Website security assessment service | WEB vulnerability assessment

In Indonesia, most corporations still have very low awareness of website security. At the same time, many skillful attackers are causing security incidents in Indonesia at an international level. It is extremely important to have your website’s security checked by a professional who looks at it from the viewpoint of cyber attacks and software vulnerabilities, since attackers have various ways to penetrate a security hole in your website. If attackers exploit your security holes, the risk is not only that your website will be hijacked or edited, but also that your website or business can be used for a crime. That is why it is extremely important to strengthen your website’s security, even if it is a very simple website.

Examples of Cyber-Security Threats.

An Indonesian airline once became the victim of a cyber-attack, resulting in the leakage of important passenger data. The data leakage stemmed from two sources, the first of which contained 21 million articles of data, and the other 14 million. Indonesian telecommunications companies have previously fallen victim to cyber-attacks using web-defacing techniques. ‘Web defacing’ changes the appearance of a website, altering its main page, index file and other pages that are still bound to the website’s URL.

Cyber-security incidents have occurred not only at corporate entities but also at government agencies. Based on data obtained from the CSIS (Center for Strategic and International Studies), many state-run institutions worldwide have experienced such cyber-attacks, notably several US cancer research agencies that were hacked in order to retrieve the latest data on developments in the study of cancer. North Korean hackers have also carried out phishing attacks on foreign officials, aiming to decipher nuclear-related information. The Indonesian General Election Commission also reported that hackers from China and Russia had examined the database of Indonesian voters before the presidential and legislative elections were held.

Is Your Company Vulnerable to a Cyber Security Attack?

Presently, as many as 74% of companies have over 1000 highly sensitive files stored within their archives, 21% of which often lack capable protection and are thereby vulnerable to hacking. Additionally, 41% of companies commonly store over 1000 sensitive files that are not well protected. These can include credit card numbers and other financial records.

Furthermore, based on Varonis’ data, 65% of companies have 500 users who have never changed their passwords. In fact, based on a study conducted by the Ponemon Institute in 2017, as many as 69% of organizations do not believe that anti-virus software can help solve a data-breach-related threat. Hackers have various techniques to hack and access important company data. Without good cyber security, both large and small companies can fall victim to all kinds of cyber-attacks. This happens because every business has assets criminals may seek to exploit. Sometimes these assets are in the form of money, financial information, personal information of staff and customers, or even business infrastructure.

Website security assessment contents

  • We check and report on 12 crucial items of the assessment. It is a website vulnerability assessment service that can quickly scan the security level of your website.
  • The scope of assessment may be limited by the scale of the website security (number of pages, search function, presence/absence, and number of forms) that will be tested.
  • We conduct the assessment using a security assessment tool that enables us to implement comprehensive testing.
  • We also perform a manual test to identify critical and potential risks by analysing source code.
  • We will provide advice on how to resolve the risks and show you the priority in which those risks should be resolved.

Why is website security assessment necessary?
Websites owned by financial institutions are not the only ones that need security assessment and countermeasures. Websites that do not handle important or personal information can also be targeted by cyber-attacks.

In Indonesia too, attacks such as unauthorized access and falsification of data are frequently carried out against websites. These can cause severe damage, such as personal information leakage, system downtime, access trouble, and even falsification of identity.

It is important to know how a weak security system can result in financial, reputational, and legal consequences.
  1. Financial Impact
    Cyber attacks can often result in financial losses arising from:
    • Theft of Corporate Information
    • Theft of Financial Information
    • Sales Disruptions (Example: Customers being unable to conduct online transactions)
    • Loss of Business or Employment Contracts

  2. Reputational Impact
    Cyber attacks can damage your business’s reputation and potentially lead to:
    • Loss of Customer Trust
    • Loss of Customers
    • Decrease in Sales
    • Reduction of Profits

  3. Legal Impact
    As a business owner, you are obliged to protect your company, its customers and the data of its employees. If you fail to fulfill such basic requirements and you are bound by a contract, you may be subject to legal sanctions or various fines.

To eliminate these risks and keep maintaining a secure website, conducting a security vulnerability assessment is highly recommended. Through a primary security assessment, we can properly grasp the extent to which a website is vulnerable to cyber-attacks.

LOGIQUE will flexibly perform various security assessments according to the scale of the website. We also have a primary vulnerability assessment that is easy and cheaper to start with.

The steps taken by LOGIQUE in conducting a Website Security Assessment
In conducting a website security assessment, Logique Digital Indonesia uses international standards as the reference, including:

Step 1: Reconnaissance
The stage where we collect initial data and anything else needed for the client. After the data is collected, we will be able to plan attacks more easily. Reconnaissance can be done in two ways: actively (directly touching the specified target) and passively (surveillance is done through intermediaries).

Step 2: Scanning
At this stage, an application is used as a technical tool to collect further data on the target that we have set. The data sought is more general and concerns the systems the target has.

Step 3: Gaining Access
We will gain access to take control of one or more network devices to further extract data from the target, then use the device to launch attacks on other targets.

Step 4: Maintaining Access
This is the stage where we take the steps needed to remain in the target environment, with the aim of collecting as much data as possible. In this phase, the attacker must remain idle so as not to be caught while using the host environment.

Step 5: Covering Tracks
The last stage, where we cover our tracks: the attacker takes the steps needed to remove all traces that could lead to detection. Any changes that have been made, elevated authorizations, etc. must all be returned to a state that is not recognized by the host’s network administrators.

LOGIQUE provides a variety of Cyber Security services.

