Encrypt sensitive information
Summary
All stored sensitive information must be encrypted.
Description
Systems usually stores personal data, i.e., Personally Identifiable Information (PII), medical records, credentials and other types of sensitive information. All of these must be encrypted before being stored using safe cryptographic mechanisms. This is also applicable when personal information must be temporarily stored in the client-side storage. The encryption prevents unauthorized actors that may have accessed the storage system from obtaining the information.
Supported In
This requirement is verified in following services:
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CIS-3_11. Encrypt sensitive data at rest
- CWE™-311. Missing encryption of sensitive data
- CWE™-526. Cleartext Storage of Sensitive Information in an Environment Variable
- ePrivacy Directive-4_1a. Security of processing
- GDPR-32_1a. Security of processing
- GDPR-R45. Fulfillment of legal obligations
- NERC CIP-011-2_R1_2. Information protection
- OWASP TOP 10-A2. Cryptographic failures
- SOC2®-C1_1. Additional criteria for confidentiality
- OWASP-M TOP 10-M2. Insecure data storage
- OWASP-M TOP 10-M5. Insufficient cryptography
- BIZEC-APP-APP-05. Directory traversal
- NY SHIELD Act-5575_B_2. Personal and private information
- NY SHIELD Act-5575_B_6. Personal and private information
- MITRE ATT&CK®-M1041. Encrypt sensitive information
- PA-DSS-2_3. Render PAN unreadable anywhere it is stored
- PA-DSS-5_2_3. Insecure cryptographic storage
- PA-DSS-11_2. Render the PAN unreadable
- PA-DSS-12_1. Encrypt all nonconsole administrative access with strong cryptography
- PDPA-5_21. Access to personal data
- PDPA-6_24. Protection of personal data
- POPIA-3A_19. Security measures on integrity and confidentiality of personal information
- PDPO-S1_4. Security of personal data
- CMMC-AC_L2-3_1_19. Encrypt CUI on mobile
- CMMC-MP_L2-3_8_6. Portable storage encryption
- HITRUST CSF-06_d. Data protection and privacy of covered information
- ISA/IEC 62443-DC-4_1. Information confidentiality
- OSSTMM3-11_7_3. Data networks security (controls verification) - Privacy
- OSSTMM3-11_11_1. Data networks security - Privacy containment mapping
- FERPA-D_35_b_1. Conditions of prior consent required to disclose information
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- ISSAF-K_9_1. Network security - Storage Area Network SAN (practices for the data-at-rest)
- PTES-7_2_1. Post exploitation - Rules of engagement (protect the client)
- OWASP SCP-8. Data protection
- BSAFSS-SI_1-5. Avoid architectural weaknesses of authentication failure
- BSAFSS-EN_1-1. Encryption strategy and mechanisms
- OWASP MASVS-V2_14. Security verification requirements
- OWASP MASVS-V8_10. Resilience requirements - Device binding
- CWE TOP 25-798. Use of hard-coded credentials
- SWIFT CSCF-5_4. Physical and logical password storage
- OWASP ASVS-1_8_2. Data protection and privacy architecture
- OWASP ASVS-6_1_1. Data classification
- OWASP ASVS-6_1_2. Data classification
- OWASP ASVS-6_1_3. Data classification
- C2M2-9_5_d. Implement data security for cybersecurity architecture
- PCI DSS-2_2_7. System components are configured and managed securely
- PCI DSS-3_3_2. Sensitive authentication data (SAD) is encrypted using strong cryptography
- PCI DSS-3_3_3. Sensitive authentication data (SAD) is not stored after authorization
- SIG Lite-SL_78. Are applications used to transmit, process or store scoped data?
- SIG Core-D_4_4_2. Asset and information management
- SIG Core-H_3_2. Access control
- SIG Core-H_3_3. Access control
- CWE™-13. Misconfiguration - Password in configuration file
- CAPEC™-694. System Location Discovery
- CASA-1_8_2. Data Protection and Privacy Architecture
- CASA-6_1_1. Data Classification
- CASA-6_1_2. Data Classification
- CASA-6_1_3. Data Classification
- CASA-8_1_6. General Data Protection
- Resolution SB 2021 2126-Art_26_11_b. Information Security
- Resolution SB 2021 2126-Art_26_11_i. Information Security
- Resolution SB 2021 2126-Art_27_5. Security in Electronic Channels
- Resolution SB 2021 2126-Art_27_6. Security in Electronic Channels
- Resolution SB 2021 2126-Art_28_1. Security in Electronic Channels - ATMs
Vulnerabilities
- 020. Non-encrypted confidential information
- 055. Insecure service configuration - ADB Backups
- 095. Data uniqueness not properly verified
- 099. Non-encrypted confidential information - S3 Server Side Encryption
- 164. Insecure service configuration
- 165. Insecure service configuration - AWS
- 245. Non-encrypted confidential information - Credit Cards
- 246. Non-encrypted confidential information - DB
- 247. Non-encrypted confidential information - AWS
- 248. Non-encrypted confidential information - LDAP
- 249. Non-encrypted confidential information - Credentials
- 251. Non-encrypted confidential information - JFROG
- 275. Non-encrypted confidential information - Local data
- 284. Non-encrypted confidential information - Base 64
- 378. Non-encrypted confidential information - Hexadecimal
- 385. Non-encrypted confidential information - Keys
- 386. Cross-Site Leak - Frame Counting
- 406. Non-encrypted confidential information - EFS
- 407. Non-encrypted confidential information - EBS Volumes
- 409. Non-encrypted confidential information - DynamoDB
free trial
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.