Threat Agents
Threats can come from parties that have access to the data, especially if that access is not controlled or the data is poorly protected.
In addition, the mere possibility of reaching backups of the information in question increases the vulnerability.
Threats can come from inside the organization itself or from outside it, which enlarges the number of potential threat agents (“Security testing – Sensitive data exposure”, 2017).
Attack Vectors
Attackers can insert themselves into the conversation between two parties and obtain access to the information the parties intended to share only with each other. This requires real-time processing, which is not very convenient, but it also gives attackers a chance to send some information of their own (DuPaul, 2017).
It is also possible to steal data directly from the server. Such an attack can be carried out without waiting and does not require targeting another party as an additional source of information.
Security Weakness
Rather often, the professionals who provide cryptography do not do their best to make it hard to break. In general, they simply add the easiest and simplest key or a common algorithm that a hacker can easily approach.
More critically, many professionals think that it is not important for them to encrypt data because nobody else needs it.
In this way, internal attackers can reach sensitive data without any obstacles. Fortunately, external ones tend to face some difficulties when focusing on server-side flaws.
Technical Impacts
If attackers manage to get into the system and reach sensitive data, that data will be lost. As a rule, they steal credentials, health records, personal data, or credit card information.
It is also possible that attackers add information they would like to share with others. However, people’s privacy prevents this from happening.
Business Impacts
When sensitive data is exposed, it usually leads to dissatisfaction among the parties involved and makes representatives of the affected party go to court because their privacy was violated. In this way, companies tend to lose loyal clients and partners, since sensitive data exposure shows that they do not value these relationships enough. As a result, the organization’s reputation suffers, which affects the company’s standing and the range of benefits it provides.
In fact, small players tend to be affected by sensitive data exposure the most. Being focused on a particular event or activity, they tend to lose client attention. Big companies face this issue as well, but they can shift the focus to those areas they are able to deal with (Särud, 2016).
Vulnerability
Organizations that use applications which handle sensitive information poorly make their users more vulnerable, even when they realize where an attack is likely to come from (GitHub Security, 2017).
To find out whether a company’s sensitive data is affected, or could be affected by attackers over time, professionals should assess it following at least the plan given in the cited source (“Top 10 2013-A6-sensitive data exposure”, 2013).
Prevention
To protect sensitive data from exposure, companies tend to:
- Develop a policy that identifies sensitive data and makes it easy to recognize
- Use data encryption. Some organizations even resort to automatic encryption of data, but not automatic decryption
- Protect encryption keys separately
- Pay the same attention to backups
- Protect data when transferring it online
- Avoid caching information
- Do not use autocomplete, which can lead to the display of the wrong data
- Have a content checker that prevents the exposure of sensitive information through emails
- Use biometric login to make sure that no one else can access the data
- Follow screen lock policies so that no one can access information shown on the screen
- Store only vital information, so that the rest of it can be encrypted and hidden
- Ensure that the data can be wiped if the device is stolen or lost (McMullin, 2015).
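As an added example of the content checker mentioned in the list above (this code is not from the cited sources), the script below scans outbound email bodies for two common kinds of sensitive data, payment card numbers and US social security numbers, and blocks any message that contains one. The card check combines a pattern match with the Luhn checksum so that arbitrary digit strings such as build ids do not trigger false positives. The sample messages are constructed; the card numbers are publicly known test numbers, and the message format is an assumption.

```python
import re

# Constructed sample messages for the demo (not real data). The card numbers
# are well-known test numbers; the build and ticket ids show a Luhn-valid and
# a Luhn-invalid digit string of card length.
SAMPLE_EMAILS = [
    {"to": "partner@example.com", "body": "Invoice attached, thanks."},
    {"to": "friend@example.com", "body": "Use card 4111 1111 1111 1111 exp 12/30."},
    {"to": "hr@example.com", "body": "My SSN is 123-45-6789 for the form."},
    {"to": "dev@example.com", "body": "Build id 1234567812345670 failed"},
    {"to": "dev@example.com", "body": "Ticket 1234567812345678 closed"},
]

# 13 to 19 digits, optionally separated by spaces or hyphens (card-like string).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US social security number in the common NNN-NN-NNNN layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(body: str) -> list:
    """Return (kind, masked_value) pairs for every sensitive item found in the text."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("card", mask(digits)))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def check_outbound(email: dict) -> dict:
    """Decide whether one outbound message may leave; blocked if anything sensitive is found."""
    findings = find_sensitive(email["body"])
    return {"to": email["to"], "blocked": bool(findings), "findings": findings}


if __name__ == "__main__":
    for email in SAMPLE_EMAILS:
        print(check_outbound(email))
```

In a real deployment the checker sits on the mail gateway and logs the masked finding, never the raw value, so that the audit trail does not become a second copy of the sensitive data.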
Attacks
Attackers may reach sensitive data if a company relies on an application that offers automatic encryption, because in most cases that also means automatic decryption. For this reason, it is better to use not only a public key but also a private one that others do not know.
If Secure Sockets Layer (SSL) is not used, an attacker can monitor a user’s traffic and steal his or her cookie. Later, that cookie can be used to obtain private information.
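The cookie theft described above is what the Secure, HttpOnly and SameSite attributes of a session cookie defend against: Secure keeps the browser from ever sending the cookie over plain HTTP, and HttpOnly keeps page scripts from reading it. As an added example (not from the cited sources), the code below audits Set-Cookie headers for those attributes and builds a hardened session cookie with Python's standard http.cookies module. The sample headers are constructed.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, as a reviewer might see them in a capture.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/",                                   # weak: no protection at all
    "sid=abc123; Path=/; Secure",                           # still readable by page scripts
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",   # hardened
]

REQUIRED = ("secure", "httponly", "samesite")


def audit_set_cookie(header: str) -> list:
    """Return the names of the hardening attributes missing from one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    # parts[0] is name=value; the rest are attributes, flags have no '='
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [a for a in REQUIRED if a not in attrs]


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Produce a Set-Cookie value for a session cookie with the protective attributes set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True        # only sent over HTTPS
    jar[name]["httponly"] = True      # not exposed to document.cookie
    jar[name]["samesite"] = "Strict"  # not attached to cross-site requests
    jar[name]["max-age"] = max_age    # bounded lifetime
    jar[name]["path"] = "/"
    return jar[name].OutputString()


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_set_cookie(h) or "ok", "<-", h)
    print(build_session_cookie("sid", "abc123"))
```

The audit function is the check a practitioner would run over captured response headers; the builder shows the server-side fix. Neither replaces transport encryption: even a Secure cookie is only as safe as the TLS configuration that carries it.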
When storing passwords, a rainbow table should be used. With the help of precalculated hashes, it will ensure safety.
References
DuPaul, N. (2017). Man in the middle (MITM) attack. Web.
GitHub Security. (2017). Sensitive data exposure. Web.
McMullin, M. (2015). OWASP top ten series: Sensitive data exposure. Web.
Särud, L. (2016). OWASP top10: Sensitive data exposure. Web.
Security testing – Sensitive data exposure. (2017). Web.
Top 10 2013-A6-sensitive data exposure. (2013). Web.