Sensitive Data Exposure

Learn about hackers attacking your data, cracks in the shell, AWS key management service, insufficient attack protection, and certificate revocation list.

Cracks in the shell

Valuable information that people can steal or use against us includes credit cards, medical records, insurance files, purchasing data, and emails. This is the stuff that makes for headlines and subpoenas. That’s what OWASP means by “sensitive data.” The “exposure” part is probably obvious. Exposure doesn’t mean that a hacker broke our crypto. Hackers don’t attack our strong points. They look for cracks in our shell. It can be as simple as an employee’s stolen laptop with a database extract in a spreadsheet. Maybe our system uses TLS at the edge but REST over plain HTTP internally, another “pie crust.” An attacker can sniff the network to collect credentials and payload data.

Here are some guidelines to help you avoid headlines:

  • Don’t store sensitive information that you don’t need. In retail, use a credit card tokenizer from your payment provider.

  • Use HTTP Strict Transport Security. This is a step beyond HTTPS-first. It prevents clients from negotiating their way to insecure protocols.

  • Stop using SHA-1. Just stop. It’s no longer adequate.

  • Never store passwords in plain text. Read OWASP’s Password Storage Cheat Sheet for guidance on hash algorithms and good salting ...