Most Common Cyber Vulnerabilities Part 3 (Sensitive Data Exposure)


The previous parts of this series introduced us to injection flaws and buffer overflow. As the third part of the series, we will be dealing with sensitive data exposure and its various aspects.

There is mutual trust between a business and its customers that their online data will stay safe and confidential. But there are times when accidental or intentional data breaches occur, resulting in sensitive data exposure. With the huge amount of data now created online, handling cyber vulnerabilities such as data exposure has become enormously difficult. Along with that, unencrypted data and inadequate security can worsen the situation and offer an effortless entry point for cybercriminals. The factors contributing to sensitive data exposure are not limited to unencrypted and unsecured data; their reach is much wider than that. To learn more about this vulnerability, keep reading.

What Do You Know About Sensitive Data Exposure?

It is always recommended that sensitive data be stored in encrypted form so that it is never available or accessible to “public” users in a readable format, that is, in plain text. This does not mean that encryption is a foolproof way of protecting your critical data from cybercriminals. With internal and external threats circling one of a business's most important assets, the business must put in every effort to keep that asset from falling into the wrong hands. In addition, the cloud offers a secure platform for storing data, but only when you store it in a protected environment. Otherwise, like any other storage area, it will act as an open playground for attackers.

It is also recommended that staff are regularly trained to recognize accidental data exposure, which may occur when a malicious link is clicked or suspicious software is downloaded.

What Makes Sensitive Data?

There are different types of data: some are organized, some are not; some contain basic details while others hold confidential information. Here is what sensitive data consists of:

  • Banking details: credit card numbers, account numbers, and any related data
  • Health-related data
  • Personal details: social security number, date of birth, full name, maiden name, driver’s license number, and so on
  • Other details: usernames and associated passwords

Common forms of data that fall into the category of vulnerable data are:

  • Passwords or banking details stored online in plain text
  • Significant web pages not protected by the Hypertext Transfer Protocol Secure (HTTPS) protocol
  • Hashed passwords with no added salt
  • Disclosure of tokens in public source code

Sensitive data exposure can cause financial loss for the organization and the individual concerned. Apart from that, it can lead to identity hijacking, and for organizations it will negatively impact the brand.

You can divide sensitive data into two broad categories:

  • Regulated data—This type of data remains sensitive throughout its life cycle, but its degree of sensitivity varies with time. It is advised to keep regulated data classified all the time.
  • Unregulated data—This type of data does not always look sensitive. In simple words, the data does not appear sensitive at first glance but becomes much more meaningful when its context is considered. For instance, publicly known data appears non-sensitive, but there are times when a company's confidential data or intellectual property is exposed publicly when it should have been classified as highly sensitive. This is what makes unregulated data.

Can You Determine if Your Sensitive Data is Exposed?

Unlike other traditional cyber vulnerabilities, sensitive data exposure is neither simple nor always possible to detect. The task is difficult for two major reasons:

  • Determining which information can be categorized as sensitive—this demands manual work
  • An outsourced pen tester would never know whether internal data is encrypted or not, as internal data is not exposed to third parties

Follow preventive security measures to assess whether your sensitive data is exposed.

Potential Impact of Sensitive Data Exposure

The potential impact of sensitive data exposure on an organization varies with the sensitivity of the exposed data. For instance, if a credit card number is stolen, the attacker can hurt you financially. If your password is exposed, your private data may be misused. If your identity documents are lost, the perpetrator can attempt in many ways to pose as the victim or steal your identity.

That is how the impact fluctuates with the varying degree of sensitivity.

Known Events Representing the Impact of Sensitive Data Exposure

Several well-known events showcase the impact of sensitive data exposure.

Case 1: 100 Million Plain-text Passwords Stolen from VK.com

VK.com, Russia's biggest social networking platform, with more than 350 million users, was breached in mid-2016. The compromised database contained users' names with their associated email addresses, plain-text passwords, location details, phone numbers, and, in a few cases, their secondary email addresses.

Storing passwords in plain text was the real security risk. The attacker, Peace, then put the compromised data set up for sale on a dark web marketplace [1].

Case 2: Slack Bot Exposed Linked Tokens on Public Domain

In the same year as VK.com's data breach, Slack, a popular communication tool in the corporate world, made headlines for sensitive data exposure. The tool not only allows communication but also lets its users create automated services, such as ChatOps-style bots that take over repetitive manual tasks. In the process, companies unintentionally shared their private, sensitive tokens in public code on GitHub. With these exposed tokens, attackers can gain full access to the victim company's internal communication [2].
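A defender's first line against the kind of token leakage described in this case, and against the “disclosure of tokens in public source code” listed earlier in the article, is scanning source before it is pushed. The Python scanner below is an added example, not code from the article or from Slack or Detectify. The token prefixes (xoxb-/xoxp-) are a simplified assumption about the format of Slack tokens, the credential-assignment pattern is illustrative rather than exhaustive, and the sample source it scans is constructed with placeholder values; findings are redacted so the report itself does not become another copy of the secret.

```python
import math
import re

# Assumed, illustrative patterns (not an exhaustive rule set):
#  - simplified Slack bot/user token prefixes (xoxb-/xoxp-) followed by a token body
#  - any quoted literal assigned to a variable whose name suggests a credential
SLACK_TOKEN_RE = re.compile(r"\bxox[bp]-[0-9A-Za-z-]{10,}")
CREDENTIAL_ASSIGN_RE = re.compile(
    r"(?i)\w*(secret|token|api_key|password)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)

# Constructed sample: a config module as it might be committed by mistake.
# The token and key below are placeholders, not real credentials.
SAMPLE_SOURCE = """\
import os
SLACK_BOT_TOKEN = "xoxb-0000000000-CONSTRUCTEDEXAMPLE"   # hard-coded bot token
API_KEY = "Zq9vT3kLp8wN2xRb7sYcHd4fGe1aUj6m"             # hard-coded high-entropy key
DB_PASSWORD = os.environ["DB_PASSWORD"]                   # read at runtime, fine
greeting = "hello"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, plain words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it; never echo the secret into a report."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_source(text: str) -> list:
    """Return (line_number, kind, redacted_value, entropy) for each suspect line.
    Credentials read from the environment are not literals and are not flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SLACK_TOKEN_RE.search(line)
        if m:
            tok = m.group(0)
            findings.append((lineno, "slack_token", redact(tok), round(shannon_entropy(tok), 2)))
            continue
        m = CREDENTIAL_ASSIGN_RE.search(line)
        if m:
            val = m.group(2)
            findings.append((lineno, "hardcoded_credential", redact(val), round(shannon_entropy(val), 2)))
    return findings


if __name__ == "__main__":
    for lineno, kind, shown, ent in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} {shown} (entropy {ent})")
```

The entropy value is reported rather than used as a hard filter: a high score helps triage random-looking keys, but a low score does not make a hard-coded `password = "password"` acceptable, so every credential literal is still surfaced. Running a scanner like this as a pre-commit hook catches the mistake before the token ever reaches a public repository.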

Five Security Measures to Prevent Sensitive Data Exposure

With the effective implementation of the following security measures, you will be able to prevent sensitive data exposure to a great extent. Strong consideration should be given to implementing multifactor authentication (MFA) [4]. MFA “is a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction” [5]. Additionally, a Cyber Awareness and Resilience program can greatly reduce the likelihood of sensitive data elements being exposed.

1. Data Encryption and Defining Accessibility

Always encrypt sensitive data, both in transit and, above all, at rest. For extra-sensitive data, try limiting access to only a handful of authorized users, each holding their own private key where encryption is used.

2. Maintain Strong Passwords

According to the 2017 Verizon Data Breach Investigations Report, 81% of hacking-related breaches occur because of stolen and/or weak passwords [3]. Weak passwords make for easy security breaches.

To protect passwords, store them using a hashing algorithm rather than in plain text. Along with that, it is advised to change your passwords regularly and maintain a unique password for every platform.
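The list of vulnerable data earlier in the article includes hashed passwords with no added salt, and the measure above says to use a hashing algorithm. The Python below is an added example, not code from the article, showing the difference in practice: an unsalted digest (the weak pattern) next to a salted, iterated PBKDF2 record with constant-time verification. It uses only the standard library; the iteration count and the record format are choices made for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Tune upward on your hardware; this value
# is chosen so the example runs quickly.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weak pattern from the article: a bare hash with no salt.
    Two users with the same password get the same digest, so a single
    precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. The record is self-describing so the work
    factor can be raised later without breaking existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_digest_for_same_password(hasher, password: str) -> bool:
    """True when hashing the same password twice yields identical output,
    i.e. when there is no per-record salt."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("unsalted digests collide:", same_digest_for_same_password(unsalted_hash, pw))
    print("salted records collide:  ", same_digest_for_same_password(hash_password, pw))
    rec = hash_password(pw)
    print("verify right password:", verify_password(pw, rec))
    print("verify wrong password:", verify_password("wrong", rec))
```

PBKDF2 is used here because it ships with Python; in production a memory-hard function such as scrypt or Argon2 from a maintained library is the better choice, but the structure (random salt per record, stored parameters, constant-time comparison) is the same.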

3. Regular Risk Assessment

Risk levels for sensitive data change over time. It is recommended that you regularly monitor for, and conduct a risk assessment of, any potential threat to your sensitive data.

4. Backup for Your Data

During a data theft, the greatest losses occur when there is no proper backup of the data. Maintaining a secure and protected backup helps you minimize the losses.

5. Use Advanced Standard Security

It is important that you have secure authentication gateways. With advanced standard security such as SSL and TLS, you can ensure that the data flowing between a web browser and a web server is not only encrypted but also remains private. In addition, HTTPS offers a secure communication protocol for the applications that use it.

Sensitive data exposure can occur either accidentally or intentionally. If you want to prevent it, pay proper attention to the storage and transit of your sensitive data. Along with that, limit access to the data.

In the next article of the series, we will be covering another important and common cyber vulnerability—broken authentication and session management.


[1] https://thehackernews.com/2016/06/vk-com-data-breach.html

[2] https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/

[3] https://www.ictsecuritymagazine.com/wp-content/uploads/2017-Data-Breach-Investigations-Report.pdf

[4] https://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA

[5] https://www.linkedin.com/pulse/cyber-awareness-resiliency-dr-merrick-s-/

Editor's Note:
Reviewed by Sergio Pohlmann, VP of GTISUL and Dr. Merrick Watchorn, DMIST, Sr. Executive Director, ManTech, & Quantum Security Alliance, Program Chair.