In today’s world of rapidly developing technology, new threats emerge that we may not anticipate. Our answer is NEWORDER Group, an Information Security and Ethical Hacking Professional Service that provides an in-depth insight into your school’s actual state of security. It verifies whether you have put in place the best security measures to minimise the impact of any and all security risks.
NEWORDER will assist in identifying the risks by performing the required tests to determine your school’s vulnerability.
EXTERNAL VULNERABILITY ASSESSMENT AND PEN-TEST OVERVIEW
The NEWORDER Information Security and Ethical Hacking Professional Services provide a strategic and tactical insight into the School’s real state of security. It verifies whether the “best practices” and appropriate security measures are in place to mitigate and minimise the impact of known and unknown security risks. We assist with the identification of these risks by directly probing and performing Web Application Scanning, Discovery, Vulnerability Assessments, and Exploitation, much like an actual attacker would do.
A Black Box or Blind Pen-test is performed with zero or minimal prior information about the School. Black Box pen-testing simulates an external attacker who only has the School’s Web Application URL. All the additional information needed for the test will be sourced by the “attacker” using various resources such as the School Website, Scanning, Social Networking Websites, Social Engineering, DNS Records, Whois records, etc.
The methodology framework is combined with the external risks that any school is faced with in today’s computer technology environment.
In this Black Box pen-test, we attempt to identify weaknesses in hosting environments as well as web applications by using a combination of known and unknown attack vectors. In this Zero-Knowledge pen-test, the security posture of the web application and hosting environment is tested without any valid credentials or privileges; we then attempt to obtain credentials and privileges through the various attack methods.
The NEWORDER Pen-Test 2.0 framework is unique to the NEWORDER brand, as it was developed in-house through decades of research, case studies, and hands-on expertise.
There is NO Silver Bullet. Tools do not make software secure! They help scale the process and help enforce the policy. Remember that security is a process, not a product.
While it is tempting to think that a security scanner or application firewall will either provide a multitude of defences or identify a variety of problems, in reality there are no silver bullets for the issue of insecure software. Most importantly, these tools are generic, meaning that they are not designed for your custom code but for applications in general. The effect of this is that, while they can find some general problems, they do not have enough knowledge of your custom application to detect most flaws. A combination of industry-leading and custom-developed automated tools was used to perform parts of the external assessment, combined with our unrivalled skillsets, unique methodology, frameworks, and experience.
Some industry-leading automated tools and custom developed automated tools will be used to perform parts of the external assessment. Most of the evaluation will be performed by applying skill, based on our unique methodology, frameworks and experience.
An effective Information Security Management initiative can only be built upon a clear understanding of the aims and goals of the business, so that the outcomes can demonstrate benefits to the whole organisation. All too often we see a disconnect between an organisation’s business strategy and the security functions that are in place to support its operations. It appears that the wider business does not fully understand the possible security risks or how these would impact critical services; consequently, security is simply left out of its strategy. On top of this, the traditional way in which organisations tend to manage risk against cyber-attacks is to roll out a wide range of technologies and tools. These technologies are often unrelated and therefore not managed holistically. This approach may be effective against specific threats, but it is heavily dependent upon technology and does not allow a business to develop aligned business and security strategies. This disjointed approach also makes it difficult to prioritise investment in Information Security Management, and it is the reason why so many Information Security programmes fail to deliver on the intended benefits: they fail to demonstrate how they support a business’s overarching objectives.
The NEWORDER custom-developed Corporate Threat Protection and Prevention Framework provides an additional layer of capabilities around an organisation’s existing ICT security mechanisms. Perimeter security, network security, endpoint security, application security, and critical business assets are the core areas of the Corporate threat assessment, which will highlight shortfalls within technical configurations, business processes, governance enforcement, and professional skills.
The NEWORDER “Threat Intelligence Cyber Warfare Center” has been designed to operate as a multi-tenant managed security service provider (MSSP) to integrate our professional security as a service (SECaaS) model into any organisation’s infrastructure on a subscription-based or SLA-based model. The service offering is specifically focused on organisations that seek to be associated with an industry-recognised Information Security brand to manage Information Security as a whole, so that those organisations can focus on other aspects of emergency response and leave the technology infrastructure to specialised professionals.
The guideline employed during our evaluations is primarily based on the Open Web Application Security Project (OWASP) framework and on internally developed guidelines and frameworks based on years of experience. The following section provides an overview of the OWASP 2017 Top 10 list:
A1 - INJECTION
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorisation.
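As an added illustration of the A1 flaw (example code written for this overview, not NEWORDER's own tooling), the same lookup is shown twice: once with untrusted input concatenated into the SQL text, and once as a parameterised query, against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real system.
USERS = [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")]


def make_db():
    """Create an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    # The request parameter is pasted into the query string, so the SQL
    # interpreter cannot distinguish data from command: this is the A1 flaw.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    # Parameterised query: the value travels separately from the SQL text and
    # is only ever treated as data, whatever characters it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    textbook_input = "' OR '1'='1"  # the tautology used in every injection primer
    print(lookup_vulnerable(db, textbook_input))  # every row is returned
    print(lookup_safe(db, textbook_input))        # [] - treated as a literal name
```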
A2 - BROKEN AUTHENTICATION
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
A3 - SENSITIVE DATA EXPOSURE
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
A4 - XML EXTERNAL ENTITIES (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
A5 - BROKEN ACCESS CONTROL
Restrictions on what authenticated users are allowed to do are often not adequately enforced. Attackers can exploit these flaws to access unauthorised functionality and/or data, such as access to other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
A6 - SECURITY MISCONFIGURATION
Security misconfiguration is the most commonly seen issue. This is usually a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
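The "misconfigured HTTP headers" and verbose banners mentioned above can be checked mechanically. The audit function below is an added example written for this overview, not part of NEWORDER's framework; the header set and the one-year HSTS threshold follow common OWASP guidance, and the two response header sets are constructed samples.

```python
import re
from typing import Dict, List

# Hardening headers whose absence is a typical A6 finding (names compared case-insensitively).
REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security missing: downgrade to plain HTTP possible",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "content-security-policy": "Content-Security-Policy missing: no restriction on script sources",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}
# Headers that commonly leak software versions to anyone who requests the page.
VERBOSE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
ONE_YEAR = 31536000  # seconds; the commonly recommended minimum HSTS max-age


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one HTTP response's headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in lower]
    hsts = lower.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (m is None or int(m.group(1)) < ONE_YEAR):
        findings.append(f"Strict-Transport-Security max-age too short: {hsts!r}")
    for name in VERBOSE_HEADERS:
        value = lower.get(name)
        if value and any(ch.isdigit() for ch in value):  # a digit usually means a version
            findings.append(f"{name} discloses a version string: {value!r}")
    return findings


# Constructed sample responses: a default install beside a hardened one.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html",
}
HARDENED_RESPONSE = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for finding in audit_headers(WEAK_RESPONSE):
        print("WEAK:", finding)
    print("HARDENED findings:", audit_headers(HARDENED_RESPONSE))
```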
A7 - CROSS-SITE SCRIPTING (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A8 - INSECURE DESERIALIZATION
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate severe data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts.
A10 - INSUFFICIENT LOGGING AND MONITORING
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to attack systems further, maintain persistence, pivot to more systems, and tamper, extract or destroy data. Most breach studies show time to detect a breach is over 200 days, typically identified by external parties rather than internal processes or monitoring.
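The gap described under A10 is closed by actually reading the authentication log. The detector below is an added example for this overview (not NEWORDER's own tooling); the log line format and the sample lines are constructed, and the threshold of five failures per source within sixty seconds is an assumption to be tuned per school.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (RFC 5737 documentation addresses); the format is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z auth login_failed user=admin src=203.0.113.7
2024-03-01T08:00:02Z auth login_failed user=admin src=203.0.113.7
2024-03-01T08:00:03Z auth login_failed user=admin src=203.0.113.7
2024-03-01T08:00:04Z auth login_failed user=admin src=203.0.113.7
2024-03-01T08:00:05Z auth login_failed user=admin src=203.0.113.7
2024-03-01T08:00:06Z auth login_failed user=admin src=203.0.113.7
2024-03-01T08:00:07Z auth login_ok user=admin src=203.0.113.7
2024-03-01T08:01:10Z auth login_failed user=bob src=198.51.100.3
2024-03-01T08:01:20Z auth login_ok user=bob src=198.51.100.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, event, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["event"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with many failed logins in a window, and any success that follows them."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerted = set()              # sources already reported for the volume alert
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated or malformed line; in production, count these too
        ts, event, user, src = parsed
        q = recent[src]
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if event == "login_failed":
            q.append(ts)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(f"{src}: {len(q)} failed logins within {int(window.total_seconds())}s (latest user={user})")
        elif event == "login_ok" and len(q) >= threshold:
            # A success right after a burst of failures is the case worth paging on.
            alerts.append(f"{src}: successful login as {user} after {len(q)} recent failures (possible compromise)")
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```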
Checks on vulnerabilities in web applications will include, but are not limited to, the following:
1. UNVALIDATED PARAMETERS
Information from web requests is not validated before being used by a web application. Check for flaws that could lead to an attack on backend components through the web application.
2. BROKEN ACCESS CONTROL
Check to ensure that restrictions on what authenticated users are allowed to do are properly enforced. Check whether these restrictions can be bypassed to access other users’ accounts, view sensitive files, or use unauthorised functions.
3. BROKEN ACCOUNT AND SESSION MANAGEMENT
Ensure that account credentials and session tokens are properly protected.
4. CROSS-SITE SCRIPTING (XSS)
Ensure that the web application cannot be used as a mechanism to transport an attack to an end user’s browser. Check that it cannot be used to disclose the end user’s session token or to spoof content in order to fool the user.
5. BUFFER OVERFLOWS
Check that web application components such as CGI programs, libraries and web application server components properly validate their input, so that malformed input cannot cause the system to crash.
6. COMMAND INJECTION FLAWS
Ensure that the web application does not pass unvalidated parameters when it accesses external systems or the local operating system.
7. ERROR HANDLING PROBLEMS
Ensure that the web application does not allow an attacker to cause errors to occur that the web application does not handle.
8. REMOTE ADMINISTRATION FLAWS
Ensure that remote administration functions are protected to prevent an attacker from gaining full access to all aspects of a site.
9. APPLICATION DENIAL OF SERVICE
Ensure that an attacker cannot consume all of the required resources, thereby preventing legitimate users from using the system.
10. INSECURE CONFIGURATION MANAGEMENT
Ensure that web servers, application servers and web application environments are not susceptible to misconfiguration.