In the modern interconnected world, an approach to IT security that simply plugs holes with additional firewalls or intrusion detection systems provides only limited safety. Today, the most significant 'holes' in a company's IT infrastructure are those which are required to be there: the access points that allow your customers to interact with, access, and update applications and data. But while these access points are open to your customers, they are also accessible to parties that intend harm to, or exploitation of, your business.
98.9% of attacks take less than a day to compromise an IT system or application.
JDS’ application security testing service assesses your application’s controls, makes recommendations to remedy identified issues, and removes factors that could aid an attack upon your business. Our security testing encompasses applications and environments specialising in web, mobile, and cloud applications.
JDS provides our security testing clients with reports containing both technical definitions of the security issues located and, importantly, the high-level business context for the vulnerability. This includes scenario modelling in easily digestible language, enabling your business to make appropriate and timely business decisions and reduce your organisational risk profile.
Learn more about our comprehensive approach to security analysis and testing.
Real-world crises: when things go wrong
Bangladesh Bank–February 2016
Industry: Financial Services Industry
Effect: US$101 million stolen
A group of internationally based hackers attempted to steal nearly US$1 billion from Bangladesh Bank after identifying several security vulnerabilities. They compromised the bank's network, observed how transfers were done, and used this knowledge to obtain the bank's credentials for payment transfers. They then used those credentials to authorise their own bank transfers, to the tune of US$951 million. Similar attacks have been seen at Banco del Austro in Ecuador (US$12 million stolen) and Tien Phong Bank in Vietnam (unsuccessful).
Result
US$101 million of transfers were successfully completed by the thieves; US$63 million was never recovered.
LinkedIn–2012
Industry: Professional services
Effect: 117 million accounts
In 2012, LinkedIn’s database was breached, releasing user email addresses and hashed passwords. The data was put up for sale online.
Originally, it was thought that just 6.5 million accounts were affected, and LinkedIn asked those users to reset their passwords. Later, 117 million user account details were put up for sale online, and the data is thought to have come from the same breach. If that is the case, then each of those user accounts may have been vulnerable since 2012.
Result
Up to 117 million user email/password combinations exposed, giving potential access to financial data; ramifications for users who use the same combination on other sites.
Indiana University–2014
Industry: Higher Education
Effect: 146,000 students
The names, addresses, and Social Security Numbers of a large number of Indiana University students and graduates were stored on an unprotected site. The lack of protection meant that several data-mining applications not only accessed but also downloaded all of the data files.
Result
Students and credit reporting agencies had to be notified; ongoing risk for financial fraud and identity theft, and associated liability.
British Airways–2015
Industry: Transport
Effect: Tens of thousands of customers
British Airways frequent flyer account details were accessed, most likely by an automated program seeking vulnerabilities.
Result
Service disruption meaning club members could not use their points; reputational damage.
Tesco Bank–2016
Industry: Financial Services Industry
Effect: 9000 customers
Tesco Bank had monitoring and security mechanisms in place. However, Tesco Bank data such as credit card verification details had to be accessed by the parent company Tesco, which does not appear to have been as secure. Security is only as strong as the weakest link in the chain, and in this instance money was stolen and customers were defrauded.
Result
Customers were defrauded to the tune of 2.5 million pounds. The bank had to pay the associated costs and manage the associated brand damage.
VK.com–2016
Industry: Communication
Effect: 100 million users
VK.com, a Russian social network similar to Facebook, was allegedly breached sometime between 2011 and 2013, and user details were later released. The data included full names, email addresses, phone numbers, and plain-text passwords. The data was put up for sale for around US$570 in total.
Result
VK denied the hack.
Anthem–2015
Industry: Financial Services Industry
Effect: 78.8 million
Anthem suffered a cyberattack in late 2014, with the information accessed potentially including names, home addresses, email addresses, employment information, birth dates, and income data. The FBI investigation found that the attacks were conducted by international parties who were curious about the American healthcare system.
Almost all of Anthem’s product lines were impacted.
Result
Anthem had to pay US$115 million to settle a class action litigation suit as a result of the breach. They also provided up to four years of credit monitoring and identity protection services to affected customers.
Telegram–2016
Industry: Communication
Effect: 15 million users
Telegram is a messaging service, not dissimilar to WhatsApp, that is known for its end-to-end encryption. When signing up, users verify their phone number via a text message. These messages can be accessed by the phone company, and bad actors with access to that information can add devices to a user's account. This means they can read a user's chat histories and messages. 15 million user accounts in Iran were compromised.
Result
Telegram recommends the use of a strong password and a verification email address in addition to SMS verification. They cannot guarantee the security of third-party service providers such as a phone company.
Philippine Commission on Elections (COMELEC)–2016
Industry: Government
Effect: 55 million users
Weaknesses in COMELEC's network and data security meant hackers were able to access the full database of all registered voters in the Philippines. The database contained personal details, many of which were stored in plain text, and included fingerprints, passport numbers and expiry dates, and potentially voting behaviour.
Result
The data could be used for extortion, phishing, or blackmailing purposes, and related hacks may lead to election manipulation.
Yahoo–2013 and 2014
Industry: Communications
Effect: up to 1.5 billion accounts
Yahoo's security was breached twice: in 2014 (500 million accounts stolen by a state-sponsored actor) and in 2013 (1 billion accounts). The information included user names, telephone numbers, birth dates, and encrypted passwords.
Result
Yahoo’s sale price to Verizon was reduced by some US$350 million as a result of the hacks.
A rigorous approach
JDS adopts the Open Web Application Security Project (OWASP) methodology for application security testing. This ensures all web, mobile, and cloud applications undergo a comprehensive assessment.