OWASP Privacy Risks: Operator-sided Data Leakage

The Open Web Application Security Project (OWASP) published a Top 10 list of web application privacy risks in 2015; the source referenced throughout this post is the project's presentation slides for that list. Each risk on it points to a way that software security testing can pay off for a company that prepares for it. In this post, we take a closer look at the second item on the list: operator-sided data leakage.


Operator-sided data leakage may sound complicated, but it simply refers to user data being exposed to parties who should not have it because of something the organization operating the application did or failed to do, rather than because of an outside attack on the application itself. OWASP describes it as a failure to prevent the leakage of user data, whether through a deliberate breach or an unintentional mistake such as weak access controls, insecure storage, unnecessary duplication of data or a lack of awareness. It is a wide-ranging category: it covers personal information that has been exposed to other users of a system as well as a lost laptop or phone holding customer records.

The data exposed in this sort of event ranges from Social Security and credit card numbers to trade secrets, legal documents and anything else the company holds in confidence.

Within any company there are likely to be not only multiple types of data at risk but multiple ways that each might be exposed. The danger is compounded when the company keeps unnecessary copies of sensitive items: every extra copy is another place the data can leak from and another place that has to be protected.

Risk level and impact

According to the OWASP presentation, operator-sided data leakage is one of the highest privacy risks for applications, second only to web application vulnerabilities. Its impact was rated "very high", and the presentation lists several ways data can leak, among them employees who are unaware of the risks and access management that is too loose.

Furthermore, it is not enough simply to try to anonymize user information. Anonymization is easy to do badly: removing names while leaving other attributes untouched (a postal code, a year of birth, a gender) can still leave an attacker a way to single out individuals, so a dataset that looks de-identified may be nothing of the kind.
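To make that concrete, here is an added example (it is not from the OWASP presentation or the original post) that measures k-anonymity, the smallest number of records sharing the same combination of indirect identifiers, on a constructed sample of patient-style records. Names have been stripped, but ZIP code, birth year and sex were left alone; the record set, the choice of those columns as quasi-identifiers and the generalization rules are all assumptions for illustration.

```python
"""Checking whether "anonymized" records can still single out a person.

Added example, not code from the OWASP presentation or the original post.
The records, the choice of quasi-identifiers and the generalization rules
are constructed assumptions for illustration.  The measure is k-anonymity:
k is the size of the smallest group of records that share the same
quasi-identifier values, so k == 1 means at least one person can be
picked out from those columns alone.
"""
from collections import Counter
from typing import Iterable, Sequence

# Constructed sample: names and account numbers were stripped, but the
# remaining columns were left untouched.
RECORDS = [
    {"zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1984, "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1984, "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1984, "sex": "M", "diagnosis": "migraine"},
    {"zip": "02140", "birth_year": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02141", "birth_year": 1972, "sex": "M", "diagnosis": "back pain"},
]

# Columns that are not identifiers on their own but combine into one
# (assumed choice for this sample).
QUASI_IDS = ("zip", "birth_year", "sex")


def equivalence_classes(records: Iterable[dict], quasi_ids: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records: Iterable[dict], quasi_ids: Sequence[str]) -> int:
    """Return the k of the dataset: the size of its smallest equivalence class."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_records(records: Iterable[dict], quasi_ids: Sequence[str]) -> list:
    """Return the quasi-identifier combinations that match exactly one record."""
    classes = equivalence_classes(records, quasi_ids)
    return sorted(key for key, n in classes.items() if n == 1)


def generalize(record: dict) -> dict:
    """Coarsen the quasi-identifiers so that more records look alike.

    Assumed rules: keep the first three ZIP digits, bucket the birth year
    into a decade, and drop sex entirely.
    """
    return {
        "zip": record["zip"][:3] + "**",
        "birth_decade": record["birth_year"] // 10 * 10,
        "diagnosis": record["diagnosis"],
    }


GENERALIZED_QUASI_IDS = ("zip", "birth_decade")


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(RECORDS, QUASI_IDS))
    print("uniquely identifiable:", unique_records(RECORDS, QUASI_IDS))
    coarse = [generalize(r) for r in RECORDS]
    print("k after generalization:", k_anonymity(coarse, GENERALIZED_QUASI_IDS))
```

On this sample the stripped dataset has k = 1: two people are fully determined by ZIP, birth year and sex, so anyone who knows those three facts about them (a neighbour, a public voter roll) also learns their diagnosis. After the coarsening rules every combination covers at least two records. Larger k and a check on the sensitive column itself (all records in a class sharing one diagnosis still leak it) are the next steps a real review would take.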

Another issue is the way attackers identify the most vulnerable "points of entry" among the workforce, as this Credit Union Times article points out. Simple routes into company systems, such as phishing emails, prey on the unaware. Whatever measures a company takes against attackers have to be suitably wide-reaching and reduce the number of possible weak points.

Ways to respond

With this in mind, here are five tactics for handling operator-sided data leakage in your organization. Because the problem is so widespread, the answer is a combination of strategies, not just one:

  • Traditional malware protection: That same Credit Union Times article notes that data breaches are expected to keep increasing in the coming year, with ransomware attacks in particular poised to spike. Don't neglect the basics as part of your data leakage remedy.
  • Strict access controls: Tight checks on who can read, copy and export data guard against unwanted access, including by insiders who have no business need for it. The OWASP presentation lists restrictive access management as part of a successful countermeasure plan.
  • Encryption: For many data protection concerns, encryption is an obvious but effective control. As mentioned above, the problem arises when businesses don't spread their efforts widely enough, leaving parts of the enterprise still exposed. A "State of Encryption Today" survey from Sophos found that employees' financial and HR information was often overlooked and left unencrypted. Employee data needs to be handled as carefully as customer data.
  • Education: With proper training, users stop perpetuating bad practices. Attacks like spear phishing depend on an employee taking the bait, so creating a culture in which users know how to recognize and report threats is crucial. Companies can also raise awareness through targeted internal campaigns.
  • Filtering sensitive data leaving the organization: Businesses owe it to themselves to take sensitive information seriously, and that includes inspecting what goes out. Network safeguards such as a firewall or a data loss prevention filter can check outbound email and web traffic for things like card and Social Security numbers, and they must cover every device in use, mobile as well as desktop.
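Here is an added example of the last tactic, filtering sensitive data on its way out; it is not code from the original post or from PSC. It scans a constructed outbound message for the two data types named earlier in the post, Social Security numbers and payment card numbers, validates card candidates with the Luhn check so that random digit runs are not flagged, and masks what it finds. The message text, the regular expressions and the masking rule are assumptions.

```python
"""Outbound content filter for two of the data types named in the post:
Social Security numbers and payment card numbers.

Added example, not code from the original post or from PSC.  The message
below is constructed; the card numbers are standard test values and the
SSN is made up, so nothing here corresponds to a real account or person.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# SSN candidate: 3-2-4 digits with an optional "-" or " " between groups.
# Area 000, 666 and 900-999, group 00 and serial 0000 are never issued, so
# they are rejected to keep ordinary nine-digit numbers from tripping the filter.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")

# PAN candidate: 13 to 19 digits, optionally separated by single spaces or
# dashes.  Every match is then checked with the Luhn formula, which every
# real card number satisfies and most random digit runs do not.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str                  # "ssn" or "pan"
    value: str                 # the text exactly as it appeared in the message
    span: tuple[int, int]      # character offsets in the message


def scan(text: str) -> list[Finding]:
    """Return every SSN and Luhn-valid card number found in text, in order."""
    findings = [Finding("ssn", m.group(0), m.span()) for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            findings.append(Finding("pan", m.group(0), m.span()))
    return sorted(findings, key=lambda f: f.span)


def mask(value: str) -> str:
    """Replace every digit but the last four with '*', keeping separators."""
    total = sum(ch.isdigit() for ch in value)
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def redact(text: str) -> str:
    """Return text with every finding masked; a filtering gateway would do
    this (or block the message outright) before it leaves the network."""
    out = text
    for f in reversed(scan(text)):        # right to left so offsets stay valid
        start, end = f.span
        out = out[:start] + mask(f.value) + out[end:]
    return out


# Constructed outbound message.  4111 1111 1111 1111 is a Luhn-valid test
# number; ...1112 fails Luhn; 555-123-4567 is shaped like a phone number.
MESSAGE = (
    "Hi, my SSN is 123-45-6789 and the card is 4111 1111 1111 1111, "
    "ref 4111 1111 1111 1112, call 555-123-4567."
)

if __name__ == "__main__":
    for f in scan(MESSAGE):
        print(f.kind, f.value, f.span)
    print(redact(MESSAGE))
```

The Luhn step is what separates a usable filter from a noisy one: the reference number and the phone number in the sample pass the shape test or come close to it, yet only the real test card and the SSN are masked. A production filter would add more data types, handle attachments and encoded content, and log each finding for review rather than silently rewriting mail.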

No testing plan can make software perfectly secure, but one built around the most severe threats cuts the risk substantially. PSC can establish a baseline for your business to work from through security practices that prevent damaging internal leakage.


About the Author:

Rob Cross is currently an executive with PSC.