Adapted from the November 2017 contribution by Benoit Poudrier, Automation Specialist

In Canada, the communities of Stratford, Wasaga Beach, Midland and Toronto have all been targeted by ransomware attacks. Increasingly over the past few years, municipalities across North America have become the target of ransomware attacks. In the US, cybercriminals have managed to penetrate not only more than 20 municipalities, but also school boards, libraries and police departments. Some of the affected cities have paid hundreds of thousands of dollars to their attackers in an attempt to regain access to data and mitigate the impact on essential services. Given this ongoing activity, we thought it would be timely for us to update and republish PQA’s 2017 blog post, ‘Security Testing Literacy’.

Improving the security posture of your web applications requires vigilance and an ongoing commitment to secure coding practices. A recent study by HP’s Web Security Research Group found that 69% of web applications scanned had at least one SQL injection vulnerability, and 42% contained persistent cross-site scripting vulnerabilities. It only takes one exposed vulnerability for a hostile threat agent to damage your brand equity and put your customers’ data at risk. To avoid potential exploitation, organizations need to find and fix vulnerabilities proactively.

It is extremely difficult to recover from the associated costs (economic and other) of an exposed security vulnerability. Increasing literacy around cybersecurity is an essential first step in proactively finding and fixing vulnerabilities in your organization. At a time when almost every municipality, business, device, method of communication, or transaction is connected to the internet, every organization must be aware of the risks that accompany storing and archiving data online.

It is no longer a matter of if you get hacked; it’s a matter of when you get hacked. PQA wants to help you define the steps you’ve taken to protect your municipality.

Who Needs Security Testing?

Everyone who uses or produces software requires some level of security testing, especially when interacting with sensitive data such as credit cards, banking, passwords or user account information. Every software company, website developer and IT team should have the resilience of their security tested. Through rigorous testing, you will be able to:

    • Develop appropriate security measures specific to the user data that you are protecting and storing.
    • Identify vulnerabilities before it’s too late. Penetration testing uncovers vulnerabilities in a safe environment before they are exploited through a malicious hacking attempt.
    • Avoid remediation costs and downtime that result from security breaches. A 2018 IBM study suggests the global average cost of a data breach is $3.86 million. Equifax, whose 2017 breach is described below, was required to pay up to $700 million to help compensate victims of the attack and, as of 2019, has accrued $1.35 billion in costs resulting from the breach.

PQA can help you assess what your specific needs are and how you can fit security testing throughout your development cycle.

What Can Be Hacked?

Governments, organizations and individuals are storing and circulating information in cyberspace at an increasing rate. In doing so we all become increasingly exposed to cybercriminals. While extensive access to information makes life more convenient, it is crucial to remember that almost everything that requires a computer is vulnerable to cyber hacking.

Here are a few examples:

    • Municipalities: In Ontario, the communities of Stratford, Wasaga Beach, Midland and Toronto have been targets of recent ransomware attacks. The 444-member Association of Municipalities of Ontario has urged the provincial and federal government to aid municipalities in protection from cyberattacks.
    • Credit Cards: In 2017, Equifax was hacked. That hack became one of the worst security breaches in American history, affecting 143 million people. That’s equivalent to 44% of the U.S. population. The hackers not only obtained credit card numbers, but also managed to gain access to birth dates, addresses, social security numbers and driver’s license numbers.
    • Healthcare: Anthem, an American health insurance company, was hacked in February of 2015. The accounts of 78.8 million people were impacted and their personal information exposed.

Find links to these stories in the references section at the end of this article.

Defining Security Testing:

Security Testing encompasses different types of tests and procedures with the intent of verifying the integrity and security of your application. Essentially, Security Testing exists to find weaknesses and loopholes in your software or website; the earlier it can be implemented in your development and testing processes, the less it will cost to fix potentially exploitable mistakes that are found in the future. The expense to address a potentially exploited weakness goes up as you approach the final stages of your application development and release. Ultimately though, this cost pales in comparison to the hundreds of thousands of dollars cybercriminals have demanded in recent ransomware attacks on municipalities, and the millions of dollars incurred in remediation costs and downtime.

Who is a Security Tester?

Although many roles are involved with security testing, one of the most technical is that of a Penetration Tester. Penetration testers have a deep understanding of today’s security issues and vulnerabilities. They use various tools to help you discover your cybersecurity weaknesses, so that these vulnerabilities can be addressed before a cybercriminal exploits them. Additionally, you can bring Manual Testers onboard to run simple tests in day-to-day testing routines to help find potential susceptibilities. An example would be a simple SQL injection test in any text box on the website, or in the URL itself, for each accessible page.
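To show what such a simple SQL injection test is checking for, here is an added example (not part of the original post, and not PQA’s own code). It runs the same two text-box values against a lookup that builds its SQL by string concatenation and against one that uses a bound parameter; the table, function names and probe values are constructed for illustration.

```python
import sqlite3

# Constructed probe values; no account in the sample data has either name.
PROBES = ["o'brien", "nobody' OR '1'='1"]

def make_db():
    """Constructed sample data: two accounts in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def lookup_concatenated(db, username):
    """Vulnerable form: the text-box value is pasted into the SQL string."""
    sql = "SELECT email FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, username):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT email FROM accounts WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]

def probe_lookup(lookup, db):
    """Tester's check: record how a lookup handles each probe value."""
    results = {}
    for value in PROBES:
        try:
            rows = lookup(db, value)
        except sqlite3.Error:
            # A database error means the input reached the SQL parser.
            results[value] = "sql error"
        else:
            # Nothing should match; rows mean the input changed the query.
            results[value] = "rows returned" if rows else "ok"
    return results

if __name__ == "__main__":
    for fn in (lookup_concatenated, lookup_parameterized):
        print(fn.__name__, probe_lookup(fn, make_db()))
```

Either a database error or unexpected rows is a finding to hand to the developers; the parameterized lookup returns "ok" for both values.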

How Do They Test?

Threat risk modelling is an essential process for secure web application development. It’s a way to plan around potential risks that your software, security or assets could face so that you can develop a strategy to protect yourself.

It allows organizations to determine the correct controls and to produce effective countermeasures within budget. For example, there is little point in spending $100,000 for fraud control on a system that has almost no fraud risk.

There are five steps to the threat risk modeling process:

    1. Identify Security Objectives
    2. Survey the Application
    3. Decompose it
    4. Identify Threats
    5. Identify Vulnerabilities

For more detailed technical information, our team would be happy to help.

Conclusion:

Security Testing should be a crucial part of any product or development process. Sensitive information is increasingly being stored and accessed in cyberspace and, because of this, we need to build awareness of the security hacks that organizations can face, how to prevent them through security testing, and how to repair them when the flaws are exposed.

We at PQA, as Canada’s leading independent provider of quality assurance and software testing solutions, are an experienced team of testers. For us, it is an essential priority to work with your specific Security Testing needs and tailor our services to support your unique development and testing projects.

Talk to us today about your security testing needs.
