Well-kept secrets – The importance of blocking and masking measures for data leakage prevention
Nowadays organizations are increasingly data driven. Thanks to advances in technology, companies can track and analyze customer behavior, collect a multitude of parameters, and store the information in order to offer a more personal experience. On the positive side, end-users get a customized service adapted to their preferences – the bank offers the customer tailored financial tracks; the HMO shows lab result comparisons based on medical history; the social media site delivers content based on location, keywords, and browsing patterns.
While the benefits are undeniable, the explosion in the storage and use of customer data also brings liability to the organizations housing it. What information, for example, are they collecting and how do they collect it? How are they using this information? Do they share it? How do organizations secure the information and ensure it is kept private?
By agreeing to let organizations collect and store their data, customers really mean, “I want to give you my data, but keep it safe; do not share it, because it’s mine. I won’t be happy if you share my secrets.” Disclosure of customer data brings customer dissatisfaction, lawsuits, financial loss and brand damage. To protect end-users, governments have enacted regulations such as HIPAA, Sarbanes-Oxley and the California Online Privacy Protection Act, and standards like PCI-DSS were designed to ensure the safe handling of cardholder information at every step.
To avoid data disclosure and keep information secure, organizations should place security controls at multiple levels. Data breaches caused by SQL injection – perhaps the most famous application attack – can seriously harm a company. An SQL injection attack exploits a web application vulnerability to execute code in the backend database in order to gain access to stored data such as account and credit card numbers or any other stored personally identifiable information (PII). An SQL injection attack was used to hack Sony’s PlayStation Network servers, resulting in the theft of millions of users’ passwords, email addresses, home addresses and dates of birth. The attackers also managed to take control of Sony admin details, as well as a huge amount of music code. If you add up the damage in terms of customer dissatisfaction, serious brand damage and litigation, experts say the attack may cost Sony $24 billion!
Perhaps the best means of identifying and blocking such attacks is a web application firewall (WAF), which provides solid security controls to prevent data leakage and privacy infringement scenarios.
But what happens if the WAF can’t block the attack and prevent the data leakage? This is a case in which we may want extra protection on sensitive data. Also, what if there is a requirement for selective display of sensitive data, such as masking the display of social security numbers for juveniles while allowing SSNs to be displayed for adults? And last, but not least, PCI-DSS requirement 3.3 asks that credit card data (the PAN, or primary account number) be masked whenever account numbers are displayed, a process that is complex and requires costly application modifications.
That’s why a web application firewall like Radware’s AppWall becomes so important. It accurately stops a multitude of attacks such as SQL injection, cross-site scripting and more, providing good security coverage for attacks on known and unknown vulnerabilities (zero-minute attacks). In addition, it can mask selected data such as credit card numbers or other sensitive PII. It offers the possibility to define masking policies on specific parameters for particular users or groups of users. This way, the organization can decide what data is visible to whom, masking data selectively and complying with PCI-DSS requirement 3.3.
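As an added illustration (not Radware’s AppWall code or configuration), the following Python sketch shows the two masking behaviours described above applied to an outgoing response body: PAN masking on every response in the spirit of PCI-DSS requirement 3.3, and an SSN mask applied only to a named user group. The Luhn check, the regular expressions, the group name "juvenile" and the sample response text are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common 3-2-4 dashed layout (assumed format for the example).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # not a card number (e.g. an order id); leave untouched
    # PCI-DSS 3.3 allows at most the first six and last four digits to be shown;
    # this policy shows only the last four.
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class MaskingPolicy:
    mask_pan: bool = True                              # applies to every user
    mask_ssn_for_groups: frozenset = frozenset({"juvenile"})  # selective masking


def mask_response(body: str, user_group: str, policy: MaskingPolicy) -> str:
    """Rewrite a response body according to the policy for the requesting user's group."""
    if policy.mask_pan:
        body = PAN_RE.sub(_mask_pan, body)
    if user_group in policy.mask_ssn_for_groups:
        body = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], body)
    return body


if __name__ == "__main__":
    # Constructed sample: one valid test PAN, one SSN, one Luhn-invalid 16-digit reference.
    sample = "card 4111 1111 1111 1111 ssn 123-45-6789 ref 4111111111111112"
    print(mask_response(sample, "juvenile", MaskingPolicy()))
    print(mask_response(sample, "adult", MaskingPolicy()))
```

The Luhn check keeps the filter from corrupting unrelated 16-digit values such as order numbers, which is the usual false-positive problem with PAN masking rules.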
Protecting your company’s applications and network against cyberattacks like SQL injection is daunting enough without the added concerns of preventing data leakage and privacy infringement. With all the extra information stored on company servers, a web application firewall becomes critical to keeping customers safe and meeting regulatory requirements, while still getting the full benefit of big data capabilities.