sensitive data exposure
play

Sensitive Data Exposure Emmanuel Benoist Fall Term 2020/2021 Berner - PowerPoint PPT Presentation

Nov 25, 2022 •389 likes •819 views

Sensitive Data Exposure Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Table of Contents Examples Attacks Recommendations PCI Data

  1. Sensitive Data Exposure Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 1

  2. Table of Contents Examples � Attacks Recommendations � PCI Data Security Standard � Conclusion � Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 2

  3. Sensitive Data Exposure OWASP TOP 10 A3:2017 Where sensitive data can be accessed due to lack of encryption Local Storage Database Transit (LAN) Backups contain sensitive data Backup policy is part of security policy Data stored must be readable ... but not to much! Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 3

  4. Exploitability Attackers typically don’t break crypto directly Break something else Steal keys man-in-the-middle Steal clear text data on the server in transit from user’s browser Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 4

  5. Hard to exploit Simple: no encryption at all the most common flaw When crypto is employed weak key generation weak key management weak algorithm usage Difficult to detect server side flaws limited access hard to exploit Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 5

  6. Impact is Severe Compomises sensitive data Health records credentials personal data credit cards . . . Impact on your business Value of data for competitors Reputation Compliance Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 6

  7. NSA vs. Google Wikileaks showed that NSA was spying on google mail Tons of mails were readable NSA listened to communication between datacenters Communication was cleartext Google strengthtened its systems HTTPS for any client to gmail encryption of data between servers Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 7

  8. Heartbleed Disovered in 2014 Bug in the library Open SSL Implementation of Heartbeat by a PhD student Heartbeat : extension for TLS (Transport Layer Security) Principle Each heartbeat exposed up to 64kB of memory Victims Canada Revenue Agency : theft of 900 taxpayers Social Insurance Numbers in UK, Mumsnet had accounts hijacked (including CEO’s one) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 8

  9. Scenario: encrypted database A Database is stored encrypted Automatic encryption is done Data stored on the disk are unreadable But SQL injection can read Credit Card Numbers Solution Encrypt data with a public key Cards can only be read from back-end using private key Data are “write only” Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 9

  10. Scenario: HTTP vs HTTPS A site has HTTP pages Login occures in HTTPS pages Rest of pages are HTTPS Another part of site is HTTP If cookie is not “secure” SessionID is sent also for HTTP pages / resources (images, css, . . . ) Can be spyed by third party Can be used for inpersonating the victim Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 10

  11. Are you exposed? First define which data are sensitive Health data Credit Card information personal information Credentials (passwords, keys, . . . ) Are they stored clear text? Including Backup Are they transmitted clear text? On the internet Inside the internal network Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 11

  12. Are you exposed? (Cont) Do you use weak or old crypto? Some algorithms are proven weak (MD5 for instance) Configuration is crutial No self made crypto library : details are important Do you use the browser correctly? security directives or headers missing? Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 12

  13. Store sensitive data that you need Credit Card number Many shops use third party payment providers No need to store Credit Card numbers Receives a transaction number certified by the bank Examples Zalando uses “Verified by Visa” or “MasterCard secure code” The bank verifies the validity of the card (using TAN for instance) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 13

  14. Only use strong cryptographic algorithms Use only approved public algorithms AES for symetric encryption, RSA for public key crypto, SHA-256 or better for hash functions Don’t use weak algorithms MD5 SHA1 Classification changes with the time For more details: CAPV program validates crypto algorithms http://csrc.nist.gov/groups/STM/cavp/index.html Configuration is also important Choice of salts Integrity with MAC (HMAC-SHA256 or HMAC-SAH512) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 14

  15. Ensure that random numbers are cryptographically strong Random generators are used for random numbers random file names random userID’s or sessionID’s random strings Should be generated in a cryptographically strong fashion No one should guess Seeded with sufficient entropy Bad example Seed = current time in milliseconds or microseconds Very easy to know (or brute force) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 15