A. Application Penetration Testing
A security test is a method of evaluating the security of a computer system or network by methodically validating and verifying the effectiveness of application security controls.

1) Web Apps
A web application security test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.

2) Mobile Apps
The security test on mobile apps focuses only on evaluating the security of a mobile app on iOS or android devices. Like web apps, the process also involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities.

3) Desktop Apps
For those of you who might be wondering if desktop applications are still a thing, yes, of course. Most enterprise applications are installation-based and use hardware resources to run them. Also, many real-time systems are still desktop-based because of their performance capabilities. In this case, LOGIQUE can also do testing to ensure the security of the software.

B. Network & Infrastructure Penetration Testing
Assessing security or penetration testing on servers, local networks, and staff PCs. This infrastructure test is a proven method of evaluating the security of your computing networks, infrastructure, and application weaknesses by simulating a malicious attack.

C. Code Review
Auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places. Code review is a way of ensuring that the application has been developed so as to be “self-defending” in its given environment.

D. Cyber Security Awareness Training
Choosing a weak password or clicking a bad link are examples of personal decisions that even the best cyber security cannot prevent. This is why cyber security awareness is vital, especially among end users and programmers, and LOGIQUE can provide the training for you.

E. Cyber Security Consulting
LOGIQUE is ready to help your IT team solve security problems and provide the best solutions. We can give technical advice to your IT team and strategic advice to your management team.

Logique Digital Indonesia is experienced in conducting security assessments

In Indonesia, we have performed security assessments on the websites of a governmental organization, a financial institution, e-commerce businesses, and even a car manufacturer. In most cases you will be shocked by the test result, but it is better that you at least know the risk and can make an appropriate strategy against it. LOGIQUE will help you reduce the risks to almost none by constantly monitoring security. While conducting penetration tests for various companies, we discovered several security holes that required immediate patching. Some examples of the bugs we encountered are as follows:

  1. Injection
  2. Cross-Site Scripting (XSS)
  3. Sensitive data exposure
  4. Security misconfiguration
  5. Broken access control
  6. Others

We are offering a special price for a trial of our vulnerability assessment service.
15 million (15 juta)

Although it is a simple assessment, we recommend that you know the status of your website’s security and how critical any issues are. Feel free to contact us for a consultation. We would be pleased to respond to your questions in English, Indonesian, or Japanese about the details of the website security assessment service, such as assessment detail, report items, cost, duration, etc.

LOGIQUE Works 2019 - 2020
Found Problems are listed by Risk Level (High, Middle, Low).

| Time | Industry | Object of Assessment | High | Middle | Low |
|---|---|---|---|---|---|
| Sep - Oct 2019 | Travel | Web app | 5 | 4 | 2 |
| Sep - Oct 2019 | Media | Online Media | 8 | 0 | 3 |
| Sep - Oct 2019 | Entertainment | Network infrastructure | 4 | 2 | 1 |
| Sep - Oct 2019 | E-commerce | Market Place Web | 8 | 4 | 4 |
| Oct 2019 | E-commerce | PWA | 4 | 3 | 0 |
| Oct - Nov 2019 | Forwarding | Website company profile | 5 | 5 | 3 |
| Oct - Nov 2019 | E-commerce | Web app | 6 | 0 | 2 |
| Oct - Nov 2019 | E-commerce | Web app | 2 | 2 | 1 |
| Oct - Dec 2019 | E-commerce | Web app | 53 | 1 | 0 |
| Nov - Dec 2019 | E-commerce | Mobile app for Android | 2 | 2 | 2 |
| Nov - Dec 2019 | E-commerce | E-commerce | 3 | 2 | 2 |
| Nov - Dec 2019 | E-commerce | E-commerce | 2 | 2 | 1 |
| Nov 2019 | Fintech | Web app | 1 | 2 | 3 |
| Nov 2019 | Fintech | Mobile app for iOS and Android | 2 | 4 | 2 |
| Dec 2019 | Finance | Corporate Web | 2 | 1 | 4 |
| Dec 2019 | Automotive | Corporate Web | 4 | 0 | 2 |
| Dec 2019 | Service | Member web | 3 | 4 | 3 |
| Jan 2020 | Fintech | Web App | 0 | 2 | 0 |
| Jan 2020 | Fintech | Mobile App | 1 | 8 | 1 |
| Jan 2020 | Fintech | Network Infrastructure | 0 | 3 | 0 |
| Feb 2020 | Automotive | Network Infrastructure | 0 | 0 | 1 |
| Feb 2020 | Service | Web App | 0 | 4 | 1 |
| Feb 2020 | Mobilephone Provider | Web App | 1 | 10 | 2 |
| Mar 2020 | Airline | Web App | 0 | 4 | 1 |
| Mar 2020 | Financial Planner | Web App | 4 | 1 | 2 |
| Mar 2020 | Travel | Web App | 5 | 4 | 2 |
| Apr 2020 | Service | Network Infrastructure | 0 | 1 | 2 |
| Apr 2020 | Service | Web App | 0 | 1 | 3 |
| May 2020 | Insurance | Web App | 4 | 4 | 1 |
| May 2020 | Insurance | Network Infrastructure | 0 | 2 | 3 |
| Jun 2020 | Pharmacies | Web App | 0 | 2 | 0 |
| Jun 2020 | Fintech | Web App | 5 | 0 | 0 |
| Sep 2020 | Fintech | Web App | 0 | 4 | 2 |
| Oct 2020 | Agriculture | Network Infrastructure | 0 | 5 | 1 |
