NTA Monitor

90% of UK websites are insecure

90% of UK organisations' websites contain one or more vulnerabilities that may enable external users to gain unauthorised system access or disrupt service availability. A further 33% of websites have been found to contain critical vulnerabilities that are widely known and actively exploited by hackers.

These findings form part of NTA's Annual Web Application Security Report 2007, which analyses data gathered from web application security tests undertaken on behalf of a variety of organisations, including financial institutions, legal practices, universities and local government bodies, during 2006.

Roy Hills, Technical Director at NTA Monitor, says: "Web applications are accessible 24 hours a day, 7 days a week and control sensitive data such as customer details, credit card numbers and proprietary corporate data. With an ever increasing number of people using the Internet for personal business such as banking, bill payments and shopping, and as a core part of their working lives in terms of remote working and resource sharing, it's high time that organisations take greater steps towards protecting these revenue generating and efficiency enabling systems."

As the number, size and complexity of web applications increase, so does the risk exposure. Attackers focusing on web application security problems are actively developing tools and techniques for exploiting them. Three key recommendations that organisations can follow to reduce their risk are:

The full report contains further recommendations. It looks at the different types of vulnerabilities found in organisations and also examines how a range of industry sectors fare against the average findings. It is available from NTA by emailing marketing@nta-monitor.com.

This article was first released on: 21st March 2007