SE Labs

Posts tagged 'review'

SE Labs launches new security testing site

selabs-uk_v2-6297840

The new website reflects the changes in the security industry over the last few years. We’ve listened hard to your feedback and watched as the industry’s needs have changed.

Clients, both security vendors and their customers, need increasingly customised analysis of products and their effectiveness. Which is the best? And what does ‘best’ really mean?

Read more >

Strong protection in uncertain times

A hacker mentality is keeping (computer) virus testing on track.

Latest endpoint protection reports now online for enterprisesmall business and home users.

This is the first in our series of 2020 endpoint protection reports. And it is unique, for all the usual reasons but also a new one.

We would normally highlight the latest new threats that we’ve discovered on the internet and discuss how we test them against the security software you use in your business and at home in the most realistic ways possible. And we’ve done that. But these reports are different to any we’ve produced before, for another reason.

Read more >

Email security: Is it any good against hackers?

World’s first in-depth, public test of security services vs. targeted attacks.

This email security test report is the product of two years of advanced threat research. We have worked with the security companies themselves and with their customers.  We have monitored what the bad guys have been doing and identified and replicated real-world email threats that affect everyone generally, and also specific types of businesses.

There is no report like this anywhere in the public domain. We are extremely proud to present the results here.

Read more >

Enemy Unknown: Handling Customised Targeted Attacks

Detecting and preventing threats in real-time

Computer security products are designed to detect and protect against threats such as computer viruses, other malware and the actions of hackers.

A common approach is to identify existing threats and to create patterns of recognition, in much the same way as the pharmaceutical industry creates vaccinations against  known biological viruses or police issue wanted notices with photographs of known offenders.

The downside to this approach is that the virus or criminal has to be known to be harmful, most likely after someone has become sick or a crime has already been committed. It would be better to detect new infections and crimes in real-time and to stop them in action before any damage is caused.

This approach is becoming increasingly popular in the cyber security world.

Deep Instinct claims that its D-Client software is capable of detecting not only known threats but those that have not yet hit computer systems in the real world. Determining the accuracy of these claims requires a realistic test that pits the product against known threats and those typically crafted by attackers who work in a more targeted way, identifying specific potential victims and moving against them with speed and accuracy.

This test report used a range of sophisticated, high-profile threat campaigns such as those believed to have been directed against the US Presidential election in 2016, in addition to directing more targeted attacks against the victim systems using techniques seen in well-known security breaches in recent months and years.

The results show that Deep Instinct D-Client provided a wide range of detection and threat blocking capability against well-known and customised targeted attacks, without interfering with regular use of the systems upon which it was deployed. The deep learning system was  trained in August 2018, six months before the customised targeted threats were created.

Latest report now online.

Review: ImmuniWeb On-Demand Application Security Testing

hacked-1764593

What do a start-up, small business and enterprise have in common?

They all have one or more websites.

That’s not a very humorous punchline, but the security implications of managing business websites aren’t funny either.

In an age when extremely large organisations are being hacked, as well as specialist security companies, website security could not be a more serious business. Throw into the mix regulations such as the data protection act and the incoming GDPR legislation and being the person responsible for the company website just became positively horrible.

A website is a business’ public face, whether it be a local taxi company or a global pharmaceutical giant. It is virtually impossible to do business these days without a website and maintain credibility, but a website hack instantly harms any company’s standing.

How do websites get hacked? Sometimes the attackers will focus on compromising the site’s administrator, but more often than not (in our experience) the site itself is attacked directly by means of an exploit.

Such an exploit could be a aimed at a vulnerability in the platform, such as WordPress, or the server’s operating system. Sometimes the hosting company itself is targeted: a good value-for-money proposition for an attacker who wants to run one attack and gain access to thousands of websites.

Will AI save our sites?
Artificial intelligence is great but people are often necessary for some tasks. ImmuniWeb understands that. Assessing the security of a website is non-trivial and, while automated tools exist to test for the presence of various vulnerabilities, often it takes a human brain to really get to the bottom of a problem. Much in the same way that SE Labs uses people to enhance security testing, ImmuniWeb adds the personal touch to checking the quality of a website’s security.
The service provides testing for vulnerabilities listed in the OWASP Top Ten Vulnerabilities list, PCI DSS vulnerabilities and a range of other sensible criteria, including predictable CAPTCHA protections and open directory listings.
Wizard setup
wizard-4625603
Setting up the initial test was a very simple task. Enter a few relevant details into  ImmuniWeb’s Wizard-driven website, pay the fee and the work starts. A couple of days later a report is made available and you have around three months to download it before it is deleted automatically. You will receive warnings about the impending deletion.
The report is detailed. The first pages give an overview of the risk level based on how many vulnerabilities have been found, certain administration configuration issues that might exist and even an indication of other websites that might be impersonating yours.
Who is hosting?
report-4813405
The data in the reports is interesting and some of the issues brought to light could be easily solved. It does depend on how you have your web hosting organised, though. For example, if you run your own servers you can follow advice on upgrading certain services, such as Apache or SSH.
However, if your site runs on a hosting platform provided by a third-party, such as GoDaddy, 1&1, 123Reg or a thousand others then you have a choice: You could contact the company and request that they upgrade; or move to another host and hope that they do a better job with updates.
In this review we discovered that the hosting company we use for the SE Labs website was a little behind with some updates. We used the ImmuniWeb report as evidence that there was a potential problem and, to our surprise, the company responded fast and claimed to fix the issues.
While we could verify the changes ourselves (after all, we test security systems ourselves) we understand that for most businesses a second test would be warranted. We ran a second test for this review and were pleased to see that the previous issues had indeed been fixed.
How much?
This is where things could get expensive, though. An on-demand small business (SMB) test costs $1,499. If you are a start-up and want to have your site assessed then this is a reasonable business expense. Multiple verification tests add up, though. A faster ‘Express’ test is less expensive, coming in at $499. If you expect your site to change frequently then continuous assessments are available, with prices starting at $999 per month.
Total Cost of Reassurance
But while your site might not change, knowledge about security vulnerabilities does. New vulnerabilities are being discovered at a frightening rate and updates for popular web server components, such as MySQL, appear often. When testing our own website ImmuniWeb noted out of date software, which was updated accordingly.
By the time we ran the second test the same, updated software was again out of date. If the same issues happen to you, it might be worth learning how to test the versions of the services running at your web hosting company and give them a prod to update as and when necessary. Paying over $1,000 to assess something they should be taking care of seems unnecessary.
Monitoring the weak link
Losing control of your website is a situation no business wants to contemplate, whether it’s a start-up looking for funding or a massively profitable public company. Web application vulnerabilities are a significant weak point that can and should be assessed regularly. ImmuniWeb provides just such a service but because people are involved, as well as machine learning-equipped systems, there is a significant cost to the system, as well as an advantage over free website scanning sites and tools.
While, on the face of it, using ImmuniWeb’s service might appear expensive, compared to training your own team of penetration testers, or sub-contracting a company to do the work for you, it is good value for money.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press