A3: Sensitive Data Exposure

App Specific

Rather than directly attacking crypto, attackers steal keys, execute man-in the-middle attacks, or steal clear text data off the server, while in transit, or from the user's client, e.g. browser. A manual attack is generally required.
Previously retrieved password databases could be brute forced by Graphics Processing Units (GPUs).

Prevalence

Over the last few years, this has been the most common impactful attack. The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm, protocol and cipher usage is common, particularly for weak password hashing storage techniques.

For data in transit, server side weaknesses are mainly easy to detect, but hard for data at rest.

Technical

Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive personal information (PII) data such as health records, credentials, personal data, and credit cards, which often require protection as defined by laws or regulations such as the EU GDPR or local privacy laws.

The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if that data falls under privacy laws, e.g. EU's General Data Protection Regulation (GDPR), or regulations, e.g. financial data protection such as PCI Data Security Standard (PCI DSS). For all such data:

Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP. External internet traffic is especially dangerous. Verify all internal traffic e.g. between load balancers, web servers, or back-end systems.
Is sensitive data stored in clear text, including backups?
Are any old or weak cryptographic algorithms used either by default or in older code?
Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing?
Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing?
Does the user agent (e.g. app, mail client) not verify if the received server certificate is valid?

How to detect this security problem?

Valency Networks technical team is highly capable of running app scans and also perform manual vulnerability assessment to find this security problem. We can also help you re-design the code component or provide inputs towards successful fixation.

What Our Customers Say?

Valency Networks is a very techie company, focusing on a continuous improvement in service quality. Our customers like us exactly for that and that helps us keep our quality to the best extent.

Valency Networks is our only preferred vendor because the way they find vulnerabilities in our network is par excellence. We hired them on a long term contract to top up our perimeter and wish to continue with them.

CTO

Fortune 50 Manufaturing Company, Pune

Hardly goes a day when I have not learnt anything new in cyber security space and IT technologies.

Team-mate

for 6+ yrs

Working at Valency Networks helps me gain great knowledge everyday.

Team-mate,

for 3+ yrs

A3: Sensitive Data Exposure

App Specific

Prevalence

Technical

Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP. External internet traffic is especially dangerous. Verify all internal traffic e.g. between load balancers, web servers, or back-end systems.

Is sensitive data stored in clear text, including backups?

Are any old or weak cryptographic algorithms used either by default or in older code?

Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing?

Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing?

Does the user agent (e.g. app, mail client) not verify if the received server certificate is valid?

How to detect this security problem?