Sensitive Data Exposure is #3 in OWASP's top ten web application security risks. We've already examined database exposure through lack of access controls – which still usually means passwords. Here we look at managing the dynamic between passwords and users.
The 2017 Verizon Data Breach Investigations Report (DBIR) said that 81% of hacking-related data breaches involved stolen passwords. The more recent 2018 DBIR separates stolen credentials into different categories, diluting the overall number. Nevertheless, on web application attacks, it comments
“The number of breaches in this pattern are reduced due to the filtering of botnet-related attacks on web applications using credentials stolen from customer-owned devices. Use of stolen credentials is still the top variety of hacking in breaches involving web applications, followed by SQLi.”
Key to securing sensitive data is limiting access to authorized users only. Despite repeated proof that passwords are not enough, and predictions of their demise, they remain the primary method of access control.
It follows that less data will be exposed if better password hygiene is observed.
Better password design comes from understanding the concept of user experience friction (UXF, or as it is more commonly known, friction). Friction can be viewed as the degree of hassle felt by the user – greater friction leads to less content users who will go elsewhere or try to bypass the restrictions (by, for example, using the same easily-remembered password on multiple accounts).
From a design perspective, the perfect app has a friction factor of zero. The inescapable truth, however, is that security always increases friction; and the greater the security, the greater the friction.
The design conundrum for better password hygiene is to increase security without increasing friction.
App developers can improve the quality of passwords by simply disallowing the use of weak passwords with their apps. The password registration process should require a minimum length of 16 characters comprising a mix of upper/lowercase characters, numbers and special characters.
This will inevitably improve security, but at the cost of a higher friction factor. Where the developer is instructed to keep friction as low as possible, password quality can still be improved by rejecting the top fifty (or more if possible) most common passwords. There’s a list of the .
This can be supported by limiting the number of login failures to, say, three or five before locking the account for an hour or so. Since hackers often use scripts to cycle through the most popular passwords, these two elements will stop many low-level automated brute force attacks against passwords.
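The two controls just described, a registration-time policy (minimum length, character mix, common-password denylist) and a failed-login lockout, fit naturally together in a small module. The following is an added example, not code from the original post or from High-Tech Bridge; the denylist entries, the five-failure threshold and the one-hour lock are constructed values chosen to match the ranges given above, and the injectable clock exists only so the lockout can be exercised without waiting.

```python
"""Password registration policy plus failed-login lockout (illustrative, not the post's code)."""
import re
import time
from collections import defaultdict
from typing import Dict, List

# Constructed excerpt of a common-password denylist. A real deployment would load a
# published top-N list; these twelve entries are only placeholders for the idea.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "letmein",
    "football", "iloveyou", "admin", "welcome", "monkey", "login",
}

MIN_LENGTH = 16  # minimum length required by the policy described above


def check_password(candidate: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    # Compare case-insensitively so that "PASSWORD" is rejected as well as "password".
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


class LoginLimiter:
    """Lock an account after MAX_FAILURES consecutive failures for LOCK_SECONDS."""

    MAX_FAILURES = 5       # constructed: the post suggests three or five
    LOCK_SECONDS = 3600    # constructed: "an hour or so"

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for testing
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        """True while the account's lock is in force; expired locks are cleared lazily."""
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:
            del self._locked_until[username]
            self._failures[username] = 0
            return False
        return True

    def record_failure(self, username: str) -> bool:
        """Record one failed attempt; return True if the account is (now) locked."""
        if self.is_locked(username):
            return True
        self._failures[username] += 1
        if self._failures[username] >= self.MAX_FAILURES:
            self._locked_until[username] = self._clock() + self.LOCK_SECONDS
            return True
        return False

    def record_success(self, username: str) -> None:
        """Reset the counter after a successful login (callers check is_locked first)."""
        self._failures[username] = 0
        self._locked_until.pop(username, None)


if __name__ == "__main__":
    print(check_password("Passw0rd!"))            # several violations
    print(check_password("Tr0ub4dor&3xAmple!!"))  # []
    limiter = LoginLimiter()
    for _ in range(5):
        limiter.record_failure("alice")
    print(limiter.is_locked("alice"))             # True
```

The login handler should call `is_locked` before even checking the submitted password, so that a locked account costs the attacker nothing but also leaks nothing about whether the password was right.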
Many users simply do not understand the danger in using and re-using weak easily-remembered passwords. A conspicuous password advice page written in simple English would help. It could explain why weak passwords are dangerous (attackers using dictionaries and rainbow tables); and why re-using passwords should be avoided (attackers can spend time on stolen databases from other sites, crack the passwords, and then sell them to other hackers).
The passphrase versus password option could be explained. Passphrases are relatively hard to crack, but eminently easy for the user to remember. It’s an option favored by the UK government: it increases security over simple word passwords while reducing the friction of long, complex passwords.
The page could also give advice, with examples, on the use of password managers to generate strong, unique passwords and keep them safe.
Multi-factor authentication requires the use of additional identifying factors. If a password is the first factor (it’s something you know), a second factor could be something you have (say, a physical or virtual token), or something you are (a biometric factor, such as a fingerprint, voice or facial image).
Imposing multi-factor authentication is usually considered to be a basic requirement today – but it is not as simple as it may seem. Firstly, it usually dramatically increases user friction. It is difficult to impose MFA on customers that you wish to welcome to your website – with high user friction, they will simply go somewhere else.
Secondly, some experts consider biometrics to be ultimately less secure. If biometric templates are stolen, users cannot change what they are in the same way that they can change a stolen password.
Thirdly, almost all biometric MFA systems have been broken or spoofed over time.
And finally, the most common form of MFA – a virtual token sent to a phone – can no longer be considered secure at all. Reddit was breached in June 2018 after attackers intercepted a second factor being sent to a mobile phone. At the time, F-Secure’s Sean Sullivan commented, “At this point, the use of SMS-based MFA for administrators should be considered negligent.”
Behavioral biometrics is a technology improving rapidly with advances in machine learning and artificial intelligence. For the moment it should be used to support passwords; but there may come a time when it gets close to replacing them.
At its simplest level, a behavioral biometric could be geolocation. If a user always logs in from Kansas, and then suddenly logs in from China with a different browser, then you can question whether it is the correct user.
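The Kansas-to-China check above amounts to comparing a login attempt against the user's own history and asking for a second check when the attempt does not fit. Below is an added example of that comparison, not code from the original post; the login history, the region and browser labels, the signal weights and the step-up threshold are all constructed for illustration, and a real application would derive the region from the client IP and the browser family from the User-Agent header.

```python
"""Simple geolocation/browser login-risk check (illustrative, not the post's code)."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Login:
    user: str
    region: str   # coarse geolocation of the client IP, e.g. "US-KS" (constructed label)
    browser: str  # browser family parsed from the User-Agent (constructed label)


# Constructed login history; an application would read this from its own audit log.
HISTORY = [
    Login("alice", "US-KS", "Firefox"),
    Login("alice", "US-KS", "Firefox"),
    Login("alice", "US-KS", "Firefox"),
    Login("alice", "US-MO", "Firefox"),
    Login("bob", "DE-BE", "Chrome"),
]

# A new region is a stronger signal than a new browser (constructed weights).
SIGNAL_WEIGHTS = {"region": 2, "browser": 1}
STEP_UP_THRESHOLD = 2


def assess_login(attempt: Login, history: List[Login] = HISTORY) -> Tuple[int, List[str]]:
    """Score how unlike the user's past logins this attempt is and say why."""
    past = [h for h in history if h.user == attempt.user]
    if not past:
        # Nothing to compare against: treat as unknown rather than as safe.
        return STEP_UP_THRESHOLD, ["no login history for this user"]
    regions = Counter(h.region for h in past)
    browsers = Counter(h.browser for h in past)
    score, reasons = 0, []
    if regions[attempt.region] == 0:
        score += SIGNAL_WEIGHTS["region"]
        reasons.append(f"region {attempt.region} never seen for {attempt.user}")
    if browsers[attempt.browser] == 0:
        score += SIGNAL_WEIGHTS["browser"]
        reasons.append(f"browser {attempt.browser} never seen for {attempt.user}")
    return score, reasons


def should_step_up(attempt: Login, history: List[Login] = HISTORY) -> bool:
    """True when the attempt should be challenged with an additional check."""
    score, _ = assess_login(attempt, history)
    return score >= STEP_UP_THRESHOLD


if __name__ == "__main__":
    usual = Login("alice", "US-KS", "Firefox")
    odd = Login("alice", "CN-BJ", "Chrome")
    print(assess_login(usual))   # (0, [])
    print(assess_login(odd))     # (3, [...two reasons...])
    print(should_step_up(odd))   # True
```

The weights encode the post's point that the geographic jump is the decisive signal: a new browser alone (an upgraded laptop) does not trigger a challenge, a new region does, and the two together make the strongest case. Because the result is a question for the user rather than a rejection, a false positive costs a little friction instead of a lockout.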
For in-house applications where the machine learning has continuous access to staff users, behavioral biometrics are already able to recognize users by their typing patterns, their mouse movements, their linguistic patterns and many more characteristics.
The great advantage of behavioral biometrics is that it creates a zero-friction factor – and is something to watch for the future.
Two other key principles should be observed. The first is least privilege. No user password should allow that user any more privilege than is needed for that user’s function. For example, websites that allow users to post articles or comments should make sure that those users can do nothing more to the site.
If administrator rights are temporarily required, they must be removed when the need has passed. It is difficult to do this and adequately manage all privileged accounts manually (except, perhaps, for the very smallest companies).
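Both of the preceding points, that a user's role should grant only the permissions the role needs and that temporary administrator rights must lapse on their own, can be enforced in code by tying every elevated grant to an expiry and recomputing effective roles at each permission check. The following is an added example, not code from the original post; the role names, permission strings, and the fifteen-minute grant are constructed, and the injectable clock exists only so the expiry can be exercised in a test.

```python
"""Least privilege with time-boxed elevation (illustrative, not the post's code)."""
import time
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed role-to-permission map for a site that lets users post articles and comments.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "commenter": {"comment:create"},
    "author": {"post:create", "post:edit_own", "comment:create"},
    "admin": {"post:delete_any", "user:manage", "site:configure"},
}


@dataclass
class Account:
    name: str
    roles: Set[str] = field(default_factory=set)          # standing roles
    elevations: Dict[str, float] = field(default_factory=dict)  # role -> expiry timestamp


def grant_temporary(acct: Account, role: str, seconds: float, clock=time.time) -> float:
    """Grant `role` until now + seconds; the grant removes itself when that time passes."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    expiry = clock() + seconds
    acct.elevations[role] = expiry
    return expiry


def effective_roles(acct: Account, clock=time.time) -> Set[str]:
    """Standing roles plus any elevation that has not yet expired; expired ones are dropped."""
    now = clock()
    for role, until in list(acct.elevations.items()):
        if now >= until:
            del acct.elevations[role]
    return set(acct.roles) | set(acct.elevations)


def is_allowed(acct: Account, permission: str, clock=time.time) -> bool:
    """Deny by default: allowed only if some effective role carries the permission."""
    return any(
        permission in ROLE_PERMISSIONS.get(role, set())
        for role in effective_roles(acct, clock)
    )


if __name__ == "__main__":
    alice = Account("alice", roles={"author"})
    print(is_allowed(alice, "post:create"))   # True
    print(is_allowed(alice, "user:manage"))   # False
    grant_temporary(alice, "admin", 900)      # fifteen minutes (constructed)
    print(is_allowed(alice, "user:manage"))   # True
```

The point of recomputing `effective_roles` on every check, rather than caching a session-wide "is admin" flag, is that the revocation the post calls for happens without anyone having to remember to do it; the grant expiring is the default outcome, and extending it is the action that has to be taken deliberately.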
A survey of 500 global IT security professionals published by Thycotic in March 2018 found 62% of organizations fail at processes for privileged access; 70% fail to fully discover privileged accounts (while 40% do nothing at all to discover these accounts); and 55% fail to revoke access after an employee is terminated.
The implication is that to ensure least privilege is applied, organizations need to consider adopting privileged access management (PAM) technology.
There are two aspects to testing your company’s password culture: password strength and user behavior. The first can be done through a penetration tester, and the second through simulated phishing and spear-phishing campaigns whose results are measured.
Pentesters can be employed to test any part of your security. In this instance the instruction would be to test the strength and resilience of your passwords. But it is important to learn from and act on the results. If a pentester can defeat your passwords – even just one of them – so can a hacker.
It doesn’t matter how strong your password policy may be in theory, it is worth nothing if your users can be tricked by phishing emails into handing over their passwords to criminals. New AI-based phishing filters are beginning to filter out phishing emails but are not perfect. Phishing is a human problem that cannot yet be solved by technology alone.
One of the best approaches, but again not adequate on its own, is to teach staff how to recognize a phish. The best way to do this is to perform surprise simulated phish attacks against your own staff. By monitoring and measuring the results you will be able to see who is likely to be most at risk. This whole process, however, must be done with a high degree of sensitivity – and it may be best to contract the process to a specialist phishing training firm.
The most important point to understand is that there is no silver bullet that will guarantee only authorized users can access sensitive data. The purpose of security is not to make a breach impossible (that itself is impossible) but to make attacking you less attractive than attacking someone else. The purpose of security is to increase the pain experienced by the attacker.
Nothing discussed in this blog can prevent a breach. However, multiple technologies used together to provide security in depth will keep you safer than many of your competitors – and that is a useful position to occupy.
“These days, data breaches have become a sad daily routine,” says Ilia Kolochenko, High-Tech Bridge founder and CEO. “...The more breaches occur, the more successful further attacks become as cybercriminals accumulate a huge amount of data about us. To minimize the domino effect of unavoidable breaches, users shall use strong and unique passwords, and provide as little sensitive, or confidential, information about themselves as reasonable in all their online accounts. While companies should better tackle application security, giving particular attention to continuous monitoring and advanced application security testing, not just automated vulnerability scanning.”
In a future blog, we’ll discuss the problem of protecting sensitive data from the attacker who has already got through your password defenses and is on the inside of your infrastructure.