Sunday 18 April 2021

What is sensitive data exposure


Question: What is sensitive data exposure?
Sensitive data exposure happens when an application or company exposes users' personal data. It can result from a lack of encryption, weak encryption, software flaws, or data being uploaded to a public location by mistake.


Question: Examples of attack scenarios?
  1. Someone uploads company data to Facebook/Twitter etc. by mistake
  2. Data is transferred over HTTP/FTP/SMTP without encryption
  3. Credit card numbers, health records, or personal information (email/phone) are stored in the database without encryption
  4. Data is encrypted with weak or default cryptographic algorithms
  5. Cryptographic algorithms or hashes are reused
  6. Encryption is not enforced, e.g. user agent (browser) security directives or headers are missing
  7. The user agent (e.g. app, mail client) does not verify the received server certificate

Question: How to prevent sensitive data exposure?
  1. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs
  2. Apply controls according to that classification
  3. Don't store sensitive data unnecessarily
  4. Encrypt all sensitive data at rest
  5. Ensure up-to-date, strong standard algorithms, protocols, and keys are in place, with proper key management
  6. Encrypt all data in transit with secure protocols such as TLS
  7. Disable caching for responses that contain sensitive data
  8. Store passwords using strong, adaptive, salted hashing functions
  9. Independently verify the effectiveness of the configuration and settings


Question: Name a few well-known data breaches in history?
  1. Sony PlayStation Network: 77 million records compromised in 2010
  2. Sony Online Entertainment: 24.6 million records compromised in 2011
  3. Evernote: 50 million records compromised in 2013
  4. Living Social: 50 million records compromised in 2013
  5. Target: 70 million records compromised in 2013
  6. eBay: 145 million records compromised in 2014
  7. Home Depot: 56 million records compromised in 2014
  8. JP Morgan Chase: 76 million records compromised in 2014
  9. Anthem: 80 million records compromised in 2015
  10. Yahoo: One billion records compromised in 2016
  11. Deep Root Analytics: 198 million voter records in 2017


Saturday 17 April 2021

Root Causes of Session Hijacking and Session Fixation and Broken Authentication

Question: What is Session Hijacking?
Session hijacking is an attack where a user session is taken over by an attacker.


Question: What are the root causes of session hijacking?
  1. Guessable session IDs
  2. Absence of a detection mechanism for repeated guessing attempts, whether brute-force or systematic
  3. Weak cryptographic algorithms
  4. Failure to detect repeated guessing attempts even though a mechanism is in place
  5. Insecure session handling methods
  6. A limitation of HTTP: the protocol is stateless and has no inherent or integrated state-management mechanism



Question: What is Session Fixation?
Session Fixation is an attack that permits an attacker to hijack a valid user session.

Question: What are the root causes of session fixation?
  1. Permissive server: a server that accepts a client-generated session ID
  2. The type of session management in use
  3. Reuse of session identifiers
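As an added example that is not part of the original post, here is a minimal server-side session manager in Python that addresses the root causes listed in the two sections above: guessable IDs, missing detection of repeated guessing, a permissive server that adopts client-generated IDs, and reuse of a session identifier across authentication. The class name, the guess threshold and the client addresses are assumptions made for the illustration.

```python
import secrets
import time
from collections import defaultdict

# Added illustration, not code from the original post. Session IDs are random
# (not guessable), an ID the server never issued is refused rather than adopted
# (the server is not "permissive"), the ID is rotated on login (defeats
# fixation), and unknown-ID lookups per client are counted so repeated
# guessing can be detected.

SESSION_ID_BYTES = 32      # 256 bits of entropy per session ID
GUESS_THRESHOLD = 5        # assumed: unknown-ID lookups before a client is flagged


class SessionManager:
    def __init__(self):
        self._sessions = {}                   # session_id -> session data
        self._bad_lookups = defaultdict(int)  # client_addr -> unknown-ID count

    def new_session(self):
        """Issue a fresh, server-generated, unguessable session ID."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def resolve(self, client_sid, client_addr):
        """Map a client-presented ID to a session.
        An ID the server never issued is never adopted: the miss is counted
        against the client and a new anonymous session is started instead."""
        if client_sid is not None and client_sid in self._sessions:
            return client_sid
        self._bad_lookups[client_addr] += 1
        return self.new_session()

    def login(self, old_sid, user):
        """Bind a user to a session while rotating its ID, so an ID that was
        fixed or observed before authentication is worthless afterwards.
        old_sid must be an ID this server issued (KeyError otherwise)."""
        data = self._sessions.pop(old_sid)
        data["user"] = user
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = data
        return new_sid

    def guessing_suspected(self, client_addr):
        """True once a client has presented too many IDs the server never issued."""
        return self._bad_lookups[client_addr] >= GUESS_THRESHOLD
```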



Question: What is Broken Authentication?
Broken authentication occurs when an attacker successfully attacks session data and thereby obtains an authenticated session.

Question: What are the root causes of broken authentication?
  1. Lack of metrics: absence of well-developed security metrics
  2. Lack of security knowledge among programmers for applying information and communication security mechanisms to their solutions
  3. Wrong decisions or compromises
  4. Use of self-developed modules instead of well-tested and thoroughly analyzed modules for security services such as authentication
  5. Storing user credentials together with other application data
  6. Guessing attempts: allowing repeated guessing attempts
  7. Lack of security awareness among users