
Entry #10 on the CWE/SANS Top 25 is CWE-311: Missing Encryption of Sensitive Data [1].
In a previous post [2] we discussed how we obtained command line access to the server. With that access we could have carried out any number of malicious activities, but our primary goal was to retrieve confidential customer information. Navigating around the server revealed that the LDAP and JDBC passwords were stored in a simple properties file, and the credentials used to connect to these systems were stored unencrypted. We simply fired up a client and connected directly to the database with those credentials (remember that this was an internally deployed application, so the databases were reachable from our position on the network). Once connected, we could see all the customer information for the organization, also unencrypted. Game over.
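The weak point in the story above is a properties file that any reader of the file system can turn into database access. The audit script below is an added example, not code from the original post: it parses a Java-style .properties file the way java.util.Properties does (comments, either separator, backslash continuation) and flags credential-looking keys whose value is stored in the clear. It assumes two conventions for values that are not plaintext, the Jasypt-style ENC(...) wrapper and a ${...} placeholder resolved at runtime from an environment variable or secrets manager; the key-name pattern and both sample files are constructed for the example.

```python
"""Audit a Java-style .properties file for credentials stored in the clear (CWE-311).
Added example, not code from the original post. Assumptions: keys containing
password/secret/token/etc. hold a credential; ENC(...) values are encrypted (Jasypt
convention); ${...} values are placeholders resolved at runtime from an environment
variable or secrets manager. The sample files below are constructed."""
import re
from dataclasses import dataclass

SECRET_KEY_RE = re.compile(r"password|passwd|pwd|secret|credential|api[_-]?key|token", re.I)
ENCRYPTED_RE = re.compile(r"^ENC\(.+\)$")      # Jasypt-style encrypted value (assumption)
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]+\}$")  # resolved at runtime, not stored on disk

@dataclass
class Finding:
    key: str
    status: str  # "plaintext", "encrypted", "placeholder" or "empty"

def _continues(line):
    """True when the line ends in an odd number of backslashes (Properties continuation)."""
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1

def _split_key_value(line):
    """Key ends at the first unescaped '=', ':' or whitespace; then optional whitespace,
    at most one separator, optional whitespace; the remainder is the value."""
    key, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == "\\" and i + 1 < n:   # escaped character is part of the key
            key.append(line[i + 1])
            i += 2
            continue
        if c in "=: \t":
            break
        key.append(c)
        i += 1
    while i < n and line[i] in " \t":
        i += 1
    if i < n and line[i] in "=:":
        i += 1
    while i < n and line[i] in " \t":
        i += 1
    return "".join(key), line[i:]

def parse_properties(text):
    """Handle '#'/'!' comments, blank lines and backslash continuation
    (leading whitespace of a continuation line is dropped, as in Java)."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and line.startswith(("#", "!")):
            continue                      # comment lines never continue
        if _continues(line):
            buf += line[:-1]
            continue
        logical, buf = buf + line, ""
        key, value = _split_key_value(logical)
        if key:
            props[key] = value
    return props

def classify_value(value):
    if value == "":
        return "empty"
    if ENCRYPTED_RE.match(value):
        return "encrypted"
    if PLACEHOLDER_RE.match(value):
        return "placeholder"
    return "plaintext"

def audit_properties(text):
    """One Finding per credential-looking key in the file."""
    return [Finding(k, classify_value(v))
            for k, v in parse_properties(text).items() if SECRET_KEY_RE.search(k)]

def plaintext_secrets(text):
    """Keys whose credential is readable by anyone who can read the file."""
    return [f.key for f in audit_properties(text) if f.status == "plaintext"]

# Constructed sample: the kind of file the post describes, credentials in the clear.
WEAK = """\
# application.properties (constructed sample, values made up)
ldap.url=ldap://ldap.corp.example:389
ldap.bindDn=cn=appsvc,ou=services,dc=corp,dc=example
ldap.bindPassword=Summer2024!
jdbc.url=jdbc:oracle:thin:@db.corp.example:1521/CUSTDB
jdbc.username=custapp
jdbc.password = hunter2
jdbc.pool.size=10
"""

# Same file with the credentials no longer on disk in the clear (constructed;
# the ENC(...) blob is a stand-in, not real ciphertext).
HARDENED = """\
ldap.url=ldap://ldap.corp.example:389
ldap.bindDn=cn=appsvc,ou=services,\\
    dc=corp,dc=example
ldap.bindPassword=ENC(u8Kq3xFh2mZ9pLw0sTdN7yRb4cVe1gHj)
jdbc.url=jdbc:oracle:thin:@db.corp.example:1521/CUSTDB
jdbc.username=custapp
jdbc.password=${DB_PASSWORD}
"""
```

Running `plaintext_secrets(WEAK)` returns the two keys an attacker with file access would go straight for, `ldap.bindPassword` and `jdbc.password`; the hardened file yields none. Two caveats a reviewer should keep in mind: an ENC(...) value only moves the problem to the master key, which must itself be supplied out of band rather than sitting next to the file, and a ${...} placeholder populated from an environment variable is still readable by anyone who can inspect the process, so a secrets manager with short-lived credentials is the stronger end state.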
There were a number of things that should have been done to protect this application, and that you can do to protect your own. Several of the insecure configurations could have been addressed by doing the following:
Frank Kim is the Founder of ThinkSec, a security consulting and CISO advisory firm. He leads the Cybersecurity Leadership and Cloud Security curricula at SANS, as well as authors and instructs multiple SANS courses.