OWASP

Course
Time: 4 hours 32 minutes
Difficulty: Beginner
CEU/CPE: 24

Video Transcription

00:00
Hey, everyone, welcome back to the course. So in the last video, we wrapped up our lab on broken authentication.
00:06
In this video, we're gonna talk about sensitive data exposure.
00:11
A quick pre-assessment question here. Ways to prevent the exposure of sensitive data include all of the following except which one of these?
00:21
All right, so if you just answered B, you are correct. So storing unnecessary data is not actually a way that we can prevent against exposing our sensitive data.
00:32
Answer A, classifying the data; answer C, encrypting the data in transit and at rest; and then also using strong encryption algorithms. All those are correct ways that we can use to prevent against the exposure of our sensitive data.
00:47
So learning objectives for this video: we're going to talk about things like the risk rating for sensitive data exposure. We're also going to talk about ways we can check for it and ways we can prevent or mitigate against it.
00:58
So the rating scale here, if you remember from the last module, we talked about red being a bad thing. So we see here that it's more than likely a pretty common type of occurrence, as far as sensitive data exposure, as well as it may have a significant technical impact.
01:12
So what is sensitive data exposure? Well, the name gives it away, right? We're exposing sensitive data, but what does that actually mean? Well, many web applications and also APIs, our application programming interfaces, don't properly protect sensitive data. So,
01:26
you know, things like our financial data, so credit card information, or health care data. So, you know, if you got a surgery back in the day and they talk about that, or, you know, even like if you or someone you know had an STD or something that shows your health history, right? That type of information can be taken,
01:44
as well as personally identifiable information. So things like your Social Security number, your date of birth,
01:48
phone number, address, email addresses, all that good stuff.
01:53
So is it prevalent? Well, yes. You know, it's actually probably the most common impactful attack in the past couple of years. You'll see this a lot. You know, just think of the Equifax breach, right? So your information from your credit report, all your information, right? Your Social Security number, potentially your passport information,
02:13
date of birth, all that good stuff, attackers have now.
02:15
Um, they more than likely had it already, but they've got, you know, pretty much everybody's stuff now. So that's where this is one of the most common things.
02:25
And, you know, the most common flaw associated with that is actually not encrypting data. You know, a lot of companies want to save money, and so they, you know, it may be a money thing, and they also want to, you know, keep systems fast for customers. So
02:42
if you're encrypting data, obviously that slows things down, and that, you know, costs more money to do. That sort of stuff takes more resources. So, you know, it is kind of that balancing act. Obviously, sensitive data should always be encrypted, right? But a lot of companies don't do that, unfortunately,
02:58
or they're using weak encryption. Right. So we have seen with Equifax,
03:02
uh, actually, it wasn't Equifax. It was a different company, and the name escapes me now. I believe it was a hotel. But anyways, what they did is, you know, number one, they lost the data,
03:15
but then also they used weak encryption. So the attacker was basically, you know, if they did it, they were able to access the encrypted data, so it doesn't really make any sense
03:23
to do that sort of thing.
03:27
So speaking of encryption now, we're not gonna dive into encryption. We've actually got several courses related to encryption and cryptography on Cybrary if you want to check those out, if you want to take a deep dive into it. Um, this example I'm gonna talk about is Diffie-Hellman, and we'll talk about eventually a key exchange here. So we're gonna talk about how Alice and Bob, using this paint,
03:46
this paint example,
03:49
we're going to talk about how they derive a common key that they're going to use for communication. So when we talk about encryption, we've got asymmetric and symmetric. So symmetric encryption, and again, we're not gonna do a dive into this by any means. With symmetric encryption we're basically using the same key, the public key; everyone's got access to it,
04:06
whereas asymmetric, it's slower. But I've got, like, a private key. You've got a private key.
04:12
So when we, and we've got a shared public key, so when we encrypt data and we send it to each other, we can decrypt it with our private key.
04:19
So in this example here, Alice and Bob, they will start off with that base, you know, color of yellow. And then Alice puts her secret color in, or her secret key in there. Looks like red here. And then Bob puts in his secret key with his yellow mixture there. What kind of looks like a teal color,
04:35
and then where he might be actually green. Um, it might just be my bad vision there. So, Bob ends up with blue, right. However that mixture works out, he ends up with blue as his public mixture, and then Alice ends up with kind of like a light brown color, it looks like there.
