General Rules Of Thumb
- Set up an email (e.g. security@mybusiness.com) and a page for security researchers to report vulnerabilities.
- Depending on what you are making, limit access to your user databases.
- Be polite to bug reporters.
- Have your code review done by a fellow developer from a secure coding perspective. (More eyes)
- In case of a hack or data breach, check previous logs for data access, ask people to change passwords. You might require an audit by external agencies depending on where you are incorporated.
Set up Netflix’s Scumblr to hear about talks about your organization on social platforms and Google search.
Sanitization of Input
- Sanitize all user inputs or any input parameters exposed to the user to prevent XSS.
- Always use parameterized queries to prevent SQL Injection.
- Sanitize user input if using it directly for functionalities like CSV import.
- Sanitize user input for special cases like robots.txt as profile names in case you are using a URL pattern like coolcorp.io/username.
- Do not hand-code or build JSON by string concatenation ever, no matter how small the object is. Use your language defined libraries or framework.
- Sanitize inputs that take some sort of URLs to prevent SSRF.
- Sanitize Outputs before displaying to users.
- Sanitize all the things
If you access post data then use this$title = sanitize_text_field( $_POST[‘title’] );
update_post_meta( $post->ID, ‘title’, $title ); - Escape when you output
If you output the data to HTML you should use htmlspecialchars() else, if you’re storing the data in a database you should escape strings using mysqli_real_escape_string() and cast numbers (or use prepared statements for both) and protect identifiers/operators by whitelist-based filtering.
Introduction to Security Hacking
Security hacking is an unauthorized way to get into someone’s computer to fetch personal and important details of the user. Today, the world has various programs to strengthen their computer security but even then some loopholes act as a friendly entrance for viruses. Hence, it is important to take a look at top viruses alias security hacking programs that can ruin the system.
These viruses are installed or injected into the system by security hackers. Yes, like programmers there are hackers also whose task is to infect the targeted computer. Technological updates take place in security hacking also, hence it is important to keep your system updated all the time.
List of top hacking techniques
1. Bait and Switch
Through this hacking technique, the hacker runs a malicious program that the user believes to be authentic. The user installs it on the computer and gives unwanted access to the system to this virus. This hacking technique is frequently used due to the growing content marketing. As the users are suggested to download a link or run a program that looks clean but these links redirect the users to some malicious site.
2. Cookie Theft
The cookies of a browser store the personal details, log in, passwords, browsing history, and other important data that is used to access different websites. This virus is extremely harmful as it can make himself identified as the user on a browser. The virus is also known as cookie hijacking and session hijacking. This virus can get involved in your system when the session is active. The session is said to be active when a user makes a login into a password-protected website and the session ends when the user logout of the website.
3. Clickjacking
ClickJacking is a virus also known as UI Redress. In this attack, the user click is hacked. The user clicks on the point he/she wish to but the hidden malware redirects it to the page they wish the user to visit. In other words, the user is directed to an unidentified link that makes viruses access the computer easily. Recently, this virus has targeted thousands of Facebook users by inviting them to click on links that offer sales, discounts, prize money, and more.
4. Virus, Trojan
It won’t be wrong to call these viruses age-old hacking techniques. They get installed into the computer and send all the important data to the hacker’s computer. This virus can get installed into the system when using a pen drive or USB storage device. Also making downloads from any unknown websites can cause trouble for the system.
5. Phishing
The hackers trap the users and get into the system by sending spoofing links to the users. Spoofing link is sent by replicating the frequently visited websites. By making a fake website, the hacker gets the login details of the users as they enter these details for login into the website. This is a way to fetch various important details of the users such as credit card numbers, bank details, and accessing personal information. The sites that are spoofed at large are Paypal, eBay, and yahoo.
6. Passive Attacks
Passive attacks are also known as Eavesdropping. This hacking technique is different from others, as the hacker keeps a tab on the system instead of getting into it. The motive of this hacking technique is to fetch some unique information that can also be referred to as unwanted information. Passive attacks also hide the identity of the hacker which makes their work easier.
7. Fake WAP
The hackers make use of software that fakes WAP – wireless access points. This connects the hackers to a public WAP. Getting connected to a public WAP is an ideal situation for the hackers as they can target a large number of users by doing this.
8. Waterhole Attacks
A waterhole is a bad actor load malware that gets installed into the computer when the user clicks on a particular link. This virus gets downloaded from spyware software and is difficult to trace. This attack has is identified a few years back when it first attacks the website of a human rights organization from China in year 2009. Later, this hacking technique was used to hack the website of Myanmar’s president in the year 2015. Currently, there is no way to identify the virus although various companies are trying to find ways to identify this virus.
9. DDOS Attack
Also known as a denial of service attack. This hacking technique floods the website with immense traffic that the server won’t get time to process all the requests. This process slows down the system and sometimes it can also crash the server. The hackers make use of zombie computers to incorporate a large amount of traffic to the website.
10. Keylogger
Keylogger keeps the record of keystrokes and key sequences used by you. It can get access to various confidential reports, passwords, and details from the system by running these passwords. This virus mainly targets the banking industry and hence various banks asks you to use virtual keyword instead of using regular keyword.
