Sensitive data deserves extra protection, such as encryption at rest and in transit. Failing to provide that protection is known as sensitive data exposure. Typical examples of sensitive data:
- Username & Password
- Debit/Credit Card Information
- Personal Data
- At Rest: If data is at rest, i.e. saved in a database, and strong cryptography is not applied, then any attacker who gains access to the database (for example through SQL injection) can read the sensitive data directly.
- In Transit: If the communication channel is not encrypted, an attacker who can observe the traffic (through a Man-in-the-Middle position or a packet sniffer) can read the sensitive data as it passes.
- Attack on Confidentiality
Exploitability : Difficult
Impact : Severe
- Don't store sensitive data unnecessarily.
- Ensure a strong, standard algorithm and a strong key are used.
- Ensure proper key management is in place.
- Ensure passwords are stored with an algorithm specifically designed for password protection (such as bcrypt, PBKDF2 or scrypt), which is salted and deliberately slow, rather than a plain fast hash.
- Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
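The password-storage point above, shown as an added example that is not part of the original post. It uses PBKDF2-HMAC-SHA256 from the Python standard library (so it runs offline; bcrypt and scrypt are equally valid choices) and contrasts it with an unsalted fast hash. The iteration count, salt length and record format are assumptions chosen for this example, not a recommendation from the page.

```python
import hashlib
import hmac
import os

# Assumed tuning values for this example. Raise the iteration count as your
# hardware allows; it is the "work factor" that slows offline guessing.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
HASH_NAME = "sha256"
ALGO_TAG = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per password means two users with the same password
    get different records, so a stolen table cannot be attacked with one
    precomputed lookup for all rows.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{ALGO_TAG}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != ALGO_TAG:
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, current_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record was made with a weaker work factor than today's.

    Call this after a successful login and re-store the password with
    hash_password() so old records are upgraded transparently.
    """
    try:
        algo, iters, _salt, _digest = record.split("$")
        return algo != ALGO_TAG or int(iters) < current_iterations
    except ValueError:
        return True


def weak_hash(password: str) -> str:
    """What NOT to do: an unsalted, fast hash.

    Identical passwords produce identical output, and SHA-256 is fast enough
    that an attacker with the table can test billions of guesses per second.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    rec_a = hash_password(pw)
    rec_b = hash_password(pw)
    print("salted records differ for the same password:", rec_a != rec_b)
    print("verify correct password:", verify_password(pw, rec_a))
    print("verify wrong password:  ", verify_password(pw + "!", rec_a))
    print("unsalted hashes collide:", weak_hash(pw) == weak_hash(pw))
    old = hash_password(pw, iterations=100_000)
    print("old record needs upgrade:", needs_rehash(old))
```

The record stores its own algorithm tag and iteration count, so the work factor can be raised later without invalidating existing accounts: verify with the stored parameters, then re-hash with the current ones. That is the small piece of key-management discipline the list above asks for, applied to password storage.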