[SingCERT] Protection of Data

Published on Tuesday, 16 September 2014 17:48

[ Background ]

A group, by the name of “The Knowns”, posted the personal data of customers from a Singapore company online to express their displeasure over recent policy changes.

[ Recommendations ] 

  • Conduct regular vulnerability assessments and penetration tests on the web applications.
  • Promptly patch the vulnerabilities found in the web applications.
  • Validate the input of every field on the server side against an allow-list of expected formats, and reject anything that does not match.
  • Deploy a web application firewall to protect the web application against known threats.
  • Add a unique random value (salt) to each password and store only the hash of the salted password, using a dedicated password-hashing function (for example PBKDF2, bcrypt or scrypt) rather than a plain fast digest.
  • Keep the database server and the web server separate.
  • Only store the required information in the database.
  • Encrypt the database, or at least its sensitive columns, where possible, and use TLS (SSL) to encrypt network communications to mitigate data theft.
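The following Python example is added here to illustrate three of the recommendations above in one place (field validation against an allow-list, storing only the required fields, and salted password hashing); it is not code from SingCERT or from the affected company. The field names, the in-memory dict standing in for the database, and the sample form submissions are all constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Added example (not part of the SingCERT advisory): a minimal user-registration
# path that validates every field against an allow-list, stores only the fields
# it needs, and stores passwords as salted PBKDF2-HMAC-SHA256 hashes rather than
# plaintext or an unsalted digest. Field names and data are hypothetical.

# Allow-list rules per field; anything not listed here is dropped, not stored.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "email": re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}"),
}

PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


class ValidationError(ValueError):
    pass


def validate_fields(form):
    """Return a dict containing only the allow-listed fields, each checked
    against its pattern. Unknown fields (e.g. 'is_admin') are discarded, so
    extra submitted data never reaches the database."""
    cleaned = {}
    for name, pattern in FIELD_RULES.items():
        value = form.get(name)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValidationError(f"invalid or missing field: {name}")
        cleaned[name] = value
    return cleaned


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a salted hash. A fresh random salt is generated per password, so
    two users with the same password get different stored records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time (hmac.compare_digest) to avoid a timing side channel."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, _ = parts
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def register_user(form, db):
    """Validate the submitted form, then write only username, email and the
    password hash to `db` (a dict standing in for the users table)."""
    fields = validate_fields(form)
    password = form.get("password", "")
    if not isinstance(password, str) or not 8 <= len(password) <= 128:
        raise ValidationError("password must be 8 to 128 characters")
    if fields["username"] in db:
        raise ValidationError("username already taken")
    db[fields["username"]] = {
        "email": fields["email"],
        "password_hash": hash_password(password),
    }
    return db[fields["username"]]


if __name__ == "__main__":
    users = {}
    # Constructed sample submissions (not real data). The extra 'is_admin'
    # field is dropped; the two identical passwords get different hashes.
    register_user({"username": "alice", "email": "alice@example.com",
                   "password": "correct horse battery", "is_admin": "1"}, users)
    register_user({"username": "bob", "email": "bob@example.com",
                   "password": "correct horse battery"}, users)
    print("alice:", users["alice"])
    print("bob:  ", users["bob"])
    print("login ok:", verify_password("correct horse battery", users["alice"]["password_hash"]))
    try:
        register_user({"username": "x' OR 1=1 --", "email": "a@b.example",
                       "password": "long enough"}, users)
    except ValidationError as exc:
        print("rejected:", exc)
```

The stored string carries the algorithm name, iteration count and salt alongside the digest, so the iteration count can be raised later without breaking existing records: a record verifies with whatever parameters it was written with and can be re-hashed at next login.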

[ References ]