Hey, everyone is Canada Hill Master Instructor, A cyber. In this video, we're gonna talk about Web defense.
So just a quick pre assessment question here, like we normally do. Ways to prevent against the exposure of sensitive data include all of the following except which one.
All right, so I guess to answer B, as in, boy, you are correct. So storing unnecessary data is not actually way to reduce our Ricks there. It actually will help increase the risk because its data that an attacker could use or it could be sensitive data that an attacker is able to access. And we don't actually need to store that information
so sensitive data exposure where we're going to see this is primarily the wet like Web applications or even depending on the A p I were using on our Web applications in our sight. And primarily the sensitive data in most cases we're talking about is either gonna be like financial or like health care related data.
Eso has an example. Maybe your bank account information or credit card information
or on the health side of things. Maybe you're so security number your pH eyes what is called protective health information or, you know, maybe things about your surgery that your surgery date or procedures that also is tied into other data like you're so security or, you know, data birds, something like that. So that way,
if I'm an attacker, I could get that information say, Oh, you know, Sally had
the surgery on this state, you know, with this particular vendor. And, you know, now I've got all the information and I can go. Do you know potentially bad things with that
so prevalent, it's actually pretty common. Some of the reasons for that is, you know, of course, Miss Configured, you know, cloud buckets, you know. So Amazon aws buckets is one of the big things you'll see in the media out there in different news stories. Also lack of encryption s o you know, not encrypting data at rest or in transit.
And then also, even though you're encrypting it, you're using weaker encryption, right? So older encryption algorithms
s. So that's kind of the reason why we see it is such a prevalent thing.
So how do we check for that? Well, number one certain laws out there certain laws and standards have guidelines for us to help us kind of determine what data should be encrypted. What should not be encrypted? What sensitive data? What's not sensitive data et cetera of this is some on the screen here, just a side note, kind of a self plug there. I do have a hip, of course,
on the cyber a sight. So if you're kind of interested in
and that angle of it from a health care standpoint, if you work in health care, definitely check that course out. We also have ah PC idea, says course on the site. So definitely check that out as well. If you're interested in and kind of getting more about the legal or standards aspect of things,
sending are clear text data. So you know, certain protocols send data clear text by default. All that means is that clear text means I can read it. There's nothing I have to do to try toe. Look at the data. I just can basically read whatever you've got in there. So whether that's a user name and password, a date of birth, whatever
I can, you know I could basically using what's called a sniffing tool. I could grab that data and look at it directly.
We're not storing it, you know, properly. So again, going back to the encryption aspect. We're not encrypting the data on our database while we're storing it. We're just kind of leaving it there for anybody to take a look at. Already talked about the weaker algorithms or no encryption on Ben. Also not using proper servers certificate. So again, we're not,
um, either using like industry Sanders certificates or even our own security certificates.
We're basically not verifying that this this server that's connecting to us or this device connecting to us is actually somebody on our network or some device on our network versus some outside attacker.
So the impact here, you know, of course, we talked about health and financial records. Also intellectual property, that sensitive data that could be stolen by an attacker, a cz Well, as other types of personal data, you know, it's like employment records, that sort of stuff
to prevent it. You know, we talked about encrypting the data We can, you know, make sure our users are using stronger passwords or even our admin accounts, or using stronger passwords using assaulting, using things like multi factor. Two factor. Authentication monitoring is a big one, especially when we get into talking about things like data loss prevention.
We want to monitor and, you know, even set
controls in place that will help prevent against somebody like export trading a large amount of data specifically like in the financial or healthcare space. You want to make sure somebody is not coming in after hours and stealing a bunch of patient data.
So quick. Post assessment question here Rebecca's been tasked with checking for sensitive did exposure at her particular company. She knows that the following might be indicated indicators of sensitive data exposure except which one of these.
All right, so I guess to answer bur correct so strong and encryption is actually not in indicator that we've got sensitive data exposure again. Sensitive data exposure one of the risk factors there's going to be weaker encryption or not using any encryption at all