Cyber criminals reach sensitive data through unauthorized access. Learn how to use security standards to set up preventative measures.
The traditional data center has gone through many fundamental changes over the years. There once was the concept of a self-contained data center and internal network that was protected at the external-facing boundaries by network and web application firewalls. In this scenario, within the physical building, corporate-owned endpoints were trusted so they could easily access data via the internal network.
With corporate data and applications moving to the cloud, the bring-your-own-devices (BYOD) paradigm, and growing adoption of remote work, the traditional security perimeter has disappeared. Organizations must now face the challenge of defining new security policies to mitigate the risks associated with a perimeter-less network: sensitive data leakage, and data privacy and regulatory compliance breaches.
With the increasing use of BYOD smartphones and tablets/laptops, and the rapidly growing number of employees working from home, all devices and users must be authenticated and validated before they can access corporate SaaS apps and internal data. There are many security tools that can perform multifactor authentication (including biometrics) or correlate multiple devices with the specific identity of a single user to ensure authorized access and keep out cyber attackers. Other security tools (e.g., SIEMs/UEBAs and CASBs for cloud apps) can use factors such as device location (or IP address), time of day, and volume and types of file downloads to flag anomalous behavior that could lead to data leakage. Critical applications can also be isolated or shielded from unauthorized access.
Web applications can serve as a conduit for hackers to gain access to sensitive data. The OWASP Top 10 outlines the 10 most critical security risk categories for web applications. For example, in a SQL injection attack, hackers try to get access to sensitive data in a database without proper authorization by executing unintended commands through a web input form. Another danger to web applications is sensitive-data exposure. According to the Open Web Application Security Project (OWASP), “Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.” Similarly, the OWASP Mobile Top 10 outlines the top risk categories for mobile applications.
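As an added illustration (not code from the original article), the contrast below shows a customer lookup that splices a web form field straight into the SQL text beside one that binds it as a parameter; the table and its rows are constructed in memory with Python's sqlite3 module. A perfectly ordinary name containing an apostrophe is enough to show that the first version hands user input to the database as SQL syntax rather than as data.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Alice", "1111"), ("O'Brien", "2222")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable pattern: the form value becomes part of the statement text,
    # so any quote or operator in it changes what the database executes.
    sql = "SELECT name, card_last4 FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Hardened pattern: a bound parameter is always treated as a literal value,
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Both versions behave identically on benign input, which is why the
    # defect goes unnoticed until a scanner or an unusual input exposes it.
    print(lookup_unsafe(db, "Alice"), lookup_safe(db, "Alice"))
    print(lookup_safe(db, "O'Brien"))  # correct row
    try:
        lookup_unsafe(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("unsafe lookup parsed the input as SQL:", exc)
```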
The CWE Top 25 is a community-developed list spearheaded by MITRE. This list catalogs the most dangerous software and hardware weaknesses that are often easy to find and exploit, and that can allow cyber attackers to completely take over a system, steal data, or prevent an application from working. The CWE team created the 2020 list by leveraging the Common Vulnerabilities and Exposures (CVE) data in the National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE. The top 10 weaknesses include both quality issues (e.g., out-of-bounds memory buffer operations, use after free, out-of-bounds read or write) and security issues (e.g., cross-site scripting, improper input validation, SQL injection, cross-site request forgery, and exposure of sensitive information to an unauthorized actor).
The Consortium for Information & Software Quality (CISQ) has coordinated a new OMB standard, the Automated Source Code Data Protection Measure. According to CISQ, the measure is “based on a collection of relevant CWEs that can be used to support enterprise and supply chain needs in protecting data, confidential information, intellectual property, and privacy. These CWEs are currently available for use. This new standard is highly relevant to GDPR, CCPA, and Cybersecurity Maturity Model Certification (CMMC) for controlled unclassified information protection.”
The standard seeks to spotlight CWEs that can enable data leakage—those that have CWSS technical impacts that allow unauthorized access to read/modify data. CISQ notes that “Scanning code that will run or is running in enterprises (on systems and devices that process or transmit data) would determine if the systems or devices enable data leakage. If so, then such a scan would reveal if the data protection/privacy controls associated with the process assessment were inadequately implemented.”
Static application security testing (SAST) tools, along with other AppSec tools (e.g., interactive application security testing (IAST), software composition analysis (SCA), and dynamic application security testing (DAST)), can help development teams automate the identification and remediation of security vulnerabilities and weaknesses in the top categories listed by standards such as the OWASP Top 10 and CWE Top 25.