Sensitive data exposure – It’s in your hands
Ábel Maróti (Junior Marketing Manager, Avatao)
Exposing data, especially sensitive data, is a long-time-coming threat. Since personal information such as addresses, payment details, non-hashed passwords, config files, and so on are very popular targets among attackers, it’s obvious that sensitive information is supposed to be protected from unauthorized access. This topic also involves a huge collection of vulnerabilities in different layers, like sensitive information is cached in the browser or is transmitted in clear-text (such as HTTP, SMTP, FTP).
OWASP Top 10 relations
Sensitive data exposure has a prominent place in the OWASP Top 10 list. Needless to say, this type of security risk has been quite impactful in the past, as a single flaw of leaving data unencrypted can lead to enormous losses. But how is sensitive data exposure different from data breaches?
Data breaches include intentional attacks against confidential or otherwise protected data. Breaches are security incidents that result in unauthorized access of data, networks, applications, or other assets. Data breaches occur when individuals, groups, or atrocious applications illegitimately launch into confidential or private IT perimeters.
Sensitive data exposure, on the other hand, happens when sensitive data is mistakenly exposed due to not sufficiently protecting the database. Exposures can be a result of weak encryption (or no encryption at all), software flaws, or human error.
Accessing exposed data can be the first stage of performing a cyber attack. There are numerous sorts of threats aimed at exposing information. This equation has several variables, depending on the type of data, applications, human factors, and more.
Data on the move
Data is – of course – not always stored and left in one unit of storage. It is often in transit, where it has the chance to become more vulnerable. Data often move across channels, between servers, or to APIs. Attacks are focusing especially on traversing data, such as man-in-the-middle (MITM) attacks. This term refers to a process where perpetrators are positioned between the endpoints to intercept data, and impersonate parties. Several other attacks target data in transit, hence securing data channels is a top priority.
When not on the move, data is resting on servers, networks, or other applications, such as archives, databases, or backup files. The unprotected channels do not pose a threat factor in this case, but that doesn’t mean that the data is safe. The protection of housed data usually gets more attention, but when applications remain to have vulnerabilities, data itself is prone to be exposed. For example, malware like Trojan horses can get access to system data via malicious downloads, so that attackers can get their hands on stored data. Depending on the location of the data (whether it is on hardware, server, or another application), numerous types of attacks can target stored data.
Attacks aiming to expose sensitive data
Sensitive data exposure is an occurrence that can be triggered by different malevolent attempts. Let’s reveal a few examples!
As a form of malware, ransomware can encrypt stored data on a target machine. The attackers then demand a ransom for the decryption key to get the data restored, hence the name. There are several ways for this type of malware to get access to the victim’s computer. It is quite often that phishing spam contains a file that can take over the system once downloaded.
By inserting an SQL query into the application, attackers can gain access to databases. By interfering with these queries, attackers can cause permanent changes to systems and databases. Thus, they can not only read and edit sensitive data but also can drop the whole database or even execute admin operations. This way, any available amount of data can be disclosed, deleted, while the attackers become the administrators of the certain database.
Phishing is one of the most-known attack types. It is usually disguised as an email, calling to action. The aim is to trick the recipient into opening the attachment or clicking on the link included. Phishing messages tend to look like trusted entities, making the recipients feel confident about their trustworthiness. As a widespread and pernicious trend, phishing attacks can get unauthorized access to sensitive data.
Broken access control
Access control or authorization helps define whether certain users are granted access to specific content. Authentication checks are being performed after logins, and control what users are allowed to see. When these mechanisms are not implemented properly, unauthorized users can gain access to sensitive information, causing data exposure.
Costs of sensitive data exposure
Cyber attacks and data breaches cost a great amount of money and reputation to companies and governments year by year. In case of sensitive data exposure, users affected (or even unaffected) will start feeling insecure, and losing their trust towards the company. Organizations can lose their integrity and fail customer confidence. These values being essential for business success, they can easily outrank money, as a cost of data breaches. According to last year’s “Cost of a Data Breach Report”, the global average cost of data breaches was $3.86 million (!), but that’s not the only factor. When data is not handled according to GDPR rules, penalties and fines can follow. Depending on the industry, compliance fines can also take place in case of sensitive data exposure. The longer a breach or attack remains undetected, the more money and confidence will be lost. According to the report, the average time range while breaches were undetected or uncontained, was 280 days, which proves that preventing, and detecting sensitive data exposure is still a weak link in cybersecurity.
A real-life example
Let’s take a look at a major instance of sensitive data exposure, to see some context! In 2016, one of Europe’s largest social networking sites, VK.com suffered a data breach: more than 100 million plain-text passwords, email addresses, and user names were leaked. According to sources, passwords were already in a plain text format before the breach happened. The stolen VK.com records were later on sale on the dark web, for 1 BitCoin for the whole pack. As a site similar to Facebook or any other social media site, one can assume how unsafe users must have felt after the leak has been published.
Preventing sensitive data exposure
Detecting data breaches can take a lot of time and effort, but restoring customer confidence takes even more. Once a sensitive data exposure happens, the cost associated with the breach, the penalties following, and the loss of security reputation can cause serious damages to any organization. That being said, prevention comes to mind as a possible solution, rather than working on restoration. Consistent security training, and building a strong security culture can help organizations to protect their data from being exposed. Avatao offers an efficient solution to reinforce your developers with strong secure coding skills. By deploying regular, customized, and engaging training, security teams can strengthen their defenses against external threats.
Reading Time: 6 minutes For most companies, security is considered a side quest, which is partly related to the daily processes. In reality, security ought to be a strong foundation of any organization. To ensure the defense of the enterprise, the relevant teams need strong security knowledge and abilities.
Reading Time: 6 minutes To build an enterprise security program, one has to go back to the well-known fundamentals of organizational change: People, Process, and Technology (originates from Harold Leavitt’s “Applied Organization Change in Industry”, 1964).
Reading Time: 8 minutes If you are working on Java projects you might have heard about other languages that run on the JVM, like Clojure, Kotlin, or Scala. Programmers like to try new things out but is it worth it to pick one of them over Java?