Why Credit Unions should secure their Web Applications
Throughout October, which was European Cyber Security Month (ECSM), Secora Consulting provided guidance and advice on what organisations can do to improve their cyber security posture. Following on from that advice, in this feature we take a closer look at common web application vulnerabilities we often encounter while testing Credit Union applications, and what they mean.
If your Credit Union offers an online or mobile banking service, you may find your clients are using it more frequently. This could be due to the level 5 restrictions currently in place in Ireland, or simply because mobile banking is becoming widely popular. With many customers embracing this new way of banking with their Credit Union, it is important to recognise the risks associated with operating an online banking service.
The Importance of Application Testing
Throughout COVID-19, with people restricting their movements, they have turned to the internet to assist them in carrying out many tasks, from grocery shopping and virtual family gatherings to banking. This has led to organisations implementing software and applications so they can continue to operate throughout the pandemic. Ensuring your Credit Union's online banking applications have robust security features is essential to minimise your risk of breaches. The more of your customer base that sets up an account and uses your application, the more appealing it becomes to cyber criminals.
Ensuring the security controls you have in place are effective, and being able to prove this to your customers and the relevant regulatory authorities, is becoming increasingly important. Everyone wants to know that their online banking app is secure.
Common Application Vulnerabilities - What Are They?
The following vulnerabilities represent some of the top OWASP security risks to web applications. You may have heard of these before, and your applications may be at risk from them, but what exactly are they? Below we give a brief explanation of each.
- Structured Query Language (SQL) Injection
Structured Query Language (SQL) is typically used to allow applications to communicate with the database they are paired with. If user input is placed directly into a query, hackers can alter the SQL statements used in an application's backend. Carrying out an SQL injection (SQLi) attack can allow a hacker to trick your application into executing commands that provide the hacker with unauthorised access to your data.
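To make the difference concrete, here is an added Python example (not from the original article) using the standard-library sqlite3 module and a constructed three-row accounts table. The vulnerable lookup splices the username into the SQL text, so a value containing a quote changes the query's WHERE clause and returns every row; the parameterised version binds the value separately and matches nothing for the same input. Table and column names are assumptions for the example.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows for the example: three members of a fictional credit union.
MEMBERS = [
    (1, "alice", 1200.50),
    (2, "bob", 310.00),
    (3, "carol", 5400.25),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", MEMBERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Vulnerable: the caller's value becomes part of the SQL text, so the shape
    of the statement (not just the value being matched) is under their control."""
    sql = f"SELECT id, username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Hardened: the value is bound as a parameter. The driver sends the statement
    and the value separately, so the value can never be parsed as SQL."""
    sql = "SELECT id, username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> Tuple[int, int]:
    """Run both lookups against a fresh database and return the row counts
    (vulnerable, parameterised) so the difference is easy to check."""
    conn = make_db()
    try:
        return (
            len(lookup_vulnerable(conn, username)),
            len(lookup_parameterised(conn, username)),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves the same way in both versions.
    print("alice          ->", compare("alice"))
    # A value containing a quote rewrites the WHERE clause in the vulnerable
    # version and returns every account; the parameterised version matches nothing.
    print("tampered input ->", compare("x' OR '1'='1"))
```

The fix is the same in any language and framework: never build SQL by string concatenation; use the driver's parameter binding (or an ORM that does so), and treat every value from the request as data.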
- Cross-Site Scripting (XSS)
Cross-site scripting attacks exploit vulnerabilities in web applications, their servers or the plug-in systems on which they rely. By exploiting an XSS vulnerability, an attacker can hide malicious script in the content the web application delivers to the end-user's browser.
Hackers typically use this form of attack to deface websites, hijack user sessions and cookies, or redirect unsuspecting users to websites where their information can be stolen.
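The root cause of most XSS is user text being written into a page without escaping. The following added Python example (not from the original article) renders a constructed comment into a constructed HTML template twice: once unchanged, and once after escaping with the standard library's html.escape. The security header values at the end are assumptions for the example, included as the defence-in-depth layer a reviewer would expect alongside output escaping.

```python
import html
import re

# Constructed HTML fragment used by a fictional "comments" page.
COMMENT_TEMPLATE = '<p class="comment">{body}</p>'

# Constructed sample input: a comment that carries markup as well as text.
SAMPLE_COMMENT = "Great service! <script>/* constructed script payload */</script>"


def render_vulnerable(user_text: str) -> str:
    """Vulnerable: user text is dropped into the page unchanged, so any tag or
    attribute the user typed is interpreted by the browser as part of the page."""
    return COMMENT_TEMPLATE.format(body=user_text)


def render_escaped(user_text: str) -> str:
    """Hardened: HTML metacharacters are escaped on output, so the browser shows
    the characters the user typed instead of interpreting them as markup."""
    return COMMENT_TEMPLATE.format(body=html.escape(user_text, quote=True))


def contains_live_script(markup: str) -> bool:
    """Illustrative check: does the rendered page still contain an unescaped
    <script> tag that the browser would execute?"""
    return re.search(r"<\s*script\b", markup, re.IGNORECASE) is not None


# Defence in depth: even a correctly escaped page benefits from a Content Security
# Policy that blocks inline script. These are assumed header values for the example.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_COMMENT))
    print("escaped:   ", render_escaped(SAMPLE_COMMENT))
    for name, value in SECURITY_HEADERS.items():
        print(f"{name}: {value}")
```

Escaping must match the context the text lands in (HTML body, attribute, URL or JavaScript each need different encoding); a templating engine that escapes by default removes most of the opportunities to forget.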
- Broken Authentication and Poor Session Management
Broken authentication is an umbrella term for several vulnerabilities that hackers exploit to impersonate legitimate users online. Broken authentication can often coincide with a weakness in session management.
Many websites, like a Credit Union's online banking, require users to log in to access their accounts. More often than not, this is done using a username and password. When a user enters this information, the site will typically assign and send the logged-in visitor a unique session ID, which acts as the key to the user's identity on the server.
If this information is not properly secured and encrypted, it could be intercepted by a cyber criminal, who could then use it to impersonate the user.
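The properties a session ID needs follow directly from the description above: it must be unguessable, it must be tied to the user only on the server, it must expire, and it must be sent in a way that keeps it away from eavesdroppers and page scripts. The following added Python example (not from the original article) is a small server-side session store with those properties; the timeout value, cookie name and storage layout are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Idle timeout for a banking session; an assumed value for this example.
SESSION_TTL_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session store. The browser only ever holds a random token;
    the mapping from token to user stays on the server, and only a hash of the
    token is stored so a leaked copy of the store does not yield live sessions."""

    def __init__(self, ttl: int = SESSION_TTL_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id: str) -> str:
        """Issue a new session token: 32 bytes from the OS CSPRNG, unrelated to
        the user id, so it cannot be predicted or enumerated."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the user id for a live session, or None if the token is unknown
        or has been idle longer than the timeout."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self._ttl:
            del self._sessions[key]  # expired: remove so it cannot be replayed
            return None
        sess.last_seen = now
        return sess.user_id

    def rotate(self, old_token: str) -> Optional[str]:
        """Replace a token with a fresh one (after login or a privilege change)
        so a token fixed or captured before that point stops working."""
        user_id = self.lookup(old_token)
        if user_id is None:
            return None
        self.destroy(old_token)
        return self.create(user_id)

    def destroy(self, token: str) -> None:
        """Logout: invalidate server-side, not just by clearing the cookie."""
        self._sessions.pop(self._key(token), None)


def session_cookie(token: str) -> str:
    """Set-Cookie value that keeps the token off clear-text connections (Secure),
    away from page scripts (HttpOnly) and out of cross-site requests (SameSite).
    The __Host- prefix makes browsers enforce Secure and Path=/ for us."""
    return f"__Host-session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("member-42")
    print("Set-Cookie:", session_cookie(token))
    print("resolves to:", store.lookup(token))
```

Serving the whole application over HTTPS is what actually protects the token in transit; the cookie attributes stop the browser from sending it anywhere else.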
- Security Misconfiguration
Security misconfiguration is simply defined as failing to implement, or incorrectly implementing, the necessary security controls for a server or web application. This can happen quite easily, for instance due to human error, or because developers are working to a strict deadline when creating an application.
Security controls which are incorrectly defined or implemented can leave a web application open to unauthorised access by a hacker. Areas they like to target include URLs and input fields. It is best practice to carry out regular configuration reviews to ensure that the controls in place are necessary and effective.
- Insecure Deserialisation
Insecure deserialisation occurs when user-controllable data is deserialised by a web application. Hackers can manipulate serialised data in order to pass harmful data into an application. In extreme cases it is possible for hackers to replace serialised data with an object of an entirely different class, which can result in remote code execution.
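The "object of an entirely different class" problem exists because native serialisation formats let the sender name which classes the receiver should reconstruct. The added Python example below (not from the original article) shows the two standard mitigations side by side: an Unpickler that refuses every global outside an allow-list, and, preferably, a data-only format (JSON) checked against the shape the application expects. The profile fields and payloads are constructed for the example.

```python
import builtins
import io
import json
import pickle
from typing import Any, Dict

# Sample serialised payloads, constructed for the example.
PROFILE = {"member_id": 42, "display_name": "A. Member"}
SAFE_PICKLE = pickle.dumps(PROFILE)
# A pickle that refers to a callable instead of plain data. 'print' is harmless,
# but the gate below must refuse it for the same reason it refuses anything else
# not on the allow-list: the format lets the sender name arbitrary objects.
CALLABLE_PICKLE = pickle.dumps(builtins.print)

# Only these globals may be reconstructed. Plain containers and scalars need none.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED_GLOBALS."""

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not permitted")


def loads_restricted(data: bytes) -> Any:
    """pickle.loads replacement that applies the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_refused(data: bytes) -> bool:
    """True if the restricted unpickler rejects the payload."""
    try:
        loads_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


# Preferred approach for untrusted input: a data-only format plus shape validation.
EXPECTED_FIELDS = {"member_id": int, "display_name": str}


def load_profile_json(data: bytes) -> Dict[str, Any]:
    """Parse a profile from JSON and reject anything that is not exactly the
    expected set of fields with the expected types."""
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != set(EXPECTED_FIELDS):
        raise ValueError("unexpected profile shape")
    for field, expected_type in EXPECTED_FIELDS.items():
        # type() rather than isinstance(): bool is a subclass of int, and a
        # member_id of true is not a valid id.
        if type(obj[field]) is not expected_type:
            raise ValueError(f"field {field!r} has the wrong type")
    return obj


def json_is_rejected(data: bytes) -> bool:
    """True if load_profile_json refuses the payload (bad JSON or bad shape)."""
    try:
        load_profile_json(data)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return True
    return False


if __name__ == "__main__":
    print("restricted load of data pickle:", loads_restricted(SAFE_PICKLE))
    print("callable pickle refused:", is_refused(CALLABLE_PICKLE))
    print("json profile:", load_profile_json(b'{"member_id": 42, "display_name": "A. Member"}'))
```

Where a native serialisation format cannot be avoided, the allow-list should be as small as the application's own data types, and the serialised blob should additionally be signed so that only values the server produced are ever deserialised.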
- Extensible Markup Language (XML) External Entities Injection (XXE)
Extensible Markup Language (XML) is used to structure data for storage and transport. Attackers can interfere with how a web application processes XML data. This could allow them to view files located on the application's server and to access back-end systems on which the web application relies.
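XXE works through the DTD mechanism: a DOCTYPE declaration can define entities, including ones that point at files or URLs, and the parser expands them. An application that only ever expects plain data documents can therefore refuse any DOCTYPE before parsing. The added Python example below (not from the original article) does that with the standard library's ElementTree; the transfer document format is constructed for the example, and the DTD sample deliberately uses an internal entity only.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the kind of transfer instruction a banking back end might accept.
TRANSFER_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<transfer>
  <from>IE00-EXAMPLE-0001</from>
  <to>IE00-EXAMPLE-0002</to>
  <amount>150.00</amount>
</transfer>"""

# Constructed sample that declares a DTD with an internal entity. External entity
# declarations use the same DOCTYPE mechanism, so refusing DOCTYPE altogether
# closes the door to XXE before the parser ever sees an entity declaration.
DTD_XML = b"""<?xml version="1.0"?>
<!DOCTYPE transfer [ <!ENTITY note "constructed entity"> ]>
<transfer><amount>&note;</amount></transfer>"""

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with two pre-checks:
    1. reject NUL bytes, which cannot occur in well-formed UTF-8 XML but do
       appear in UTF-16 input that a byte-level DOCTYPE search would miss;
    2. reject any DOCTYPE declaration, so no entities (internal or external)
       can be defined."""
    if b"\x00" in data:
        raise ValueError("unexpected NUL byte: only UTF-8 XML is accepted")
    if DOCTYPE_RE.search(data):
        raise ValueError("DOCTYPE declarations are not accepted from untrusted input")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if the guarded parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except (ValueError, ET.ParseError):
        return True
    return False


if __name__ == "__main__":
    root = parse_untrusted_xml(TRANSFER_XML)
    print("parsed transfer of", root.findtext("amount"))
    print("DTD document rejected:", is_rejected(DTD_XML))
```

The check is deliberately blunt: a document whose comment text happens to contain the literal "<!DOCTYPE" is rejected too, which is an acceptable trade for a transaction API. Where a library offers an explicit switch to disable DTD processing and external entity resolution, turn that off as well rather than relying on a pre-scan alone.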
- Broken Access Controls
Access controls enforce policies which prevent users accessing or viewing restricted information or resources. Most applications have at least two user levels, an Administrator level and a Standard User level. Access control weaknesses are usually the result of developers not undertaking functional testing of these controls.
Failures in your access control policies can lead to unauthorised information disclosure, the modification or destruction of data (whether accidental or intentional), or unauthorised users making use of privileged functions. As such, broken access controls can leave an organisation vulnerable to attack from both the inside (employees) and the outside (attackers).
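The two failure modes described above map onto two checks a banking back end has to make on every request: does this user own the object they are asking for, and does this user hold the role the function requires? The added Python example below (not from the original article) shows an account lookup that checks only existence beside one that checks ownership, and a decorator that ties an administrator-only operation to its role check. Users, accounts and the audit line format are constructed for the example.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "member" or "admin" for this example


@dataclass
class Account:
    account_id: str
    owner_id: str
    balance: float


class AuthorizationError(PermissionError):
    """Raised when the requester may not perform the action."""


# Constructed sample data: two members with one account each, and one staff user.
ACCOUNTS: Dict[str, Account] = {
    "acc-1001": Account("acc-1001", "member-a", 820.00),
    "acc-1002": Account("acc-1002", "member-b", 4100.50),
}
MEMBER_A = User("member-a", "member")
MEMBER_B = User("member-b", "member")
ADMIN = User("staff-1", "admin")


def get_account_vulnerable(accounts: Dict[str, Account], account_id: str) -> Account:
    """Vulnerable: checks only that the record exists. Any logged-in member who
    changes the id in the request reads another member's account."""
    return accounts[account_id]


def get_account(accounts: Dict[str, Account], requester: User, account_id: str) -> Account:
    """Hardened: the object is released only if the requester owns it or holds
    the admin role. 'Missing' and 'not yours' raise the same error so the
    endpoint does not confirm which account ids exist."""
    acct = accounts.get(account_id)
    if acct is None or (acct.owner_id != requester.user_id and requester.role != "admin"):
        raise AuthorizationError("account not accessible")
    return acct


def require_role(role: str) -> Callable:
    """Decorator for privileged functions: the check lives with the function,
    not in whichever screen or menu happens to call it."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(requester: User, *args, **kwargs):
            if requester.role != role:
                raise AuthorizationError(f"{role} role required")
            return fn(requester, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def freeze_account(requester: User, accounts: Dict[str, Account], account_id: str) -> str:
    """Privileged operation; returns an audit line in a constructed format."""
    acct = accounts[account_id]
    return f"AUDIT action=freeze account={acct.account_id} by={requester.user_id}"


def can_read(requester: User, account_id: str) -> bool:
    """Convenience wrapper: does the hardened lookup release this account?"""
    try:
        get_account(ACCOUNTS, requester, account_id)
        return True
    except AuthorizationError:
        return False


def can_freeze(requester: User, account_id: str) -> bool:
    """Convenience wrapper: may this user invoke the privileged function?"""
    try:
        freeze_account(requester, ACCOUNTS, account_id)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    print("member-a reads own account:", can_read(MEMBER_A, "acc-1001"))
    print("member-a reads member-b's account:", can_read(MEMBER_A, "acc-1002"))
    print("member-b freezes an account:", can_freeze(MEMBER_B, "acc-1001"))
    print(freeze_account(ADMIN, ACCOUNTS, "acc-1001"))
```

Checks like these are exactly what the functional testing mentioned above should exercise: for every endpoint, log in as a standard user and request another user's objects and the administrator functions, and confirm each is refused.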
- Vulnerable Components
Developers may unknowingly use components in their web applications which are out-of-date, susceptible to attack, or unsupported. It could even be the case that a component was included which was fully supported and patched at the time of launch, but since hasn’t been updated and may be missing critical patches.
Ensuring that all components used in your applications are as up to date as possible is critical, as component updates typically include security fixes or improvements. If your application is running an out-of-date component, that component may have a known vulnerability through which a hacker can gain access and steal sensitive information or hijack your systems.
How Can Secora Consulting Help?
To ensure a high level of security within your applications, manual testing is vital; it takes specialised expertise and vast experience to explore the length and breadth of an application and identify vulnerabilities like those highlighted above. Serious threats and vulnerabilities can often be missed by automated scans, so manual testing is an effective way of detecting missing or ineffective security controls.
At Secora Consulting, we offer a range of services that can identify these vulnerabilities and more. Our web application penetration testing service consists of a simulated attack on your web application, with the aim of replicating the actions of a malicious actor and identifying vulnerabilities.
Looking for a more comprehensive review of your IT infrastructure? Consider an infrastructure penetration test, where Secora Consulting will examine your entire infrastructure and determine the most likely avenues of attack.
Struggling to align with Central Bank requirements?
Secora Consulting’s bespoke IT Security Framework can be tailored to suit your Credit Union and assist you in aligning with the Central Bank's requirements regarding IT Governance and Risk Management.
We will provide your Credit Union with a bespoke, independent third-party verification framework. This framework will allow you to prepare effectively for your Central Bank audits by remediating any weaknesses in your security controls, and will align you with all of the Central Bank's IT Security expectations.
All of Secora Consulting's assessments are tailored to our clients' needs.
Using our experience, we can help you determine which services are right for you.
We have arranged our services into four groups based on the objective of the tests.