  16. Use only widely accepted implementations of crypto algorithms Do not implement an existing algo on your own No matter how easy it appears Example : heartbleed Ensure that implementation involved crypto specialists For the design and for the review If possible: implementation should be FIPS 140-2 certified Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 16

  17. Always ensure data integrity and authenticity Encryption must be combined with data integrity Otherwise the ciphertext can be changed Especially over an untrusted chanel (e.g. URL or cookie) Use crpytographic cipher modes that offer both confidentiality and authenticity CCM, GCM, OCB If not combine encryption in cipher-block chaining mode CBC with MAC (Message Authentication Code) CBC = Cipher Block Chaining Message Authentication Code : HMAC, UMAC Do not use ECB mode (Electronic codebook) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 17

  18. Store passwords hashed and salted Clear text Vulnerable to SQL injection and the like Just hashed Present in rainbow tables Hashed with a user specific salt A salt is an information added to the value before passing to the hash function. Attack must be conducted for each of the users Use hash functions with work factors Argon2 , scrypt , bcrypt or PBKDF2 Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 18

  19. Ensure that any secret key is protected from unauthorized access Define a key lifecycle Store unencrypted keys away from the encrypted data Use independent keys when multiple keys are required Protect keys in a key vault Document concrete procedures for managing keys through the lifecycle Build support for changing keys periodically Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 19

  20. Insecure Cryptographic Storage Data and Credentials are rarely protected with cryptographic functions Data collected can be used by attackers For Identity Theft or other crimes like Credit Card Fraud Most common problems Not encrypting sensitive data Using home grown algorithms Insecure use of strong algorithms Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, etc.) Hard coding keys, and storing keys in unprotected stores Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 20

  21. Examples Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 21

  22. Attacks Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 22

  23. E-Commerce Web Site Suppose we manage a e-shop We sell goods and clients pay using their credit cards We have to store the address and references of all our clients for the legal issues. Data stored: name, address, e-mail, phone, Credit Cards Numbers Our web site is attacked Attackers access to our Database They can harvest the whole content of our customer clients Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 23

  24. E-Commerce Web Site (Cont.) Damages? For the Clients Use of Credit Cards Number by attackers Privacy violation Identity Theft . . . For The Web Site Reputation Clients data stolen (can be resold to a competitor) Business secrets stolen For the Credit Card Company Reputation Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted insecurely Failure to protect all sensitive data Usernames, passwords, password hashes, credit-card information, identity info Session

415 views • 17 slides
Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed

Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed

Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed Presidents Executive Council on 13 Jan: recommended to proceed with deploying a Sensitive Data Manager tool on all UND owned computers to

321 views • 6 slides
Apps data data data learning Locality Filtering PageRank, Recommen sensitive data SVM

Apps data data data learning Locality Filtering PageRank, Recommen sensitive data SVM

High dim. Graph Infinite Machine Apps data data data learning Locality Filtering PageRank, Recommen sensitive data SVM SimRank der systems hashing streams Community Web Decision Association Clustering Detection advertising

1.61k views • 62 slides
Apps data data data learning Locality Filtering PageRank, Recommen sensitive data SVM

Apps data data data learning Locality Filtering PageRank, Recommen sensitive data SVM

High dim. Graph Infinite Machine Apps data data data learning Locality Filtering PageRank, Recommen sensitive data SVM SimRank der systems hashing streams Network Web Decision Association Clustering Analysis advertising

1.36k views • 110 slides
Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore?

Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore?

Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore? Store sensitive parameters of an Ada server : Database connection passwords API secret keys Tool to store sensitive information :

266 views • 24 slides
MoVid 13? Landon Cox Duke University Want to share sensitive data. Devices have sensors and

MoVid 13? Landon Cox Duke University Want to share sensitive data. Devices have sensors and

What would you submit to MoVid 13? Landon Cox Duke University Want to share sensitive data. Devices have sensors and talk to the cloud . Data is often sensitive (e.g., location, images). Mobile sensing services Tremendous opportunities

567 views • 11 slides
Exposure Routes Internal and External Exposure External exposure Internal exposure Body surface

Exposure Routes Internal and External Exposure External exposure Internal exposure Body surface

Exposure Routes Internal and External Exposure External exposure Internal exposure Body surface From outer space contamination and the sun Inhalation Suspended Food and drink matters consumption Lungs From a radiation generator

180 views • 5 slides
Exposure Assessment in Personal Injury Litigation: Challenging the Data however, it is probably

Exposure Assessment in Personal Injury Litigation: Challenging the Data however, it is probably

9 real conclusion as to what level of exposure the person experienced. Although might be established. ExPOSURE ASSESSMENT METHODOLOGIES Personal testimony. A plaintiff may simply say, I ate it, I drank it, or I breathed it.

264 views • 4 slides
data learning Locality Filtering PageRank, Recommen sensitive data SVM SimRank der

data learning Locality Filtering PageRank, Recommen sensitive data SVM SimRank der

Infinite High dim. Graph Machine Apps data data data learning Locality Filtering PageRank, Recommen sensitive data SVM SimRank der systems hashing streams Community Queries on Decision Association Clustering Detection

1.04k views • 91 slides
Replication, Security & Consolidation Solutions SDI for Sensitive Data Intercept

Replication, Security & Consolidation Solutions SDI for Sensitive Data Intercept

Interception, Replication, Security & Consolidation Solutions SDI for Sensitive Data Intercept Enscribe-2-SQL Toolkit protects sensitive data-at-rest. Interception, seamless migration to SQL tables for Enscribe encryption, and

477 views • 29 slides
Computing How to compute with large sensitive data? Biomedical data Proprietary data Secure

Computing How to compute with large sensitive data? Biomedical data Proprietary data Secure

U SING T RUSTED E XECUTION E NVIRONMENTS O N H IGH -P ERFORMANCE C OMPUTING P LATFORMS Ayaz Akram, Anna Giannakou, Venkatesh Akella, Jason Lowe-Power, Sean Peisert Secure High-Performance Computing How to compute with large sensitive data?

514 views • 13 slides
Making Programs Forget: Enforcing Lifetime for Sensitive Data Jayanthkumar Kannan (Google Inc),

Making Programs Forget: Enforcing Lifetime for Sensitive Data Jayanthkumar Kannan (Google Inc),

Making Programs Forget: Enforcing Lifetime for Sensitive Data Jayanthkumar Kannan (Google Inc), Gautam Altekar (UC Berkeley), Petros Maniatis (Intel Labs), Byung-Gon Chun (Intel Labs) 1 The Problem: Lingering Data Sensitive Data How long is

437 views • 12 slides
Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No privacy breaches! Public Data Anonymization Data representation? Privacy breach? Value of data? Data publisher Privacy Analyst Work by: Elena

80 views • 3 slides
Technology Evaluation for Tim e Sensitive gy Data Transport Report and status for subtask in

Technology Evaluation for Tim e Sensitive gy Data Transport Report and status for subtask in

Technology Evaluation for Tim e Sensitive gy Data Transport Report and status for subtask in JRA1 GN3 JRA1 Workshop, 20st-22nd of November, Copenhagen Henrik Wessing, Task leader Tim e Sensitive Transport - Agenda Motivation and

292 views • 17 slides
Data Races are Bad Race: two threads access memory without synchronization and at least one is a

Data Races are Bad Race: two threads access memory without synchronization and at least one is a

C ONTEXT - SENSITIVE C ORRELATION A NALYSIS FOR D ETECTING R ACES Polyvios Pratikakis Jeff Foster Michael Hicks University of Maryland, College Park Context-sensitive Correlation Analysis for Detecting Races p.1/ ?? Data Races are Bad

1.28k views • 76 slides
Collection and Dissemination of Exposure Data for Risk Screening of Formulated Consumer Products

Collection and Dissemination of Exposure Data for Risk Screening of Formulated Consumer Products

