Prevent Sensitive Data Exposure with ASM
Attack surface management can help security teams spot vulnerable assets and reduce the risk of sensitive data exposure.
Organizations, from financial institutions to K-12 schools, collect and use sensitive data daily. When an organization breaks the trust clients or service users place in them to keep their data safe, the damage can be immense.
- The average cost of a data breach grew by 2.6% in 2022 to over $4.35M.
- After a 2017 data breach leaked customers’ sensitive data, Uber’s customer perception fell by 141%.
As a result of growing reputational damage, fines, and remediation costs, sensitive data exposure is a core cybersecurity risk for almost every organization.
Here’s how ASM Cyber Security can help mitigate it.
What Is Sensitive Data?
Sensitive data includes information its owners would rather keep private, i.e., it is data that should never become publicly accessible or shared with third parties without the data owner’s consent.
There are various regulatory definitions of what types of data can be classified as “sensitive” data.
In countries or states covered by data protection legislation, exposing sensitive data can lead to fines, reputation damage, compromised accounts, and other bad outcomes.
For example, the EU’s General Data Protection Regulation (GDPR) classifies sensitive data as information that refers to an individual’s:
- Race/ethnicity, religious/philosophical beliefs, opinions on politics.
- Trade-union membership.
- Genetic data.
- Biometric data processed for the sole reason to identify a human being.
- Health data.
- Sexual orientation or sex life.
Other regulatory frameworks—for example, Colorado Privacy Act (CPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA)—define sensitive data similarly and also include:
- Precise geolocation data (VCDPA, CPA, and CPRA);
- A consumer’s account log-in, debit card, credit card number, or financial account in combination with any required security or access code or credentials allowing access to an account (CPRA).
Industry-specific regulations such as Health Insurance Portability and Accountability Act (HIPAA) use even more categories.
For organizations covered by these and other regulations, allowing sensitive data to be exposed leads to a range of fines.
For example, due to HIPAA, US healthcare organizations can receive fines of up to $1.9 million per year (during which the violation occurs) for allowing sensitive patient health data to be exposed.
These varying regulations mean that classifying what is and is not sensitive data is a significant challenge for organizations.
For example, a picture of someone’s face may not be considered sensitive information. However, if a headshot is used for logging into an application via facial recognition, it will be regarded as sensitive data by some regulators, including the GDPR.
In general, sensitive data is data that creates risks for its owners if it is exposed.
These risks can be financial (having your account details stolen), personal (becoming subject to harassment by having your home address leaked), or social (being discriminated against based on your sexual identity or personal life). They can also be organizational (i.e., leaked corporate IP).
Organizations that collect and process sensitive data have an inherent, and often legal, duty to protect it from exposure.
Data breach versus sensitive data exposure
Data breaches can lead to data exposure, but data exposure can happen without a data breach.
Data breaches mean that a third party (i.e., a hacker) has accessed your systems and accessed data stored or processed somewhere in your environment.
Data exposure happens when a hacker posts data, often from a data breach, on the dark web or somewhere else online. However, data exposure can also occur by accident and without a cyberattack, i.e., when a misconfigured cloud bucket allows anyone with an internet connection to access sensitive data.
Since the rise of remote working, it is getting harder for IT teams to keep track of who has access to what data and where sensitive data is being stored. As a result, sensitive data can sometimes just disappear.
According to a 2022 report by Splunk, 44% of security teams say they’ve “lost” confidential data. This is almost double 2021’s figure.
With both data breaches and data exposure, sensitive data ends up being accessed by someone who shouldn’t be able to access it.
How Sensitive Data Is Exposed
“We have been made aware that sensitive data from our servers have been exposed during a recent cyber attack.”
Telling customers, clients, or regulators that their sensitive data has been exposed to unauthorized third parties is a mess no executive wants.
Sensitive data exposure events range from a TV broadcast showing a sticky note with someone’s password written on it to a misconfigured cloud database leaking millions of health records or company secrets.
Sensitive data exposure happens when an organization allows customer or employee data to be:
- Altered either by accident or intentionally by unauthorized individuals.
- Disclosed without authorization.
- Destroyed or made inaccessible, either temporarily or permanently.
Sensitive data exposure can happen through negligence (human error caused 21% of data breaches last year) but is most often the result of cyber threats, including:
Man-in-the-middle (MITM) attacks
Threat actors can use a technique such as IP spoofing or SSL hijacking to misdirect sensitive data while it is in transit (i.e., being sent from one place to another).
A MITM attack might also involve a threat actor intercepting traffic within an unsecured network, i.e., a public Wi-Fi network.
SQL injection attacks
Threats can exploit SQL vulnerabilities to access data from SQL databases. This can happen when an attacker inserts malicious queries into a web form.
Sensitive data is a frequent target for ransomware attackers. During ransomware attacks, sensitive data is often exfiltrated and used as leverage to get victims to pay up—a process known as double extortion.
Threat actors can use phishing and other social engineering attacks to convince an organization’s employees to directly transfer sensitive data to them or give them access to off-limits databases.
As per the Open Web Application Security Project’s annual round-up of top application security risks (top 10), sensitive data exposure is often the result of data either not being encrypted or an encryption method failing.
Cryptographic failures can make it easy for threat actors to access data by creating direct pathways between an attack vector (such as an API vulnerability) and sensitive data.
For example, an application might use automatic encryption to encrypt social security numbers in a database.
This keeps the data hidden at rest. However, when this data is retrieved, decryption also happens automatically. As a result, a threat actor using a SQL injection attack to retrieve data would receive it in a clear text format.
Using ASM to Prevent Sensitive Data Exposure
Attack surface management (ASM) can help security teams find and remove vulnerabilities that give threat actors access to sensitive data.
ASM is a continuous process of asset discovery and hardening. Through ASM, security teams can understand their attack surface better and find the pathways third parties could take to access their organization’s sensitive data.
For example, ASM is a powerful process for finding exposed cloud assets. This is critical because almost 90% of organizations host sensitive data in the cloud.
To get at this data, threat actors constantly search your external attack surface for vulnerabilities such as misconfigured cloud identity and access management (IAM) accounts—an extremely common vulnerability created by organizations migrating to the cloud. Cybercriminals often find their mark. In 2022, misconfigurations were the leading cause of cloud asset compromise.
Finding and fixing misconfigurations, especially those that might have emerged during recent cloud migrations, is an urgent task for almost every security team. However, fixing cloud security gaps is anything but a straightforward process.
Asset registers rarely account for all the cloud assets connected to your environment. This means that before security teams can fix vulnerable assets, they often have to find them too.
Using Randori Recon to Protect Sensitive Data
Randori Recon is an easy-to-use ASM tool for finding exposed internet-facing assets and prioritizing remediation.
With only an email address, Randori can give you an attacker’s eye view of your attack surface and show you what assets might put your sensitive data at risk.
Get a demo of your attack surface today with Randori Recon.