IT systems usually save in a database user’s personal information such as passwords, credit card numbers, house address, telephone number, id number, etc. When the system is not protected effectively from unauthorized access there is a high probability that a hacker might exploit that vulnerability and steal that information. That vulnerability is ‘Sensitive Data Exposure’.
Apart from precious data loss, sensitive data loss has a much more serious impact on ‘brand image’ and reputation. As per a leading E-commerce CEO, ‘Sensitive Data Exposure has become a real nightmare to all of us! It may cause a real embarrassment if such incidents occur to us.’
OWASP foundation has treated this vulnerability with acute seriousness and ranked them as NO. 6 in their Top 10 list of 2013.
The Table below depicts the OWASP foundation’s view on ‘Sensitive Data Exposure’:
Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
Application Specific | Exploitability AVERAGE | Prevalence WIDESPREAD | Detectability AVERAGE | Impact SEVERE | Application / Business Specific |
Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit, and even in your customers’ browsers. Include both external and internal threats. | Attackers typically don’t break crypto directly. They break something else, such as steal keys, do man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s browser. | The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage are common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server-side flaws due to limited access and they are also usually hard to exploit. | Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc | Consider the business value of the lost data and impact on your reputation. What is your legal liability if this data is exposed? Also, consider the damage to your reputation. |
The first thing you have to determine is which data is sensitive enough to require extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data:
Sources: OWASP, Wikipedia and Indusface Internal Analysis
Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
This post was last modified on December 25, 2023 13:10
A Managed WAF is a comprehensive cybersecurity service offered by specialized providers to oversee, optimize,… Read More
Explore crucial tactics like Asset Inventory, Patch Management, Access Control & Authentication, and additional best… Read More
Delve into the data privacy questions including consent protocols, data minimization strategies, user rights management,… Read More