Data Security – How Not To Become The Next Headline.

Author: Jeremy Staines
Senior Developer

Even in this post-GDPR era, the news is full of data security breaches. Worryingly, many of these breaches are occurring at major companies.

For example, Facebook is facing a formal investigation and a potential fine of up to £1.2 billion over a breach that affected nearly 50 million user accounts. The breach was discovered in September and gave attackers the ability to take over accounts. It is the biggest in Facebook’s history, and it happened despite the seemingly robust measures the social media giant has in place.

The ICO has fined Heathrow Airport for “serious” data protection failings relating to a lost USB stick containing personal data without encryption or password protection. Steve Eckersley, ICO director of investigations, told the BBC: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.”

Those are just two recent examples, but they illustrate how difficult it is for companies to protect their systems. Even with robust processes and technology in place, the sheer scale of the task (and the creativity of attackers) can make it feel like an uphill battle.

Common vulnerabilities with simple remedies

Some breaches, like the Heathrow example, are due to a lack of encryption and password protection. Others involve exploiting server weaknesses (the WannaCry ransomware that crippled parts of the NHS spread by exploiting an unpatched flaw in Windows file sharing, not by email) or innocent-looking email links and attachments.

This checklist is a practical starting point for resolving common vulnerabilities.

Vulnerability: SQL injection
Risk: Form or URL parameters are manipulated so that the input is interpreted as part of a SQL statement, giving access to (or control over) the database.
Remedies: Use parameterised queries (prepared statements) so that user input is bound as data and never concatenated into SQL text. Validate parameters against an allow-list of expected values or formats. Escaping special characters by hand is a fallback, not a substitute.

Vulnerability: Click-jacking
Risk: The site is loaded inside an invisible frame on an attacker’s page, and a user is tricked into clicking on something that performs a malicious action in their authenticated session.
Remedies: Set the Content Security Policy (CSP) frame-ancestors directive; all current major browsers honour it, but older Internet Explorer versions ignore it. Also send the X-Frame-Options HTTP response header (DENY or SAMEORIGIN), which tells the browser whether the page may be rendered in a frame or iframe. Use a frame-breaker script only for legacy browsers where neither header is honoured.

Vulnerability: Cross-site scripting (XSS)
Risk: Attacker-supplied JavaScript is executed in the victim’s browser, allowing the attacker to modify the page, read cookie data or perform actions as the logged-in user.
Remedies: Encode user-supplied data for the context in which it is displayed (HTML body, attribute, JavaScript, URL) and validate input on the way in. Mark session cookies HttpOnly so script cannot read them, and use a Content Security Policy to limit which scripts may run.

Vulnerability: Error messages
Risk: Too much information is supplied in error messages (stack traces, SQL fragments, internal host names), giving attackers insight that helps them compromise the system.
Remedies: Write the detailed information to server-side logs and limit the message displayed in the UI to a generic one.

Vulnerability: Client and server validation
Risk: Validation performed only in the browser can be bypassed by submitting the request directly (for example with a command-line tool or an intercepting proxy) to gain unauthorised access or submit bad data.
Remedies: Always validate user input on the server. Browser-side JavaScript validation is appropriate for a better user experience, never as a security control.

Vulnerability: Weak passwords
Risk: Guessable passwords make it easy to log into the system, by hand or with automated guessing.
Remedies: Enforce a strong password policy (a sensible minimum length and rejection of common or previously breached passwords), rate-limit login attempts and offer multi-factor authentication. Store passwords as salted hashes using a slow algorithm designed for the purpose (bcrypt, scrypt or Argon2), never reversibly encrypted or in plain text.

Vulnerability: File uploads
Risk: Uploaded files can contain malicious scripts or malware which may be executed on the server or served to other users.
Remedies: Don’t rely on the file extension to determine the file type; inspect the content and allow only expected types. Limit the size, store files under a server-generated name outside the web root with no execute permission, and always scan all files for viruses.

 
For more information and a detailed list of vulnerabilities refer to OWASP.
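The click-jacking, cross-site scripting and error message rows, shown together as one added example (not code from the original article or from Engage Hub). It is a minimal WSGI application using only the Python standard library: every response carries X-Frame-Options and a CSP frame-ancestors directive, the user-supplied name is HTML-encoded before it is placed in the page, and an unhandled exception is written to the server log in full while the browser gets a generic message. The route names, the greeting page and the simulated database error are assumptions for the demonstration.

```python
import html
import logging
from urllib.parse import parse_qs

logger = logging.getLogger("app")

# Sent on every response. DENY/frame-ancestors 'none' stop the page being framed
# at all; use SAMEORIGIN / 'self' if the site legitimately frames itself.
SECURITY_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
]


def render_greeting(name: str) -> str:
    """HTML-body context: html.escape turns < > & " ' into entities, so a payload
    such as <script>alert(1)</script> is displayed as text, not executed."""
    return "<h1>Hello, %s</h1>" % html.escape(name, quote=True)


def application(environ, start_response):
    """WSGI entry point."""
    try:
        params = parse_qs(environ.get("QUERY_STRING", ""))
        name = params.get("name", ["guest"])[0]
        if environ.get("PATH_INFO") == "/boom":
            # Simulated internal failure whose message must not reach the user.
            raise RuntimeError("database host db01.internal refused connection")
        body = render_greeting(name)
        start_response("200 OK", SECURITY_HEADERS)
    except Exception:
        # Full detail, including the stack trace, goes to the server log only.
        logger.error("unhandled error serving %s", environ.get("PATH_INFO"), exc_info=True)
        body = "<h1>Something went wrong</h1><p>Please try again later.</p>"
        start_response("500 Internal Server Error", SECURITY_HEADERS)
    return [body.encode("utf-8")]


def call(path: str, query: str = "") -> tuple:
    """In-process test client: returns (status, headers as dict, body as str)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(application(environ, start_response))
    return captured["status"], dict(captured["headers"]), body.decode("utf-8")


if __name__ == "__main__":
    print(call("/", "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"))
    print(call("/boom"))
```

To serve it for real, hand `application` to any WSGI server (the standard library’s wsgiref.simple_server will do for local testing). The escaping shown is for the HTML body; a value placed inside a JavaScript block, an attribute or a URL needs the encoding for that context instead.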

Ensure your technology has the right protection

The difficulty even major organisations have with data protection highlights the importance of having the right infrastructure in place.

At Engage Hub, we pass a wide range of certifications and compliance tests, and our dedicated data protection team maintains security checks and monitors logs on an ongoing basis. Our platform manages all data orchestration for you, so your legacy systems can continue to feed data into the business without the need for additional coding (dramatically reducing risk and cost).

We also comply with our customers’ specific security requirements. For example, we help our financial clients like KBC Bank Ireland and MBNA meet the industry’s rigorous requirements.

But it’s important for companies to address the small vulnerabilities that can open the door to major problems. Simple things like not opening links or attachments in unexpected emails, or using longer and less guessable passwords, go a long way. And when everyone takes responsibility for data security, the business overall is in a stronger position.

Learn more about how we can help you manage and orchestrate your data to improve security – and the customer experience.

About the author: Jeremy Staines

As a Senior Developer, Jeremy has worked for Engage Hub for over 18 years. In his role, Jeremy is responsible for developing and maintaining Engage Hub’s core platform. Part of his work involves maintaining platform security features as well as looking after the implementation of various application phases. Jeremy is passionate about creating software that simplifies the life of its users and actively seeks to incorporate this philosophy into Engage Hub’s platform.