Security features

Security is built into the core of our software. To protect your clients and your data. We regularly pass penetration tests with top marks.

How Sirius is built makes it highly resistant to hacking attacks. Sirius is regularly penetration tested to ensure security by “ethical hackers”. What are these attacks and how does Sirius defend against them?

Brute force password attack

This is where a hacker simply tries millions of usernames and passwords. It was reported that this is how iCloud was compromised and images of celebrities stolen. Sirius defends against this by locking out any account that has a small number of failed login attempts in a row. An administrative user can later re-enable the account.

Key Logging or Network Traffic Interception (Man in the Middle)

This is where a hacker installs software on a user’s PC to record keystrokes or views the data transmitted between the user’s browser the online server by monitoring the traffic. In both cases the hacker can look through the recorded text to find a regularly repeated string of characters. This could be a username and the current password. Sirius uses the concept of a Memorable Word. The user is asked for two or three characters from the Memorable Word. The whole word is never typed in. This makes determining the Memorable Word much more difficult.

Another way Sirius defends against Man in the Middle attacks is through the use of One Time Passwords. Every time Sirius exchanges data between the user’s browser and the online server Sirius sends out a unique One Time Password or OTP. It looks like this:

72ABC0BD-253B-4F38-BAB9-7745D4E65E12

When the browser sends back the next request it sends the OTP with it. Sirius then checks that the OTP is the same. If not the user is logged out immediately. This makes it very, very hard to hijack a user’s session.

SQL Injection

This is being reported as the attack used to steal information from TalkTalk. This consists of a hacker manipulating the user interface to add their own database queries to the ones being legitimately used by the application.

Sirius defends against SQL Injection attacks in a number of ways:

Avoids dynamic SQL strings so there’s never any possibility of a database query being amended.

Sirius exclusively uses Stored Procedures to query the database

User inputs are scanned for SQL scripting commands

Lowest possible access privileges for the Windows Domain account that queries the SQL database. The user account only has rights to execute the Stored Procedures it needs – access to other database structures are disallowed.

The above denies attackers the ability to steal data online even if they have managed to obtain user credentials.

URL Manipulation

This is where a hacker who has legitimate credentials to log on to the system changes parameter values in the browser’s URL string in an attempt to access information not properly available to them. Sirius defends against this through user session validation. When a user logs on a Session is established unique to them and the instance of them logging on. Each time the user requests information the user’s Session is checked for validity and their application rights determined. In this way Sirius based applications can ensure only data a user has rights to is displayed to them.