8 ways to create better cybersecurity awareness with a limited budget

Not all cybersecurity budgets are made equal, and for some that means having too many or too few tools. For others this means having few employees or being the lone ranger responsible for better security awareness in the company. Here are options that fit every budget:


Invest in VPN to protect your peers and staff

This seems like a no-brainer, but a VPN should be standard for every organization, especially now that cloud services and remote work are the norm. Not every WiFi hotspot can be trusted, and you cannot expect employees to stop working because the only connection available is an untrusted one; a VPN tunnels their traffic through a network you control, so the hotspot operator sees only encrypted tunnel traffic. How do you demonstrate the value to your board or management? Set up a "trustworthy"-looking WiFi Pineapple (a rogue access point) at your next company event, with the attendees' consent, for a live man-in-the-middle demo. Yes, MITM is still possible today, HTTPS notwithstanding: the rogue hotspot can read and alter plain-HTTP traffic outright, keep users on HTTP for sites that do not enforce HTTPS with HSTS, and capture anything a user sends after clicking through a certificate warning.

Assess assets with an Incident Response Plan

If an intruder were detected in your systems this minute, what would your next step be? An incident response plan that is written down, communicated and rehearsed lets you act calmly, knowing which actions to take and that your systems are backed up. Working from the assumption that someone already has access to your systems, and being prepared to respond, is the best way to stay on top of threats.

With this in your toolbox, you can show stakeholders what information could be compromised should an attacker get into "X" or "Y". Best of all, it doesn't require external resources to execute, and if you don't know where to start, here's our guide on how to build an Incident Response Plan.

Implement a responsible disclosure program

There's a lot of talk about bug bounty programs and leveraging the knowledge of ethical hackers, but running a full program comes with a price tag and demands staff time to fix the complicated issues that skilled bug bounty hunters will find. Without being able to show the value or ROI first, how can you get the budget?

We recommend starting with a responsible disclosure program on your site. It invites ethical hackers to report vulnerabilities out of goodwill, without fear of legal repercussions, provided you state clearly what testing is allowed and where to send reports. With knowledgeable staff, this can be set up without external resources: a policy page, a dedicated contact address and, optionally, a security.txt file at /.well-known/security.txt (RFC 9116) so researchers can find that address are all it takes. The vulnerability reports you receive also help make an informed case for future improvements such as a bug bounty program, more frequent pentesting or an automated solution. Need inspiration? Disposable mail has a publicly available responsible disclosure policy in place.


Threat modelling before it happens

Threat modelling has traditionally been done by security teams, and with the rise of DevOps it is being incorporated into developer workflows as well. With this tool, teams look at the assets, threats and vulnerabilities of their software. It answers what exactly needs to be protected, which external and internal threats to protect against, and which vulnerabilities exist that need to be fixed. Non-security team members can use it too; it gets them into the mindset of continuous improvement and protection of assets.

Automated web vulnerability scanning

In 2018, our Disposable mail Crowdsource white hat hackers submitted almost 450 new vulnerabilities to extend the coverage of our web vulnerability scanner. From Crowdsourced modules alone, we had 50,000+ vulnerability findings in our clients' scanned assets. You can imagine all the JIRA tickets that had to be issued and handled, but it gave the security manager an overview of the security status of the web applications. The vulnerability reports summarize what a hacker could exploit, so managers can prioritize remediation accordingly in their workflows.

Using an automated web vulnerability scanner saves the time spent detecting known vulnerability classes and leaves your security team more time to dig deeper for issues that require creativity and cannot be automated. A modest investment in a web application scanner is far less costly than a breach affecting millions or billions of users, as we saw in 2018.

Results from automated scanning show the security status of your web applications and can be compared with the results of annual security audits and penetration tests to get more value out of the latter.

Security training as part of employee on-boarding

One way to scale up security awareness in an organization is to include it in the on-boarding process and educate employees outside the core security team. For some that could mean everyone besides the CISO. There's a growing trend for developers and designers to care about application security (in fact that's how Disposable mail got started!), and supporting them on that journey is valuable. Here are some ways to make security skills accessible:

  • Host internal knowledge sessions and provide a working environment where developers can hack their own code
  • Build up security champions in each team
  • Run employee-led sessions on how to hack or learn about information security
  • Eliminate the blame game when a security issue occurs and enable ownership of writing secure code
  • Run Capture-the-flag (CTF) events for participants to practice offensive and defensive coding skills

Developers aren’t the only ones who need training. Be sure to include training people of all levels from interns to C-level on the real-life implications of phishing, password management and social engineering.

Sharing knowledge is caring for colleagues

Even a security company needs to encourage better security practices and awareness among staff, but not everyone has time for 1-to-1 sessions to communicate it all. At Disposable mail, we've been able to scale up security knowledge sharing by creating explanatory videos on the OWASP Top 10 and other known vulnerabilities on the Disposable mail YouTube channel, for colleagues and anyone else interested in security. We also hold internal lightning talks on our security test updates, hack demos and weekly security tips from our security researchers to encourage everyone to think security-first.

Start an internal RSS feed or channels for security news and interesting write-ups

With the rise of digital workplaces like Facebook Workplace and Slack, it's easier than ever to share interesting articles and learning resources. To build up a security mindset in the workplace, you can set up RSS feeds that automatically post news from your trusted security channels, like the popular Reddit community /r/netsec, or get immediate notifications when research articles from Disposable mail Labs are published (you knew we had to mention that!).
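As an added example of the feed automation just described (not code from the original post or from Disposable mail), here is a small Python script that reads RSS 2.0 and Atom documents, remembers which entry ids it has already posted so a scheduled run only reports new items, and formats them as one channel message. The two feed documents are constructed inline so it runs offline; delivering the text to Slack or Workplace through their webhook APIs is left to whatever client you already use.

```python
"""Collect new items from security news feeds and format them for a chat channel.

Added example, not part of the original post. Handles RSS 2.0 (most blogs) and
Atom (the format https://www.reddit.com/r/netsec/.rss uses). The feeds below
are constructed samples, not real posts.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ATOM = "{http://www.w3.org/2005/Atom}"


@dataclass(frozen=True)
class Item:
    uid: str    # guid (RSS) or id (Atom), falling back to the link
    title: str
    link: str


def parse_feed(xml_text: str) -> list[Item]:
    """Return the entries of an RSS 2.0 or Atom document as Item objects."""
    root = ET.fromstring(xml_text)
    items = []
    if root.tag == f"{ATOM}feed":
        for entry in root.findall(f"{ATOM}entry"):
            link_el = entry.find(f"{ATOM}link")
            link = link_el.get("href", "") if link_el is not None else ""
            uid = entry.findtext(f"{ATOM}id") or link
            items.append(Item(uid, (entry.findtext(f"{ATOM}title") or "").strip(), link))
    elif root.tag == "rss":
        for it in root.iter("item"):
            link = (it.findtext("link") or "").strip()
            uid = (it.findtext("guid") or link).strip()
            items.append(Item(uid, (it.findtext("title") or "").strip(), link))
    else:
        raise ValueError(f"unsupported feed root element: {root.tag}")
    return items


def new_items(feed_xml: str, seen: set[str]) -> list[Item]:
    """Return entries not yet in `seen` and record them so they are not reposted.

    Persist `seen` between runs (a file or small database) for a real scheduler.
    """
    fresh = [i for i in parse_feed(feed_xml) if i.uid not in seen]
    seen.update(i.uid for i in fresh)
    return fresh


def format_message(source: str, items: list[Item]) -> str:
    """Build the text for one channel post; empty string when nothing is new."""
    if not items:
        return ""
    lines = [f"New from {source}:"]
    lines += [f"- {i.title} <{i.link}>" for i in items]
    return "\n".join(lines)


# Constructed sample feeds (not real posts): one RSS 2.0 document, one Atom document.
SAMPLE_RSS = """<rss version="2.0"><channel><title>Example Labs</title>
<item><title>Write-up: SSRF in an internal proxy</title>
<link>https://labs.example.com/ssrf</link><guid>labs-001</guid></item>
<item><title>Notes on DMARC rollout</title>
<link>https://labs.example.com/dmarc</link><guid>labs-002</guid></item>
</channel></rss>"""

SAMPLE_ATOM = """<feed xmlns="http://www.w3.org/2005/Atom"><title>r/netsec (sample)</title>
<entry><id>t3_abc123</id><title>Kernel bug analysis</title>
<link href="https://www.reddit.com/r/netsec/comments/abc123/"/></entry>
</feed>"""

if __name__ == "__main__":
    seen: set[str] = set()
    print(format_message("Example Labs", new_items(SAMPLE_RSS, seen)))
    print(format_message("r/netsec", new_items(SAMPLE_ATOM, seen)))
    # A second run with the same `seen` set reports nothing new.
    print(repr(format_message("Example Labs", new_items(SAMPLE_RSS, seen))))
```

Keying on the feed's own guid or id rather than the title avoids reposting an item whose headline was edited, and the `seen` set is what you persist between scheduled runs.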

Final thoughts

Building up security awareness or a security culture is not a cut-and-paste job, but the tools and internal learning resources mentioned above can make adoption easier. Some things are worth paying for, like a VPN or an online vulnerability scanner, to take care of the tedious and easily preventable matters, while there are resourceful, low-cost ways to create cybersecurity awareness. Lastly, all levels of the organization should be aware of security risks and plan as if someone is already in.

Curious to see how Disposable mail automated web vulnerability scanner can make security easier for you? Get started today with a free trial and check your web applications for 1000+ known vulnerabilities today.

Jocelyn Chan

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Cybersecurity Awareness Month – 5 tips for safe browsing

October is Cyber Security Awareness month, and a good time for organizations and anyone who uses the Internet (yes that means everyone) to review security best practices, for a safer user experience. Based on the current state of the Internet, here are our best tips for a better online browsing experience, for website guardians and end users.


1. Trust only HTTPS

While a few years back it was still widely debated whether HTTPS was really needed, TLS certificates and HTTPS are much more widely adopted today, since certificates can be obtained for free from providers like Let's Encrypt. Google has also joined the HTTPS advocacy: Chrome flags sites served over plain HTTP as "Not Secure", which affects the user experience and can even affect your Google search ranking.

And we agree with Google for flagging unencrypted (HTTP) websites as insecure. Why? Without the "S", everything that passes between the website backend and the client is trivially readable by anyone sitting between the two, which exposes users to a variety of attacks: an attacker on the same network can listen to the traffic, and a user can be served a page that has been tampered with in transit. For example, if the user connects to a WiFi hotspot controlled by an attacker, the attacker can insert malicious code or modify the content the user sees on the website.

However, HTTPS is not a silver bullet that tells you whether a website is secure. As mentioned at the beginning, certificates are easy to obtain for any kind of website, whether it hosts a legitimate e-commerce platform or a phishing page. Encryption protects data in transit, not the application itself: a site served over HTTPS can still have JavaScript-related vulnerabilities such as Cross-site Scripting (XSS). And a site that still answers on plain HTTP without redirecting to HTTPS and sending a Strict-Transport-Security (HSTS) header leaves its users open to being kept on HTTP by an attacker on the path.
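The difference between offering HTTPS and enforcing it is easy to check. The following Python function is an added example (not code from the original post or from Disposable mail): given the status and headers of a site's responses on http:// and https://, it reports whether plain HTTP redirects permanently, whether an HSTS header is present, and whether that header's max-age, includeSubDomains and preload directives are set. The sample responses are constructed so it runs offline; the one-year minimum for max-age is an assumption taken from what browser preload lists require, so adjust it to your own policy.

```python
"""Check whether a site actually enforces HTTPS rather than merely offering it.

Added example, not part of the original post. A certificate on port 443 does not
stop an on-path attacker from keeping a user on plain HTTP if port 80 still
serves content, nor from downgrading a later visit if no HSTS header was ever
sent. Responses are {"status": int, "headers": {name: value}} dicts; for a real
site, fetch them with any HTTP client and pass them in.
"""

MIN_HSTS_AGE = 31536000  # one year; assumption based on browser preload-list requirements


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value into a directive dict (keys lowercased)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_https(http_resp: dict, https_resp: dict) -> list[str]:
    """Return findings for a site; an empty list means HTTPS is enforced."""
    findings = []
    http_headers = {k.lower(): v for k, v in http_resp["headers"].items()}
    https_headers = {k.lower(): v for k, v in https_resp["headers"].items()}

    # 1. Plain HTTP must redirect to HTTPS, not serve content.
    location = http_headers.get("location", "")
    if http_resp["status"] in (301, 302, 307, 308) and location.lower().startswith("https://"):
        if http_resp["status"] not in (301, 308):
            findings.append("HTTP redirect to HTTPS is temporary (302/307); use 301 or 308")
    else:
        findings.append("HTTP serves content instead of redirecting to HTTPS")

    # 2. The HTTPS response must carry HSTS so later visits never try HTTP at all.
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    d = parse_hsts(hsts)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        findings.append("HSTS max-age missing or not a number")
        return findings
    if max_age == 0:
        findings.append("HSTS max-age=0 disables the policy")
    elif max_age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {max_age} is below one year")
    if "includesubdomains" not in d:
        findings.append("HSTS lacks includeSubDomains; subdomains can still be downgraded")
    if "preload" not in d:
        findings.append("HSTS lacks preload; the first visit is unprotected until the header is seen")
    return findings


# Constructed sample responses, not captured from a real site.
WEAK_HTTP = {"status": 200, "headers": {"Content-Type": "text/html"}}
WEAK_HTTPS = {"status": 200, "headers": {"Content-Type": "text/html"}}
GOOD_HTTP = {"status": 301, "headers": {"Location": "https://www.example.com/"}}
GOOD_HTTPS = {"status": 200, "headers": {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}}

if __name__ == "__main__":
    for label, a, b in (("weak", WEAK_HTTP, WEAK_HTTPS), ("good", GOOD_HTTP, GOOD_HTTPS)):
        print(label, assess_https(a, b) or ["HTTPS enforced"])
```

The first-visit gap is the reason preload exists: HSTS is trust-on-first-use, so a browser that has never seen the header will still happily make that first request over HTTP.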

2. Double check the sender

Have you ever received an unusual email that made your blood pressure rise? Noticed weird transactions or activity on a personal account that prompted you to quickly log in and verify that everything is okay? These are some of the tactics attackers use to get your attention and push you into clicking a convenient yet cryptic-looking link, which leads to a fake login page controlled by the attacker.

Phishing emails may look quite realistic, but something is usually off. For example, Apple would never send you an email from a domain called tepindaupmi[.]com.


Image: Example of a phishing e-mail

Another technique is email spoofing, which is possible when the domain being impersonated has not published SPF, DKIM and DMARC records, or when the receiving mail server does not enforce them. The attacker can then forge the sender address, giving the phishing email even more legitimacy by making it appear to come from a trusted domain or a trusted person.

If you administer an organization's domain, you are strongly encouraged to publish an SPF record, set up DKIM signing and publish a DMARC policy, to prevent your domain from being used as camouflage for phishing campaigns. We've previously covered this with some internal research on misconfigured email setups at top domains, and it's still a relevant issue today.
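To make the "misconfigured" part concrete, here is an added Python example (not code from the original post or from Disposable mail) that flags the SPF and DMARC mistakes that leave a domain spoofable: no SPF record at all, more than one (which receivers treat as a permanent error), a record ending in +all or ?all, no DMARC record, or a DMARC policy of p=none that only monitors. It does no DNS lookups itself; the TXT records are passed in as a dict and the ones below are constructed, so to run it against your own domain fill the dict from the output of `dig TXT example.com` and `dig TXT _dmarc.example.com`. DKIM is deliberately left out, because its record lives under a selector name you cannot discover without already knowing the selector.

```python
"""Flag SPF and DMARC weaknesses that let your domain be spoofed in phishing.

Added example, not part of the original post. Takes pre-fetched TXT records
instead of resolving DNS, so it runs offline on the constructed records below.
"""
from typing import Optional


def spf_record(txts: list[str]) -> tuple[Optional[str], list[str]]:
    """Pick the SPF record out of a domain's TXT records and report duplicates."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    findings = []
    if len(spf) > 1:
        findings.append("more than one SPF record; receivers treat this as a permanent error")
    return (spf[0] if spf else None), findings


def check_spf(txts: list[str]) -> list[str]:
    record, findings = spf_record(txts)
    if record is None:
        return ["no SPF record; anyone can send mail claiming to be this domain"]
    terms = record.split()[1:]
    if not terms:
        return findings + ["SPF record has no mechanisms; defaults to neutral"]
    last = terms[-1].lower()
    if last in ("+all", "all"):          # the default qualifier is "+"
        findings.append("SPF ends in +all: every sender on the Internet passes")
    elif last == "?all":
        findings.append("SPF ends in ?all (neutral): spoofed mail is neither passed nor failed")
    elif last == "~all":
        findings.append("SPF ends in ~all (softfail); fine when DMARC is enforced, weak on its own")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("SPF has no final 'all' mechanism; unlisted senders get an implicit neutral")
    return findings


def dmarc_policy(txt: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict (keys lowercased)."""
    tags = {}
    for part in txt.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(txts: list[str]) -> list[str]:
    records = [t for t in txts if t.upper().startswith("V=DMARC1")]
    if not records:
        return ["no DMARC record; SPF/DKIM results are not tied to the From: header"]
    tags = dmarc_policy(records[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' is missing or invalid")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address; you will get no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
    return findings


def check_domain(domain: str, dns: dict[str, list[str]]) -> list[str]:
    """Combine the SPF and DMARC checks for `domain` using pre-fetched TXT records."""
    return check_spf(dns.get(domain, [])) + check_dmarc(dns.get(f"_dmarc.{domain}", []))


# Constructed records for illustration, not real DNS data.
SAMPLE_DNS = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example +all"],
    # no _dmarc.weak.example record at all
    "good.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "monitor.example": ["v=spf1 mx ~all", "v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; pct=50"],
}

if __name__ == "__main__":
    for d in ("weak.example", "good.example", "monitor.example"):
        print(d, check_domain(d, SAMPLE_DNS) or ["ok"])
```

Note that SPF alone is checked against the envelope sender, not the From: header the user sees; that is why the DMARC policy matters, since it is what ties the SPF or DKIM result to the visible From: domain.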

It should also be noted that attackers have discovered that, in addition to phishing emails, people tend to be more susceptible to attacks delivered over less conventional mediums such as text messages, according to Verizon's Data Breach Investigations Report.

3. Disable Javascript

JavaScript is a widely used programming language that allows the creation of dynamic web pages and interactive functionality. It does not have to be compiled ahead of time: the browser executes it directly as part of loading the page. This also brings security issues, because JavaScript has full access to the building blocks that make up the structure of the page, the Document Object Model (DOM). In the event of a JavaScript-related vulnerability, an attacker can supply scripts that are executed within the user's browser, with the same access to the page as the site's own code.

JavaScript-related issues include Cross-site Scripting (XSS) vulnerabilities. You can read more about the different kinds of XSS vulnerabilities.

Because JavaScript runs on the client side, you can disable or limit its execution in your browser. In Google Chrome you can block specific sites, and for Firefox you can download, for example, this browser plugin. Note that blocking all JavaScript will most likely limit your browsing experience, because many websites offer only partial support for a JavaScript-free HTML version. Some websites may not let you log in, or the layout may look odd.

Go ahead and try it: disable JavaScript in your browser and see what happens when you browse the Internet.


Image: Google Chrome settings to blacklist or whitelist for domains where Javascript can be loaded

Again, this is not a one-size-fits-all solution, and any JavaScript-related vulnerability should be remediated by the website's owner. Allowing or blocking specific domains does not help you against a stored XSS on a site you have allowed: the injected script is served as part of that site and runs in that domain's context, which you have not blocked.

4. Keep passwords and secrets, secret

Passwords. Whether you're an internet-goer, a developer or an administrator, the storage and handling of passwords has been an issue ever since they were first introduced as a method of authentication.

So just to recap: a good password is known only to you, unique to each service (in practice that means using a password manager), and long enough to withstand guessing or brute-force attacks. Also, Multi-Factor Authentication (MFA) should be enabled whenever a service supports it.

For secrets such as API keys and tokens, secure storage is a little trickier, as they need to be available to the services and systems that use them. One definite no-go, however, is storing them in the source code, which is often copied to less secure locations and can be compromised. Keep secrets out of version control altogether and inject them at runtime, for example through environment variables or a secrets manager.
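Keeping secrets out of version control is easier to enforce than to remember, so here is an added Python example (not code from the original post or from Disposable mail) of the check a pre-commit hook or CI job can run over staged text files. It combines two heuristics: an assignment of a literal value to a credential-looking name (password, secret, token, api_key, private_key), and any long string whose Shannon entropy is high enough to look machine-generated. The sample file, the name list, the placeholder list and the entropy threshold are all constructed assumptions to tune for your own codebase; the one "secret" in the sample is the example value from AWS's own documentation, not a real credential.

```python
"""Catch secrets before they reach version control.

Added example, not part of the original post. Run it over the staged files in a
pre-commit hook and refuse the commit when it returns any hits.
"""
import math
import re

# A literal value assigned to a credential-looking name, e.g. password = "hunter2".
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key|private[_-]?key)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
)
# Any long run of base64/hex-like characters; judged by entropy below.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0   # bits per character; assumption, random tokens score above this, prose below
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s` (0 for an empty or single-character string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_text(text: str, filename: str = "<stdin>") -> list[tuple[str, int, str]]:
    """Return (filename, line number, reason) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.search(line)
        if m and m.group(2).lower() not in PLACEHOLDERS:
            hits.append((filename, lineno, f"literal value assigned to '{m.group(1)}'"))
            continue
        for token in CANDIDATE.findall(line):
            ent = shannon_entropy(token)
            if ent >= ENTROPY_THRESHOLD:
                hits.append((filename, lineno, f"high-entropy string ({ent:.2f} bits/char)"))
                break
    return hits


# Constructed sample file. The AWS-style value is the placeholder from AWS's docs, not a real key.
SAMPLE_CONFIG = """\
import os
DB_HOST = "db.internal.example"
DB_PASSWORD = os.environ["DB_PASSWORD"]        # good: injected at runtime
api_key = "changeme"                            # placeholder, ignored
AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"    # bad: literal secret
AUTH_HEADER = "Bearer Zq8vR2pL9sXw4nT7yB1cM6hK3dF0jG5a"   # bad: high-entropy literal
comment = "the quick brown fox jumps over the lazy dog"
"""

if __name__ == "__main__":
    for f, n, why in scan_text(SAMPLE_CONFIG, "config.py"):
        print(f"{f}:{n}: {why}")
```

Expect false positives on things like hashes in lock files and long URL-safe ids; the usual answer is a per-repository allowlist of paths and known-safe strings rather than lowering the threshold, so that a real key never slips through because the check was tuned to be quiet.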

5. Always ask yourself – why?

Whenever you're online, it is good to take a breather and analyse the website you're using and the message you received. If a message asks you to change your password, do it by typing the service's URL into your browser yourself and logging in there, not by following the link.

Messages and content that make you feel you need to act fast can be a sign that something is wrong. Attackers want you to feel rushed, because that's when you're more likely to click a link you shouldn't open. So next time you're about to click a link in an email, hover over it first to see where it really leads, and then type the address manually or find the site via search. It's a bit more work, but it can save you from giving up your credentials.
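The "hover over it first" check can be automated for an entire mailbox. The Python below is an added example (not code from the original post or from Disposable mail): it parses the anchors in an HTML e-mail and, for every link whose visible text looks like a URL or domain, compares the domain the text claims with the domain the href actually points to. The sample message is constructed around the Apple-themed phish and the tepindaupmi[.]com domain from the example above; the "last two labels" rule for comparing domains is a simplification, and a real gateway would use the public suffix list instead.

```python
"""Flag links in an HTML e-mail whose visible text claims a different site than the href.

Added example, not part of the original post. Only anchors whose text looks like
a URL or a domain are judged; plain words such as "verify now" make no claim.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# A domain (optionally with scheme) in free text: host followed by '/', ':', whitespace or end.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:\s]|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (assumption; use the public suffix list in production)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html: str) -> list[tuple[str, str]]:
    """Return (visible text, href) for anchors whose claimed domain differs from the real one."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        m = HOST_IN_TEXT.search(text)
        if not m:
            continue
        claimed = registrable_domain(m.group(1))
        actual = registrable_domain(urlsplit(href).hostname or "")
        if actual != claimed:
            out.append((text, href))
    return out


# Constructed sample message modelled on the phishing example in the post.
SAMPLE_EMAIL = """
<p>Your Apple ID was used to sign in on a new device.</p>
<p>Review here: <a href="http://tepindaupmi.com/login">https://appleid.apple.com/</a></p>
<p>Or <a href="http://tepindaupmi.com/login">verify now</a>.</p>
<p>Questions? Visit <a href="https://support.apple.com/">support.apple.com</a>.</p>
"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"text says {text!r} but href goes to {href}")
```

The second link ("verify now") is just as malicious but is not flagged, which is the point of the caveat in the post: a mismatch check catches one common trick, and the sender and context checks above are still needed for the rest.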

And to continue in the spirit of Cybersecurity Awareness Month, share these tips with your colleagues, to encourage best security practices in the workplace and across the Internet in general.

Written by:
Laura Kankaala
Security Researcher, Disposable mail

Disposable mail is an automated web application scanner that checks your web apps for 1500+ known vulnerabilities. By collaborating with our community of ethical hackers, we've developed a test bed of vulnerabilities beyond the OWASP Top 10, including misconfigured SPF records and HTTPS implementation issues. Check the security status of your web apps with Disposable mail today. Start your 14-day free trial.
