Surviving Your Next Data Breach

It happens even to tech giants: they get hacked and client databases get leaked. Let's look at what data is the most sensitive and what steps we can take to protect it, while still keeping all of the user experience intact. Come see why most web applications do passwords and credit card information wrong.

Anna Filina

March 09, 2017

Transcript

  1. @afilina Surviving Your Next Data Breach ConFoo, Montreal - March 9, 2017
  2. You Will Get Hacked
  3. It Happens • Dropbox (68 million) • Adobe (152 million) • LinkedIn (164 million) • Yahoo! (1.2 billion)
  4. Anna Filina • Project rescue expert • Dev, trainer, speaker • 1 company • 2 conferences
  5. Way to Get Breached • Hackers • Employees • $5 consultants
  6. $5 Consultants?!
  7. None
  8. Don't use server passwords
  9. Sensitive Data • Passwords • Credit cards • Social security numbers • Current locations • IP addresses • ...
  10. Getting Ready for the Breach • Store less • Make stolen data useless • Post-breach procedures
  11. Store less sensitive data
  12. $5,000 - $100,000 per month
  13. But... recurring billing!
  14. None
  15. Vault • Credit card • Token • Amount + token • You • Payment gateway
  16. **** **** **** 0123
  17. Sessions!
  18. None
  19. **** **** **** 0123 Edit
  20. Implementation Effort? • ~5 hours • I'll retweet: @afilina
  21. Alternative Storage • Comments
  22. Please charge half on 4111 1111 1111 1111 (06/17) and the other half on 4012 8888 8888 1881 (10/19)
  23. Passwords • No plaintext. • No hash.
  24. Rainbow tables!
  25. How do They Work? • Create string permutations • Compute hashes • Steal password hashes • Look up in table
  26. What Then? • Salted hash • Repeated hashing
  27. bcrypt
  28. Response Plan • Log out. • Mark as compromised. • Force 2nd factor auth. • Force password change. • Mark as not compromised.
  29. Next Steps • What else do you not need? • E-mails?
  30. Centralized data is more vulnerable
  31. Let's protect private data
  32. @afilina afilina.com
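Slides 15, 16 and 22 together make one point: keep only the gateway's token plus a masked number, and expect card numbers to leak anyway into free-text fields such as comments. The following is an added example, not code from the talk. The vault (`vault_store`, `gateway_charge`) is an in-memory stand-in for the payment gateway, the merchant keeps only the token and the masked display value, and a Luhn-checked scan redacts card numbers pasted into a comment. The two card numbers are the public test numbers shown on slide 22.

```python
"""Added example (not from the talk): the vault/token flow of slides 15-16 and
a Luhn-checked redaction of card numbers that users paste into free text
(slide 22). The vault is an in-memory dict standing in for the payment
gateway; the card numbers are the public test numbers shown on the slide."""
from __future__ import annotations
import re
import secrets

# --- gateway side: the only place a full card number (PAN) ever lives ---
_vault = {}  # token -> PAN (hypothetical stand-in for the gateway's vault)

def vault_store(pan: str) -> str:
    """Exchange a PAN for an opaque token; the token is useless without the vault."""
    token = "tok_" + secrets.token_hex(12)
    _vault[token] = re.sub(r"\D", "", pan)
    return token

def gateway_charge(token: str, amount_cents: int) -> bool:
    """Slide 15: the merchant sends 'amount + token', never the card again."""
    return token in _vault and amount_cents > 0

# --- merchant side: store only what the UI on slide 16 needs ---
def mask_pan(pan: str) -> str:
    """Display form: everything but the last four digits is dropped, not hidden."""
    digits = re.sub(r"\D", "", pan)
    return "**** **** **** " + digits[-4:]

def save_card(pan: str) -> dict:
    """The only card-related row the merchant database holds."""
    return {"token": vault_store(pan), "display": mask_pan(pan)}

# --- slide 22: card numbers leak into comment fields; find and redact them ---
def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\d(?:[ -]?\d){12,18}")

def redact_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid digit run with its masked form; return (text, count)."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return match.group(0)   # e.g. an order number: leave it alone

    return PAN_RE.sub(repl, text), count

if __name__ == "__main__":
    row = save_card("4111 1111 1111 1111")          # test number from slide 22
    print(row["display"], gateway_charge(row["token"], 4999))
    comment = ("Please charge half on 4111 1111 1111 1111 (06/17) "
               "and the other half on 4012 8888 8888 1881 (10/19)")
    print(redact_pans(comment))
```

Run `redact_pans` on the way in (before the comment is written) rather than as a cleanup job afterwards; the masked form keeps enough for support staff to match a card while the full number never reaches the database.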
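Slides 23 to 27 explain why a bare hash is not enough and what to use instead. Added example, not code from the talk: a bare SHA-256 that a precomputed table recovers instantly for every user who picked the same password, beside a salted, iterated hash that gives each user a different value. The slide names bcrypt; `hashlib.pbkdf2_hmac` is used here only because it ships with Python, and the bcrypt or argon2 packages are the better production choice. The passwords and the candidate list are constructed sample values.

```python
"""Added example (not from the talk): why the bare hash of slide 23 falls to the
precomputed lookup of slides 24-25, and the salted, repeated hashing the talk
recommends on slides 26-27. pbkdf2_hmac stands in for bcrypt because it is in
the standard library; all passwords below are constructed sample values."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # tune so one hash costs tens of milliseconds on your hardware

def naive_hash(password: str) -> str:
    """Slide 23: a bare hash; the same password gives the same output for every user."""
    return hashlib.sha256(password.encode()).hexdigest()

def lookup_table(candidates) -> dict:
    """Slide 25: hash a candidate list once, then look leaked hashes up in it."""
    return {naive_hash(c): c for c in candidates}

def hash_password(password: str) -> str:
    """Slides 26-27: random 16-byte salt plus many iterations, stored as one string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    # constructed sample: two users chose the same weak password
    leaked = [naive_hash("summer2017"), naive_hash("summer2017")]
    table = lookup_table(["password", "summer2017", "letmein"])
    print([table.get(h) for h in leaked])            # both recovered at once
    a, b = hash_password("summer2017"), hash_password("summer2017")
    print(a != b, verify_password("summer2017", a))  # True True
```

The salt defeats the precomputed table because every user would need a table of their own; the iteration count is what makes building such a table slow, and it is the knob to raise as hardware gets faster.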
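Slide 28 gives the response plan as five steps. Added example, not code from the talk, that turns those steps into an account state machine: the session store, the password check and the second-factor check are stand-ins (a dict and two booleans supplied by the caller), so what the code shows is the order the steps are enforced in and that no full session is issued until the plan is complete.

```python
"""Added example (not from the talk): the five-step response plan of slide 28
as an account state machine. The session store, the password check and the
second-factor check are stand-ins (a dict and two booleans supplied by the
caller); the ordering the code enforces is the point."""
from dataclasses import dataclass, field
import secrets

@dataclass
class Account:
    username: str
    compromised: bool = False
    second_factor_done: bool = False
    password_hash: str = ""
    sessions: dict = field(default_factory=dict)  # session id -> scope

def new_session(acct: Account, scope: str = "full") -> str:
    sid = secrets.token_urlsafe(16)
    acct.sessions[sid] = scope
    return sid

def mark_compromised(acct: Account) -> None:
    """Steps 1-2: 'Log out.' then 'Mark as compromised.'"""
    acct.sessions.clear()          # every live session dies, the intruder's included
    acct.compromised = True
    acct.second_factor_done = False

def login(acct: Account, password_ok: bool, second_factor_ok: bool = False):
    """Returns (status, session id or None). A compromised account never gets a
    full session until steps 3 and 4 have been completed in order."""
    if not password_ok:
        return ("denied", None)
    if not acct.compromised:
        return ("ok", new_session(acct))
    if not acct.second_factor_done:             # step 3: 'Force 2nd factor auth.'
        if not second_factor_ok:
            return ("second_factor_required", None)
        acct.second_factor_done = True
    # step 4: 'Force password change.' -- only a restricted session is issued
    return ("password_change_required", new_session(acct, scope="password_change_only"))

def change_password(acct: Account, session_id: str, new_password_hash: str) -> bool:
    """Step 4 completes here and step 5 ('Mark as not compromised.') follows."""
    if session_id not in acct.sessions:
        return False
    if acct.compromised and not acct.second_factor_done:
        return False                            # never skip the second factor
    acct.password_hash = new_password_hash      # hashed as on slides 26-27
    acct.sessions.clear()                       # sessions of the old password are gone
    acct.compromised = False
    acct.second_factor_done = False
    return True

def require_full_session(acct: Account, session_id: str) -> bool:
    """Gate for every normal request: a restricted session may only change the password."""
    return acct.sessions.get(session_id) == "full"

if __name__ == "__main__":
    alice = Account("alice")
    mark_compromised(alice)
    print(login(alice, password_ok=True))                        # second factor first
    status, sid = login(alice, password_ok=True, second_factor_ok=True)
    print(status, require_full_session(alice, sid))              # restricted session
    change_password(alice, sid, "<new hash>")
    print(login(alice, password_ok=True)[0])                     # ok
```

The restricted session scope is what keeps step 4 honest: without it, a user (or the intruder holding the password) who passes the second factor could simply keep using the account with the leaked password and never reach step 5.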