WEB-DATA-01 & WEB-LOG-01

Data Exposure & Logging

CMU540: Cyber Security - Session 8

Birmingham Newman University

Lecturer: James Williams

Understanding data protection and security logging implementation

3-hour session • 30 slides • 2 interactive tasks

Session Timeline:

10 min: Registration & waiting
20 min: Opening slides
45 min: Task 1
15 min: Break/Catch up
20 min: Secondary slides
45 min: Task 2
Remaining: Self-study

Learning Objectives

Understand OWASP A08: Data Exposure & A09: Logging
Identify data exposure vulnerabilities
Learn secure logging practices
Practice vulnerability discovery using OS³ Studio
Implement secure data protection and logging
Explore career opportunities in data security

OWASP A08: Data Exposure & A09: Logging

A08: Sensitive data exposure occurs when applications don't properly protect sensitive information

A09: Insufficient logging allows attackers to persist undetected

Key Areas:

Data encryption and protection
Logging and monitoring
Data classification
Audit trails

Real-World Impact

Notable Breaches:

Facebook (2019): 540M records stored in plaintext
Marriott (2018): 500M records exposed due to poor logging
Capital One (2019): 100M records exposed via misconfigured logging

Impact: Data breaches, regulatory fines, reputation damage

Common Data Exposure Vulnerabilities

1. Unencrypted Data Storage

<!-- VULNERABLE: Plaintext storage -->

CREATE TABLE users (

  id INT,

  username VARCHAR(50),

  password VARCHAR(50),  -- Plaintext

  ssn VARCHAR(20),       -- Plaintext

  credit_card VARCHAR(20) -- Plaintext
);

<!-- SECURE: Encrypted storage -->

CREATE TABLE users (

  id INT,

  username VARCHAR(50),

  password_hash VARCHAR(255),  -- Hashed

  ssn_encrypted BLOB,         -- Encrypted

  credit_card_encrypted BLOB  -- Encrypted
);

2. Weak Encryption

<!-- VULNERABLE: Weak encryption -->

MD5(password)     // Easily cracked

DES(data)         // 56-bit key

<!-- SECURE: Strong encryption -->

bcrypt(password, 12)  // Adaptive hashing

AES-256-GCM(data)    // Strong encryption

Data Classification

1. Data Sensitivity Levels

<!-- Data classification levels -->

PUBLIC:      No restrictions

INTERNAL:    Company use only

CONFIDENTIAL: Limited access

RESTRICTED:  Highest security

<!-- Implementation -->

if (data.classification === 'RESTRICTED') {

  requireStrongAuthentication();

  requireEncryption();

  logAccess(data, user);
}

2. Data Handling Policies

Encrypt sensitive data at rest
Use secure transmission protocols
Implement access controls
Regular data audits

Common Logging Vulnerabilities

1. Insufficient Logging

<!-- VULNERABLE: No security logging -->

app.post('/login', (req, res) => {

  const { username, password } = req.body;

  if (authenticate(username, password)) {

    res.json({ success: true });

  } else {

    res.json({ success: false });

  }
});

<!-- SECURE: Comprehensive logging -->

app.post('/login', (req, res) => {

  const { username, password } = req.body;

  if (authenticate(username, password)) {

    logger.info('Successful login', { username, ip: req.ip });

    res.json({ success: true });

  } else {

    logger.warn('Failed login attempt', { username, ip: req.ip });

    res.json({ success: false });

  }
});

2. Log Injection

<!-- VULNERABLE: Log injection -->

logger.info('User action: ' + userInput);

<!-- Malicious input -->

userInput = 'admin\n[ERROR] System compromised'

<!-- SECURE: Sanitized logging -->

logger.info('User action: %s', sanitize(userInput));

Secure Logging Practices

1. Structured Logging

<!-- SECURE: Structured logging -->

const winston = require('winston');

const logger = winston.createLogger({

  level: 'info',

  format: winston.format.combine(

    winston.format.timestamp(),

    winston.format.json()

  ),

  transports: [

    new winston.transports.File({ filename: 'security.log' })

  ]
});

logger.info('Security event', {

  event: 'login_attempt',

  user: username,

  ip: req.ip,

  success: false
});

2. Log Retention and Rotation

<!-- SECURE: Log rotation -->

const winston = require('winston');

const logger = winston.createLogger({

  transports: [

    new winston.transports.DailyRotateFile({

      filename: 'logs/security-%DATE%.log',

      datePattern: 'YYYY-MM-DD',

      maxSize: '20m',

      maxFiles: '14d'

