Sensitive Data Exposure: Why It Hurts
In the past few years, we've seen a huge increase in the amount of sensitive data that travels across the internet. Web applications generate and share this data. Companies are also offering more digital solutions to more of their clients, which exposes more sensitive data.
When we think about data, we should not only think about how to manage it in a more performant way. It's also very important that we think about privacy and how not to expose sensitive data.
What Is Sensitive Data?
Some developers consider credit card data to be the only sensitive information. Therefore, they're more concerned with its handling and storage than they are with any other type of data.
There's even a standard called PCI-DSS (Payment Card Industry Data Security Standard). The online payment companies and e-commerce stores that handle the credit card data of their customers must follow this standard.
Not every application has functionality related to online payments, and not every application will need to handle credit card data. But that application may still handle sensitive data!
You wouldn't want personal data (such as documents, addresses, or telephone numbers) exposed on the internet for anyone to access.
It's vital to transfer and store this type of information securely, because it is sensitive too.
Generally, we may think that sensitive data is just about credit cards or Social Security numbers. Well, that's not correct. Any data that contains personal information is sensitive. Information that someone can use to link with other information and thereby compromise entities is also sensitive. For example, some organizations use mother's or grandmother's maiden name, the name of elementary or primary school, or the make and model of a person's first car as security questions. So, a hacker could use that information to guess passwords.
Beyond Credit Card Numbers
Here are some other examples of sensitive data.
- Session tokens
- Phone numbers
- Home addresses
- Login credentials, such as usernames and passwords
- Financial information, such as bank account numbers and credit card data
- Contact information, such as addresses and phone numbers
- Health records, such as results of exams and medical records
- Other data, such as date of birth and family names
Sensitive Data Exposure and Data Breach: What's the Difference?
It's no surprise that over the years, most organizations' digital presence has increased. Virtually every aspect of people's lives is now more likely to be digitized, including medical records and shopping histories.
It's important to distinguish between sensitive data exposure and a data breach. So, how can you tell the difference?
A data breach is a problem that occurs when someone gets information without authorization. On the other hand, if the data is exposed to anyone—not necessarily on purpose—it could be interpreted as a case of data exposure.
Sensitive Data Exposure Requires No Maliciousness
A data breach occurs as a result of a malicious attack. On the other hand, sensitive data exposure happens when the application doesn't properly handle and protect a database's information.
Managing Sensitive Data Goes Beyond Cryptography
When I talk about how to manage the data, I'm not just talking about cryptography and digital certificates. They're also important, of course. But we need to take into consideration the whole process of an application—from the platform to the architecture of the app.
Let's take a look at how OWASP affects this issue.
OWASP: Going a Little Deeper
The Open Web Application Security Project, known as OWASP, is an open community that started in 2001.
The objective of OWASP is to empower organizations to develop, acquire, operate, and maintain applications that are reliable and secure.
The project offers free documents, tools, forums, and studies on security in web applications.
One of the most popular documents produced by OWASP is the Top 10. This list, based on studies, contains the most critical risks in web applications, according to the group.
The document describes the risks in detail. It also shows examples of how the risks work and teaches you how to prevent them.
Way back in 2017, the Top 10 listed sensitive data exposure (now part of a category called cryptographic failures).
Below, you'll find some important recommendations from the most recent list.
- Classify data that an application processes, stores, or transmits. Determine which data is sensitive according to privacy laws, regulatory requirements, or business needs.
- Don't store sensitive data unnecessarily. Discard it as soon as possible. You can also use PCI-DSS compliant tokenization or even truncation. Thieves can't steal data that you don't retain!
- Encrypt all sensitive data at rest.
- Disable caching for responses that include sensitive data.
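The recommendations above, sketched as an added example that is not part of the original article: a response builder that classifies fields, withholds or truncates restricted ones, and disables caching when the body carries personal data. The field names, the classification table, and `build_response` are illustrative assumptions.

```python
from enum import IntEnum

class Level(IntEnum):
    PUBLIC = 0
    PERSONAL = 1     # phone numbers, addresses, date of birth
    RESTRICTED = 2   # card data, credentials, session tokens

# Constructed classification table; a real one comes from your own data inventory.
CLASSIFICATION = {
    "display_name": Level.PUBLIC,
    "phone": Level.PERSONAL,
    "home_address": Level.PERSONAL,
    "card_number": Level.RESTRICTED,
    "password_hash": Level.RESTRICTED,
    "session_token": Level.RESTRICTED,
}

def truncate_pan(pan: str) -> str:
    """Truncate a card number so that only its last four digits survive."""
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) < 13:              # not a plausible card number: reveal nothing
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]

# How a RESTRICTED field may leave the service; fields not listed are withheld.
RESTRICTED_TRANSFORMS = {"card_number": truncate_pan}

def build_response(record: dict, requested: list) -> tuple:
    """Return (body, headers) for the requested fields of one record."""
    body, highest = {}, Level.PUBLIC
    for name in requested:
        level = CLASSIFICATION.get(name)
        if name not in record or level is None:
            continue                  # unclassified fields fail closed
        value = record[name]
        if level is Level.RESTRICTED:
            transform = RESTRICTED_TRANSFORMS.get(name)
            if transform is None:
                continue              # credentials and tokens are never echoed back
            value = transform(value)
        body[name] = value
        highest = max(highest, level)
    headers = {"Content-Type": "application/json"}
    if highest >= Level.PERSONAL:
        headers["Cache-Control"] = "no-store"   # keep caches from storing it
    return body, headers
```

Encryption at rest is outside this sketch; it belongs in the storage layer rather than in the response path.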
Why Does This Matter?
Why is minimizing sensitive data exposure important for your business and your users?
Getting into the market—and more importantly, staying in the market—may be difficult. A brand's reputation takes years to build, but a major security incident can easily destroy it in a matter of weeks.
That undermining of the trust of customers and supporters creates a reputation challenge that's difficult to repair. And this type of exposure doesn't just worsen the company's image but also can cause a huge financial impact.
Our data is very valuable. Criminals in search of this treasure want to carry out fraud and scams with our information. Depending on the leaked data, criminals can even open bank accounts or make large purchases in the victim's name.
In addition, it's common for criminals to carry out credit card fraud. There are cases where they even attempt extortion, asking for money in exchange for not using or publishing the stolen data. The common name for this is ransomware.
Another modern problem is the sale of information on the dark web, where it's harder to find the seller's identity.
Whatever the situation is, exposure of data can lead to serious problems.
Now that you have a better idea of what some of the problems are, what can you do about them?
The Challenges of Neglected Security
Many developers neglect security concepts and best practices. This brings big risks. APIs provide a point of contact between the outside world and the company's internal applications. Let's not forget that APIs can also provide access to updates or processing that the back end performs and handles.
When it comes to mapping their endpoints, many companies fail in this task. We have increasingly complex applications that are poorly mapped or documented. There are cases when the application has no documentation. This is a big challenge.
It's important to identify which data is classified as sensitive. Things like purchase history, income, or Social Security numbers are good examples.
It's also important to identify who has access to the sensitive data and how this data is managed across different environments, such as databases, logs, folders, or files.
After all, the sheer variety of technologies and designs used to build APIs also affects how we protect the data within them. We have to understand that an API is, above all, an application. So, we have to follow best practices for its development.
Users should only have access to the data that they are allowed to access. We can implement this by using Identity and Access Management (IAM).
Keep in mind that preventing this kind of incident requires taking a look into the whole process of API development, considering the different types of users, the many locations the data may be stored, and how this data will travel across applications, devices, servers, and so on.
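Logs are one of the places named above where sensitive data ends up unnoticed. As an added example (not from the original article), the following scanner finds card numbers in log lines, uses the Luhn checksum to skip other long digit runs, and masks what it finds. The log format and sample lines are constructed for illustration.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_line(line: str) -> tuple:
    """Return (redacted_line, count_of_card_numbers_found)."""
    found = 0
    def mask(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()      # not a card number: leave it readable
        found += 1
        return "[CARD ****" + digits[-4:] + "]"
    return CANDIDATE.sub(mask, line), found

# Constructed sample log lines (well-known test card numbers, not real accounts).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO checkout user=42 card=4111111111111111 amount=19.99",
    "2024-05-01T10:00:01Z INFO order=1234567890123456 shipped",
    "2024-05-01T10:00:02Z WARN card 5555 5555 5555 4444 declined",
]

def scan(lines):
    """Return [(line_number, redacted_line)] for lines that held a card number."""
    report = []
    for number, line in enumerate(lines, start=1):
        redacted, found = redact_line(line)
        if found:
            report.append((number, redacted))
    return report

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(number, line)
```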
What Can I Do to Better Understand the Problem?
To help with this problem, Traceable AI has created an ebook called The Price of Hubris: The Perils of Overestimating the Security of Your APIs. You'll find some recommendations and tactics there. You'll also learn about techniques that hackers often use to access sensitive information. In addition, check out Traceable AI's helpful blog and consider subscribing.
With the increasing number of experiences and participants, the security risks and vulnerabilities of these platforms have become increasingly evident. There are new security challenges, and ensuring the perfect functioning of the network has become more important for any company. Business partners and the general public expect more than ever from organizations—and that affects you and your team.
This post was written by Rhuan Souza. Rhuan is a software engineer who has experience with infrastructure. Rhuan is currently working as a full-stack web developer. He's a passionate developer who not only focuses on code but also wants to help change processes and make people's lives easier.