Following our article summarizing and describing the OWASP Top 10 attacks, we are going to discuss “sensitive data exposure”, i.e. the exposure of sensitive data to people who are not supposed to have access to it. This category is also often referred to as a “data leak”.
First things first: this category only concerns non-public data. Attackers mainly look for specific data such as:
- A company’s confidential information (R&D, knowledge and know-how, etc.)
- Client data (name, surname, email, credit card number, etc.)
- Information about your internal network or your organization
Protect yourself against sensitive data exposure
- It is essential to have a clear security policy defining what is sensitive, confidential or public. Every piece of data, whether it concerns clients, employees or the company itself, can be classified by criticality level, and a handling policy can then be attached to each level. Even if it seems trivial, this is an unavoidable starting point that is too often forgotten.
- The application permissions tied to user accounts must be enforced correctly, and the permissions on files and directories must be configured strictly, so that a “directory traversal” bug in the application cannot be turned into a read of arbitrary files on the server. File permissions limit the damage; the application must still validate any user-supplied path before opening it.
- Then, store on exposed machines only what must be stored. Why keep clients’ credit card numbers if a payment gateway handles your transactions? Why keep them needlessly? The same simple logic applies to every piece of data (IP address, email, etc.) on a server: must it be there, must it be protected by a login and password, or can it be dropped altogether? The “store only what you need” policy is vital.
- At the same time, protect what must be protected. Passwords must never be stored in clear text or in a reversible form: hash them with a salted, deliberately slow password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2). Other sensitive fields (emails, identity data) can be stored encrypted, with the key kept outside the database and ideally outside the web server. In the case of an SQL injection, the dumped tables then contain nothing directly usable. This policy has saved many companies whose servers were compromised, because the attackers could not exploit the hashed or encrypted data. Note that encryption only helps if the key is not also readable from the compromised host.
- Favor HTTPS and, generally, encrypted protocols (SFTP, SCP, etc.). The interesting data is not always in a database; it is sometimes in transit, from browser to server. TLS (the successor of SSL) and encryption in general considerably complicate an attacker’s work. Only use safe protocol versions and algorithms: TLS 1.2 or later, AES with keys of at least 128 bits, and no SHA-1 (it is a hash function, not an encryption algorithm, and collisions against it are practical today). Typically, the WEP Wi-Fi encryption protocol is broken and must not be used.
- Use strong passwords (long, unique for each service, ideally generated and kept in a password manager) and change them as soon as a compromise is suspected. Current guidance (NIST SP 800-63B) no longer recommends forced periodic rotation, which mostly pushes users toward predictable variants of the same password.
- Never rely on security implemented on the client side (here, the browser): by principle the client can be compromised, or an attacker can alter what is sent to the server. Every check must be redone on the server.
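The three storage-side recommendations above (store only what you need, hash passwords rather than encrypting them, and refuse file paths that escape the web root) are illustrated below in a small Python module. This is an added example written for this article, not CerberHost code. The `pbkdf2_sha256$…` record format, the card-masking rule (first 6 and last 4 digits kept) and the sample inputs are assumptions chosen for the illustration; the iteration count follows the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import secrets
from urllib.parse import unquote

# --- 1. "Store only what you need": keep a masked card number, never the full PAN ---

def mask_card_number(pan: str) -> str:
    """Return a display-safe form of a card number (first 6 and last 4 digits).

    The full PAN goes to the payment gateway and is never written to our
    database; the masked form is enough for receipts and support tickets.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# --- 2. Passwords are hashed, not encrypted: a dump obtained by SQL injection is useless ---

PBKDF2_ITERATIONS = 600_000  # OWASP recommendation for PBKDF2-HMAC-SHA256 (2023)

def hash_password(password: str) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 record of the form algo$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# --- 3. Strict file access: resolve the requested path and refuse anything outside the web root ---

def is_under_root(web_root: str, requested: str) -> bool:
    """True if the user-supplied path, once decoded and normalized, stays inside web_root."""
    root = os.path.realpath(web_root)
    decoded = unquote(requested)  # catch '..%2F..%2Fetc/passwd' as well as '../../etc/passwd'
    if "\x00" in decoded:
        return False  # null bytes are a classic way to truncate paths in lower layers
    # Strip leading separators so an absolute request maps inside the root, not onto '/'.
    target = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    return os.path.commonpath([root, target]) == root

def safe_join(web_root: str, requested: str) -> str:
    """Map a user-supplied path to a file under web_root, or raise PermissionError."""
    if not is_under_root(web_root, requested):
        raise PermissionError(f"path escapes web root: {requested!r}")
    return os.path.realpath(os.path.join(os.path.realpath(web_root), unquote(requested).lstrip("/\\")))


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    print(mask_card_number("4111 1111 1111 1111"))
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    for path in ("index.html", "css/../index.html", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd"):
        print(path, "->", "allowed" if is_under_root("/srv/www/site", path) else "REFUSED")
```

`verify_password` uses `hmac.compare_digest` so that a wrong guess does not leak, through timing, how many leading bytes of the digest matched. Path checks compare resolved absolute paths with `os.path.commonpath` rather than string prefixes, which also rejects the sibling-directory trick (`/srv/www/site2` starts with `/srv/www/site` but is not under it).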
CerberHost’s answers to data exposure
CerberHost protects access to files that are not supposed to be reachable by enforcing strict permissions on them. It also protects your website against SQL injections with its WAF (Web Application Firewall) NAXSI, which prevents the database content from being extracted. All transfers are secured with TLS (HTTPS, SFTP, SCP), and the passwords issued are always strong. Lastly, all transfers are logged, so a leaked file can be detected and traced.
Since the applications are manually tested for application-level vulnerabilities and for their permission model, it is unlikely that data which should not be accessible can be reached under CerberHost hosting.
CerberHost protects your website against all OWASP Top 10 vulnerabilities, and much more.
To discover CerberHost in pictures, take a look at its presentation video HERE.