185 – Encrypt sensitive information

Summary

All stored sensitive information must be encrypted.

Description

Systems usually stores personal data, i.e., Personally Identifiable Information (PII), medical records, credentials and other types of sensitive information. All of these must be encrypted before being stored using safe cryptographic mechanisms. This is also applicable when personal information must be temporarily stored in the client-side storage. The encryption prevents unauthorized actors that may have accessed the storage system from obtaining the information.

Supported In

Essential: True

Advanced: True

References

• CIS-3_11. Encrypt sensitive data at rest
• CWE-311. Missing encryption of sensitive data
• CWE-526. Cleartext Storage of Sensitive Information in an Environment Variable
• EPRIVACY-4_1a. Security of processing
• GDPR-32_1a. Security of processing
• GDPR-R45. Fulfillment of legal obligations
• NERCCIP-011-2_R1_2. Information protection
• OWASP10-A2. Cryptographic failures
• SOC2-C1_1. Additional criteria for confidentiality
• OWASPM10-M2. Insecure data storage
• OWASPM10-M5. Insufficient cryptography
• BIZEC-APP-05. Directory traversal
• NYSHIELD-5575_B_2. Personal and private information
• NYSHIELD-5575_B_6. Personal and private information
• MITRE-M1041. Encrypt sensitive information
• PADSS-2_3. Render PAN unreadable anywhere it is stored
• PADSS-5_2_3. Insecure cryptographic storage
• PADSS-11_2. Render the PAN unreadable
• PADSS-12_1. Encrypt all nonconsole administrative access with strong cryptography
• PDPA-5_21. Access to personal data
• PDPA-6_24. Protection of personal data
• POPIA-3A_19. Security measures on integrity and confidentiality of personal information
• PDPO-S1_4. Security of personal data
• CMMC-AC_L2-3_1_19. Encrypt CUI on mobile
• CMMC-MP_L2-3_8_6. Portable storage encryption
• HITRUST-06_d. Data protection and privacy of covered information
• IEC62443-DC-4_1. Information confidentiality
• OSSTMM3-11_7_3. Data networks security (controls verification) - Privacy
• OSSTMM3-11_11_1. Data networks security - Privacy containment mapping
• FERPA-D_35_b_1. Conditions of prior consent required to disclose information
• NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
• ISSAF-K_9_1. Network security - Storage Area Network SAN (practices for the data-at-rest)
• PTES-7_2_1. Post exploitation - Rules of engagement (protect the client)
• OWASPSCP-8. Data protection
• BSAFSS-SI_1-5. Avoid architectural weaknesses of authentication failure
• BSAFSS-EN_1-1. Encryption strategy and mechanisms
• CWE25-798. Use of hard-coded credentials
• SWIFTCSC-5_4. Password repository protection
• ASVS-1_8_2. Data protection and privacy architecture
• ASVS-6_1_1. Data classification
• ASVS-6_1_2. Data classification
• ASVS-6_1_3. Data classification
• C2M2-9_5_d. Implement data security for cybersecurity architecture
• PCI-2_2_7. System components are configured and managed securely
• PCI-3_3_2. Sensitive authentication data (SAD) is encrypted using strong cryptography
• PCI-3_3_3. Sensitive authentication data (SAD) is not stored after authorization
• SIGLITE-SL_78. Are applications used to transmit, process or store scoped data?
• SIG-D_4_4_2. Asset and information management
• SIG-H_3_2. Access control
• SIG-H_3_3. Access control
• CWE-13. Misconfiguration - Password in configuration file
• CAPEC-694. System Location Discovery
• CASA-1_8_2. Data Protection and Privacy Architecture
• CASA-6_1_1. Data Classification
• CASA-6_1_2. Data Classification
• CASA-6_1_3. Data Classification
• CASA-8_1_6. General Data Protection
• RESOLSB-Art_26_11_b. Information Security
• RESOLSB-Art_26_11_i. Information Security
• RESOLSB-Art_27_5. Security in Electronic Channels
• RESOLSB-Art_27_6. Security in Electronic Channels
• RESOLSB-Art_28_1. Security in Electronic Channels - ATMs
• OWASPMASVS-STORAGE-1. The app securely stores sensitive data
• OWASPMASVS-STORAGE-2. The app prevents leakage of sensitive data
• OWASPMASVS-CRYPTO-1. The app employs current strong cryptography and uses it according to industry best practices
• SANS25-18. Use of hard-coded credentials
• NIST-PR_DS-11. Backups of data are created, protected, maintained, and tested

Weaknesses

• 164 – Insecure service configuration
• 165 – Insecure service configuration - AWS
• 245 – Non-encrypted confidential information - Credit Cards
• 246 – Non-encrypted confidential information - DB
• 247 – Non-encrypted confidential information - AWS
• 248 – Non-encrypted confidential information - LDAP
• 249 – Non-encrypted confidential information - Credentials
• 251 – Non-encrypted confidential information - JFROG
• 275 – Non-encrypted confidential information - Local data
• 284 – Non-encrypted confidential information - Base 64
• 378 – Non-encrypted confidential information - Hexadecimal
• 385 – Non-encrypted confidential information - Keys
• 386 – Cross-Site Leak - Frame Counting
• 406 – Non-encrypted confidential information - EFS
• 407 – Non-encrypted confidential information - EBS Volumes
• 409 – Non-encrypted confidential information - DynamoDB
• 433 – Non-encrypted confidential information - Redshift Cluster
• 441 – Non-encrypted confidential information - Azure
• 020 – Non-encrypted confidential information
• 055 – Insecure service configuration - ADB Backups
• 095 – Data uniqueness not properly verified
• 099 – Non-encrypted confidential information - S3 Server Side Encryption

Last updated

2024/03/05