ARTELABS provides practical advice on Information System Security (ISS) and Web Platform Security (back-end, front-end, database and IoT), and raises awareness among employees and users about online threats.
To this end, we visit SMEs to get a general overview of the company’s operational context, then analyse it and propose appropriate, optimal technical solutions aimed at strengthening (“hardening”) the security of their web platforms and IT infrastructures.
A CMS that has become very popular and that uses standard technologies will come under attack more and more. It is estimated that 35% of all web sites are powered by WordPress. WP 5.4 had been downloaded more than 23 million times as of May 2020.
Identify potential vulnerabilities
The context in which the IT project is being carried out counts. If online web applications are the core business of the company, several aspects must meet standard security criteria: for example, the modularity of the source code and the database integrity rules (primary keys, links between tables, data encryption, etc.).
In web portals, the weaknesses are very often located at the access points open to external customers (contact forms, login forms, registration forms, password recovery, customer areas giving access to sensitive data such as PDFs, etc.).
These online forms can be subject to various attacks, depending on the security level of the application. Very often, URLs expose parameters or characters that can help an attacker retrieve sensitive information. URLs often contain identifiers referring to users and to documents made available online to customers.
The quality of the source code obviously matters, but simple practices integrated in advance can also prevent intrusions.
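One such practice, for the customer-area document downloads mentioned above, as an added example that is not ARTELABS’ own code: documents are published under random identifiers instead of sequential ones, and every download request is checked against the server-side session rather than against a user id carried in the URL. The function names, the in-memory store and the sample users are constructed for illustration.

```python
import secrets

# Constructed in-memory store for the example: a real deployment keeps this
# in the application database.  Keys are opaque, unguessable document ids.
DOCUMENTS = {}
AUDIT_LOG = []  # one entry per refused request, for monitoring


def register_document(owner, path):
    """Store a customer document under a random, non-sequential id.

    A 128-bit random token cannot be enumerated the way /download?id=1042
    can, so a leaked or guessed URL does not expose other customers' files.
    """
    doc_id = secrets.token_urlsafe(16)
    DOCUMENTS[doc_id] = {"owner": owner, "path": path}
    return doc_id


def authorize_download(session_user, doc_id):
    """Resolve a download request to a file path, or None if it is refused.

    The decision is taken from the server-side session identity, never from
    an identifier in the URL, and the document must belong to that user.
    """
    if not session_user:
        AUDIT_LOG.append(("anonymous", doc_id, "denied"))
        return None
    doc = DOCUMENTS.get(doc_id)
    # Unknown id and wrong owner get the same answer, so a probing client
    # learns nothing about whether a given id exists.
    if doc is None or doc["owner"] != session_user:
        AUDIT_LOG.append((session_user, doc_id, "denied"))
        return None
    return doc["path"]


def denied_requests(user):
    """Count refused downloads per user; a burst is a sign of id probing."""
    return sum(1 for who, _, _ in AUDIT_LOG if who == user)
```

The audit entries are what a monitoring rule would alert on: one refusal is a typo, dozens from the same session is someone walking through identifiers.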
The more security is applied to online services, the more constraints are placed on users and the more complexity is added on the developers’ side. Not everyone is willing to spend much time on routine tasks…
Single-factor authentication (SFA: user name and password) still prevails, but even strong passwords that comply with adequate security criteria can still be intercepted through malice or carelessness. With SFA, a person presents a single credential to verify himself or herself online.
To really know WHO is conducting an online transaction, the smartphone today remains the best “identifier” for end users. Since the device has become a daily work tool, users are careful not to lose it or lend it to third parties, and it already includes built-in secure authentication such as fingerprint ID or Face ID.
Implementing two-factor authentication also implies external costs that not all SMEs can afford. For example, an SMS challenge used as the second factor for a web platform may be too expensive depending on the number of daily logins.