Password managers stand as an essential tool in the modern digital landscape. With the escalating number of online accounts, they offer a secure repository to organise and store a multitude of passwords, alleviating the need to memorise multiple complex sets of credentials. By generating intricate passwords and encrypting data, these managers significantly bolster security against prevalent cyber threats like phishing and data breaches. Their cross-device accessibility, often protected by master passwords or biometric authentication, ensures convenience without compromising safety.
In almost 99% of web application penetration tests there is at least one TLS / SSL related issue. Typically these are reported with a Low CVSS score, occasionally creeping into a Medium, depending on the application and how it is used. We wanted to provide an informative article highlighting the real risks of these issues and how they can negatively impact the security of organisations.
In November 2022, we completed a web application security assessment for a new client within the health / wellbeing sector. We were told through previous discussions that the web application had both standard user accounts for everyday use and administrator accounts for backend administration. As is fairly standard with these engagements, we were given credentials for a standard user account and were tasked with seeing what could be achieved from this position…
Multi-Factor Authentication (MFA) has been widely adopted over the years as a means to enhance the security of authentication processes for all sorts of systems. It has become something of a must-have security control for organisations that want to claim a robust security posture. This is especially true for organisations seeking compliance with information security standards such as ISO 27001 and Cyber Essentials.
However, it has been demonstrated time and again that even when MFA is in place, it can be circumvented. The recent attack on Uber is a rather convincing example of this. The attack itself is not the topic of this post, but it serves as a reminder that an authentication process that mandates MFA from its users is not impenetrable.
In this blog post, we will be comparing the most common and prominent MFA methods, with a focus on their usage within organisations’ internal infrastructure, as that is where the impact of a bypass can be most severe.