H M < >
CMU540

WEB-DATA-01 & WEB-LOG-01 - Data Exposure & Logging

Session 8

James Williams

jwilliams@staff.newman.ac.uk

Learning Objectives

  • Understand OWASP A08: Data Exposure & A09: Logging
  • Identify data exposure vulnerabilities
  • Learn secure logging practices
  • Practice vulnerability discovery using OS³ Studio
  • Implement secure data protection and logging
  • Explore career opportunities in data security

OWASP A08: Data Exposure & A09: Logging

A08: Sensitive data exposure occurs when applications don't properly protect sensitive information

A09: Insufficient logging allows attackers to persist undetected

Key Areas:

  • Data encryption and protection
  • Logging and monitoring
  • Data classification
  • Audit trails

Real-World Impact

Notable Breaches:

  • Facebook (2019): 540M records stored in plaintext
  • Marriott (2018): 500M records exposed due to poor logging
  • Capital One (2019): 100M records exposed via misconfigured logging

Impact: Data breaches, regulatory fines, reputation damage

Common Data Exposure Vulnerabilities

1. Unencrypted Data Storage

<!-- VULNERABLE: Plaintext storage -->
CREATE TABLE users (
  id INT,
  username VARCHAR(50),
  password VARCHAR(50),  -- Plaintext
  ssn VARCHAR(20),       -- Plaintext
  credit_card VARCHAR(20) -- Plaintext
);
<!-- SECURE: Encrypted storage -->
CREATE TABLE users (
  id INT,
  username VARCHAR(50),
  password_hash VARCHAR(255),  -- Hashed
  ssn_encrypted BLOB,         -- Encrypted
  credit_card_encrypted BLOB  -- Encrypted
);

2. Weak Encryption

<!-- VULNERABLE: Weak encryption -->
MD5(password)     // Easily cracked
DES(data)         // 56-bit key
<!-- SECURE: Strong encryption -->
bcrypt(password, 12)  // Adaptive hashing
AES-256-GCM(data)    // Strong encryption

Data Classification

1. Data Sensitivity Levels

<!-- Data classification levels -->
PUBLIC:      No restrictions
INTERNAL:    Company use only
CONFIDENTIAL: Limited access
RESTRICTED:  Highest security
<!-- Implementation -->
if (data.classification === 'RESTRICTED') {
  requireStrongAuthentication();
  requireEncryption();
  logAccess(data, user);
}

2. Data Handling Policies

  • Encrypt sensitive data at rest
  • Use secure transmission protocols
  • Implement access controls
  • Regular data audits

Common Logging Vulnerabilities

1. Insufficient Logging

<!-- VULNERABLE: No security logging -->
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  if (authenticate(username, password)) {
    res.json({ success: true });
  } else {
    res.json({ success: false });
  }
});
<!-- SECURE: Comprehensive logging -->
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  if (authenticate(username, password)) {
    logger.info('Successful login', { username, ip: req.ip });
    res.json({ success: true });
  } else {
    logger.warn('Failed login attempt', { username, ip: req.ip });
    res.json({ success: false });
  }
});

2. Log Injection

<!-- VULNERABLE: Log injection -->
logger.info('User action: ' + userInput);
<!-- Malicious input -->
userInput = 'admin\n[ERROR] System compromised'
<!-- SECURE: Sanitized logging -->
logger.info('User action: %s', sanitize(userInput));

Secure Logging Practices

1. Structured Logging

<!-- SECURE: Structured logging -->
const winston = require('winston');
const logger = winston.createLogger({
  level: 'info',
  format: winston.format.combine(
    winston.format.timestamp(),
    winston.format.json()
  ),
  transports: [
    new winston.transports.File({ filename: 'security.log' })
  ]
});
logger.info('Security event', {
  event: 'login_attempt',
  user: username,
  ip: req.ip,
  success: false
});

2. Log Retention and Rotation

<!-- SECURE: Log rotation -->
const winston = require('winston');
const logger = winston.createLogger({
  transports: [
    new winston.transports.DailyRotateFile({
      filename: 'logs/security-%DATE%.log',
      datePattern: 'YYYY-MM-DD',
      maxSize: '20m',
      maxFiles: '14d'
    })
  ]
});

