Even in this post-GDPR era, the news is full of data security breaches. Worryingly, many of these breaches are occurring at major companies.
For example, Facebook faces a formal investigation and a potential fine of up to £1.2 billion over a breach that affected nearly 50 million user accounts. The breach was discovered in September and gave attackers the ability to take over accounts. It is the biggest in Facebook’s history, and it happened despite the seemingly robust measures the social media giant has in place.
The ICO has fined Heathrow Airport for “serious” data protection failings relating to a lost USB stick containing personal data without encryption or password protection. Steve Eckersley, ICO director of investigations, told the BBC: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.”
Those are just two recent examples, but they illustrate how difficult it is for companies to protect their systems. Even with robust processes and technology in place, the sheer scale of the task (and the creativity of attackers) can make it feel like an uphill battle.
Common vulnerabilities with simple remedies
Some breaches, like the Heathrow example, are due to a lack of encryption and password protection. Others exploit weaknesses in servers: the WannaCry attack that crippled the NHS spread by exploiting an unpatched Windows file-sharing (SMB) flaw, not through email. Others still begin with an innocent-looking email link.
This checklist is a practical starting point for resolving common vulnerabilities.
1. SQL injection:
- Risk: Form or URL parameters are manipulated so that attacker-supplied text becomes part of a database query, giving access to (or control over) the database.
- Remedy: Use parameterised queries (prepared statements) so that user data is never concatenated into SQL text, and validate parameters against the type and format you expect. Escaping special characters is a fallback, not a substitute.
2. Clickjacking:
- Risk: Your site is loaded invisibly inside a frame on an attacker’s page, so a user who thinks they are clicking on the attacker’s page is actually clicking on yours and performing an action they did not intend.
- Remedies: Set the Content Security Policy (CSP) frame-ancestors directive (not supported by older browsers such as Internet Explorer); send the X-Frame-Options HTTP response header, which tells the browser whether the page may be rendered in a frame or an iframe; use a frame-breaker script for legacy browsers that support neither.
3. Cross-site scripting (XSS):
- Risk: User-supplied data is written into a page without encoding, so an attacker’s HTML or JavaScript runs in other users’ browsers.
- Remedy: Encode (escape) user data for the context in which it is displayed on the page (HTML body, attribute, URL or script), and validate it on input.
4. Error messages:
- Risk: Too much information is supplied in error messages, giving attackers insight (stack traces, query text, file paths) that helps them compromise the system.
- Remedy: Write the detailed information to server-side logs and show the user only a generic message, ideally with a reference number that support staff can match to the log entry.
5. Client and server validation:
- Risk: Validation done only in the browser can be bypassed by sending requests directly to the server, as a way of gaining unauthorised access or submitting malformed data.
- Remedy: Treat browser-side validation as a convenience for the user; always repeat the validation on the server.
6. Weak passwords:
- Risk: Guessable passwords make it easy to log into the system.
- Remedy: Enforce a strong password policy (a sensible minimum length and rejection of common or previously breached passwords) and store passwords as salted hashes produced by a deliberately slow algorithm such as bcrypt, scrypt or Argon2, never as plaintext or reversible encryption.
7. File uploads:
- Risk: Uploaded files can contain malicious scripts which can exploit server vulnerabilities.
- Remedies: Don’t rely on file extensions to determine file type; check the file content against an allow-list of permitted types; store uploads outside the web root under a server-generated name so they can never be executed; always scan all files for viruses.
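The following is an added example for items 1 and 5, not code from the original article or from Engage Hub. It shows the same user lookup written twice against an in-memory SQLite table with constructed sample rows: once by formatting the parameter into the SQL text, once with a placeholder, and it adds the server-side validation that must run regardless of what the browser checked. The table, rows, username rule and payload are all assumptions made for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """String formatting puts the raw parameter inside the SQL text."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, username):
    """A placeholder sends the value separately from the query, so the value
    can never change the structure of the statement."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)


# Assumed username rule: lowercase letters, digits and underscore, 3 to 32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def validate_username(username):
    """Server-side validation that runs whatever the browser did."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def lookup(conn, username):
    """Validate first, then query with a parameterised statement."""
    if not validate_username(username):
        return None  # rejected before the database is touched
    return find_user_safe(conn, username)


# Classic injection payload: closes the quoted string and adds a true condition.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))  # every row leaks
    print("safe:      ", find_user_safe(db, PAYLOAD))        # nothing matches
    print("validated: ", lookup(db, PAYLOAD))                # rejected outright
```

With the payload, the formatted query becomes `SELECT username FROM users WHERE username = '' OR '1'='1'` and returns every row; the parameterised version looks for a user literally named `' OR '1'='1` and finds nothing. Validation on its own is not the fix (a legitimate-looking value can still carry SQL in other contexts), which is why `lookup` does both.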
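Items 2 and 4 are both response-handling concerns, so the added example below (written for this page, not taken from the original article or Engage Hub’s platform) covers them in one WSGI wrapper: it adds the `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` headers to every response, and when the wrapped application throws, it writes the full traceback to the server log with a reference number and returns only a generic message to the browser. The demo application, its `/boom` route and the `call` helper are assumptions made for the demonstration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Sent on every response; X-Frame-Options covers browsers without CSP support.
ANTI_FRAMING_HEADERS = [
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
]


def harden(app):
    """Wrap a WSGI app: add anti-framing headers and hide error detail."""

    def wrapped(environ, start_response):
        captured = {}

        def capturing_start(status, headers, exc_info=None):
            captured["status"] = status
            captured["headers"] = list(headers) + ANTI_FRAMING_HEADERS

        try:
            # Join eagerly so any exception surfaces inside this try block.
            body = b"".join(app(environ, capturing_start))
            start_response(captured["status"], captured["headers"])
            return [body]
        except Exception:
            ref = uuid.uuid4().hex[:12]
            # Detail (stack trace, query text) goes to the log only.
            log.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
            start_response(
                "500 Internal Server Error",
                [("Content-Type", "text/plain")] + ANTI_FRAMING_HEADERS,
            )
            # The user sees a generic message plus the reference number.
            return [("Something went wrong. Reference: %s" % ref).encode()]

    return wrapped


def demo_app(environ, start_response):
    """Assumed sample application: one good route and one that fails."""
    if environ.get("PATH_INFO") == "/boom":
        # Constructed failure whose text must never reach the browser.
        raise RuntimeError("SELECT * FROM users failed: database is locked")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, path):
    """Invoke a WSGI app offline; returns (status, headers dict, body bytes)."""
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"] = status
        out["headers"] = dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return out["status"], out["headers"], body


if __name__ == "__main__":
    app = harden(demo_app)
    print(call(app, "/"))
    print(call(app, "/boom"))
```

`frame-ancestors 'none'` blocks framing entirely; if a trusted partner site must embed a page, list its origin instead (for example `frame-ancestors 'self' https://partner.example`) and use `X-Frame-Options: SAMEORIGIN` as the fallback, since the older header cannot express an arbitrary allow-list.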
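For item 3, here is an added example (not from the original article) of context-aware output encoding: the same untrusted values are encoded differently depending on whether they land in HTML text, an attribute, a URL attribute or an inline script block. The comment template and the `render_comment` / `embed_json` function names are assumptions made for the demonstration.

```python
import html
import json


def render_comment(author, text, profile_url):
    """Build a comment fragment; every untrusted value is encoded for its slot."""
    # HTML text context: < > & are encoded so tags cannot be opened.
    safe_text = html.escape(text)
    # Attribute context: html.escape(quote=True) (the default) also encodes
    # double and single quotes, so the value cannot break out of the attribute.
    safe_author = html.escape(author, quote=True)
    # URL attribute context: encoding alone does not stop "javascript:" URLs,
    # so only http(s) schemes are allowed through.
    if not profile_url.lower().startswith(("http://", "https://")):
        profile_url = "#"
    safe_url = html.escape(profile_url, quote=True)
    return '<p><a href="%s" title="%s">%s</a>: %s</p>' % (
        safe_url,
        safe_author,
        safe_author,
        safe_text,
    )


def embed_json(data):
    """Place server data inside an inline <script> block safely.

    JSON is valid JavaScript, but a string containing "</script>" would end
    the block early; escaping "<" as \\u003c keeps the JSON valid and inert."""
    payload = json.dumps(data).replace("<", "\\u003c")
    return "<script>var comments = %s;</script>" % payload


# Constructed attack inputs for the demonstration.
ATTACK_AUTHOR = '"><script>alert(1)</script>'
ATTACK_TEXT = "<img src=x onerror=alert(1)>"
ATTACK_URL = "javascript:alert(1)"

if __name__ == "__main__":
    print(render_comment(ATTACK_AUTHOR, ATTACK_TEXT, ATTACK_URL))
    print(embed_json([{"text": "</script><script>alert(1)</script>"}]))
```

In practice a templating engine with auto-escaping does the HTML-body and attribute encoding for you; the URL scheme check and the inline-script case are the two places auto-escaping is most often missing.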
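For item 6, the added example below (written for this page, not code from the original article) implements a minimal password policy and stores passwords as salted, iterated hashes using PBKDF2-HMAC-SHA256 from the standard library, verified with a constant-time comparison. The iteration count, the storage format and the tiny breached-password list are assumptions; in a real system use a library implementation of Argon2 or bcrypt where available and a full breached-password list.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed; raise it as hardware allows
# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}


def check_policy(password):
    """Return the reasons a password is rejected (empty list means accepted)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a list of common or breached passwords")
    return problems


def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iterations; compare safely."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(check_policy("password"))
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("wrong password", stored))
```

Storing the iteration count with the hash lets you raise it later and transparently re-hash old records when users next log in. Because the salt is random, hashing the same password twice gives different strings, which is why an attacker cannot spot shared passwords by comparing stored values.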
For more information and a detailed list of vulnerabilities refer to OWASP.
Ensure your technology has the right protection
The difficulty even major organisations have with data protection highlights the importance of having the right infrastructure in place.
At Engage Hub, we pass a wide range of certifications and compliance tests, and our dedicated data protection team maintains security checks and monitors logs on an ongoing basis. Our platform manages all data orchestration for you, so your legacy systems can continue to feed data into the business without the need for additional coding (dramatically reducing risk and cost).
But it’s important for companies to address the small vulnerabilities that can open the door to major problems. Simple things like not clicking links in unexpected emails, or using longer, unique passwords, go a long way. And when everyone takes responsibility for data security, the business overall is in a stronger position.