The OWASP Top 10: Sensitive Data Exposure

Sensitive data exposure is an all too common cyberthreat that endangers businesses and their customers, as well as websites and their visitors. More frequently known as a data breach, sensitive data exposure ranks as one of the top 10 most dangerous cyberthreats by OWASP (Open Web Application Security Project) because of the damage it can do to its victims. Fortunately, you can prevent this threat from affecting your website – we’ll discuss how sensitive data exposure occurs and ways to keep your visitors’ information safe.

What is the OWASP Top 10?

The OWASP Top 10 is a list of the ten most dangerous web application security flaws today. Sensitive data exposure currently ranks sixth on this list. The purpose of OWASP and the Top 10 is to drive visibility and evolution in the safety and security of software.

What is sensitive data exposure and what are the consequences?

As the name suggests, sensitive data exposure occurs when an application or program, like a smartphone app or a browser, does not adequately protect information such as passwords, payment info, or health data. With this information, cybercriminals can make fraudulent purchases, access a victim’s personal accounts, or even personal blackmail. In 2016, 4.8 billion records containing personal data were compromised as a result of data breaches.

Sensitive data exposure can be financially devastating to a website. One data breach costs an average of $3.8 million due to direct costs, such as the cost of investigating the breach, and indirect costs, like reputation damage. While big-name businesses can usually weather a data breach, smaller websites and businesses often can’t afford the fallout.

How to prevent sensitive data exposure

First, you’ll need to determine what data your site collects that could be considered sensitive. This may depend on the type of website you own – if you run an eCommerce site, you’ll need to secure credit card numbers, while forums and customer portals should protect their users’ login credentials. Common information like names, email addresses, and phone numbers should all be considered sensitive information.

Once you’ve taken stock of the sensitive data your site collects, you’ll need to take a number of security measures to protect that information:

Install an SSL certificate on your site, if you haven’t already, to protect data as it transfers from your site to your server. Popular browsers and search engines are flagging sites without SSL as “insecure,” so it’s a measure worth taking to put your visitors’ minds at ease. HTTPS is also one of Google’s ranking signals, so you may see improved search engine visibility as well.

Never store or transmit data in clear text. Always encrypt the data using strong algorithms, and ensure your website application uses hashing for stored passwords.

Keep a backup of the stored data separate from your website’s server. In the event that your server is breached, any data stored on your site will be at risk. Storing the backup separately ensures that if one copy of the data is compromised, the other isn’t, so that you can easily restore your site from a clean and secure copy.

Use strong, unique passwords for your applications and change them regularly.

Use a WAF (web application firewall) to prevent attackers from exploiting common vulnerabilities or accessing your site using automated attack bots.

Use a vulnerability and malware scanner to eliminate backdoor files that could allow cybercriminals to find and expose sensitive data. Some scanners can remove malware patch vulnerabilities automatically.

Prevent browsers from saving sensitive data. Ensure that the browser headers do not cache and save login credentials or other information. Websites, businesses, and victims have a lot to lose from sensitive data exposure. From the high cost of a breach to the criminal consequences, this is a threat you should protect yourself and your visitors from. Fortunately, SiteLock can help – our WAF (web application firewall) blocks attacks and our website scanner automatically finds threats. We also have a blog on choosing the best SSL certificate for your site. If you have any further questions or want to get set up with SiteLock, we’re happy to help anytime 24/7/265 – just give us a call at 855.378.6200.