Don’t let your organization get caught with its pants down!
Today we are going to learn about number six on the Open Web Application Security Project (OWASP) top ten list, sensitive data exposure. We’ll start with a quote from my fourth grade teacher Ms. Strickland, “Knowledge is power.” In today’s fast-paced world we use information technology to help store, manipulate, and analyze this data. The unscrupulous among us wish to take data for themselves. They wish to take power. This is why we’re talking about sensitive data exposure today, to help protect your power.
defining the problem
Sensitive data is information that can be used or manipulated for nefarious purposes to great effect, such as credit card numbers, tax IDs, and authentication credentials. Accidental exposure of this data would not only be embarrassing for your firm, as expressed in the Coppertone Girl’s expression, but could also lead to malicious crimes such as credit card fraud, identity theft, etc. Not only do you risk customers’ distrust, but you risk incurring their wrath in the form of lawsuits from liabilities. You’ll notice that although this kind of attack surface area is labeled as “difficult” to exploit, the impact to your business (and payoff for the baddies) can be severe.
Below is the OWASP cheat-sheet on sensitive data exposure:
detection & prevention
The vast majority of the time, properly encrypting your sensitive data is sufficient to protect it. However, it must always be encrypted. This means, while it’s at rest in your data store, while it’s in transit on the wire, and while it is displayed in your customers’ browsers. This means salting and encrypting sensitive data in storage, using TLS/SSL on pages displaying sensitive data, disabling caching of these pages, and helping to protect against oblique attack vectors against your customers (such as via XSS). In addition, it means considering and taking appropriate action against insider attacks. Finally, it’s worth re-evaluating your need to continue storing the data after it’s used. Data stores can’t be pillaged if there’s nothing in them.
In summary, sensitive data exposure can be difficult for attackers to exploit, but they’re highly motivated because of the potential payouts. Don’t store sensitive data if you don’t need it. Be sure to encrypt the necessary sensitive data during storage, transit, and display. And finally, don’t be like the Coppertone Girl and get caught with your pants down!
Credera has a security team that is well versed in the detection and prevention of security holes and application vulnerabilities. If you would like to discuss any of the materials you have read or have a particular need for testing or secure application development, please email us at SecurityTeam@credera.com