Surviving Your Next Data Breach

It happens even to tech giants: they get hacked and client databases get leaked. Let's look at what data is the most sensitive and what steps we can take to protect it, while still keeping all of the user experience intact. Come see why most web applications do passwords and credit card information wrong.

Anna Filina

March 09, 2017

Transcript

  1. @afilina
    Surviving Your Next
    Data Breach
    ConFoo, Montreal - March 9, 2017

  2. You Will Get Hacked

  3. It Happens
    • Dropbox: 68 million
    • Adobe: 152 million
    • LinkedIn: 164 million
    • Yahoo!: 1.2 billion

  4. Anna Filina
    • Project rescue expert
    • Dev, trainer, speaker
    • 1 company
    • 2 conferences

  5. Ways to Get Breached
    • Hackers
    • Employees
    • $5 consultants

  6. $5 Consultants?!

  7. (slide with no transcribed text)

  8. Don't use server passwords

  9. Sensitive Data
    • Passwords
    • Credit cards
    • Social security numbers
    • Current locations
    • IP addresses
    • ...

  10. Getting Ready for the Breach
    • Store less
    • Make stolen data useless
    • Post-breach procedures

  11. Store less sensitive data

  12. $5,000 - $100,000 per month

  13. But... recurring billing!

  14. (slide with no transcribed text)

  15. Vault
    (Diagram with the labels Vault, Credit card, Token, Amount + token, You, Payment gateway: you hand the credit card to the payment gateway's vault and receive a token; to charge, you send only the amount + token to the payment gateway.)

  16. **** **** **** 0123

  17. Sessions!

  18. (slide with no transcribed text)

  19. **** **** **** 0123
    Edit

  20. Implementation Effort?
    • ~5 hours
    • I'll retweet: @afilina

  21. Alternative Storage
    • Comments

  22. Please charge half on 4111 1111 1111 1111 (06/17) and the other half on 4012 8888 8888 1881 (10/19)

  23. Passwords
    • No plaintext.
    • No hash.

  24. Rainbow tables!

  25. How do They Work?
    • Create string permutations
    • Compute hashes
    • Steal password hashes
    • Look up in table

  26. What Then?
    • Salted hash
    • Repeated hashing

  27. bcrypt

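An added example, not from the deck, showing the failure mode and the fix of the preceding slides in Python: an unsalted hash can be looked up in a table computed in advance, while a per-user random salt plus repeated hashing makes that table useless. PBKDF2-HMAC from the standard library stands in for the bcrypt the deck recommends, and the wordlist and the stored-hash format are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist: stands in for the dictionary a precomputed
# hash lookup table (rainbow table) is generated from.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2"]


def plain_hash(password: str) -> str:
    """Unsalted, single-round SHA-256: the 'just a hash' scheme the deck rejects."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Computed once, offline, then reusable against every leaked database,
    because identical passwords always produce identical unsalted hashes."""
    return {plain_hash(w): w for w in words}


def recover_from_table(table: dict, stolen_hash: str) -> Optional[str]:
    """Return the plaintext if the stolen hash appears in the table, else None."""
    return table.get(stolen_hash)


def salted_stretched_hash(password: str, salt: Optional[bytes] = None,
                          rounds: int = 100_000) -> str:
    """Per-user random salt plus repeated hashing. PBKDF2-HMAC-SHA256 is used
    here only because it ships with the standard library; bcrypt (the deck's
    recommendation) follows the same salt-and-iterate idea.
    Stored format (assumed for this example): rounds$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    rounds, salt_hex, _ = stored.split("$")
    recomputed = salted_stretched_hash(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(recover_from_table(table, plain_hash("hunter2")))  # hunter2
    stored = salted_stretched_hash("hunter2")
    print(recover_from_table(table, stored))  # None: the table is useless here
    print(verify_password("hunter2", stored), verify_password("hunter3", stored))  # True False
```
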
  28. Response Plan
    • Log out.
    • Mark as compromised.
    • Force 2nd factor auth.
    • Force password change.
    • Mark as not compromised.

  29. Next Steps
    • What else do you not need?
    • E-mails?

  30. Centralized data is more vulnerable

  31. Let's protect private data

  32. @afilina afilina.com