Data Encryption Implementation

1. Database Encryption

<!-- SECURE: Database encryption -->
const crypto = require('crypto');
function encryptData(data, key) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipher('aes-256-gcm', key);
  let encrypted = cipher.update(data, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  return {
    encrypted,
    iv: iv.toString('hex')
  };
}
function decryptData(encryptedData, key, iv) {
  const decipher = crypto.createDecipher('aes-256-gcm', key);
  let decrypted = decipher.update(encryptedData, 'hex', 'utf8');
  decrypted += decipher.final('utf8');
  return decrypted;
}

2. Field-Level Encryption

<!-- SECURE: Field-level encryption -->
// Store encrypted SSN
const encryptedSSN = encryptData(user.ssn, process.env.ENCRYPTION_KEY);
await db.users.create({
  username: user.username,
  ssn_encrypted: encryptedSSN.encrypted,
  ssn_iv: encryptedSSN.iv
});
// Retrieve and decrypt
const user = await db.users.findById(id);
const decryptedSSN = decryptData(user.ssn_encrypted, process.env.ENCRYPTION_KEY, user.ssn_iv);

Career Opportunities in Data Security

Data Security Roles:

  • Data Protection Officer: £50,000 - £100,000
  • Privacy Engineer: £45,000 - £90,000
  • Security Engineer: £40,000 - £80,000
  • Compliance Specialist: £35,000 - £70,000
  • Data Analyst: £30,000 - £60,000

Skills Needed: Data protection, Privacy regulations, Encryption, Compliance

OS³ Newman Cyber Security Lab

WEB-DATA-01 & WEB-LOG-01 Lab Environment

Our OS³ Studio provides hands-on experience with:

  • Applications with data exposure vulnerabilities
  • Insufficient logging implementations
  • Secure data protection challenges
  • Logging and monitoring best practices

Access: Available through university portal

Web Demos and Tools

Data Security Tools:

  • Burp Suite - Web application security testing
  • OWASP ZAP - Open source web app scanner
  • Logstash - Log processing and analysis
  • Splunk - Security information and event management
  • Graylog - Open source log management

Case Study: Capital One Breach

2019 Capital One Data Breach

  • Impact: 100 million records exposed
  • Cause: Misconfigured logging in AWS S3
  • Method: Server-side request forgery (SSRF)
  • Cost: $190 million in settlements

Lesson: Misconfigured logging can lead to massive data exposure

Summary: Common Data & Logging Issues

Key Vulnerabilities to Look For:

  1. Unencrypted sensitive data storage
  2. Weak encryption algorithms
  3. Insufficient logging and monitoring
  4. Log injection vulnerabilities
  5. Missing data classification
  6. Inadequate access controls
  7. Poor log retention policies

Task 1: Data Exposure & Logging Vulnerability Discovery

Objective:

Use OS³ Studio to identify data exposure vulnerabilities and insufficient logging in the lab environment.

Instructions:

  1. Access the OS³ Studio vulnerable application
  2. Look for unencrypted sensitive data
  3. Test for weak encryption implementations
  4. Check for insufficient logging
  5. Test for log injection vulnerabilities
  6. Examine data classification practices
  7. Document all findings with proof of concept
  8. Prepare a vulnerability assessment report

Time: 45 minutes

Focus on systematic testing and thorough documentation

Break Time

15 Minutes

Take a break, ask questions, or catch up on the previous task.

Next: Secure implementation and Task 2

Secure Data Protection

1. Data Encryption at Rest

<!-- SECURE: Database encryption -->
// Enable Transparent Data Encryption (TDE)
ALTER DATABASE MyDatabase
SET ENCRYPTION ON;
// Column-level encryption
CREATE TABLE users (
  id INT PRIMARY KEY,
  username VARCHAR(50),
  ssn VARBINARY(MAX),  -- Encrypted
  credit_card VARBINARY(MAX)  -- Encrypted
);

2. Data Masking

<!-- SECURE: Data masking -->
function maskSensitiveData(data) {
  if (data.type === 'ssn') {
    return data.value.replace(/(\d{3})\d{4}(\d{3})/, '$1-****-$2');
  }
  if (data.type === 'credit_card') {
    return data.value.replace(/(\d{4})\d{8}(\d{4})/, '$1-********-$2');
  }
  return data.value;
}

