Weak passwords remain the single biggest security issue facing UK companies: users too often rely on default passwords, and systems too often permit concurrent logins.
According to a report from technology industry body techUK, while new threats continue to emerge, "well known vulnerabilities are still the most common".
The report, Securing Web Applications and Infrastructure, is based on penetration tests conducted over the last 12 months by techUK, and was produced in association with the Home Office.
Results showed that the top ten vulnerabilities are:
1. Account weaknesses. A weak password policy could allow unauthorised access to an application or the wider system.
2. Secure Sockets Layer (SSL) issues. Tests consistently find weaknesses ranging from weak ciphers to self-signed and expired certificates. Both undermine the protection of traffic in transit, so passwords sent over such connections can be intercepted.
3. Cross site scripting (XSS). XSS is one of the most common vulnerabilities; it lets an attacker inject script into web pages, which then runs in the browsers of other users of the site.
4. Clear test protocol in use. Testing applications and systems is good practice in general, but leaving test material such as 'test harnesses' behind on a live system can be useful to an attacker.
5. No brute force protection. Brute force is a simple but effective attack: without rate limiting or lockout, an attacker can automatically try large numbers of password combinations or authentication methods.
6. Directory listing. By discovering the directory structure, an attacker may find a particular file to exploit, or use the listing to improve their chance of compromising the system or application.
7. No 'clickjacking' protection. Clickjacking loads a legitimate page in a transparent layer (typically an iframe) over a decoy page, so that a user who believes they are clicking the decoy is actually clicking a control on the legitimate site, or is directed to a page different from the one they believe they are going to. A site that does not tell browsers to refuse framing cannot prevent this.
8. Cookies. Session cookies are a security hazard when they are not marked HttpOnly (so page scripts can read them) or not marked Secure (so they can be sent over unencrypted connections).
9. Host configuration issues. Hosts must be configured properly to resist attackers and avoid other security problems. The biggest issues found here are firewall configuration and leakage of internal IP addresses.
10. Information disclosure, and especially user enumeration. This is where the application's functional responses, or its password reset mechanism, give unintentional 'clues' as to whether a username exists or how usernames and passwords are constructed.
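Several of the items above are visible directly in a server's HTTP responses. The following Python is an added example, not code from the techUK report or from any tool it describes: it parses a raw response and flags missing clickjacking protection (item 7), cookies without the HttpOnly and Secure flags (item 8), an automatically generated directory listing (item 6) and version strings in the Server or X-Powered-By headers (items 9 and 10). The two sample responses and the title-matching heuristic are constructed for illustration.

```python
# Added example (not from the techUK report): checks for four of the listed
# findings run over a raw HTTP response. The heuristics and sample responses
# are constructed for illustration.
import re


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, headers, body).

    Headers are kept as a list of (lowercased name, value) pairs so that
    repeated headers such as Set-Cookie are all preserved.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def audit_response(raw: str) -> list:
    """Return a list of findings, empty when none of the checks fire."""
    _status, headers, body = parse_response(raw)

    def values(name):
        return [v for k, v in headers if k == name]

    findings = []

    # 7. Clickjacking: the page must forbid framing, either with
    #    X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = [v.upper() for v in values("x-frame-options")]
    csp = " ".join(values("content-security-policy")).lower()
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo) and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")

    # 8. Cookies: every Set-Cookie should carry the HttpOnly and Secure flags.
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")

    # 6. Directory listing: heuristic match on the titles that common
    #    autoindex pages (Apache, Python http.server) generate.
    if re.search(r"<title>\s*(Index of /|Directory listing for)", body, re.I):
        findings.append("directory listing: autoindex page served")

    # 9/10. Host configuration and information disclosure: version numbers
    #       in Server or X-Powered-By tell an attacker exactly what to target.
    for header in ("server", "x-powered-by"):
        for v in values(header):
            if re.search(r"\d+\.\d+", v):
                findings.append(f"info disclosure: {header} reveals version '{v}'")

    return findings


# Constructed sample responses: one with the weaknesses, one hardened.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /backup</title></head><body></body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Home</title></head><body></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["no findings"])
```

The weak response produces five findings and the hardened one none. The directory-listing check is only a title heuristic; a real test confirms it by requesting a directory path and reading the body.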
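Items 1, 5 and 14 are all addressed in the same piece of code, the login handler. The following Python is an added example, not code from the techUK report: it enforces a minimum password policy, locks an account after repeated failures, and returns one identical message, after the same amount of hashing work, whether or not the username exists. The thresholds, the short default-password denylist, the user names and the `LoginService` class name are assumptions chosen for the example.

```python
# Added example (not from the techUK report): a login handler that applies
# three of the listed fixes at once. The thresholds, the short denylist and
# the user names are assumptions chosen for the example.
import hashlib
import hmac
import os
import time
from typing import Optional

MIN_PASSWORD_LEN = 12          # assumption: minimum length the policy enforces
MAX_FAILURES = 5               # assumption: failures before the account locks
LOCKOUT_SECONDS = 15 * 60      # assumption: how long the lock lasts
PBKDF2_ROUNDS = 100_000
GENERIC_ERROR = "Invalid username or password"   # same text for every failure
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "123456"}  # constructed


def check_policy(password: str) -> list:
    """Item 1: reject short passwords and well-known defaults."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN}")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default/common password")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    def __init__(self, clock=time.monotonic):
        self.users = {}     # username -> (salt, digest)
        self.failures = {}  # username -> (failure count, locked-until timestamp)
        self.clock = clock
        # Hashed once so unknown usernames cost the same time as known ones
        # (item 14: no timing side channel for enumeration).
        self._dummy = hash_password("dummy-value-never-accepted")

    def register(self, username: str, password: str) -> list:
        problems = check_policy(password)
        if not problems:
            self.users[username] = hash_password(password)
        return problems

    def login(self, username: str, password: str):
        """Return (success, message). Every failure returns GENERIC_ERROR."""
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            # Item 5: locked out. Do not check the password, and do not say
            # so: a distinct 'locked' message would confirm the user exists.
            return False, GENERIC_ERROR
        if locked_until:
            count, locked_until = 0, 0.0   # a previous lock has expired

        # Always hash, using the dummy record for unknown users, then
        # compare in constant time.
        salt, stored = self.users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        if username in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return True, "ok"

        count += 1
        if count >= MAX_FAILURES:
            locked_until = now + LOCKOUT_SECONDS
        self.failures[username] = (count, locked_until)
        return False, GENERIC_ERROR


if __name__ == "__main__":
    svc = LoginService()
    print(svc.register("alice", "correct horse battery staple"))
    print(svc.register("bob", "password"))
    print(svc.login("alice", "wrong"), svc.login("nobody", "wrong"))
```

Locking by username lets an attacker lock legitimate users out by guessing their names, so in production pair this with per-source rate limiting, and expire entries in the failures table so it cannot grow without bound.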
However, it's not all bad news. Gordon Morrison, director of tech for government at techUK, said: "The good news for businesses and citizens is that there are well established fixes available to protect against these vulnerabilities and avoid falling victim to cyber crime".
For example, he noted that help is available in the form of a specification developed by the BSI which describes what constitutes good software engineering: PAS 754, Software Trustworthiness - Governance and Management.