Basically, the internet is a network of connected computers transmitting data to one another. So if you’re building an application for the world wide web, you’ll be transmitting vast amounts of data, and depending on the nature of that application, some of it may be sensitive.
This leads to a key question: how do I keep this data safe and avoid exposing it to every other computer on this worldwide network?
That’s where secure transmissions come into the mix.
What is a secure transmission? Simply, it’s a data transmission sent over a secure channel. But why is it essential to secure transmissions that carry sensitive data? Firstly, consumers are becoming more interested in, and concerned about, how their personal data is handled, and are willing to leave companies that mishandle it. Secondly, many newer regulations such as the GDPR and the CCPA require users’ personal data to be handled carefully, and mishandling it can result in hefty fines. For a more in-depth look into the importance of protecting sensitive data, read our article about it here.
Secure transmission is the first step to protecting private information, and where it is not implemented it can be one of the most easily exploited weaknesses of a web application. There are multiple instances of insecure communication resulting in negative outcomes for companies.
LinkedIn
In 2021, one of LinkedIn’s APIs was abused by a threat actor, allowing them to scrape the data of between 500 and 700 million users. Data scraping is a technique where a computer program extracts data from the output generated by another computer, typically into files or spreadsheets. So, in this case, the threat actor scraped the data this API was generating, which happened to be the email addresses, full names, phone numbers, physical addresses, geo-location records, and personal and professional background records of a majority of their user base.
First American Financial Corp.
Due to a lack of authentication, First American Financial Corp leaked over 885 million sensitive documents in 2019. If you knew where to look on their website, you were able to view these documents, which included bank account numbers, bank statements, social security numbers, and driver’s license photos. Although collecting the data could have been a long and slow process, bots that purposely made fewer requests allowed data collection that was both vast and hard to detect.
River City Media
Finally, in 2017, the spam email operator River City Media leaked 1.37 billion records because a backup of its system was accidentally published with no password or user authentication. These records included email addresses, real names, IP addresses, and even physical addresses. Most of these records had also been obtained by gathering data from websites affiliated with River City Media, meaning a large portion of the people affected were unaware their records were involved in the leak.
Again, if you would like to learn more about the consequences of these data leaks, read our article about PII.
So how do you secure this data? A quick Google search on secure transmissions will mostly turn up encryption, which is a great starting point but not the only way to secure transmissions. Authentication is another huge part of it.
For encryption, all transmissions should be carried over HTTPS, the secure version of the Hypertext Transfer Protocol. HTTPS uses TLS (Transport Layer Security), a protocol that authenticates and encrypts a link between networked computers; the current version is TLS 1.3, released in 2018. To set this up you will need an SSL/TLS certificate. This is a digital document issued for a cryptographic key pair consisting of a public key and a private key: the public key is included in the certificate, while the private key is kept secure on the server and never shared. To protect the private key, it should be held in a keystore rather than left loose on disk.
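The following is an added example, not code from the original post: it builds the typical "it works" TLS client configuration beside a hardened one, audits each for the properties a secure client transport needs (certificate verification, hostname checking, a TLS 1.3 floor), shows a server context that loads the certificate and the private key from separate files, and runs a minimal keystore-style check that a private-key file is not readable by other users. Only the Python standard library is used; the key files it creates are constructed placeholders, and the `server_context` function is illustrative only since no real certificate is available here.

```python
import os
import ssl
import stat
import tempfile

# Added example (not from the original post): weak vs hardened TLS client
# contexts, an audit of their properties, and a private-key file check.


def weak_context() -> ssl.SSLContext:
    """Typical shortcut configuration: verification switched off so any
    certificate is accepted, and the protocol floor left at the library
    default, which is below TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # no certificate chain validation at all
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verifies the server certificate against the system trust store, checks
    the hostname, and refuses anything older than TLS 1.3."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Reports the three properties a secure client transport needs."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_tls13": ctx.minimum_version >= ssl.TLSVersion.TLSv1_3,
    }


def is_secure(ctx: ssl.SSLContext) -> bool:
    return all(audit_context(ctx).values())


def server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server side (illustrative, needs real files): the certificate holds the
    public key and is sent to clients; the private key stays in its own
    protected file and never leaves the server."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def private_key_permissions_ok(path: str) -> bool:
    """Minimal keystore check: the private key must be a regular file with no
    group or world permission bits (mode 0600 or stricter)."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo_key_permission_check() -> tuple:
    """Creates two constructed placeholder key files and returns
    (strict_file_ok, loose_file_ok)."""
    with tempfile.TemporaryDirectory() as d:
        strict = os.path.join(d, "server.key")
        loose = os.path.join(d, "server-shared.key")
        for p in (strict, loose):
            with open(p, "w") as f:
                f.write("PLACEHOLDER PRIVATE KEY, NOT REAL\n")  # constructed
        os.chmod(strict, 0o600)
        os.chmod(loose, 0o644)
        return private_key_permissions_ok(strict), private_key_permissions_ok(loose)


if __name__ == "__main__":
    print("weak client    :", audit_context(weak_context()))
    print("hardened client:", audit_context(hardened_context()))
    print("key permissions (strict, loose):", demo_key_permission_check())
```

The audit is the piece worth reusing: run it against every `SSLContext` your application constructs (for example in a unit test) so that a `verify_mode = CERT_NONE` shortcut added during debugging cannot reach production unnoticed.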
However, how do you authenticate transmissions that access resources from another web app on behalf of the user? This is where OAuth, or Open Authorization, comes into the mix: an industry standard for delegated access that remediates this issue. OpenID Connect, which extends OAuth with ID tokens, is used alongside it to add further security by authenticating the user.
Although this seems like a mountain to climb, Darkspark can lend a hand in prioritising any remediations that are required by pinpointing the exact position of insecure transmissions. Features within Darkspark that can accelerate this process include the Environment Comparison and the Action Centre. Environment Comparison will be able to find these issues before they hit production and the Action Centre will help you to prioritise remediations and categorise these issues. If you have any questions about Darkspark, feel free to contact us.