2017 OWASP A3 Update: Sensitive Data Exposure
Si vis pacem, para bellum! This classic Latin quote by Vegetius translates to “If you want peace, prepare for war.” As far as aphorisms go, this is probably one of the best known amongst military strategists, and — even after a couple of millennia — it’s a perfect fit for the war against cybercrime.
There is no room for doubt: every company with an Internet presence (in other words, everyone) is constantly exposed to cybercriminals whose level of organization and tactics have evolved to a point where they can no longer be ignored. But there is a key point many security professionals are still missing: a war is won by whoever makes fewer mistakes. Even companies that adopt a sound security strategy must face the fact that a cybercriminal needs to be successful only once to cause major havoc. And they are trying to do so 24 hours a day.
One of the biggest mistakes to avoid at all costs is having a web application that inadvertently exposes sensitive data. The problem is, even in 2018, many web applications and APIs still lack sufficient protection for confidential data, including financial data, healthcare records and personally identifiable information (PII). As expected, criminals are eager to exploit this sort of vulnerability and may steal or modify unprotected data to conduct credit card fraud, identity theft and an exceptionally large number of other crimes.
What Is Sensitive Data Exposure?
The problem of exposing confidential information is not a new issue. The Open Web Application Security Project (OWASP), an open community dedicated to enabling organizations to develop, purchase and maintain trusted applications and APIs, has published a list of the ten most critical web application security risks since 2004. Even before it officially became a Top Ten item, inadvertent data leakage was a constant.
As of the 2017 OWASP update, the sensitive data exposure risk climbed a few steps from the sixth position to the third. This is because confidential data, either at rest or in transit, often lacks basic protection such as proper cryptography. Instead of using a supercomputer to try to break an advanced encryption algorithm, attackers adopt simpler tactics such as a man-in-the-middle attack to steal clear-text data while it is transmitted. In some cases, even if cryptography is in place, it may not be sufficient, as many web applications still use weak cryptographic algorithms or simple hashes to protect sensitive data.
Sensitive Data Exposure Case Studies
A recent example was the case at Panera Bread, a St. Louis-based chain of bakery-cafe fast casual restaurants that exposed literally millions of customer records. The data from every customer who signed up for an account to order food online was exposed, in clear text, at panerabread.com. That included juicy information such as the names, emails, physical addresses, birthdays and the last four digits of the customer’s credit card number. To make matters even worse, the company was notified and fully aware of this situation for at least eight months, from August 2017 to April 2018, before taking any concrete action.
This is not an isolated issue. The report INFORMATION EXPOSED: 2017 Data Breaches in New York State documents the number of New Yorkers who had confidential information exposed between 2016 and 2017. That number quadrupled, with companies and other entities reporting 1,583 data breaches to the attorney general’s office during this time period. This alone exposed the personal information of 9.2 million people.
While not every leak in this report may be directly linked to sensitive data exposure, at least 44% were caused by external system breaches and another 17% by inadvertent disclosure. This continuing issue led New York’s attorney general to prepare new legislation requiring companies to notify both the attorney general’s office and consumers as soon as they learn that their users’ personal data has been exposed or misused.
How Can I Prevent Sensitive Data Exposure?
As with many critical risks in OWASP’s Top Ten list, prevention starts with applying basic security principles. For instance, it is not hard to determine whether an application stores or transmits sensitive data: passwords, credit card numbers, health records, personal information and business secrets will always require adequate protection, especially when the data is subject to privacy laws, such as the General Data Protection Regulation (GDPR), or to regulations for financial data protection (e.g., the PCI Data Security Standard, PCI DSS).
Once the protection needs of data in transit and at rest are determined, a few points should be checked:
- Data should never be transmitted in clear text. Many Internet protocols, such as HTTP, SMTP and FTP, do not use encryption by default. While allowing this inside the company’s intranet is already a considerable issue, relying on insecure protocols for transmitting sensitive data over the Internet is completely unacceptable. All sensitive data in transit must be encrypted using secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server and secure parameters. It is also important to enforce encryption using directives like HTTP Strict Transport Security (HSTS).
- Sensitive data at rest should never be stored without encryption. It is important to note that even encryption has its flaws, so using outdated or weak cryptographic algorithms is not an option, as this would only provide a false sense of security. The same goes for simple hashes that can be reversed (an unsalted, fast hash of a password is easily looked up or brute-forced). It is very important to ensure that up-to-date, strong standard algorithms, protocols and keys are in use, and also to take proper care of key management.
- Sensitive data must not be stored unnecessarily. A good precaution is discarding it as soon as possible, or using PCI DSS-compliant tokenization or even truncation. Remember: data that is not retained cannot be stolen.
- Properly classify data processed, stored or transmitted by an application. Special precautions are necessary when data is sensitive according to privacy laws, regulatory requirements or business needs. Controls should reflect the data classification level: applying cryptography everywhere is a neat idea from a security standpoint, but it may not be required and may even result in higher costs and lower performance.
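The second and third points above (reversible simple hashes versus strong at-rest protection, and not retaining data you do not need) are shown side by side in the following added example; it is illustrative code written for this article, not part of the original text or of any InfoSec Institute material. The function names, the scrypt parameters and the constructed card number are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets

# The weak practice the checklist warns about: a bare, unsalted MD5 of the
# password. Anyone holding the digest can look it up in a precomputed table,
# and every user with the same password shares the same stored value.
def weak_password_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Stronger at-rest protection: a random per-user salt plus a memory-hard KDF
# (scrypt, in the Python standard library since 3.6). These parameters are
# assumed interactive-login settings; tune them for your own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Store the parameters with the digest so they can be raised later
    # without breaking verification of existing records.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, n, r, p, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison: a plain == would leak how many bytes matched.
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

# "Data that is not retained cannot be stolen": PCI DSS-style truncation keeps
# only the last four digits of a card number for display and discards the rest.
def truncate_pan(pan: str) -> str:
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]

if __name__ == "__main__":
    record = hash_password("correct horse")      # what goes in the database
    print(weak_password_hash("password"))        # identical for every user
    print(record, verify_password("correct horse", record))
    print(truncate_pan("4111 1111 1111 1111"))   # constructed test number
```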
Exposing sensitive information is the kind of incident that may have a significant impact on any business. Right now, several countries are updating (or have already published) laws that make notification of leaks compulsory for cases involving sensitive or private information, and that also require a much faster response from affected companies.
This sort of situation can be easily avoided by taking proper care of security controls for web applications. But this requires understanding both the cause of the problem and how to fix it, and that is where InfoSec Institute can help.
Their two-day OWASP Top Ten course covers not only sensitive data exposure, but every item on OWASP’s Top Ten Most Critical Web Application Security Risks list. Providing a balanced mix of attention-getting lectures and hands-on secure coding activities, professionals such as web developers, web administrators and other IT and information security specialists will receive the training needed to stay ahead of cybercrime.