Collection and Dissemination of Exposure Data for Risk Screening of Formulated Consumer Products Presented By: Dr. Paul C. DeLeo Senior Director, Environmental Safety 21 st Annual Meeting of the International Society of Exposure Science

1k views • 23 slides
Neural Networks 1. Introduction Spring 2019 1 Neural Networks are taking over! Neural

Neural Networks 1. Introduction Spring 2019 1 Neural Networks are taking over! Neural

Neural Networks 1. Introduction Spring 2019 1 Neural Networks are taking over! Neural networks have become one of the major thrust areas recently in various pattern recognition, prediction, and analysis problems In many problems they

1.57k views • 124 slides
Casimir effect and 3d QED from machine learning Harold Erbin Universit di Torino & Infn

Casimir effect and 3d QED from machine learning Harold Erbin Universit di Torino & Infn

Casimir effect and 3d QED from machine learning Harold Erbin Universit di Torino & Infn (Italy) In collaboration with: M. Chernodub (Tours), V. Goy, I. Grishmanovky, A. Molochkov (Vladivostok) [ 1911.07571 + to appear] 1 / 49 Outline: 1.

609 views • 58 slides
What are the emerging technologies? 1- Machine Learning (ML) 2- Block Chain Technologies (BCT)

What are the emerging technologies? 1- Machine Learning (ML) 2- Block Chain Technologies (BCT)

What are the emerging technologies? 1- Machine Learning (ML) 2- Block Chain Technologies (BCT) 3- Big Data Analytics (BDA) 4- Small Data Analytics (SDA) 5- Internet of Things (IoT) 6- Wearables Technology (WT) 7- Artificial Intelligence (AI)

1.07k views • 45 slides
CS 309: Autonomous Intelligent Robotics FRI I Lecture 2: Introduction to AI Instructor: Justin

CS 309: Autonomous Intelligent Robotics FRI I Lecture 2: Introduction to AI Instructor: Justin

CS 309: Autonomous Intelligent Robotics FRI I Lecture 2: Introduction to AI Instructor: Justin Hart http://justinhart.net/teaching/2019_spring_cs309/ Today What is Artificial Intelligence? Part 1 What is (Artificial) Intelligence?

281 views • 25 slides
Hardware Observability Framework Hardware Observability Framework Hardware Observability

Hardware Observability Framework Hardware Observability Framework Hardware Observability

Hardware Observability Framework Hardware Observability Framework Hardware Observability Framework Hardware Observability Framework Hardware Observability Framework Hardware Observability Framework Hardware Observability Framework Hardware

743 views • 22 slides
1 3 In Intro: God often uses His creatures to teach us lessons: Isa. 1:3; Psa. 32:9; Job

1 3 In Intro: God often uses His creatures to teach us lessons: Isa. 1:3; Psa. 32:9; Job

1 3 In Intro: God often uses His creatures to teach us lessons: Isa. 1:3; Psa. 32:9; Job 12:7 Solomon uses little foxes : Song of Solomon 2:15 little foxes can spoil our spiritual fruit: ref: John. 15:1-8; Gal.

593 views • 31 slides
Paraphrase generation: adversarial examples / data augmentation CS 685, Fall 2020 Advanced

Paraphrase generation: adversarial examples / data augmentation CS 685, Fall 2020 Advanced

Paraphrase generation: adversarial examples / data augmentation CS 685, Fall 2020 Advanced Natural Language Processing Mohit Iyyer College of Information and Computer Sciences University of Massachusetts Amherst stuff from last time HW1

692 views • 53 slides
Mining Topics in Documents Standing on the Shoulders of Big Data Zhiyuan (Brett) Chen and Bing

Mining Topics in Documents Standing on the Shoulders of Big Data Zhiyuan (Brett) Chen and Bing

Mining Topics in Documents Standing on the Shoulders of Big Data Zhiyuan (Brett) Chen and Bing Liu Topic Models Widely used in many applications Most of them are unsupervised However, topic models Require a large amount of docs Generate

689 views • 43 slides

More recommend