Cyber Security Awareness

FREE

This is our main man Thomas. He's just made his first ever website!

Thomas has basic coding skills, and using simple PHP language, he's written out a simple form attached to a database for people to contact him.

This is Emily. She's very knowledgeable when it comes to security, and sometimes uses her power for mischief. Emily stumbles across Thomas' web page, and realises that he hasn't protected himself from SQL injection attacks...

Emily types a simple command into the form - and voilà!, she's able to see all of Thomas' messages!

What else could Emily get from Thomas' site through this vulnerability? Select all that apply

How can Thomas fix up his site so Emily can't attack it?

Since we last spoke to Thomas, he's found his niche, and his website has become very popular! Thomas has started to make money from online ads, and wants to keep this separate from his other income.

Thomas decides the best way to do this is sign up for a new bank account online.

The day after he sets it up, he can't get back into it! What's happened to Thomas' money?!

How could this have happened?

Predictable Passwords This is one of the most common ways to get caught out online. Websites should not allow you to use passwords like "12345" or "password", and sites that do open themselves up to vulnerabilities.

Eavesdropping On unencrypted connections, bad actors can use readily available software to see the passwords, usernames and Session IDs transmitted from users to the website.

Impersonation By using a Session ID that is not invalidated at the end of each session, bad actors can impersonate users and gain full access to their accounts.

Emily's a very knowledgeable internet user, and today, she's decided to look for some vulnerabilities in everyday websites.

Emily has her eyes set on this social media website - how can she cause some mischief?

Using the HTML <script> tag, Emily puts some malicious code in the "Status update" box, which makes the code automatically repost itself. (The real code would be a bit more complicated than the one shown here!)

Which types of websites can be affected by a Cross-Site Scripting (XSS) attack? Select all that apply

It's been a while now, and Thomas is quite happy with his site as it is. He's got multiple features and plugins installed.

To administer all of these new features, he's created the ability to log in with a browser, and change settings from where ever he is.

Unfortunately, he hasn't set up and tested his access control correctly - leading his site to become vulnerable to attacks.

Some specific Access Control issues that exist include... Insecure Session IDs Path Traversal (going directly to a secure page without passing through access checks) Incorrectly set file permissions Client Side Caching on Public Computers All of these risks can be mitigated by improving the security of access control.

What is the most secure way of giving administrators access to a site?

Our successful friend Thomas has decided to start selling his products online. He decided to accept Credit Cards on his website.

His site stores credit card information in plain text, but the text is destroyed after each order is completed.

After a few weeks, one of Thomas' customers contacts him, and angrily tells Thomas that his Credit Card details had been stolen!

How could Thomas' customer's data have been stolen? Select all that apply

Here are some good questions to ask when reviewing your sensitive data storage... Is any of your data stored in clear text long term, including backups of this data? Is any of this data transmitted in clear text, internally or externally? Are any old / weak cryptographic algorithms used? Are weak crypto keys generated, or is proper key management or rotation missing?

Emily is taking a day off hacking, and is paying her friend for a concert ticket.

She submits a transfer form on her bank's website - but she notices something while poking around. The website doesn't authenticate its requests properly.

Emily sees a way that she can exploit this, so everybody who posts a comment to her website also sends her $100 - as long as they're also logged into her bank's website.

What other types of sites are vulnerable to CSRF? Select all that apply

Thomas' website has expanded! He's got heaps of features - some of which he didn't code himself.

Some features, like his online shop, are additional plugins that he has installed.

One day, one of Thomas' plugins stops working, and gives him some strange error messages when he tries to fix it.

Thomas is working on his site, which by now, has plenty of plugins.

However, Emily knows some vulnerabilities in Thomas' plugin APIs, and uses her knowledge to cause havoc!