Get your FREE consultation
Our team will contact you
Question (if applicable)
By clicking the button you agree with our Privacy Policy

Prevent TOP 5 information security mistakes that can harm your business in 2020

In 5 mins read you will know, how to avoid them
1. Notifications

If you sending notifications (email, push, etc) to the users, you can send them wrong or test notification that can harm your business.

  • Split access to notification services (API tokens, login and password, certificates, etc) to production and test environment
  • Don't share certificates for sending mobile push notifications between developers
  • Create a message review process before sending notifications to the users
Note: "BelkaCar app crashes. Users in bulk received messages about a rental car." (Source link)
Pic.1 - Erroneously notification from BelkaCar (picture source link)
Message translation "Booking is switched to the payment mode"
2. Two-factor authentication (2FA) misconfiguration

If you want to increase clients protection mechanisms in your application, you will focus on 2FA that will help you to verify users actions (transactions, password changes, etc), but the realization is not enough, proper configuration is much more important.

Make sure that you two-factor authentication mechanisms is configured properly:

  • Don't allow change source for getting second-factor code (OTP)
  • Limit OTP validation attempts
  • OTP can't be reused in any other places and unique for every request
  • Make sure that your OTP code is not predictable.
Note: "Hack Brief: Hackers Stole $40 Million from Binance Cryptocurrency Exchange" (Source link)
3. Exposed databases

Companies are not scanning their external perimeter and not validating exposed to internet services for unauthorized access. Attackers scan external perimeter and it can have opened databases.

To avoid, you need to::

  • Scan your external perimeter periodically (Assetnote, etc)
  • Scan services on opened ports for unauthorized access (Qualys, etc)
Note: "Database of U.S. Voters Left Exposed" (Source link)
Pic.2 - Exposed database with users data (source link)
4. Lack of credentials security for authentication

An authentication configuration on service is not enough to be fully protected. Authentication can be bypassed if you are improper securing your credentials.

To avoid, you need to:

  • Always change default passwords
  • Don't use predictable passwords (Pwned passwords, etc)
  • Use passwords generators for generating strong passwords (LastPass Password Generator, etc)
  • Don't store your passwords in source code management systems (GitHub, Gitlab, etc)
  • Don't save passwords in browsers, documents, etc. More secure way is to use password managers (LastPass, etc)
Note: "Equifax used the word 'admin' for the login and password of a database" (Source link)
5. Slow web or mobile application load

Some scripts or attacks can slow down your web or mobile application load. This can be malware scripts injected by attackers on your web site, DDoS attack, etc

To avoid, you need to:

Note: "If web or mobile application load more than 1 second, you loosing your clients"
Pic.3 - VirusTotal Whitespots.io scan results (source link)
Summary

Stay away from cyber-attacks is not easy, but with right approach and people, nothing is impossible.

Thank you for reading until the end.

Your friend in information security world,
(c) Whitespots team.

    Get your FREE consultation

    Email
    Question (if applicable)
    By clicking the button you agree with our Privacy Policy