04:50
What they do then is they swap those cans of paint. And then so Bob now has Alice's can of paint, and Alice has Bob's can of paint. Then what they both do is they just mix that new can of paint. So Alice mixes Bob's can of paint, and she mixes it with her secret color, so that red again, and she ends up with that kind of brown color that we see there.
05:10
And then what Bob does is the exact same thing, right? He takes Alice's can of paint, he mixes it with his secret key or his secret color of paint, and then he should get the same result. So they both now have a common secret key, or, you know, that common paint can that they're sharing. So that way, when they do communication, they have a common key to use.
05:29
Now, of course, Diffie-Hellman is a vulnerable
05:30
thing, the key for the key exchange. But this was a good example. I always like to use the paint example when I talk about encryption because it gives you a good idea of, like, kind of how encryption works. So if I
05:43
am Alice or Bob, now that I've got that common, that public key that we're using, I've also still got my private key, right? I still, as if I'm Bob, I've still got my yellow can of paint,
05:51
and so I could still mix that with, you know, the shared key and get information back. You know, I could basically decrypt the information.
06:01
So how do we check for sensitive data exposure? Well, um,
06:05
number one, clear text data transmission, right? If you're seeing data transmitted in clear text, then that's a strong indicator that you're vulnerable to this particular thing, and you may see that a lot with, like, SMTP, Simple Mail Transfer Protocol, FTP, or File Transfer Protocol, a lot of people are probably familiar with that, and then HTTP,
06:25
Hypertext Transfer Protocol. You'll see websites now use, we'll see HTTPS in the URL, right. So that means it's got some kind of security or encryption in place
06:34
that it's using.
06:36
Storage, you know, so
06:39
are we storing sensitive data, right? Are we storing unnecessary data? Again, going back to that pre-assessment question there, are we storing unnecessary data? Weak algorithms, no encryption. And are we using server-side certificates? So are we verifying that this is actually a good server, this is actually the server
06:57
for when we establish our communication?
07:00
Impact. Again, I mentioned, you know, the health information, financial, our intellectual property could be taken, and then other personal data as well.
07:10
So how do we prevent or mitigate against this particular thing? Well, we want to classify our data, right? So we want to classify data that we are processing, any data we're storing or transmitting. So we want to basically figure out, like, is this actually sensitive data, is it critical data, you know? Are there any regulatory requirements, you know? So, like, HIPAA,
07:28
SOX, PCI DSS, you know, GDPR.
07:31
Are we worried about any regulations that may cover this particular data?
07:35
Applying controls, you know, based off that particular classification that we give it.
07:40
Again, not keeping any unnecessary data. We don't wanna have unnecessary data, because that makes a bigger attack surface for the criminal attacker.
07:48
We always want to encrypt data, uh, at rest as well as in transit, and use secure protocols like TLS, you know, or something like that.
08:01
Disable caching, use strong passwords, and then also salt the password. So, basically taking a bunch of random characters and then, you know, putting that with the password and doing a hash. Again, a hash is a one-way function, and so potentially that could make it a lot more difficult for, ah, an attacker to get your password.
08:18
And then monitoring any type of things that we put in place, right? So if we classify our data that we put in, we implement controls, we want to monitor to make sure those controls are effective, right? If we use salting on our passwords, we want to monitor to make sure it's effective.
08:33
If we're using encryption, we want to monitor and make sure the encryption is still a strong algorithm, make sure it's still working properly. So again, just that monitoring. In the military we called them after-action reports. So after you do things,
08:46
review it, talk about it, make sure everything's still working properly; if not, adjust things to where you need them to be to make sure your data's safe.
08:54
So just a quick post-assessment question here. Perfect has been tasked with checking for sensitive data exposure at his company. He knows that all of the following might be indicators of sensitive data exposure, except which one of these?
09:09
All right, if you guessed answer B, strong encryption, you are correct. So that's not an indicator of sensitive data exposure. Strong encryption is something we want to do to prevent against sensitive data exposure.
09:22
All right, so in this video, we talked about sensitive data exposure. We kind of went over it at a high level. And in the next video, we're gonna do a lab so you can take a look and see what that actually looks like.

OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and resources to help organizations protect critical apps. Cybrary’s OWASP training course covers the organization’s popular “Top 10” risk assessment.

Instructed By

Ken Underhill
Master Instructor at Cybrary