Data Security – How Not To Become The Next Headline

By Jeremy Staines 15 November 2018

Even in this post-GDPR era, the news is full of data security breaches. Worryingly, many of these breaches are occurring at major companies.

For example, Facebook faces a formal investigation and a potential fine of up to £1.2 billion over a breach that affected nearly 50 million user accounts. The breach was discovered in September and gave attackers the ability to take over accounts. It is the biggest in Facebook’s history, and it happened despite the seemingly robust measures the social media giant has in place.

The ICO has fined Heathrow Airport for “serious” data protection failings relating to a lost USB stick containing personal data without encryption or password protection. Steve Eckersley, ICO director of investigations, told the BBC: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.”

Those are just two recent examples, but they illustrate how difficult it is for companies to protect their systems. Even with robust processes and technology in place, the sheer scale of the task (and the creativity of attackers) can make it feel like an uphill battle.

Common vulnerabilities with simple remedies

Some breaches – like the Heathrow example – are down to a lack of encryption and password protection. Others exploit unpatched server weaknesses: the WannaCry attack that crippled the NHS spread on its own by exploiting a Windows file-sharing (SMB) flaw on machines that had not applied Microsoft’s MS17-010 patch, with no need for anyone to click anything. Still others start with an innocent-looking email link.

This checklist is a practical starting point for resolving common vulnerabilities.

1. SQL injection:

  • Risk: Form or URL parameters are manipulated so that attacker-supplied text is interpreted as part of a SQL statement, giving access to (or control over) the database.
  • Remedy: Use parameterised queries (prepared statements) so that user input is passed as data and never concatenated into SQL text; validate parameters against the expected type and format; treat escaping of special characters as a last resort for the rare cases where a placeholder cannot be used (table or column names, for instance, which should come from an allow-list).

2. Clickjacking:

  • Risk: A website user is tricked into clicking something on a page they cannot see, typically your site loaded in an invisible frame over a decoy page, so that the click performs an action on your site in their session.
  • Remedies: Set the Content Security Policy (CSP) frame-ancestors directive, which current browsers support (Internet Explorer does not); also send the X-Frame-Options HTTP response header (DENY or SAMEORIGIN), which tells older browsers whether the page may be rendered in a frame or iframe; use a frame-breaker script only as a last line of defence for legacy browsers that honour neither header, as such scripts can themselves be bypassed.
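As an added example (not code from the original post or from Engage Hub), the helper below builds the two headers together from one allow-list, so they cannot drift apart. The allow-list format and the origin `https://partner.example` are assumptions for the demonstration. Because X-Frame-Options has no allow-list form that browsers honour (ALLOW-FROM was never widely supported), the helper fails closed for legacy browsers: SAMEORIGIN if the page may frame itself, otherwise DENY. Browsers that implement CSP Level 2 give frame-ancestors precedence when both headers are present, so partners on the list still work there.

```python
"""Clickjacking defence headers from a single allow-list (added example)."""
import re

# Accepts 'self' or an origin such as https://partner.example or https://*.partner.example
ORIGIN_RE = re.compile(r"^https?://(\*\.)?[A-Za-z0-9.\-]+(:\d+)?$")


def frame_protection_headers(allowed_ancestors) -> dict:
    """Return the CSP and X-Frame-Options headers for a page.

    allowed_ancestors: iterable of "'self'" and/or origins permitted to frame the page.
    An empty list means nobody may frame it.
    """
    ancestors = list(allowed_ancestors)
    for source in ancestors:
        if source != "'self'" and not ORIGIN_RE.match(source):
            raise ValueError(f"not a valid frame-ancestors source: {source!r}")

    if not ancestors:
        csp = "frame-ancestors 'none'"
        xfo = "DENY"
    else:
        csp = "frame-ancestors " + " ".join(ancestors)
        # Legacy fallback: X-Frame-Options cannot express an allow-list, so only
        # same-origin framing (if allowed) survives in browsers without CSP support.
        xfo = "SAMEORIGIN" if "'self'" in ancestors else "DENY"
    return {"Content-Security-Policy": csp, "X-Frame-Options": xfo}


# Frame-breaker for browsers that honour neither header, following the pattern in the
# OWASP Clickjacking Defense Cheat Sheet: the body stays hidden unless the page is top-level.
FRAME_BREAKER_HTML = """<style id="antiClickjack">body{display:none !important;}</style>
<script>
if (self === top) {
  var antiClickjack = document.getElementById("antiClickjack");
  antiClickjack.parentNode.removeChild(antiClickjack);
} else {
  top.location = self.location;
}
</script>"""


if __name__ == "__main__":
    for policy in ([], ["'self'"], ["'self'", "https://partner.example"]):
        print(policy, "->", frame_protection_headers(policy))
```

Add the headers to every HTML response, not just the sensitive ones: a clickjacking attack can use any page on which a logged-in user can take an action.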

3. Cross-site scripting (XSS):

  • Risk: Attacker-supplied JavaScript is executed in the victim’s browser, allowing the attacker to modify the page, capture what the user types, or read cookie data (including session tokens) that could be used to access the system as that user.
  • Remedy: Escape user data for the context in which it is rendered (HTML body, attribute, JavaScript, URL) rather than with one generic routine; validate it on the way in; mark session cookies HttpOnly so script cannot read them; and use a Content Security Policy as a second layer.
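The following is an added example, not code from the original post or from Engage Hub. It renders the same constructed payloads into three different HTML contexts using only the Python standard library, showing that body text, attribute values and data handed to JavaScript each need their own treatment, and includes the cookie attributes that keep a session token out of `document.cookie`. The page fragments and cookie name are assumptions for the demonstration.

```python
"""Context-aware output escaping against XSS (added example)."""
import html
import json

XSS_PAYLOAD = "<script>alert(document.cookie)</script>"  # constructed test input
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'  # constructed: breaks out of an attribute


def render_greeting_unsafe(name: str) -> str:
    # VULNERABLE: raw user data interpolated into HTML; the payload runs as-is.
    return f"<p>Hello, {name}</p>"


def render_greeting(name: str) -> str:
    # HTML body context: html.escape turns < > & " ' into entities.
    return f"<p>Hello, {html.escape(name)}</p>"


def render_search_box(prefill: str) -> str:
    # Attribute context: quotes must be escaped (quote=True, the default) AND the
    # attribute must be quoted in the template, or a space would end the value.
    return f'<input type="text" name="q" value="{html.escape(prefill, quote=True)}">'


def render_page_data(obj) -> str:
    # Data for JavaScript: JSON-encode, then neutralise "</" so that a string value
    # cannot contain "</script>" and close the element early.
    payload = json.dumps(obj).replace("</", "<\\/")
    return f"<script>var pageData = {payload};</script>"


def session_cookie_header(token: str) -> str:
    # HttpOnly means script cannot read the cookie even if an XSS bug slips through;
    # Secure and SameSite limit where it is sent.
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(render_greeting_unsafe(XSS_PAYLOAD))
    print(render_greeting(XSS_PAYLOAD))
    print(render_search_box(ATTR_PAYLOAD))
    print(render_page_data({"name": XSS_PAYLOAD}))
    print("Set-Cookie:", session_cookie_header("constructed-token"))
```

In a real application the escaping belongs in the template engine (Jinja2 autoescape, for example) so that it cannot be forgotten; the point of the hand-rolled functions is to show what each context requires.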

4. Error messages:

  • Risk: Too much information is supplied in error messages (stack traces, SQL errors, internal hostnames or file paths, library versions), giving attackers insight that helps them compromise the system.
  • Remedy: Record the full detail in server-side logs, return a generic message to the user, and include a reference number in both so support staff can match the two.

5. Client and server validation:

  • Risk: Validation performed only in the browser is trivially bypassed: an attacker can disable JavaScript or submit the request directly with a proxy or script, sending values the form would never allow.
  • Remedy: Always validate user input on the server, treating browser-side validation purely as a convenience for honest users; the server-side rules must be at least as strict as the client-side ones.
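Items 4 and 5 fit naturally in one handler, so the following added example (not code from the original post or from Engage Hub) covers both: a constructed transfer form whose browser-side `min`/`max` and email checks are re-applied on the server, with validation failures and unexpected exceptions logged in full but reported to the client only as a generic message plus a reference number. The form fields, limits and the `process` callback standing in for downstream work are all assumptions for the demonstration.

```python
"""Server-side validation plus safe error reporting (added example)."""
import logging
import re
import uuid
from decimal import Decimal, InvalidOperation

log = logging.getLogger("payments")  # full detail goes here, never to the client

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MIN_AMOUNT, MAX_AMOUNT = Decimal("0.01"), Decimal("10000.00")  # assumed business limits


class ValidationError(ValueError):
    pass


def validate_transfer(form: dict) -> dict:
    """Re-check every rule the browser enforces; never trust that it ran."""
    email = str(form.get("email", "")).strip()
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValidationError(f"email rejected: {email!r}")
    try:
        amount = Decimal(str(form.get("amount", "")).strip())
    except InvalidOperation:
        raise ValidationError(f"amount not numeric: {form.get('amount')!r}")
    # Decimal('NaN') parses fine but blows up on comparison, so reject it explicitly.
    if not amount.is_finite() or not MIN_AMOUNT <= amount <= MAX_AMOUNT:
        raise ValidationError(f"amount out of range: {amount}")
    return {"email": email, "amount": amount}


def handle_transfer(form: dict, process=lambda clean: None) -> tuple:
    """Return (http_status, response_body). `process` stands in for the real work."""
    ref = uuid.uuid4().hex[:12]  # correlation id: support can find the log line from it
    try:
        clean = validate_transfer(form)
        process(clean)
        return 200, {"status": "ok", "ref": ref}
    except ValidationError as exc:
        # Log the offending value; tell the client only that the request was invalid.
        log.warning("ref=%s rejected input: %s", ref, exc)
        return 400, {"status": "error", "message": "The request could not be processed.", "ref": ref}
    except Exception:
        # log.exception records the traceback; the client sees neither it nor the cause.
        log.exception("ref=%s unexpected failure; input=%r", ref, form)
        return 500, {
            "status": "error",
            "message": f"An internal error occurred. Quote reference {ref} when contacting support.",
            "ref": ref,
        }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(handle_transfer({"email": "a@b.example", "amount": "25.00"}))
    print(handle_transfer({"email": "a@b.example", "amount": "-5"}))  # bypassed min="0.01"
```

Framework-level handlers (a Flask `errorhandler`, a Django custom 500 page) should do the same for exceptions that escape individual views, and debug mode must be off in production, since debug error pages are exactly the leak item 4 warns about.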

6. Weak passwords:

  • Risk: Guessable or reused passwords make it easy to log into the system, whether by guessing, by automated brute force, or by replaying credentials leaked from another site.
  • Remedy: Enforce a minimum length and reject common or previously breached passwords (complexity rules on their own add little); rate-limit failed logins; and store passwords as salted hashes produced by a deliberately slow algorithm (bcrypt, scrypt, Argon2 or PBKDF2), never encrypted or in plain text, so that a stolen database cannot simply be decrypted.
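The following is an added example, not code from the original post or from Engage Hub, using only the Python standard library: a policy check, salted PBKDF2-HMAC-SHA256 hashing with a self-describing storage format, constant-time verification, and a sliding-window throttle on failed logins. The common-password set is a constructed stand-in for a real breached-password list, and the iteration count follows the current OWASP Password Storage guidance; the clock is passed in explicitly so the throttle can be tested without waiting.

```python
"""Password policy, salted slow hashing and login throttling (added example)."""
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Constructed stand-in for a breached/common-password list (use a real one in production).
COMMON_PASSWORDS = {"password", "password1234", "123456789012", "qwertyuiop12", "welcome12345"}
PBKDF2_ITERATIONS = 600_000  # OWASP recommendation for PBKDF2-HMAC-SHA256


def check_password_policy(password: str, username: str = "") -> tuple:
    """Length and known-bad checks; returns (ok, reason)."""
    if len(password) < 12:
        return False, "must be at least 12 characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "appears in a list of common passwords"
    if username and username.lower() in password.lower():
        return False, "must not contain the username"
    return True, "ok"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Fresh random salt per password; the stored string records its own parameters."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class LoginThrottle:
    """Cap failed attempts per account inside a sliding window (`now` in seconds)."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300):
        self.max_failures, self.window = max_failures, window_seconds
        self.failures = defaultdict(deque)

    def allow(self, username: str, now: float) -> bool:
        q = self.failures[username]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q) < self.max_failures

    def record_failure(self, username: str, now: float) -> None:
        self.failures[username].append(now)


if __name__ == "__main__":
    print(check_password_policy("correct horse battery", "bob"))
    record = hash_password("correct horse battery")
    print(record)
    print(verify_password(record, "correct horse battery"), verify_password(record, "wrong"))
```

Because the iteration count is stored with each hash, it can be raised later and old records re-hashed at the user's next successful login.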

7. File uploads:

  • Risk: Uploaded files can contain malicious scripts or crafted content which, if the server executes or parses them, can compromise it, or which attack other users who later download them.
  • Remedies: Don’t rely on file extensions to determine file type – inspect the content; enforce a size limit; store uploads outside the web root under a server-generated name so they can never be executed or reached by path; serve them with a fixed Content-Type; and scan all files for malware.
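The following is an added example, not code from the original post or from Engage Hub. It identifies a few image and PDF formats by their leading bytes, rejects files whose extension disagrees with their content, and never uses the client's filename for storage. The accepted formats, the size limit, the upload directory `/var/app/uploads` (assumed to sit outside the web root) and the sample PNG and PHP bytes are all constructed for the demonstration.

```python
"""Content-based file type checking for uploads (added example)."""
import os
import secrets

# Leading bytes ("magic numbers") of the formats this example accepts.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}
EXTENSIONS_FOR = {"png": {"png"}, "jpeg": {"jpg", "jpeg"}, "gif": {"gif"}, "pdf": {"pdf"}}
CANONICAL_EXT = {"png": "png", "jpeg": "jpg", "gif": "gif", "pdf": "pdf"}
MAX_BYTES = 5 * 1024 * 1024
UPLOAD_DIR = "/var/app/uploads"  # assumption: outside the web root, served via a download handler


def sniff_type(data: bytes):
    """Identify content by its first bytes; None for anything unrecognised."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def accept_upload(client_filename: str, data: bytes) -> tuple:
    """Return (True, stored_path) or (False, reason)."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    kind = sniff_type(data)
    if kind is None:
        return False, "content is not an accepted file type"
    # The client's name is consulted only to catch mismatches like shell.php.png
    # holding real PNG data with a misleading name; it is never used for storage.
    base = os.path.basename(client_filename)
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in EXTENSIONS_FOR[kind]:
        return False, f"extension .{ext} does not match detected {kind} content"
    # Random server-chosen name and canonical extension: traversal sequences, double
    # extensions and unusual characters in the original name cannot reach the path.
    stored = f"{secrets.token_hex(16)}.{CANONICAL_EXT[kind]}"
    return True, os.path.join(UPLOAD_DIR, stored)


# Constructed sample inputs
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_SAMPLE = b"<?php system($_GET['cmd']); ?>"


if __name__ == "__main__":
    print(accept_upload("shell.php", PHP_SAMPLE))
    print(accept_upload("photo.png", PHP_SAMPLE))
    print(accept_upload("photo.jpg", PNG_SAMPLE))
    print(accept_upload("../../etc/photo.png", PNG_SAMPLE))
```

A magic-number check is a filter, not a guarantee: a file can start with a valid GIF header and still carry a PHP or JavaScript payload further in. That is why the stored file must live where the web server will never execute it, be served with a fixed Content-Type matching the detected kind, and still go through the malware scan the checklist calls for.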

For more information and a detailed list of vulnerabilities refer to OWASP.

Ensure your technology has the right protection

The difficulty even major organisations have with data protection highlights the importance of having the right infrastructure in place.

At Engage Hub, we pass a wide range of certifications and compliance tests, and our dedicated data protection team maintains security checks and monitors logs on an ongoing basis. Our platform manages all data orchestration for you, so your legacy systems can continue to feed data into the business without the need for additional coding (dramatically reducing risk and cost).

We also comply with our customers’ specific security requirements. For example, we help financial clients like KBC Bank Ireland and MBNA meet the industry’s rigorous standards.

But it’s important for companies to address the small vulnerabilities that can open the door to major problems. Simple things like not clicking links in unexpected emails or using longer, unique passwords go a long way. And when everyone takes responsibility for data security, the business overall is in a stronger position.

Learn more about how we can help you manage and orchestrate your data to improve security – and the customer experience.

Head of IT

As a Senior Developer, Jeremy has worked for Engage Hub for over 18 years. In his role, Jeremy is responsible for developing and maintaining Engage Hub’s core platform. Part of his work involves maintaining platform security features as well as looking after the implementation of various application phases. Jeremy is passionate about creating software that simplifies the life of its users and actively seeks to incorporate this philosophy into Engage Hub’s platform.