Cyberattacks on small and midsized companies in 2019 cost $200,000 per company on average, mercilessly putting many of them out of business, says CNBC in its analysis of a recent Accenture report. In light of the global cybersecurity skills shortage, the number is set to soar in 2020. Solely in the UK, over 50,000 British SMEs could collapse next year following a cyberattack.
This article presents a list of free tools that are already being used to combat these alarming challenges and enable SMEs to arm themselves against a wide range of cyber offenders.
Website Security Test with GDPR and PCI DSS Compliance Scan
The problem: It would be hard to come across an SME without a website, or at least a web page on the Internet. Such websites are habitually poorly protected, becoming low-hanging fruit for cybercriminals. Even if the website does not store or handle any payment transactions or otherwise sensitive information, once breached, access to it can be sold in Dark Web marketplaces from $5 to $500 depending on the website’s popularity, industry, and quality of visitors.
Cybercriminals will then exploit the website to send spam, proliferate spyware and ransomware, and distribute Remote Access Trojans (RAT) tailored to empty e-banking accounts of unwitting visitors. As well as reputational damage and falling sales, such unforeseeable incidents can likewise trigger protracted and expensive lawsuits from the victims, let alone fines and penalties imposable under GDPR and a mushrooming myriad of other privacy laws and regulations.
Worse, once your website is identified as a source of spam, malware, or DDoS attacks stemming from the breach, Google and other search engines will swiftly blacklist it. The integrity of your SEO efforts and Google Ads investment will vanish in minutes and for many months, while Google support will be reviewing your complaint to delist you from the dangerous websites’ purgatory. In most cases, however, your existing position in search results (SERP) will be irretrievably lost.
The tool: Our first free online tool is, therefore, a website security test that not only searches for web vulnerabilities, weaknesses, and misconfigurations but also runs a GDPR and PCI DSS compliance scan:
The free test just requires a website URL to start; no registration or installation is required. The following non-intrusive and production-safe website security tests and checks will be performed:
- In-depth CMS scan for 50,000+ known web security vulnerabilities
- A full scan of WordPress, Drupal, Joomla and Magento plugins
- Full scan for Open Source Software and its components
- Check of privacy and security HTTP headers
- Check of Content Security Policy (CSP)
- Check for presence in Black Lists
- Check for malware
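To make the HTTP header and CSP checks in the list above concrete, here is an added example (not ImmuniWeb's code) that grades a response's security headers and parses its Content-Security-Policy the way such a check would. The two header sets are constructed for illustration: the first is a weak configuration, the second a hardened one; the thresholds (one year of HSTS, 'unsafe-inline' in script-src, object-src 'none') follow common hardening guidance and are this example's own assumptions, not the test's exact rules.

```python
"""Added example: evaluate security headers and CSP of an HTTP response."""
import re

# Constructed sample of a weakly configured server's response headers.
WEAK_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; "
                               "script-src 'self' 'unsafe-inline' https://cdn.example.com; "
                               "object-src 'none'",
}

# Constructed sample of the same site after hardening.
HARDENED_HEADERS = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; "
                               "img-src 'self'; object-src 'none'; frame-ancestors 'none'",
}

ONE_YEAR = 31536000  # assumed minimum HSTS max-age (seconds)


def parse_csp(value):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(policy):
    """Findings for a parsed CSP; script-src falls back to default-src per the spec."""
    findings = []
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append(("high", "CSP has neither script-src nor default-src"))
    else:
        if "'unsafe-inline'" in script:
            findings.append(("medium", "CSP allows inline scripts ('unsafe-inline' in script-src)"))
        if "'unsafe-eval'" in script:
            findings.append(("medium", "CSP allows eval ('unsafe-eval' in script-src)"))
        if "*" in script or any(s.startswith("http:") for s in script):
            findings.append(("medium", "CSP script-src permits wildcard or plaintext sources"))
    if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
        findings.append(("low", "object-src should be 'none' to block plugin content"))
    return findings


def check_headers(headers):
    """Return a list of (severity, message) findings for a header dict."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age below one year ({age}s)"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))
    if "referrer-policy" not in h:
        findings.append(("low", "Referrer-Policy missing"))
    csp = parse_csp(h.get("content-security-policy", ""))
    if csp:
        findings.extend(check_csp(csp))
    else:
        findings.append(("high", "Content-Security-Policy missing"))
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(("medium", "No clickjacking protection (X-Frame-Options or frame-ancestors)"))
    if re.search(r"/\d", h.get("server", "")):
        findings.append(("info", "Server header discloses software version"))
    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_headers(hdrs))
```

Running the block prints five findings for the weak set and none for the hardened set; in practice you would feed it the headers captured from your own site's response.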
On top of this, you will get a detailed assessment of the applicable requirements from the following compliance and regulatory standards:
- PCI DSS 3.2.1
- EU GDPR
Importantly, the free test is equipped with a quick OSINT discovery of your subdomains, providing broader visibility of your External Attack Surface. The test likewise provides a free API for those who want to automate the testing or export vulnerability data into an existing cybersecurity solution or platform.
Mobile Application Security and Privacy Test
The problem: Mobile applications and ecosystems are bringing a steadily growing income to SMEs who are reaching new customers and markets across the globe with their products and services.
The emerging mobile marketplace is, however, not without its drawbacks and pitfalls. Insecure mobile apps, or poorly implemented encryption of transmitted data, may expose sensitive customer data and trigger reputational injury and considerable financial losses. Some cases may even lead to lawsuits from belligerent clients and immense financial penalties from the data protection authorities and regulatory agencies.
Moreover, your app can be permanently banned from the Apple and Google Play stores, causing irreparable and protracted damages to your business.
The tool: To detect, mitigate, and prevent such undesirable consequences in a timely manner, we present a mobile security test for your iOS and Android applications:
The free test requires you to upload your mobile app or, if the application is already available in Google Play, just to type its name in the search box and select it from the list. No installation or registration is required to test your mobile apps.
During the security scanning process, the following checks and tests will be conducted:
- In-depth OWASP Mobile Top 10 security scan
- Smart scan for hardcoded passwords and API keys
- Holistic privacy check and inventory of application permissions
- Dynamic (DAST) testing of your mobile application binary for security flaws
- Static (SAST) testing of your mobile application source code for security flaws
- In-depth Software Composition Analysis (SCA) for known Open Source Software (OSS) risks
- Review encryption of the data sent to the mobile app backend (APIs and Web Services)
- Malware and Cryptojacking scan
You will get a consolidated overview of your mobile application security and privacy with actionable excerpts of problematic source code and recommendations on how to fix the issues. Additionally, you may use a free API to automate testing of your mobile apps, for example before releasing a new version.
SSL/TLS Encryption and Certificate Test with PCI DSS, NIST and HIPAA scan
The problem: The modern-day Internet would be impossible without encryption. Even beginners know that a green lock icon on the left side of the browser address bar is a good indicator of trust and confidence. Properly implemented SSL/TLS encryption and a correctly installed SSL certificate may boost your online sales and provide you with a competitive advantage on the global market.
If you are running an e-commerce website and accept credit card payments, you likely adhere to strict security requirements imposed by PCI SSC on online merchants, including the most recent version of PCI DSS. Among those 12 well-thought-out security requirements, due implementation of SSL/TLS encryption plays a notable role in safeguarding credit card data from interception and theft.
The formidable GDPR also unambiguously requires a properly implemented encryption strategy whenever you process, store, or handle any Personally Identifiable Information (PII) of Europeans or EU residents.
Recently, Google introduced an important amendment to its search and ranking algorithms, clearly giving preference to websites with flawless HTTPS encryption in accord with the industry best practices.
The tool: Let’s now have a look at this free SSL/TLS security test, which is able to rapidly scan your website and its subdomains for all known encryption misconfigurations and related weaknesses:
In contrast to many other SSL security tests and online encryption validation tools, this one is capable of testing not only the HTTPS encryption but likewise fits well for email (e.g., POP3S, IMAPS, STARTTLS) and all other common SSL/TLS implementations on any port.
The test just requires your website or server name and then will rapidly conduct the following checks and scan for:
- Over 30 known SSL/TLS implementation vulnerabilities including POODLE and Heartbleed
- PCI DSS Requirements for SSL/TLS encryption, cipher suites, and SSL certificate
- NIST Guidelines on SSL/TLS, including an in-depth check of all cipher suites
- HIPAA Guidance on SSL/TLS hardening and implementation
- Insecure (non-HTTPS) insertion of external web content
- SSL certificate chain and CA check
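The cipher suite, protocol and certificate items above come down to policy decisions that you can check for yourself. The following added example (not ImmuniWeb's code) uses only Python's standard ssl module: it classifies a constructed list of negotiable cipher suite names, flags protocol versions outside TLS 1.2/1.3 (the PCI DSS position since the migration away from SSL and early TLS), builds a hardened client context, and computes the days left on a certificate from a notAfter string in the format getpeercert() returns. The weak-cipher patterns and the "no forward secrecy" rule are this example's own assumptions; the sample cipher list and dates are constructed.

```python
"""Added example: TLS cipher suite, protocol version and certificate expiry policy checks."""
import re
import ssl

# Constructed sample: cipher suites a scanner might report as negotiable on a server.
SAMPLE_NEGOTIABLE = [
    "TLS_AES_256_GCM_SHA384",         # TLS 1.3, always forward secret
    "ECDHE-RSA-AES128-GCM-SHA256",    # TLS 1.2 with ephemeral key exchange
    "AES128-SHA",                     # static RSA key exchange: no forward secrecy
    "DES-CBC3-SHA",                   # 3DES (SWEET32)
    "RC4-MD5",                        # RC4 and MD5, both broken
    "NULL-SHA",                       # no encryption at all
]

# Assumed weak-cipher patterns (OpenSSL naming): null/export/anonymous suites, RC4, (3)DES, MD5.
WEAK = re.compile(r"NULL|EXPORT|ADH|AECDH|RC4|DES|MD5", re.IGNORECASE)
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def is_weak_cipher(name):
    return bool(WEAK.search(name))


def is_forward_secret(name):
    """Ephemeral (EC)DHE suites and every TLS 1.3 suite provide forward secrecy."""
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))


def audit_ciphers(names):
    """Sort cipher suite names into weak / no_forward_secrecy / ok buckets."""
    result = {"weak": [], "no_forward_secrecy": [], "ok": []}
    for name in names:
        if is_weak_cipher(name):
            result["weak"].append(name)
        elif not is_forward_secret(name):
            result["no_forward_secrecy"].append(name)
        else:
            result["ok"].append(name)
    return result


def unsupported_protocols(offered):
    """Protocol versions a server offers that fall outside the accepted set."""
    return sorted(set(offered) - ACCEPTED_PROTOCOLS)


def hardened_context():
    """Client context restricted to TLS 1.2+ and AEAD suites with forward secrecy."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Applies to TLS 1.2 and below; TLS 1.3 suites are governed separately and are all strong.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def days_until_expiry(not_after, now_seconds):
    """Days between now and a certificate's notAfter ('Jun  1 12:00:00 2025 GMT' format)."""
    return (ssl.cert_time_to_seconds(not_after) - now_seconds) / 86400


if __name__ == "__main__":
    print(audit_ciphers(SAMPLE_NEGOTIABLE))
    print("unsupported:", unsupported_protocols(["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]))
    print("hardened context offers:", [c["name"] for c in hardened_context().get_ciphers()])
    # Constructed dates: certificate expires 30 days after the assumed current time.
    now = ssl.cert_time_to_seconds("May  2 12:00:00 2025 GMT")
    print("days left:", days_until_expiry("Jun  1 12:00:00 2025 GMT", now))
```

The context returned by hardened_context() is what you would pass to a client that must only ever negotiate acceptable parameters; the audit functions are for grading what a server was observed to offer, which is the scanner's view of the same policy.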
Moreover, the test will enumerate all your subdomains discovered with non-intrusive OSINT reconnaissance. Finally, you can seamlessly automate regular scanning by using the free API.
Domain Security Test
The problem: Phishing is probably one of the most prevalent and well-known problems that cost billions of dollars every year to inattentive or careless victims. With the skyrocketing increase of Business Email Compromise (BEC) attacks, also intertwined with so-called “CEO Fraud” emails, phishing prevention merits a special place in your cybersecurity strategy.
Domain attacks, including typosquatting and cybersquatting, impersonate your brand and trademarks in the digital space. They steal your visitors and website traffic, parasitizing on your goodwill and hard-won reputation. In small and rapidly growing markets, such freeloaders may undermine your marketing efforts and negate your previous success.
Last but not least, fake accounts in social networks that pretend to represent you or be somehow connected with your business may likewise bring a lot of reputational harm and loss of profit.
The tool: To tackle the foregoing challenges, you should try this phishing and domain security test:
All you need to commence the test is to enter your domain name. The test will meticulously crawl over 200,000,000 existing or previously existing domains trying to find infringers, imposters and other digital parasites.
It will depict your domain security by delivering an up-to-date inventory of malicious domains and websites including:
- All currently known phishing, malware and scam websites exploiting your brand
- Fake accounts on Twitter, Facebook, and other social networks
- Full list of typosquatted domains abusing your brand
- Full list of cybersquatted domains abusing your brand
The test is likewise capable of identifying and distinguishing the websites and domains that belong to or are operated by your organization, marking them in blue, while all other rogue domains will appear in red and require your prompt attention for takedown action.
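The typosquatting and cybersquatting lists, and the blue/red distinction, rest on deciding whether an observed domain is a lookalike of your own. The following added example (not ImmuniWeb's code) shows one way a defender can do that triage over a list of observed registrations: it normalizes each domain label (punycode, digit-for-letter and Cyrillic confusables, "rn" for "m"), then labels it as own, homoglyph, typosquat (edit distance of at most 2) or cybersquat (brand name embedded, or the same name on another TLD). The brand "examplebank.com", the allowlist, the observed domains and the confusable table are all constructed for illustration.

```python
"""Added example: classify observed domains as lookalikes of your own brand domain."""
import unicodedata

BRAND = "examplebank.com"                            # constructed brand domain
OWN_DOMAINS = {"examplebank.com", "examplebank.co.uk"}   # constructed allowlist (shown in blue)

# Constructed subset of characters commonly substituted for Latin letters.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
}
DIGRAPHS = {"rn": "m", "vv": "w"}
MAX_TYPO_DISTANCE = 2   # assumed threshold for calling a label a typosquat


def split_domain(domain):
    """Return (first label, remainder) of a lowercased domain."""
    label, _, rest = domain.lower().rstrip(".").partition(".")
    return label, rest


def normalize_label(label):
    """Undo common visual tricks so lookalikes compare equal to the brand label."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKC", label)
    out = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for pair, single in DIGRAPHS.items():
        out = out.replace(pair, single)
    return out


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return 'own', 'homoglyph', 'typosquat', 'cybersquat' or None for unrelated."""
    if domain.lower() in OWN_DOMAINS:
        return "own"
    brand_label, _ = split_domain(BRAND)
    label, _ = split_domain(domain)
    normalized = normalize_label(label)
    if normalized == brand_label:
        # Same name after normalization: either visual substitution or another TLD.
        return "homoglyph" if label != brand_label else "cybersquat"
    if levenshtein(normalized, brand_label) <= MAX_TYPO_DISTANCE:
        return "typosquat"
    if brand_label in normalized:
        return "cybersquat"
    return None


def triage(observed):
    """Map each related domain to its category; unrelated domains are dropped."""
    return {d: c for d in observed if (c := classify(d)) is not None}


if __name__ == "__main__":
    # Constructed list of domains an OSINT sweep might have surfaced.
    observed = ["examplebank.com", "examp1ebank.com", "ex\u0430mplebank.com",
                "exampelbank.com", "examplebank-login.com", "examplebank.net",
                "unrelatedshop.com"]
    for dom, cat in triage(observed).items():
        print("blue" if cat == "own" else "red ", cat.ljust(10), dom)
```

Everything not on the allowlist that still maps to a category is a takedown candidate (red); the "homoglyph" and "typosquat" buckets are the ones worth watching most closely, since those are the registrations built to be mistaken for yours at a glance.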
Check these and other free security tests by ImmuniWeb® Community offering and stay secure in 2020!