS (Cross-Site Scripting) if the value is reflected into a page without encoding, or SQL injection if it is concatenated into a database query. Validation is only the first layer: a length limit alone stops neither attack, so output must also be encoded and queries parameterised.
How can I protect myself against cyber attacks?
The first rule of protection is distrust: if you receive an e-mail from someone you don't know, do not click on any link in the message, since it could be a phishing e-mail.
In the Santander Group we follow 5 Cybersecurity rules:
- Protect your information and equipment
- Be discreet online and in public
- Think before you click or reply
- Keep your passwords safe
- If you suspect it, report it
4 key factors to develop a secure application:
1. Secure requirements:
Imagine an application for a bank branch that is used by different users, each with a different role at the branch. One of our requirements will be role-based access control (user profiling), which restricts access to confidential information to the roles that need it. Imagine that the application also stores client data. That means we must comply with European data protection legislation, the GDPR, so a further security requirement will be to encrypt and pseudonymise the client's personal data, keeping the information needed to re-identify a client separate from the data itself.
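The pseudonymisation requirement above is easy to get wrong: hashing a client ID with a plain hash looks anonymous, but short identifiers can be recovered by hashing every candidate. The following added example (written for this page, not code from the Santander application) contrasts that with a keyed HMAC pseudonym, whose secret key is the "additional information" that must be kept apart from the data. The client records, IDs and field names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample client records for the example (not real people).
CLIENTS = [
    {"client_id": "00012345", "name": "Joan Rodriguez", "balance": 1250.50},
    {"client_id": "00067890", "name": "Maria Lopez", "balance": 98.10},
]


def naive_pseudonym(client_id: str) -> str:
    """Unkeyed SHA-256 of the client ID.

    Looks anonymous, but client IDs are short numeric strings: anyone holding
    the dataset can hash every candidate ID and rebuild the mapping."""
    return hashlib.sha256(client_id.encode()).hexdigest()


def keyed_pseudonym(client_id: str, key: bytes) -> str:
    """HMAC-SHA256 of the client ID under a secret key.

    The same ID always maps to the same pseudonym, so records stay linkable
    for reporting, but without the key the pseudonym cannot be linked back
    to the client. The key is stored separately (KMS/HSM), never with the data."""
    return hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records: list, key: bytes) -> list:
    """Replace direct identifiers with pseudonyms and keep only the fields
    the downstream report actually needs (data minimisation)."""
    return [
        {"pseudonym": keyed_pseudonym(r["client_id"], key), "balance": r["balance"]}
        for r in records
    ]


def reidentify_by_dictionary(pseudonym: str, candidate_ids, func) -> Optional[str]:
    """Attacker's view: push every candidate ID through the function the
    attacker can compute and see whether one reproduces the pseudonym."""
    for cid in candidate_ids:
        if func(cid) == pseudonym:
            return cid
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once, kept outside the dataset
    ids = [f"{i:08d}" for i in range(100_000)]
    # Unkeyed hash: the client is recovered from the pseudonym alone.
    print(reidentify_by_dictionary(naive_pseudonym("00012345"), ids, naive_pseudonym))
    # Keyed pseudonym: without the key the same attack finds nothing.
    print(reidentify_by_dictionary(keyed_pseudonym("00012345", key), ids, naive_pseudonym))
    print(pseudonymise_records(CLIENTS, key))
```

Encryption of the stored record itself (the other half of the requirement) is a separate control and is not shown here; the point of the example is that pseudonymisation only counts as such when re-identification needs a secret the data holder does not have.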
2. Secure design
Continuing with our application, this factor means that its design should be robust and resistant to attack (no design is invulnerable, so the aim is to remove avoidable weaknesses). If our application has a login function, we should design it to limit failed login attempts, for instance by locking the account or adding delays after 3 failures, so that passwords cannot be guessed by brute force. We should also design it not to display "Invalid password" or "User does not exist" messages, since such messages tell an attacker whether a username exists and let them concentrate a brute-force or credential-stuffing attack on real accounts. A generic message such as "Invalid credentials" gives no hint as to whether the username or the password was wrong; the response time should not give one away either.
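The two designs described above, side by side, as an added example written for this page (not code from the bank application). The user store, the account "joan" and its password are constructed; the hardened version uses one generic message for every failure, does the same hashing work whether or not the username exists, compares in constant time and locks after MAX_FAILED_ATTEMPTS failures.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3      # the limit the text proposes
PBKDF2_ITERATIONS = 100_000  # slow hash, so offline guessing is expensive


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def make_store() -> dict:
    """Constructed user store with one account (hypothetical credentials)."""
    salt = os.urandom(16)
    return {"joan": Account(salt, hash_password("R4driguez", salt))}


# Work done for unknown usernames, so the response time does not reveal
# whether an account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("not-a-real-password", _DUMMY_SALT)


def login_leaky(store: dict, username: str, password: str) -> str:
    """Vulnerable design: distinct messages enumerate valid usernames, an
    unknown user returns instantly, and there is no attempt limit."""
    acct = store.get(username)
    if acct is None:
        return "Unknown user"
    if hash_password(password, acct.salt) != acct.pw_hash:
        return "Invalid password"
    return "OK"


def login_hardened(store: dict, username: str, password: str) -> str:
    """Hardened design: one generic message for every failure, equal work on
    every path, constant-time comparison and a lock after MAX_FAILED_ATTEMPTS."""
    acct = store.get(username)
    if acct is None:
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return "Invalid credentials"
    if acct.locked:
        # Do not announce the lock either; notify the real owner out of band.
        hash_password(password, acct.salt)
        return "Invalid credentials"
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
        return "Invalid credentials"
    acct.failed_attempts = 0
    return "OK"


if __name__ == "__main__":
    store = make_store()
    for user, pw in [("nobody", "x"), ("joan", "x"), ("joan", "R4driguez")]:
        print(user, pw, "->", login_leaky(store, user, pw), "|", login_hardened(store, user, pw))
```

One caveat a practitioner should weigh: a hard lock after 3 failures lets an attacker lock legitimate users out simply by guessing wrongly on purpose. Progressive delays or per-source rate limiting limit brute force without that side effect, and which to choose is a design decision in its own right.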
3. Use of secure libraries
According to Forrester and Gartner, between 80% and 90% of all commercial software developers use open-source components in their applications, and Sonatype estimates that up to 90% of an application is built from third-party components. We therefore use the most secure components we can in our developments. Say we want to save time and cost, so we pick a library that generates reports in Excel or PDF. With it we finish the development in barely 2 weeks, but we never checked the library's published vulnerabilities. Had we chosen a newer version in which those vulnerabilities were already fixed, we would have avoided shipping a known weakness. Checking a component against a public vulnerability database before adopting it, and again on every update, takes minutes.
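The check the paragraph describes is what software composition analysis tools such as OWASP Dependency-Check, pip-audit or npm audit do against feeds like NVD or OSV. The following is an added example for this page, not any of those tools: a minimal version of the same range check over a pinned requirements list. The package names, advisory identifiers and version ranges are constructed, and the version parser handles only plain dotted numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str        # normalised package name
    advisory_id: str    # identifier in the vulnerability database
    introduced: str     # first affected version (inclusive)
    fixed: str          # first version containing the fix (exclusive)


# Constructed advisory data for hypothetical packages; a real tool pulls
# this from NVD, OSV or the package ecosystem's advisory feed.
ADVISORIES = [
    Advisory("pdfreport", "EXAMPLE-2024-0001", "1.0", "2.4.1"),
    Advisory("excelexport", "EXAMPLE-2023-0117", "3.0", "3.2"),
]

# Constructed requirements file, as a team might pin it.
REQUIREMENTS = """
pdfreport==2.3.0      # generates the PDF reports
excelexport==3.2.5
jsonschema==4.17.3    # no advisory in the constructed feed
"""


def parse_version(v: str) -> tuple:
    """'2.4.1' -> (2, 4, 1); shorter strings are padded so '2.4' == '2.4.0'.
    Pre-release tags and the like are out of scope for the example."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_requirements(text: str) -> dict:
    """Return {name: version} for every '==' pinned line. Unpinned lines are
    refused: a dependency that floats cannot be audited reproducibly."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    return parse_version(adv.introduced) <= parse_version(version) < parse_version(adv.fixed)


def audit(deps: dict, advisories: list) -> list:
    """Cross-check pinned dependencies against the advisory feed.
    Returns (package, pinned_version, advisory_id, fixed_in) for each hit."""
    findings = []
    for adv in advisories:
        pinned = deps.get(adv.package)
        if pinned is not None and is_affected(pinned, adv):
            findings.append((adv.package, pinned, adv.advisory_id, adv.fixed))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv_id, fixed in audit(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv_id}; upgrade to >= {fixed}")
```

Run on the constructed input, the report library pinned at 2.3.0 is flagged while 2.4.1 is clean, which is exactly the "newer version" decision the paragraph is about. Pinning (refusing unpinned lines) is what makes the result reproducible from one build to the next.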
4. Secure development
We develop securely by, for instance, validating the data entered in a form before the application uses it, and by never building database queries or web pages by concatenating that data, so that an attacker cannot inject code into the application (SQL injection against the database, XSS against other users' browsers).
With no such controls in place, nothing bad happens when a user enters "joan" as the username and "R4driguez" as the password. But if an attacker enters "joan" with a password such as `' OR 1=1 --` and the application builds its SQL query by string concatenation, the quote closes the string literal and the rest of the input becomes part of the query: either the login succeeds without a valid password, or the malformed query raises an exception in the backend database. If that exception propagates back to the user interface, the error message may contain details of our database (the engine, table names, the query itself) that the attacker can use in the next attempt.
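The scenario above, as an added example written for this page (not the application's own code), using an in-memory SQLite table constructed for the purpose with the account "joan" from the text. It shows the concatenated query letting `' OR 1=1 --` log in, a lone quote raising the backend exception the text warns about, the parameterised query treating both inputs as plain values, and an endpoint that returns only a generic message while the real error goes to the server log. It also covers the login form from the vulnerability list earlier on the page, where the same injection applies.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory user table. The password is stored in clear only
    to keep the injection visible; a real table stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('joan', 'R4driguez')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string concatenation: user input becomes SQL.
    With password "' OR 1=1 --" the WHERE clause ends up as
    username = 'joan' AND password = '' OR 1=1 --'  and matches every row."""
    query = (
        "SELECT username FROM users WHERE username = '" + username + "'"
        " AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so a quote in the input is just a character in the value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def login_endpoint(conn, username: str, password: str, log: list) -> str:
    """What the user interface should see: a generic outcome. The real
    exception text goes to the server-side log, never into the response."""
    try:
        user = login_safe(conn, username, password)
    except sqlite3.Error as exc:
        log.append(f"login error for {username!r}: {exc}")
        return "Invalid credentials"
    return "OK" if user else "Invalid credentials"


def attempt(func, conn, username: str, password: str):
    """Run a login function and report ('ok', result) or ('error', message),
    so the leaking and non-leaking behaviour can be compared side by side."""
    try:
        return ("ok", func(conn, username, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = setup_db()
    for pw in ["R4driguez", "' OR 1=1 --", "'"]:
        print(repr(pw),
              "vulnerable:", attempt(login_vulnerable, conn, "joan", pw),
              "safe:", attempt(login_safe, conn, "joan", pw))
```

The error string returned for the lone quote in the vulnerable path is the database's own parser message; that is precisely the kind of detail that must stay in the server log rather than reach the browser.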
Finally, here are some sites where you can look up library vulnerabilities:
- OWASP: the organisation publishes the OWASP Top 10, a periodically updated list of the most critical web application security risks (injection, broken access control and the like), and maintains tools such as Dependency-Check for finding components with known vulnerabilities.