The government’s Cyber Crime Reduction Partnership and the technology industry trade association techUK have revealed the ten most common online security pitfalls, and what users can do to protect themselves.
Penetration tests conducted over the last 12 months demonstrated that although new threats are emerging, well-known and well-understood vulnerabilities are still the most common, as Gordon Morrison, director of tech for government at techUK, explains.
‘These threats may not be new, but all still pose a real risk to UK web users,’ says Morrison. ‘The good news for businesses and citizens is that there are well established fixes available to protect against these vulnerabilities and avoid falling victim to cyber crime.’
The level of cyber threat to UK businesses is significant, with some attacks causing more than £1 million in damage in 2014. 87% of small firms experienced a security breach, and 93% of large organisations had also been targeted.
A new report, Securing Web Applications and Infrastructure, identifies the problems being detected most recently by the security industry, the harm they can cause and what to do to avoid them, so the impact and cost of cyber crime to the UK can be reduced.
The top ten threats online today
Account weaknesses, and especially a weak password policy
Secure Sockets Layer (SSL) issues
SSL provides a secure connection between the browser and a specific server (domain): it encrypts the data in transit and authenticates the two ends of the connection to each other. However, tests consistently show weaknesses in deployments, ranging from weak ciphers in use to self-signed and expired certificates.
Cross site scripting (XSS)
XSS is one of the most common vulnerabilities; it enables attackers to inject executable script into web pages viewed by other users.
Clear text protocol in use
No brute force protection
Brute force is a simplistic but sometimes very effective way to attack an application: passwords and/or encryption keys are guessed repeatedly, usually by automated tools, until one succeeds.
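The standard fix for the pitfall above is to slow the guessing down. The following is an added example (not code from the report or from techUK) of a login throttle that counts failed attempts per account and per source address and locks either key after a burst of failures; the thresholds, the key names and the attempt_login function are assumptions for illustration, not values from the report.

```python
import time
from collections import defaultdict, deque

# Assumed policy values (not from the report): lock a key after MAX_FAILURES
# failed attempts inside WINDOW_SECONDS, for LOCKOUT_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


class LoginThrottle:
    """Tracks recent failed logins per key (account or source address)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of failures
        self._locked_until = {}              # key -> time the lock expires

    def _prune(self, key, now):
        # Drop failures older than the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lock expired: forget it and the failures that caused it.
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        """Records a failure; returns True if this failure triggered a lock."""
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, username, source_ip, password_ok, now=None):
    """Returns 'locked', 'ok' or 'failed'.

    Both the account and the source address are keyed, so one guessing
    source is slowed whichever accounts it targets, and one targeted
    account is protected whichever sources the guesses come from.
    """
    now = time.time() if now is None else now
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(throttle.is_locked(k, now) for k in keys):
        return "locked"
    if password_ok:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "failed"


def simulate_guessing():
    """Constructed scenario: five wrong guesses, then the right password
    during the lock, then the right password after the lock expires."""
    throttle = LoginThrottle()
    outcomes = []
    for i in range(5):
        outcomes.append(attempt_login(throttle, "alice", "203.0.113.9",
                                      password_ok=False, now=i))
    # Correct password, but the account is now locked.
    outcomes.append(attempt_login(throttle, "alice", "203.0.113.9",
                                  password_ok=True, now=10))
    # Well past LOCKOUT_SECONDS: the lock has expired.
    outcomes.append(attempt_login(throttle, "alice", "203.0.113.9",
                                  password_ok=True, now=1000))
    return outcomes


if __name__ == "__main__":
    print(simulate_guessing())
```

The check runs before the password is verified, so a locked key never reaches the credential store. The response returned for a locked account should look the same to the client as an ordinary failed login; a distinct "account locked" message tells an attacker that the username exists, which is the user enumeration problem listed further down.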
No ‘clickjacking’ protection
Cookies not marked HttpOnly or not marked Secure
This means the cookie could be stolen by an attacker who intercepts the traffic, for example after a successful man-in-the-middle (MITM) attack, or who is able to read it from within the page.
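Both the clickjacking and the cookie pitfalls are visible in a server's response headers: the Secure attribute stops a cookie being sent over plain HTTP, HttpOnly stops page script reading it, and an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive stops the page being framed by another site. The following is an added example (not code from the report or from techUK) that audits raw response headers for exactly those three things; the two sample responses are constructed for illustration and the function names are assumptions.

```python
def parse_headers(raw):
    """Parse raw response header text into (lowercased name, value) pairs,
    keeping repeated headers such as Set-Cookie in order."""
    headers = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip the status line and blank lines
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_set_cookie(value):
    """Split a Set-Cookie value into the cookie name and its attributes.
    Flag attributes (HttpOnly, Secure) map to True; others keep their value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_response_headers(raw):
    """Return a list of findings for missing cookie flags and missing
    framing protection; an empty list means the checks all passed."""
    findings = []
    headers = parse_headers(raw)

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            findings.append(f"cookie '{cookie}' lacks HttpOnly (readable by page script)")
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie}' lacks Secure (may be sent over plain HTTP)")

    xfo = [v for n, v in headers if n == "x-frame-options"]
    csp = [v for n, v in headers if n == "content-security-policy"]
    framing_restricted = (
        any(v.strip().upper() in ("DENY", "SAMEORIGIN") for v in xfo)
        or any("frame-ancestors" in v.lower() for v in csp)
    )
    if not framing_restricted:
        findings.append("no clickjacking protection: set X-Frame-Options "
                        "or a CSP frame-ancestors directive")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
Set-Cookie: prefs=dark; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
Set-Cookie: prefs=dark; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
"""

if __name__ == "__main__":
    for finding in audit_response_headers(WEAK_RESPONSE):
        print("WEAK:", finding)
    print("hardened findings:", audit_response_headers(HARDENED_RESPONSE))
```

The same checks can be run over saved responses from a crawl or from a web server's staging configuration, so the two pitfalls are caught before a penetration test has to report them.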
Host configuration issues, especially firewall issues and IP leakage
Information disclosure, and especially user enumeration