Secure Logging Implementation

1. Security Event Logging

<!-- SECURE: Security logging -->
const winston = require('winston');
const securityLogger = winston.createLogger({
  level: 'info',
  format: winston.format.combine(
    winston.format.timestamp(),
    winston.format.json()
  ),
  transports: [
    new winston.transports.File({ filename: 'security.log' })
  ]
});
// Log security events
securityLogger.warn('Failed login attempt', {
  username: username,
  ip: req.ip,
  userAgent: req.headers['user-agent'],
  timestamp: new Date().toISOString()
});

2. Log Analysis and Monitoring

<!-- SECURE: Log monitoring -->
// Monitor for suspicious patterns
const suspiciousPatterns = [
  /failed login/i,
  /unauthorized access/i,
  /privilege escalation/i
];
function analyzeLogs(logEntry) {
  for (const pattern of suspiciousPatterns) {
    if (pattern.test(logEntry.message)) {
      alertSecurityTeam(logEntry);
    }
  }
}

Data Access Controls

1. Role-Based Access Control

<!-- SECURE: RBAC implementation -->
const roles = {
  admin: ['read', 'write', 'delete'],
  user: ['read'],
  guest: []
};
function checkPermission(userRole, action) {
  return roles[userRole].includes(action);
}
app.get('/sensitive-data', (req, res) => {
  if (!checkPermission(req.user.role, 'read')) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  res.json(sensitiveData);
});

2. Data Anonymization

<!-- SECURE: Data anonymization -->
function anonymizeData(data) {
  return {
    id: hashId(data.id),
    age: data.age,
    gender: data.gender,
    // Remove PII
    // name: data.name,
    // email: data.email
  };
}

Compliance and Regulations

1. GDPR Compliance

<!-- SECURE: GDPR compliance -->
// Right to be forgotten
app.delete('/user/:id', async (req, res) => {
  const userId = req.params.id;
  await anonymizeUserData(userId);
  await deleteUserData(userId);
  res.json({ message: 'User data deleted' });
});
// Data portability
app.get('/user/:id/export', async (req, res) => {
  const userData = await getUserData(req.params.id);
  res.json(userData);
});

2. Audit Trails

<!-- SECURE: Audit trail -->
function logDataAccess(userId, dataType, action) {
  auditLogger.info('Data access', {
    userId: userId,
    dataType: dataType,
    action: action,
    timestamp: new Date().toISOString(),
    ip: req.ip
  });
}

Monitoring and Alerting

1. Real-time Monitoring

<!-- SECURE: Real-time monitoring -->
const monitoring = {
  failedLogins: 0,
  lastReset: Date.now()
};
function checkSecurityMetrics() {
  if (monitoring.failedLogins > 10) {
    alertSecurityTeam('High failed login rate');
    monitoring.failedLogins = 0;
  }
}
setInterval(checkSecurityMetrics, 60000); // Every minute

2. Security Dashboards

  • Real-time security metrics
  • Failed login attempts
  • Data access patterns
  • Anomaly detection alerts

Career Development in Data Security

Next Steps:

  • Advanced Certifications: CIPP, CISM, CISA
  • Specialized Training: Data protection, Privacy regulations
  • Hands-on Practice: Data security assessments, Compliance audits
  • Industry Networking: Privacy conferences, Data protection meetups
  • Research: New privacy regulations, Data protection methods

Resources: IAPP | NIST | GDPR

Task 2: Secure Data Protection & Logging Implementation

Objective:

Use OS³ Studio to implement secure data protection and logging practices.

Instructions:

  1. Access the OS³ Studio secure implementation environment
  2. Implement data encryption for sensitive fields
  3. Add comprehensive security logging
  4. Implement data classification and access controls
  5. Configure log rotation and retention
  6. Add data masking for non-production environments
  7. Test the secure implementation
  8. Document the security improvements

Time: 45 minutes

Focus on implementing industry-standard data protection practices

Further Activity: Code Inspection

Advanced Students - Code Analysis:

For students with additional time, explore the source code to understand:

  • How data encryption is implemented
  • Logging and monitoring mechanisms
  • Data classification and access controls
  • Compliance and audit trail implementation
  • Data anonymization and masking

Deliverable: Code review report with data protection recommendations

Session Summary

Key Takeaways:

  • Data exposure is a critical security vulnerability
  • Insufficient logging allows attackers to persist undetected
  • Data encryption and classification are essential
  • OS³ Studio provides hands-on vulnerability testing
  • Secure implementation requires multiple layers of protection
  • Career opportunities in data security are growing

Next Steps