    })

  ]
});

Data Encryption Implementation

1. Database Encryption

<!-- SECURE: Database encryption -->

const crypto = require('crypto');

function encryptData(data, key) {

  const iv = crypto.randomBytes(16);

  const cipher = crypto.createCipher('aes-256-gcm', key);

  let encrypted = cipher.update(data, 'utf8', 'hex');

  encrypted += cipher.final('hex');

  return {

    encrypted,

    iv: iv.toString('hex')

  };
}

function decryptData(encryptedData, key, iv) {

  const decipher = crypto.createDecipher('aes-256-gcm', key);

  let decrypted = decipher.update(encryptedData, 'hex', 'utf8');

  decrypted += decipher.final('utf8');

  return decrypted;
}

2. Field-Level Encryption

<!-- SECURE: Field-level encryption -->

// Store encrypted SSN

const encryptedSSN = encryptData(user.ssn, process.env.ENCRYPTION_KEY);

await db.users.create({

  username: user.username,

  ssn_encrypted: encryptedSSN.encrypted,

  ssn_iv: encryptedSSN.iv
});

// Retrieve and decrypt

const user = await db.users.findById(id);

const decryptedSSN = decryptData(user.ssn_encrypted, process.env.ENCRYPTION_KEY, user.ssn_iv);

Career Opportunities in Data Security

Data Security Roles:

Data Protection Officer: £50,000 - £100,000
Privacy Engineer: £45,000 - £90,000
Security Engineer: £40,000 - £80,000
Compliance Specialist: £35,000 - £70,000
Data Analyst: £30,000 - £60,000

Skills Needed: Data protection, Privacy regulations, Encryption, Compliance

OS³ Newman Cyber Security Lab

WEB-DATA-01 & WEB-LOG-01 Lab Environment

Our OS³ Studio provides hands-on experience with:

Applications with data exposure vulnerabilities
Insufficient logging implementations
Secure data protection challenges
Logging and monitoring best practices

Access: Available through university portal

Web Demos and Tools

Data Security Tools:

Burp Suite - Web application security testing
OWASP ZAP - Open source web app scanner
Logstash - Log processing and analysis
Splunk - Security information and event management
Graylog - Open source log management

Case Study: Capital One Breach

2019 Capital One Data Breach

Impact: 100 million records exposed
Cause: Misconfigured logging in AWS S3
Method: Server-side request forgery (SSRF)
Cost: $190 million in settlements

Lesson: Misconfigured logging can lead to massive data exposure

Summary: Common Data & Logging Issues

                    Key Vulnerabilities to Look For:
                    Unencrypted sensitive data storage
Weak encryption algorithms
Insufficient logging and monitoring
Log injection vulnerabilities
Missing data classification
Inadequate access controls
Poor log retention policies

                

Task 1: Data Exposure & Logging Vulnerability Discovery

Objective:

Use OS³ Studio to identify data exposure vulnerabilities and insufficient logging in the lab environment.

Instructions:

Access the OS³ Studio vulnerable application
Look for unencrypted sensitive data
Test for weak encryption implementations
Check for insufficient logging
Test for log injection vulnerabilities
Examine data classification practices
Document all findings with proof of concept
Prepare a vulnerability assessment report

Time: 45 minutes

Focus on systematic testing and thorough documentation

Break Time

15 Minutes

Take a break, ask questions, or catch up on the previous task.

Next: Secure implementation and Task 2

Secure Data Protection

1. Data Encryption at Rest

<!-- SECURE: Database encryption -->

// Enable Transparent Data Encryption (TDE)

ALTER DATABASE MyDatabase

SET ENCRYPTION ON;

// Column-level encryption

CREATE TABLE users (

  id INT PRIMARY KEY,

  username VARCHAR(50),

  ssn VARBINARY(MAX),  -- Encrypted

  credit_card VARBINARY(MAX)  -- Encrypted
);

2. Data Masking

<!-- SECURE: Data masking -->

function maskSensitiveData(data) {

  if (data.type === 'ssn') {

    return data.value.replace(/(\d{3})\d{4}(\d{3})/, '$1-****-$2');

  }

  if (data.type === 'credit_card') {

    return data.value.replace(/(\d{4})\d{8}(\d{4})/, '$1-********-$2');

  }

  return data.value;
}

Secure Logging Implementation

1. Security Event Logging

<!-- SECURE: Security logging -->

const winston = require('winston');

const securityLogger = winston.createLogger({

  level: 'info',

  format: winston.format.combine(

    winston.format.timestamp(),

    winston.format.json()

