How to Prevent Data Leaks Through Security Testing  

In a digitally driven world of enormous and growing data warehouses, the importance of data security is growing at an unprecedented rate.

From organizations adopting the latest technological advancements, such as machine learning and artificial intelligence, to improving the customer experience with AI, data plays a crucial role in many aspects of business models.

With customer interactions taking place every day, we have a lot of data at our disposal. That data needs to be managed and analyzed on a regular basis. It also needs to be secured and handled in a manner that prevents security breaches.

Facebook, one of the biggest social media platforms, failed to properly store the passwords of more than 600 million users. These passwords were stored in plain text, which left them exposed in the event of a data breach.

They were readily accessible to about 2,000 employees, which greatly increased the risk of data leaks. Facebook admitted in their recent press release that not only did this impact users negatively on Facebook, but it also had a significant effect on millions of Instagram users.

To the organization, it was a data breach, but to the millions of users, it was a breach of their privacy. This data security vulnerability exposed the company’s insecure application security testing methodology.  

Another example of a data security breach is the one that cost Boeing more than $2 billion when their internal security systems were attacked. The company is facing the ramifications of the breach even today.

Learning from Facebook’s tale, it’s clear that having a secure application is extremely important if you want to build trust and credibility with your users. 

There are no shortcuts for application security testing, and you should take preventive measures to avoid unforeseen security attacks. As an organization, you should consider spending reasonable resources to maintain a robust strategy for application security testing.

Some Interesting Statistics About Data Leaks

  • About 57% of companies have 1,000 folders with inconsistent permissions.
  • Only 3% of company folders are protected.
  • 22% of data leaks that occurred in 2017 had to do with stolen credentials.
  • About 27% of security breaches happen due to human error.

Reasons for Data Leaks

If your server is full of confidential client data, you have to make sure that the data is locked up safe and secure. Even cautious companies have loose ends that compromise data security.

Some of the most common causes for data leaks are:

  • Weak passwords are considered one of the biggest reasons for data leaks. According to the 2019 Verizon Data Breach report, 48% of data leaks are due to stolen passwords.
  • Employee carelessness is also amongst the most common reasons for data leaks. According to a survey by Egress, most IT leaders (about 60%) believe that employee carelessness was one of the leading causes of data leaks. Employee carelessness can be as simple as leaving a workstation unlocked while taking a break, or as severe as failing to implement proper security measures in the software they build.
  • Attackers exploiting vulnerabilities in a system (especially SQL injection vulnerabilities) are also one of the most common causes of data leaks. It is important to incorporate scanning tools that regularly check applications for such vulnerabilities and help identify possible security threats or errors early.
  • Malicious attacks can put your company and its confidential data at risk. These kinds of attacks are either the result of an employee trying to leak confidential data, or of a malicious attacker hacking their way into the company's software. Attackers often hold large amounts of data for ransom, which puts the affected organizations in a difficult position.
  • Phishing is one of the most common ways attackers obtain information. Phishing schemes routinely allow attackers to compromise user accounts or inject malware, and with that, they can easily access your data.
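As an added example (not code from the article), here is the SQL injection bullet above in runnable form: a customer lookup built by string concatenation beside its parameterized equivalent, run against a constructed in-memory SQLite table. The table contents and the function names `lookup_vulnerable` and `lookup_safe` are assumptions; the point is that one crafted input makes the concatenated query hand back every customer row (the data leak), while the parameterized query matches nothing.

```python
import sqlite3

# Constructed sample data standing in for the "confidential client data"
# the article describes.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    # The user-supplied value is spliced into the SQL text, so quote
    # characters in it change the meaning of the query itself.
    sql = ("SELECT username, email FROM customers WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterized query: the value travels separately from the SQL text
    # and can only ever be compared literally against the username column.
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo(username):
    """Return (rows from the vulnerable lookup, rows from the safe lookup)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_safe(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # The second value is the textbook tautology that every scanner flags.
    for value in ["alice", "' OR '1'='1"]:
        vuln, safe = demo(value)
        print(repr(value), "-> vulnerable:", len(vuln), "rows, safe:", len(safe), "rows")
```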

Security Testing

The ultimate goal of security testing is to identify various threats to the system and measure the potential risks. 

There are three major types of security testing. Each can be embedded in your organization's current security program to take it up a notch and tighten security.

The three types of security testing are:

  1. Vulnerability Scanning: Automated tools scan systems for known vulnerabilities, which increases the chances of identifying possible security threats at an early stage.
  2. Penetration Testing: Simulates an attack by a real adversary, which gives you an overview of where your security controls fall short and how you can strengthen them. Penetration testing can be used to develop stronger security systems that are more reliable and less prone to cyber-attacks.
  3. Vulnerability / Risk Assessment: Automated and manual methods are used to identify vulnerabilities, and the corresponding risks are rated. Vulnerability / risk assessments do a great job of identifying errors or weak security controls, in pilot projects and production applications alike.

Takeaway

There are many causes of security breaches and errors, any of which can put a company's data and its users' data at risk.

From creating strong passwords that are harder for attackers to guess, to building robust security systems with enhanced features, organizations can take preventive measures against data leaks.

One of the best ways to ensure a proper security system is to incorporate early detection systems that identify errors or possible security threats. As technology advances rapidly, companies are not only acknowledging the power of those advances but also embedding stronger security systems.


Author Bio: Aaron Cure is the Principal Security Consultant at Cypress Data Defense and an instructor and contributing author for the Dev544 Secure Coding in .NET course. 

After 10 years in the U.S. Army, I decided to switch my focus to developing security tools and performing secure code reviews, penetration testing, static source code analysis, and security research.