Testing and Securing Web Applications

By Greg Johnson, CEO of Webcheck Security

Cybersecurity is a multi-faceted pie: many pieces, independent yet connected. Each piece, whether it deals with policy, business continuity, anomalous alerts or signatures, is a critical component, and each becomes important as it relates to web applications.

We all use web applications, from QuickBooks to Microsoft Office or Google Suite, from banking apps and information portals to Salesforce and Qualtrics, and each one is supported by the pieces of that pie.

Testing and Securing Web Applications is a book touching not just on the web application itself but on the whole cloud infrastructure that supports it. Indeed, it is a book about cybersecurity in general. The book is laid out in the following manner:

Chapter 1. Network Security
Chapter 2. Cryptography
Chapter 3. Penetration Testing
Chapter 4. Threat Hunting
Chapter 5. Conclusion

From network protocols and infrastructure to the cryptography algorithms protecting data in transmission or storage, the base of the web application’s infrastructure is explored.

Next, the key elements of penetration testing – or benevolent hacking – are explored in detail. Tools and technologies, methods, even a step-by-step test process are described in detail. The “art” of pen testing is examined with its many components, not the least of which is skill at writing and documenting findings in a way that is helpful to developers.

Finally, hunting for threats by experienced analysts is explored in the context of a Security Operations Center, or SOC. A SOC is a combination of technology and expert analysts. Such analysts are the professionals who find the needles in the haystack: the needles that can compromise a system and lead to a data breach.

Testing and Securing Web Applications is written for both layman and practitioner, and could serve as a course text. Chapter beginnings lay out and define concepts, and deeper descriptions await those wanting to learn more. The inexperienced can choose to read chapter beginnings and paragraph introductions; the practitioner, or anyone wishing to delve deeper, can digest it all.

About the Author(s)

Ravi Das is a Business Development Specialist for The AST Cybersecurity Group, Inc., a leading cybersecurity content firm located in the Greater Chicago area. Ravi holds a Master of Science degree in Agribusiness Economics (thesis in International Trade) and a Master of Business Administration in Management Information Systems. He has authored five books, with two forthcoming ones on artificial intelligence in cybersecurity, and on cybersecurity risk and its impact on cybersecurity insurance policies.

Greg Johnson is the CEO of the penetration test company, Webcheck Security. Greg started Webcheck Security after serving on several executive teams and a long sales and management career with technology companies such as WordPerfect/Novell, SecurityMetrics, A-LIGN, and Secuvant Security. A Brigham Young University graduate, Greg began his career in the days of 64k, 5.25" floppy drives and Mac 128k’s. As the industry evolved, Greg moved into the cyber arena and provided his clients with solutions surrounding compliance, digital forensics, data breach and response, and in 2016 earned the PCI Professional (PCIP) designation. In several business development roles, Greg consulted, guided and educated clients in compliance guidelines and certifications for standards including PCI, HIPAA, ISO 27001, NIST, SOC 1 and SOC 2, GDPR/CCPA, and FedRAMP.

When he is not providing cyber solutions for his clients, he can be found spending time with his wife Kelly, playing with his grandchildren, and rehearsing or performing with the world-renowned Tabernacle Choir on Temple Square.

To order your copy click here!


To learn more about services at Webcheck Security click here.


Introduction


In today’s business landscape, shaped by the COVID-19 pandemic, there is a lot of uncertainty to wade through. One source of it is the decision to hire a full-time, direct-hire CISO, which carries a lot of expense, starting with salary.


For example, depending upon their level of expertise and the size of the company, CISO salaries range anywhere from $185,000 to upwards of $400,000. Keep in mind that this does not include an elaborate benefits package, stock options, bonuses, etc.


Also, the average tenure of a CISO is just under two years. Burnout rates are very high, and the stress placed on them easily pulls their focus away from the tasks they are supposed to accomplish.


Another key aspect to keep in mind is that a CISO will have a limited range of expertise. While they may be highly skilled in one particular area, those skills will not necessarily transfer to the other areas of cybersecurity that businesses need today.


So what is the solution to these problems? The answer lies in hiring what is known as a Fractional Information Security Officer, or FISO for short.


What The FISO Can Do For You


Many Managed Security Service Providers (MSSPs) offer FISO services today. You can hire a FISO for as long as you need them, at a fraction of the cost (hence the name) of a full-time CISO. For example, you can hire them for just a few hours a week, or more as needed, depending upon your specific requirements.


One of the key benefits of a FISO is that, since they are typically hired on a contractual basis, you can end the engagement or onboard them again as needed. In other words, they are highly scalable, unlike a direct-hire CISO.


So what can they do for you? Here is just a sampling:


  1. Initiating an Assessment Program: Assessing how much risk your company can tolerate is a complex process. With the breadth of experience a FISO brings to the table, they can produce a risk assessment within days that determines where hidden vulnerabilities exist in your policies and practices as well as in your IT and network infrastructure. They will also take each digital asset you have and, on a defined categorical scale, rank how vulnerable (or not) it is to a security breach. With that in hand, you can carve out a far more efficient and effective cybersecurity strategy for your company. The FISO you hire can also vet third-party vendors to ensure they comply with your established security requirements.

  2. The Development of Key Plans: Given what the world is facing today, the C-suite across many businesses is realizing the importance of developing and executing mission-critical programs that keep the organization operating even through a second wave of COVID-19, should it occur. Once again, the FISO will have the experience to help you initiate and draft the following plans:

     • Incident Response (IR) Planning: This plan spells out the steps your business takes to respond to a threat once it has been detected, including both how to react to it and how to mitigate it. It also covers analysis of your cyber insurance coverage and the protocols for contacting the insurer, legal counsel and public relations.

     • Disaster Recovery (DR) Planning: Once you have contained the impact of an incident, the next step is to resume critical business operations as quickly as possible. With the FISO’s risk assessment in hand, you will know immediately which processes must be restored first and which can follow.

     • Business Continuity (BC) Planning: After operations are back to some degree of normalcy, the next step is to work out how the organization continues viably well into the future, by further mitigating the risk of future cyberattacks using the lessons learned. The FISO can create this plan as well, drawing on the experience of their wider network of contacts, something a direct-hire CISO typically cannot do.

  3. Maintaining Prioritized Cyber Governance and Oversight: With the remote workforce here for some time to come, the meshing of home and corporate networks is becoming a real problem, and the key risk is the exposure of confidential information and data. Regulators are watching under the CCPA, GDPR, and even HIPAA; if you do not comply, you will likely face an audit and possibly some very harsh penalties. A good FISO has the skillset to build a program covering industry, federal and state requirements as well as best practices, and to put in place a set of controls that keep you compliant for a long time to come. In stark contrast, a typical CISO would have to hire outside consultants for this task, costing your company even more money. With a FISO, any other resources needed are part of the fixed package.

  4. Implementing Security Awareness Programs: Security awareness training is a hot-button topic today, especially with work from home. Unfortunately, many IT security teams are too overburdened to deliver this instruction to employees, so the task often falls to the Human Resources (HR) department, which more than likely lacks the expertise to deliver an in-depth training program. The FISO fits this role well and can provide the in-depth, quality instruction that is so badly needed today.


Conclusions


Apart from what has been reviewed, the FISO can also do the following:

  • Procure the cybersecurity insurance policy best suited to your company

  • Help you prepare an IT security budget that secures the funding you need

  • Take part in forensic examinations to collect hard-to-find evidence

“I am amazed at how many businesses in America, even approaching billions in revenue, don’t have a CISO to guide them in their organization,” says Greg Johnson, CEO of Webcheck Security. “Cyber risk mitigation cannot be done effectively with a great IT team alone – the demands of the operational du jour are too great. There must be prioritized governance and leadership from a seasoned, certified, qualified professional.”


To learn more please visit our FISO page by clicking here.


To hire a FISO contact us by filling out the form here.


The US economy ushered in 2020 with high hopes for a productive new year. No one foresaw that before the end of the first quarter the world would head into lockdown. Companies that had the ability moved to work-from-home models. Many businesses slowed, yet Zoom and other technologies and industries surged as demand for video calls, toilet paper, and managed service providers (MSPs) skyrocketed.

In this shifted paradigm, how do we protect and secure our systems? How do we navigate what is becoming our new normal? Let's take a quick look at the cyber landscape now and then delve into what we need to do to be prepared.

What is happening?

"Any type of world event is used by bad actors as a distraction" - Greg Johnson, CEO Webcheck Security

In this age of coronavirus, hackers have found multiple avenues in which to direct their attacks. For example, when virus cases spiked in Italy, cybercrime spiked as well. Attackers saw a weakness and did not care that we were sick; they go after us precisely when we are vulnerable. Warnings from the FBI tell us that health-related domains are being bought or hijacked by hackers at an alarming rate. COVID-19-themed emails have become the norm as bad actors tempt you to visit sites claiming to have information, when all they really have is malware. "Zoom bombing" has become a new trend, with pornographic content displayed to embarrass but also as a way to harvest credentials. Awareness is the critical issue here. As everyone works from remote locations, the attack surface grows, because employees are no longer all behind the same managed firewall.


What to do about it

So with these new remote working conditions, how do we ensure a modicum of security? Implementing cybersecurity best practices for remote workers, along with a framework such as the CIS 20 Controls, should be a priority. Here are four simple things we can do to keep our companies safe:


  1. VPN. Have all employees working from home use a VPN. A VPN, or Virtual Private Network, encrypts the data stream from the remote user to the company network, ensuring that your company's data is protected in transit. VPNs can be deployed easily at relatively low cost. Keep in mind that a VPN protects only the tunnel: it does nothing for an already-compromised home machine, so pair it with endpoint protection and multi-factor authentication.

  2. Password Policy. Have and enforce an adequate password policy. For example, NIST SP 800-63B requires user-chosen passwords of at least 8 characters, recommends allowing long passphrases (at least 64 characters) instead of forcing character-composition rules, and says to reject passwords that appear in breach lists.

  3. Phishing Simulations. Conduct regular phishing exercises and training. With most of the workforce now working unsupervised at home, employees need basic phishing awareness to avoid malware and protect the company's data. Remember: if it's an email you don't recognize or aren't expecting, DO NOT CLICK. Webcheck Security can provide this training if you need it.

  4. Vulnerability Scanning. Run a vulnerability scan at least quarterly; attackers run them against you, so why shouldn't you? Scanners automatically check your sites and hosts for the "low-hanging fruit": known vulnerabilities that are easy to exploit. Once found, you can fix them before a bad actor uses them against you. Better still, run a penetration test.
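As an added illustration of the password-policy item above (this is example code written for this page, not code from the original post or from Webcheck Security), here is a password-acceptance check in Python that follows the NIST SP 800-63B rules for user-chosen memorized secrets: a minimum of 8 characters, a generous maximum so long passphrases are allowed, no character-composition rules, and rejection of breached, repetitive or sequential, and context-specific values. The breached-password set is a tiny constructed sample; a real deployment would check against a full breach corpus. Function names and the run-length threshold are this example's own choices.

```python
import unicodedata
from typing import Iterable, List

# Constructed sample of known-breached passwords (assumption: a real
# deployment checks against a full breach corpus, not this tiny set).
BREACHED = {"password", "passw0rd", "123456", "qwerty", "letmein", "welcome1"}

MIN_LEN = 8    # SP 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LEN = 64   # SP 800-63B: verifiers should accept at least 64 characters
RUN_LEN = 4    # example's own threshold for a "repetitive or sequential" run


def normalize(secret: str) -> str:
    """NFKC-normalize so equivalent Unicode spellings compare and count equally."""
    return unicodedata.normalize("NFKC", secret)


def has_run(s: str, length: int = RUN_LEN) -> bool:
    """True if s contains `length` identical or consecutive characters in a row
    (e.g. 'aaaa', '1234', 'dcba'), which 800-63B says verifiers should reject."""
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(secret: str, context: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means
    it is acceptable.  Length is counted in code points after normalization,
    spaces are allowed, and no character-class composition rule is imposed.
    `context` holds words such as the username or service name that must not
    appear inside the password."""
    s = normalize(secret)
    lowered = s.lower()
    problems: List[str] = []
    if len(s) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if lowered in BREACHED:
        problems.append("found in breached-password list")
    if has_run(lowered):
        problems.append(f"contains {RUN_LEN} repeated or sequential characters")
    for word in context:
        if word and word.lower() in lowered:
            problems.append(f"contains context word {word!r}")
    return problems


def is_acceptable(secret: str, context: Iterable[str] = ()) -> bool:
    """Convenience wrapper: True when check_password finds nothing wrong."""
    return not check_password(secret, context)


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Passw0rd", "short", "1234abcd"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Note what the check deliberately does not do: it never demands an uppercase letter, a digit or a symbol. SP 800-63B dropped those composition rules because they push users toward predictable patterns; length plus a breach-list check is the better control.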


Vulnerability Scanning and Penetration testing

The best way to find out whether you are actually secure is to run a penetration test. Service providers especially need full penetration tests. While a vulnerability scan sweeps over the first layer, a penetration test is a deep dive into every layer. An ethical hacker uses multiple tools to find weaknesses and then delivers a report carefully documenting the findings. A key part of penetration testing services from Webcheck Security is that it can all be done remotely. There is no need to be onsite for pen tests, and when our engineers need to get behind the firewall, a box can be shipped to the site and simply plugged in, or a VM downloaded from our AWS build site.

Other remote services we offer include PCI and NIST cyber assessments, cyber maturity assessments, fractional information security officer (FISO) services, cyber consulting, social engineering, and more. For a full list of our services, all of which can be done remotely, please visit our services page.

In conclusion, the main focus in these unprecedented times should be to remain aware. As more of our workforce moves online, the attack surface grows. Employing best practices and penetration testing can keep your company secure as you navigate a new normal.

To learn more visit the corresponding podcast Remote Cybersecurity in Unprecedented times by Blog Talk Radio.



Fill out this form and tell us how we may serve you!