OWASP Top 10 2017 – A6 Sensitive Data Exposure: Identify Your Weaknesses

Number 6 on the OWASP Top 10 2017 list is A6-Sensitive Data Exposure. The first question to ask is whether your organization even has sensitive data that needs protection against exposure. The quick answer is that, in today’s digital world, most organizations will have some sensitive data that requires extra protection, such as:

Passwords
Credit card numbers
Social Security Numbers
Health information
Other personal information
Depending on your organization’s interaction with data collection involving consumer information, your data collection efforts may reveal additional sensitive personal information.

How vulnerable is my sensitive information?

To discover the answer to this query, you must analyze how the network treats each piece of sensitive information that you collect. For each type of sensitive information, determine whether the network:

stores sensitive information in easily readable text over long periods of time;
transmits sensitive information — externally or internally — in easily readable text. As you might expect, transmission over the internet to external sources is especially prone to cyber criminals;
uses old, outdated algorithms or weak encryption to protect sensitive information;
generates weak cryptographic keys or the key system lacks key rotation or has poor key management; and
sends sensitive information to the browser without security directives or there are security directives missing when sensitive information comes from the browser.
Note: Hackers do not generally break into cryptography directly. More often than not, they will steal something that helps them break the encryption. For example, they steal keys or steal clear text data from the server (while the data is in transit) or from the network’s browser. Hackers often conduct man-in-the-middle attacks to steal sensitive data. A man-in-the-middle attack takes place when a hacker steps in-between two trusted parties who think they are talking directly to each other (but the hacker is in the middle of their communication stream allowing him to modify the communications to his advantage).

What is the most common security weakness?

Believe it or not, the most common security breach occurs because an organization did not encrypt sensitive information at all. For those networks that use encryption, the problems relate to weak key generation or weak key management. Other common problems include weak algorithms and weak password hashing (hashing means turning the original password into another, shorter string value or a key that represents the original password).

Browser weaknesses are also very common and easy for hackers to detect. Fortunately, hackers find them difficult to take advantage of on a large-scale. Almost all browser exploitation relies on a user clicking on something. For example, a bug in a browser may make it possible to construct a web link that displays one website in the status bar but, when clicked on, the browser actually transports the user to another website, called status bar spoofing.

Hackers trying to break in from the outside have trouble finding vulnerability flaws on the server-side because they have limited access. Those vulnerabilities they find are also harder to exploit. Internal hackers often take advantages of vulnerabilities on the server-side through their access to sensitive information.

How do I know if my network is vulnerable to sensitive data exposure?

You must start by asking who your threat agents are; that is, what bad actors can gain access to your sensitive data (and include in that list anyone who can gain access to the backups of your sensitive data). We are talking here not only about data during transit. You need to recognize who can gain access to sensitive data when it is at rest (stored, not going anywhere) or when it remains vulnerable in a customer’s browser. And you need to think internally as well as externally if you are going to get the full picture of your vulnerability.

As part of the review of your network’s vulnerability to sensitive data exposure, determine what your organization’s legal liabilities are if a data exposure occurs. Consider the damage to your organization’s reputation as well as the monetary exposure from angry clients for lost or exploited data.

What happens if the network encryption fails?

If network encryption fails, or if your organization fails to encrypt the network to protect sensitive data, the result is the same. Hackers will steal the sensitive data (passwords, health care information, sensitive financial or personal information, credit card information, etc.). We’ve all seen headline news of hackers breaking into government data banks, merchant customer data (like the attack against Target) or stealing Yahoo’s customer information or ransomware attacks demanding money to release files or return whole networks to the owner.

In the future, instead of attacks to steal information, the attacks may seek to destroy data or modify a company’s data in a malicious manner.

So, is there any way to prevent sensitive data exposure? There are five things — at a minimum — that you can do to try to prevent sensitive data exposure.

When you identify the threats and the threat actors you need to protect against, take pains to encrypt all the sensitive data (at rest and in transit) in a way calculated to protect the data against the identified threats.
Don’t ask for data you do not need. Don’t store data you do not need. Discard data as soon as possible after you no longer need it. Cyber criminals cannot steal what you do not store.
Use strong algorithms and keys and strong key management. Consider using FIPS 140-1 and 140-2 cryptographic modules.
Store passwords with an algorithm designed specifically for passwords. Examples are bcrypt, PBKDF2, or scrypt.
Disable auto complete when completing forms that contain sensitive information.
Disable auto caching for pages that contain sensitive information.
And keep a wary eye on cyber criminal activity.