Sunday 18 April 2021

What is sensitive data exposure

 

What is sensitive data exposure


Question: What is sensitive data exposure?
Sensitive data exposure happen when an application OR company exposes users's personal data that might be result of no-encryption, weak encryption, software flaws or upload data to public by mistake.


Question: Example of Attack Scenarios?
  1. Someone upload the company data in Facebook/twitter etc by mistake
  2. Transfer of data through HTTP/FTP/SMTP without encryption
  3. Storing the credit card numbers, health records, personal information (email/phone) storing in database without encryption
  4. Encrypting the data with weak cryptographic algorithms or default algorithms
  5. Reuse of cryptographic algorithms OR hash
  6. Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing
  7. User agent (e.g. app, mail client) not verifying the certificate when received request.

Question: How to Prevent sensitive data exposure?
  1. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs
  2. Apply controls as per the classification.
  3. Don’t store sensitive data unnecessarily
  4. Make sure to encrypt all sensitive data at rest.
  5. Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
  6. Encrypt all data in transit with secure protocols such as TLS
  7. Disable caching for response that contain sensitive data
  8. Store passwords using strong adaptive and salted hashing functions.
  9. Verify independently the effectiveness of configuration and settings


Question: Give few popular data breach in history?
  1. Sony PlayStation Network: 77 million records compromised in 2010
  2. Sony Online Entertainment: 24.6 million records compromised in 2011
  3. Evernote: 50 million records compromised in 2013
  4. Living Social: 50 million records compromised in 2013
  5. Target: 70 million records compromised in 2013
  6. eBay: 145 million records compromised in 2014
  7. Home Depot: 56 million records compromised in 2014
  8. JP Morgan Chase: 76 million records compromised in 2014
  9. Anthem: 80 million records compromised in 2015
  10. Yahoo: One billion records compromised in 2016
  11. Deep Root Analytics: 198 million voter records in 2017