Basic Cybersecurity Checks For Your Firm

Maintaining the security of your applications and networks should be a high priority. You should keep track of information about security vulnerabilities that affect your products and services.

Below is a list of basic checks you can perform to ensure that your website is not an easy target for malicious actors. If you are interested in learning more about cybersecurity and earning a Cisco certificate for FREE, visit https://www.netacad.com/en/web/self-enroll/course-745956 or https://www.netacad.com/web/self-enroll/course-745973

  • Check for all Vulnerabilities in Flash files.
  • Use reports from automated open source tools or scans.
  • Check if your website is affected by outdated browsers
  • Understand and recognize Denial of Service Attacks
  • Understand Issues and their identified security impact
  • Check for missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure – without clear and working exploit)
  • Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files, and/or wildcard presence or misconfigurations in these.
  • Use of known-vulnerable libraries or frameworks – for example an outdated jQuery or AngularJS (without clear and working exploit)
  • Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)
  • Self Cross-site Scripting vulnerabilities without evidence of how the vulnerability can be used to attack another user
  • Lack of HTTPS
  • Check for insecure SSL / TLS configuration
  • Password complexity requirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address
  • Presence/Lack of autocomplete attribute on web forms/password managers.
  • Server Banner Disclosure/Technology used Disclosure
  • CSRF on logout or insignificant functionalities
  • Publicly accessible login panels
  • Clickjacking
  • CSS Injection attacks.
  • Tabnabbing
  • Host Header Injection
  • Cache Poisoning
  • Reflective File Download
  • Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin: * or acceptance of a custom Origin header that does not specifically show a valid attack scenario
  • PRSSI – Path-relative stylesheet import vulnerabilities
  • OPTIONS/TRACE/DELETE/PUT/WEBDAV or any other HTTP Methods accepted by the server which do not specifically show a valid attack scenario
  • Cookie scoped to parent domain, or anything related to path misconfiguration and improperly scoped cookies
  • Private IP/Hostname disclosures or real IP disclosures for services using CDN
  • Open ports
  • Your policies on presence/absence of SPF / DKIM / DMARC records
  • Lack of DNS CAA and DNS-related configurations
  • Weak Certificate Hash Algorithm
  • Social engineering of your employees or contractors
  • Any physical/wireless attempt against your property or data center
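Several of the items above (missing security headers, missing cookie flags, server/technology disclosure, CORS wildcard, cookie scoped to the parent domain) can be checked from a single HTTP response. The following audit function is an added example, not code from the original page; the response it parses is constructed, and the header and finding names are my own choices.

```python
import re
# Constructed sample response (not from any real site) with several weak settings.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Domain=.example.com\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n<html></html>"
)
# Headers whose absence is a missing-best-practice finding.
REQUIRED = {
    "strict-transport-security": "no HSTS header (plain-HTTP downgrade not prevented)",
    "content-security-policy": "no Content-Security-Policy header",
    "x-content-type-options": "no X-Content-Type-Options: nosniff",
}

def parse_headers(raw: str) -> list:
    """(lowercased name, value) pairs; repeated headers like Set-Cookie stay separate."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # drop the status line
    return [(n.strip().lower(), v.strip()) for n, v in
            (line.split(":", 1) for line in lines if ":" in line)]

def audit_response(raw: str, parent_domain: str) -> list:
    """Return human-readable findings for one HTTP response."""
    headers = parse_headers(raw)
    present = dict(headers)  # last value wins; fine for single-valued headers
    findings = [msg for name, msg in REQUIRED.items() if name not in present]
    if "x-frame-options" not in present and "frame-ancestors" not in present.get("content-security-policy", ""):
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    for name in ("server", "x-powered-by"):  # version strings = technology disclosure
        if re.search(r"\d", present.get(name, "")):
            findings.append(f"{name} header discloses version: {present[name]}")
    if (present.get("access-control-allow-origin") == "*"
            and present.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("CORS wildcard origin combined with Allow-Credentials")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = value.split("=", 1)[0], [a.strip().lower() for a in value.split(";")[1:]]
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if not any(a.startswith("samesite=") for a in attrs):
            missing.append("SameSite")
        if missing:
            findings.append(f"cookie {cookie} missing flags: {', '.join(missing)}")
        domain = next((a.split("=", 1)[1] for a in attrs if a.startswith("domain=")), "")
        if domain.lstrip(".") == parent_domain.lower():
            findings.append(f"cookie {cookie} scoped to parent domain {domain}")
    return findings
```

Run `audit_response(SAMPLE_RESPONSE, "example.com")` to list the nine findings in the sample; a response that sets HSTS, a CSP with frame-ancestors, nosniff and fully flagged cookies returns an empty list.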
