Page 251 in The Future of Software Quality Assurance
Security: It’s Everyone’s Business! 251
millions held offshore, for a substantial fee”. And the most insidious is empathy: my grandmother/mother/child/cute puppy is dying, and I need money to save them (photo attached). All of these attack the person rather than the system, and our technology and processes must be in place to combat them.
4 What Security Testers Need to Understand
Let’s be clear. We have looked at elements of criminal offences. All the attacks mentioned above are crimes in the UK under, amongst others, the Fraud Act 2006 and the Computer Misuse Act 1990. These crimes fall into two categories: cyber-dependent (hacking an online account, where without IT the crime would not exist) and cyber-enabled (where IT increases the number of victims a criminal act can reach; an organisation I worked for used to receive snail-mail letters from “Nigerian Princes”).
This is something that is absolutely vital for a security tester to understand. You might be running a legitimate test within your organisation, but unless you have documented permission from a person with the relevant authority, you could be charged with, and even found guilty of, an offence. Remember, a malicious user might be an employee of the organisation. If you do not have specific permission, how does anyone know that your test is not an actual attempt at malicious harm? Something as benign as clearing your browser cache could be interpreted by authorities in the USA as destroying evidence. Any work conducted as a security tester must be covered by written authorisation (the “legal indemnity” of this chapter); a template authorisation form is supplied by the Open Web Application Security Project (OWASP).5 At a minimum it should name the systems in scope, the testing window, the techniques permitted and the signatory who has the authority to grant them. If you have ever played Monopoly, this is the security tester’s “Get Out of Jail Free” card. Literally. It provides evidence that the work security testers are undertaking IS AUTHORISED, and is not cover for an internal malicious user.
As said, even if you are testing your own organisation’s systems, you absolutely need this permission. Never let someone else (e.g. a hypothetical project manager) convince you that it is not required. If it is not in place, you are breaking the law and could be subject to prosecution.
Another interesting threat that has grown since 2014 is a method called “credential stuffing” (sometimes written “account stuffing”). Let’s say a hypothetical user has multiple online accounts. The user cannot remember unique passwords for all of them, so uses the same password for a number of accounts. Now, let’s say they have the same password for both the local florist AND their Amazon account. If I steal the local florist’s usernames and passwords (remember, the florist’s security policy might not follow best practice), I can now use that credential set to access many more accounts.
What is more disturbing is that the marketplace for stolen credentials has been “automated”. Stolen credentials are fed into an automated process that checks them against sites like Amazon, PayPal or eBay (amongst others). A successfully stolen and checked account can then be sold to interested parties for between $0.50 USD
5 https://www.owasp.org/index.php/Authorization_form
Source: Stephan Goericke, The Future of Software Quality Assurance, Springer Nature Switzerland AG, Cham, 2020, 276 pp., ISBN 978-3-030-29509-7. Licence: CC BY 4.0.