Information Security Buzz
By Security Experts
Felix Rosbach, Product Manager, COMFORTE AG
To find a balance between fast adoption and data protection can be a tough job.
This is a classic example of prioritising user experience over cyber-security. Especially in the online world, consumers are requesting new, innovative, streamlined ways to manage their accounts and bookings, and companies have to be on par with their demands to retain market share. To find a balance between fast adoption and data protection can be a tough job. While it’s always easier to implement new solutions without taking security into consideration, the growing risk of breaches, along with new and stricter regulations all around the world, makes sophisticated data protection a must.
Saryu Nayyar, CEO, Gurucul
This incident, so soon after the devastating data breach that British Airlines recently suffered.
This incident, so soon after the devastating data breach that British Airlines recently suffered, shows that many companies are still not getting the cybersecurity basics right. To protect their data, companies should – at the least – encrypt all sensitive data, and the keys to decrypt the data should not be stored with the solution or host database itself. Organisations should also consider modern cybersecurity technology that uses artificial intelligence (AI) and machine learning (ML) to identify behavioural anomalies that are indicative of an illicit user on the network. With machine learning algorithms, it’s possible to spot behaviour that’s outside the range of normal activities and intervene before it’s too late.
Javvad Malik, Security Awareness Advocate, KNOWBE4
Sending unencrypted emails with authentication data in the URL is certainly far from good security practice.
Sending unencrypted emails with authentication data in the URL is certainly far from good security practice and, given the recent British Airways fines proposed by the ICO, it does not paint a good picture.
However, in order for this attack to be successful, the attacker needs to be connected to the same WiFi network as the victim in order to intercept the email and view the booking. Because of this, the threat is reduced somewhat.
British Airways will likely fix the issue soon, but it’s a reminder to users that they should exercise caution when connecting to public WiFi hotspots.
Hugo van den Toorn, Manager, Offensive Security, OUTPOST24
This is a classic example of what is described as Sensitive Data Exposure in the OWASP top ten.
This is a classic example of what is described as Sensitive Data Exposure in the OWASP top ten. It is not just at risk of being captured in transit, but it could well be that this data is also stored in plain text on systems that process the request, meaning the data could have been stored in, for example, logs, waiting for an attacker to find it.
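The two points above, authentication data carried in a URL (Javvad Malik) and that same data landing in plain text in the logs of every system that handles the request (Hugo van den Toorn), can be shown side by side. The following is an added example written for this page; it is not code from the original article, from any of the quoted experts, or from British Airways. The hostname example.test, the booking reference, the surname and the access-log line are all constructed, and the token mechanism is one reasonable hardening, not a description of what the airline actually deployed.

```python
"""
Added example (not from the original page): why authentication data belongs in
a short-lived opaque token rather than in the URL, and why anything in the query
string ends up on disk in ordinary access logs.
Assumptions: example.test is a placeholder host; the booking reference, surname
and log format below are constructed sample data.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

HOST = "example.test"  # assumption: placeholder hostname, not a real endpoint


def build_plain_link(booking_ref: str, surname: str) -> str:
    """Vulnerable pattern the page describes: the values that authenticate the
    visitor (booking reference + surname) travel in the URL, over plain http."""
    return f"http://{HOST}/checkin?" + urlencode({"ref": booking_ref, "surname": surname})


class CheckinLinks:
    """Hardened pattern: the link carries only an opaque random token that the
    server maps back to the booking. The token expires and is single-use, so an
    intercepted link is worth little, and the booking data never appears in a URL."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested
        self._ttl = ttl_seconds
        self._pending = {}         # token -> (booking_ref, expires_at)

    def issue(self, booking_ref: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[token] = (booking_ref, self._clock() + self._ttl)
        return f"https://{HOST}/checkin?t={token}"

    def redeem(self, url: str):
        """Return the booking reference for a valid, unexpired, unused link, else None."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.netloc != HOST:
            return None
        token = parse_qs(parts.query).get("t", [None])[0]
        entry = self._pending.pop(token, None)  # pop => single use
        if entry is None:
            return None
        booking_ref, expires_at = entry
        if self._clock() > expires_at:
            return None
        return booking_ref


def access_log_line(url: str) -> str:
    """Constructed Common Log Format line. Web servers record the full request
    target, so whatever sits in the query string is written to disk as-is."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'198.51.100.7 - - [10/Aug/2019:12:00:00 +0000] "GET {target} HTTP/1.1" 200 512'


def log_leaks(log_line: str, *values: str) -> bool:
    """True if any of the given values can be read straight out of the log line."""
    return any(v.lower() in log_line.lower() for v in values)


if __name__ == "__main__":
    ref, name = "ABC123", "Smith"  # constructed sample booking
    plain = build_plain_link(ref, name)
    print(plain, "-> leaks:", log_leaks(access_log_line(plain), ref, name))

    links = CheckinLinks()
    safe = links.issue(ref)
    print(safe, "-> leaks:", log_leaks(access_log_line(safe), ref, name))
    print("first redeem:", links.redeem(safe), "second redeem:", links.redeem(safe))
```

The plain link's log line contains the booking reference and surname verbatim, which is exactly the "stored in logs" exposure described above; the tokenised link's log line contains only a random string that is useless once redeemed or expired. This does not fix the separate problem of the email itself travelling unencrypted, but it limits what an intercepted message gives an attacker to a single, time-boxed use.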
Cesar Cerrudo, CTO, IOACTIVE
Employing an experienced third party, one that can think like a hacker, will help to ensure any such vulnerabilities are discovered in the test phase.
When building a customer-facing application, the focus is too often on usability, scalability and performance, and security can be a bit of an afterthought. Yet what is forgotten is just how sensitive the data being stored is – after all, your passport is one of, if not THE, most expensive and trusted government documents you own. Yet while it is common practice for airlines to use third-party penetration testing for their hardware and critical flight services, they often test their online services and applications in-house using teams that are often under pressure from IT to meet strict time deadlines, meaning things slip through the gaps. Employing an experienced third party, one that can think like a hacker, will help to ensure any such vulnerabilities are discovered in the test phase, before any customers have started to use it – helping companies to avoid embarrassment and, more importantly, ensuring customer data remains safe.