A Guide on Preventing Sensitive Data Exposure
It is nearly impossible to live a life today without sharing personal data with outsiders. Just to get by with the basic duties and necessities, we need to share our personal information with our government, employer, doctor, and telecommunications and utility providers. Apart from these, we unconsciously provide personal information to countless businesses as we register for online accounts and memberships, sign up for newsletters, download apps, or even as we navigate on a company website.
Similarly, organizations and businesses today are held responsible for protecting the privacy of their customers and employees. Since most businesses store sensitive data digitally, it has become easier than ever for criminals to steal large amounts of personal data, organized and readily available for exploitation and misuse. As expected, in the latest OWASP list of top 10 vulnerabilities of 2020, sensitive data exposure was again rated as the third most prominent web vulnerability, retaining its position from the previous update in 2017.
It is fair to say that most of the cyberattacks today are aimed at sensitive data. Whether it be state-sponsored threat actors or financially motivated hackers, data lies at the center of the cybercrime scene.
Sensitive Data Exposure vs. Data Breach
Many tend to use the terms “sensitive data exposure” and “data breach” interchangeably, despite these having different meanings. Sensitive data exposure refers to the situation where an organization accidentally exposes sensitive data — such as personal data, financial data, or corporate secrets — usually as the result of the failure at adequately protecting a database. Examples of such failure include the lack of strong encryption, web application vulnerabilities, lack of multi-factor authentication, and simply database misconfigurations.
A data breach is used to describe circumstances where sensitive data have been accessed, viewed, or obtained by third parties through malicious actions. Most data breaches are caused by sensitive data exposure, but not all sensitive data exposure cases result in data breaches.
In this article, we focus on discussing some of the most common causes of sensitive data exposure and how organizations can prevent them.
Common Causes of Sensitive Data Exposure
Storing data in plain text
The leading cause of sensitive data exposure is the lack of encryption or weak encryption. This is a mistake frequently made by SMEs who are either not regulated by data privacy laws, or believe that they are too small of a target. The truth is that financially motivated hackers mostly do not care about the size and industry of the target. Storing sensitive data in plain text is extremely risky because web application vulnerabilities can be exploited to gain access to the application server. Websites without SSL and HTTPS security are especially vulnerable to such exploitations.
Database encryption is actually not as difficult as it sounds. With a database encryption solution like D’Amo, businesses can easily manage automated column-level encryption for their data. D’Amo allows for encryption at the application level, system level, and network level, retaining the search capabilities of the database.
As the all-time top spot on the OWASP top 10 vulnerabilities list, SQL injection is the biggest threat to web applications. Hackers would inject malicious SQL statements into the queries of a web application in order to retrieve sensitive data from the web application server. Hence it is necessary to monitor and filter all user inputs into the web forms to prevent hackers from compromising the server. The best way to do so is to invest in a web application firewall (WAF). In fact, a WAF has become the most basic security measure for most businesses today, readily available from a variety of vendors to choose from.
Different from other causes of sensitive data exposure, gaining access to login credentials or bypassing authentication allows the hackers to gain direct insider access, undermining all the other security measures. Hackers would use a variety of social engineering, credential stuffing, and even brute force attacks to break through password protection. Given the large amounts of personal information already circulating on the dark web, social engineering attacks have become increasingly common.
As a result, it is not only crucial to set strong passwords, but also important to have a second layer of authentication method (2FA or MFA) via one-time passwords or biometrics. Avoid relying on security questions because these can also be easily cracked using social engineering techniques.
Oftentimes, sensitive data are exposed by employees from within the organization. This is usually the result of phishing scams that trick employees into giving out admin login credentials. Phishing has become one of the most popular attack methods because it does not require sophisticated skills and is surprisingly effective. This is why many organizations are making cybersecurity education mandatory for all employees.
Another common case of insider threat is when current or former employees purposely expose sensitive information for monetary gains or simply for revenge. To prevent such attacks, it is important to update admin login credentials periodically and also to limit account access to as few members as possible. By authorizing only those who need access to the database immediately, the risk of data exposure can be significantly reduced. An identity and access management (IAM) system takes care of account authentication and authorization, making it easier for organizations to keep track of their login credentials, limit access, and mitigate insider threats.
Being attacked by ransomware is the worst nightmare for a business. Clearly, ransomware goes hand in hand with sensitive data as the attackers hold data hostage for financial gains. This again signals the importance of keeping sensitive data encrypted. However, for businesses who rely on these data for operation, it is also necessary to back up sensitive data in an isolated network. Taking these two steps together can largely mitigate the impact of a potential ransomware attack. This is because, first, the attackers will not be able to view, exploit, or sell the encrypted data; and second, even if the attackers deploy ransomware to add a second layer of encryption to the data, another backed-up database is readily available in an isolated network. Unfortunately, very few businesses take these two steps seriously and end up paying heavy ransoms without having any guarantee that their data would not be sold under the table. If the attackers were backed by nation-states, paying them ransom could also risk violating international sanctions.
Misconfigured data storage
As COVID-19 continues to drive cloud adoption, it is now very common for companies to use public cloud services to store their data. Yet, many administrators fail to configure these databases correctly and end up making them publicly searchable. Even though cloud misconfiguration does not necessarily lead to data breaches, companies could still be facing fines issued by data regulatory bodies.
Meeting Regulatory Compliance
There is no one-time solution to prevent sensitive data exposure. As the IT environment evolves, attackers will always find new intrusion methods. Hence to stay compliant with data privacy regulations, businesses must constantly review these common causes of data exposure and invest in the appropriate security measures accordingly. Consult with Penta Security for an optimal solution for your business.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: ISign+
Car, Energy, Factory, City Solutions: Penta IoT Security