Ways to Prevent Security Hacking
Security hacking can be prevented by using these regular norms and specific steps are also listed down to help you stay protected from various viruses. There are several ways to prevent security hacking and we have listed them below for you.
Create Secure Backups
Create a backup for each of the files you store on the system. We suggest you encrypt the files as it makes data more secure and limited. Also, keep your backup files updated as they might lose important information as you keep working on the original files. Remember, never save the backup files on your system, save these files on a G drive as they are more secure on a different network rather than on the usual system.
Update and Patch System
System updates keep the firewalls updated and minimize the risk of hacking. This is very important for all systems and especially for windows operating systems as a small loophole can also cause hacking that can ruin the system. Updating partially works for anti-virus as it fixes various issues by adding new versions to the system. Protect system from waterhole attack also.
Use Anti-Virus Software
People must understand the need for anti-virus software as it combats multiple issues and make the user know what the problem or attacks the system is facing. There are hundreds of free anti-virus available in the market. This is a myth that you have to pay for getting quality anti-virus software installed. There is nothing like that, you can google free anti-virus and will have a list of free and quality anti-virus software on the screen. Waterhole attacks can also be prevented by using anti-virus software.
Train Your Workforce
The organizations must run a training program for the employees to make them understand which links or websites they should click on. Make your employees know that they should not click on any questions or download links if it asks them to navigate to another page. Also, you must be careful while opening any irregular or suspicious mail/attachment.
Working places must restrict access to various websites that have nothing to do with their business. For example, blocking Facebook, Instagram, and other social media websites. Restrictions limit the spread of viruses and keep the system protected. This step can also be used to prevent waterhole attacks.
Take Action Immediately
In case the system is not responding in a regular manner then you should take the immediate help of a specialist. People usually, restart or switch off the system for some time which is wrong. Disconnection of system abort file encryption process and you are likely to lose huge information by shutting down the system.
Prevent Baits & Switch Attack
This attack is one of the old attacks and is impossible to identify. The hackers use this hacking technique to target people running applications developed by others. Yes, the users using applications or programs developed by them are only secured from Baits & Switch attacks. Everyone else is at a higher risk of being targeted by this attack. Hence, the user must verify the websites or clients to whom they are giving ad space on their platform. This is the only way to prevent this attack.
Prevent Cookie Theft
Never use a public internet connection. Open connections are easy to target and hence we suggest you keep a sufficient mobile data balance. This will keep your network secure and protected from Cookie Theft. Now, there are networks that can help you create a personal router that makes your life easy and safe.
Prevent Clickjacking
Firstly, minimize the risk of clickjacking by installing browser plugins like NoScript and NoScript, this prompts users to allow javascript actions on their frequently visited websites. This also specifies the trusted domains. The users without these plugins are at a greater risk of being the victim of the clickjacking virus. This process takes the least time and protection the system for a longer period.
Secondly, use X-Frame options. All popular browsers including Windows Internet Explorer, Google Chrome, Firefox, and Apple Safari uses HTTP header X-Frame options to check whether it is a different page or a frame. Specify your web browser with an HTTP header that contains the “DENY” value.
Thirdly, built web application firewalls. These walls protect the system from injecting any unknown code. Some organizations keep these firewalls in like to have rather than need to have a category. This is because the need to have is more expensive, but we suggest you outsource a company offering firewall protection as it is best for preventing these attacks. Firewalls are also useful to prevent Keylogger attacks.
Prevent Phishing Attack
Firstly, beware of sharing confidential details. Organizations such as banks and reputed firms will never ask for details like your account number, credit card pin, or other information related to your bank accounts. There are many fraudulent companies that ask for these details. Stay aware of such companies.
Secondly, never disclose your details by reading emails that contain threats such as your services will be deactivated or use you no longer be able to browse the website due to insufficient balance.
Thirdly, read the privacy policy of the websites you are visiting or using frequently. The websites list their privacy policy in the footer.
Fourthly, discard emails that read as “Dear Sir/Madam” you have won a bumper prize or you got credit from our bank. Cross-check the credit card thing with your bank as many banks send these emails even if we don’t have an account with them.
Fifthly, Do not submit your details with any form that is embedded with an email. This email is likely to be a replica of an original website. The hackers access details easily by using this trick.
Sixth is an important point. Click on the link embedded in the email only if you are sure about it. Else, open a new browser window and type the URL. The link will open only if it is correct.
Prevent Fake WAP – Wifi Access Point
Firstly, try using your mobile data in public places as they are more secure. But, those using public connections make sure that they are connecting to a VPN network as it will keep them protected from fake WAP.
Prevent Keylogger Attack
The best to prevent these attacks is to use virtual keyboards as they can make the hacker scan keystrokes. Another way to prevent this attack is to keep changing the passwords at regular intervals. The keystrokes help the hackers in accessing details, hence keep changing the password so that one particular Keystore can never be traced.
Prevent Passive Attack
The best way to prevent this attack is to make use of a virtual keyboard instead of the real one. This is the only effective way to keep your system secure.