  ),

  transports: [

    new winston.transports.File({ filename: 'security.log' })

  ]
});

// Log security events

securityLogger.warn('Failed login attempt', {

  username: username,

  ip: req.ip,

  userAgent: req.headers['user-agent'],

  timestamp: new Date().toISOString()
});

2. Log Analysis and Monitoring

<!-- SECURE: Log monitoring -->

// Monitor for suspicious patterns

const suspiciousPatterns = [

  /failed login/i,

  /unauthorized access/i,

  /privilege escalation/i
];

function analyzeLogs(logEntry) {

  for (const pattern of suspiciousPatterns) {

    if (pattern.test(logEntry.message)) {

      alertSecurityTeam(logEntry);

    }

  }
}

Data Access Controls

1. Role-Based Access Control

<!-- SECURE: RBAC implementation -->

const roles = {

  admin: ['read', 'write', 'delete'],

  user: ['read'],

  guest: []
};

function checkPermission(userRole, action) {

  return roles[userRole].includes(action);
}

app.get('/sensitive-data', (req, res) => {

  if (!checkPermission(req.user.role, 'read')) {

    return res.status(403).json({ error: 'Forbidden' });

  }

  res.json(sensitiveData);
});

2. Data Anonymization

<!-- SECURE: Data anonymization -->

function anonymizeData(data) {

  return {

    id: hashId(data.id),

    age: data.age,

    gender: data.gender,

    // Remove PII

    // name: data.name,

    // email: data.email

  };
}

Compliance and Regulations

1. GDPR Compliance

<!-- SECURE: GDPR compliance -->

// Right to be forgotten

app.delete('/user/:id', async (req, res) => {

  const userId = req.params.id;

  await anonymizeUserData(userId);

  await deleteUserData(userId);

  res.json({ message: 'User data deleted' });
});

// Data portability

app.get('/user/:id/export', async (req, res) => {

  const userData = await getUserData(req.params.id);

  res.json(userData);
});

2. Audit Trails

<!-- SECURE: Audit trail -->

function logDataAccess(userId, dataType, action) {

  auditLogger.info('Data access', {

    userId: userId,

    dataType: dataType,

    action: action,

    timestamp: new Date().toISOString(),

    ip: req.ip

  });
}

Monitoring and Alerting

1. Real-time Monitoring

<!-- SECURE: Real-time monitoring -->

const monitoring = {

  failedLogins: 0,

  lastReset: Date.now()
};

function checkSecurityMetrics() {

  if (monitoring.failedLogins > 10) {

    alertSecurityTeam('High failed login rate');

    monitoring.failedLogins = 0;

  }
}

setInterval(checkSecurityMetrics, 60000); // Every minute

2. Security Dashboards

Real-time security metrics
Failed login attempts
Data access patterns
Anomaly detection alerts

Career Development in Data Security

Next Steps:

Advanced Certifications: CIPP, CISM, CISA
Specialized Training: Data protection, Privacy regulations
Hands-on Practice: Data security assessments, Compliance audits
Industry Networking: Privacy conferences, Data protection meetups
Research: New privacy regulations, Data protection methods

Resources: IAPP | NIST | GDPR

Task 2: Secure Data Protection & Logging Implementation

Objective:

Use OS³ Studio to implement secure data protection and logging practices.

Instructions:

Access the OS³ Studio secure implementation environment
Implement data encryption for sensitive fields
Add comprehensive security logging
Implement data classification and access controls
Configure log rotation and retention
Add data masking for non-production environments
Test the secure implementation
Document the security improvements

Time: 45 minutes

Focus on implementing industry-standard data protection practices

Further Activity: Code Inspection

Advanced Students - Code Analysis:

For students with additional time, explore the source code to understand:

How data encryption is implemented
Logging and monitoring mechanisms
Data classification and access controls
Compliance and audit trail implementation
Data anonymization and masking

Deliverable: Code review report with data protection recommendations

Session Summary

                    Key Takeaways:
                    Data exposure is a critical security vulnerability
Insufficient logging allows attackers to persist undetected
Data encryption and classification are essential
OS³ Studio provides hands-on vulnerability testing
Secure implementation requires multiple layers of protection
Career opportunities in data security are growing

                

Next Steps

Continue Learning:

Complete the OS³ Studio tasks
Explore additional data security topics
Practice with security testing tools
Consider industry certifications
Join cybersecurity communities

Next Session: WEB-SSRF-01 & WEB-UPLOAD-01 - SSRF & File Upload Security