The UK's Information Commissioner's Office (ICO) published a report in mid-May about the most common classes of IT security vulnerabilities in online systems that result in failures to secure personal data.
The seventh data protection principle requires organisations to take appropriate measures to safeguard personal data. It states "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
Protecting Personal Data in Online Services: Learning From the Mistakes of Others describes the issues most commonly found to have been the root causes of inadequate protection of personal data in online systems.
There are some issues clearly related to poor management control such as incorrect decommissioning of business processes and inappropriate locations for processing of data. The other issues are more technical but are all the types of things well-organised and careful organisations ought to be getting right already.
I was interested to check which of these relate to infrastructure (I/S) components and which to applications (Apps), and, for the latter, whether they also appear in the OWASP Top Ten most critical risks.
|Issue (ICO Security Report)|Component: I/S|Component: Apps|OWASP Top Ten 2013|OWASP category|
|---|---|---|---|---|
|Failure to keep software security up to date|Y|Y|A9|Using components with known vulnerabilities|
|Lack of protection from SQL injection| |Y|A1|Injection|
|Exposure of unnecessary protocols & services|Y| |-|-|
|Exposure of decommissioned software/services|Y|Y|-|-|
|Insecure storage of passwords| |Y|A6|Sensitive data exposure|
|Failure to encrypt online communications|Y|Y|A6|Sensitive data exposure|
|Processing data in inappropriate locations|Y| |-|-|
|Use of default credentials including passwords|Y|Y|A5|Security misconfiguration|
We can see there is a mixture of infrastructure and application security issues, and that some issues span both categories.
Tomorrow, I will list the security controls for each issue, as discussed in the report.
Posted on: 02 June 2014 at 07:40 hrs