Part 4 of 5: Storing Data as Clear Text
Storing data in the clear
During a pen test, our InfoSec experts usually report the same security dangers, whatever the client's size or sector.
In this weekly series, we explore five common vulnerabilities and share practical advice you can follow today. In this fourth part, we address the risks of storing passwords and other sensitive data as clear text.
We use encrypted hard drives, data must be protected, right?
Once a foothold is established on the network, it’s common for attackers to move laterally within the environment and attempt to compromise other systems – including end-user devices – to harvest sensitive data: passwords, financial reports, network diagrams, HR records, and everything in between.
On internal network engagements, we often find passwords for critical systems such as firewalls stored in text files or spreadsheets on staff computers. This accelerates our attack, as we don't have to perform time-consuming password guessing.
With the wide deployment of hard disk encryption on end-user devices and storage devices, it would be easy to assume that data is adequately protected. However, whenever a system is powered on and connected to the internal network, there is a risk that compromised credentials or an unpatched vulnerability could be used to access it over the network and steal sensitive data.
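A check that follows from this finding, added here as an example rather than code from the original article: a small Go audit tool that scans the text of notes or exported spreadsheets for credential-looking key/value pairs and reports where they are, with the value masked so the report itself does not become another clear-text copy. The sample file content, the keyword list and the placeholder filter are constructed assumptions; tune them to the naming conventions of your own environment and run the tool over file shares and home directories before a tester finds the same files.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding records one line that appears to hold a credential in the clear.
// The value is kept only in masked form so a report can be shared safely.
type Finding struct {
	File   string
	Line   int
	Key    string
	Masked string
}

// credentialPattern matches pairs such as "password: Summer2019!", "pwd = ...",
// or api_key="..." as they typically appear in notes and spreadsheets saved as text.
// The keyword list is an assumption; extend it with your own naming conventions.
var credentialPattern = regexp.MustCompile(`(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*["']?([^\s"',;]+)`)

// Mask keeps the first and last character so the owner can recognise the value
// in a conversation, without the report reproducing the secret.
func Mask(s string) string {
	if len(s) <= 2 {
		return strings.Repeat("*", len(s))
	}
	return s[:1] + strings.Repeat("*", len(s)-2) + s[len(s)-1:]
}

// isPlaceholder filters values that are obviously not real secrets.
func isPlaceholder(v string) bool {
	lv := strings.ToLower(v)
	return lv == "<redacted>" || lv == "changeme" || lv == "xxx" || strings.HasPrefix(lv, "${")
}

// ScanText scans file content line by line and returns apparent clear-text credentials.
func ScanText(file string, content string) []Finding {
	var findings []Finding
	scanner := bufio.NewScanner(strings.NewReader(content))
	lineNo := 0
	for scanner.Scan() {
		lineNo++
		for _, m := range credentialPattern.FindAllStringSubmatch(scanner.Text(), -1) {
			if isPlaceholder(m[2]) {
				continue
			}
			findings = append(findings, Finding{
				File:   file,
				Line:   lineNo,
				Key:    strings.ToLower(m[1]),
				Masked: Mask(m[2]),
			})
		}
	}
	return findings
}

// sampleNotes is a constructed stand-in for a "creds.txt" found on a staff laptop.
const sampleNotes = `Firewall admin console
host: fw01.corp.example
user: admin
password: Summer2019!
Backup NAS
pwd = n4s-backup-key
Test environment
password: <redacted>
API docs: api_key="abc123def456"
`

func main() {
	for _, f := range ScanText("constructed-creds.txt", sampleNotes) {
		fmt.Printf("%s:%d  %s = %s\n", f.File, f.Line, f.Key, f.Masked)
	}
}
```

In a real run you would walk a directory tree with `filepath.WalkDir` and feed each text-like file to `ScanText`; the masked output is what goes into the remediation ticket, and the owner moves the real values into a password manager.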
To keep passwords out of hackers' hands, it's best to use a password manager, either one running on the local machine, such as KeePass (1), or an online service (2) with enterprise-level features.
The passwords are stored encrypted and protected by a master password or phrase. For extra peace of mind, some services support multi-factor authentication.
Another advantage is that long and complex passwords can be created and stored for every service that needs securing, reducing password re-use across systems. This greatly impedes password guessing and cracking attacks.
As well as passwords, documents are also exposed when stored on users' devices. How best to protect them varies, from password-protecting reports and spreadsheets on a case-by-case basis to a dedicated secure file storage solution.
If possible, store local copies of sensitive documents encrypted, and decrypt as needed.
If an attacker gains access to a system, they may be able to compromise files in use, but not the entire collection. If local storage isn’t desirable, it’s possible to store these documents remotely using a service such as Microsoft OneDrive (3), Box (4) or Dropbox (5).
If even greater security and privacy is needed, encrypt documents before they're synced to the cloud, using something like Boxcryptor (6).
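The "store local copies encrypted, decrypt as needed" advice above, as an added Go example that is not the article's code nor that of any product it names. It keeps one document sealed under a passphrase-derived AES-256-GCM key (PBKDF2-HMAC-SHA256, written out so only the standard library is needed), with a fresh salt and nonce per file; the iteration count and the sample document are assumptions. The point to notice is the failure mode: a wrong passphrase or a single flipped bit in the file yields an error, never silently corrupted plaintext, so an attacker who copies the file over the network gets nothing usable without the passphrase.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen  = 16 // random per file, so one passphrase never yields the same key twice
	nonceLen = 12 // standard AES-GCM nonce size
	keyLen   = 32 // AES-256
)

// Iterations is the PBKDF2 work factor. 600,000 is an assumed starting point;
// raise it as far as your hardware tolerates.
var Iterations = 600_000

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), spelled out here so the
// example depends only on the Go standard library.
func pbkdf2SHA256(pass, salt []byte, iter, dkLen int) []byte {
	out := make([]byte, 0, dkLen)
	mac := hmac.New(sha256.New, pass)
	for block := uint32(1); len(out) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)            // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T ^= U_i
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newGCM derives the file key from the passphrase and salt and returns an AES-GCM AEAD.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, Iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a document under a passphrase.
// Output layout: salt | nonce | AES-256-GCM ciphertext and tag.
// The salt is also bound as associated data, so it cannot be swapped unnoticed.
func Encrypt(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(header, nonce, plaintext, salt), nil
}

// Decrypt opens a blob produced by Encrypt. A wrong passphrase or any change to
// the blob makes GCM authentication fail, so the caller gets an error, not garbage.
func Decrypt(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("blob too short to hold salt, nonce and GCM tag")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, salt)
}

func main() {
	doc := []byte("Q3 revenue forecast (constructed sample document)")
	blob, err := Encrypt("correct horse battery staple", doc)
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt("correct horse battery staple", blob)
	fmt.Printf("decrypted: %q err=%v\n", plain, err)
	blob[len(blob)-1] ^= 1 // flip one bit of the tag, as a copy altered in transit would
	_, err = Decrypt("correct horse battery staple", blob)
	fmt.Println("after tampering:", err)
}
```

The decrypted bytes should be written only to a temporary location and wiped when the document is closed; the sealed blob is what stays on disk and in the cloud sync folder.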
Conclusions and advice for protecting your data
It's worth remembering that hard disk encryption on end-user devices is only effective while a device is powered off, and not while it is in use and connected to a network where hostile elements may be present.
Once privileged credentials are compromised, or a vulnerability exploited, an attacker can connect stealthily to other devices and look for sensitive information. This is why additional measures are needed to keep passwords and sensitive documents safe.
(2) Online services