Surviving Your Next Data Breach

@aﬁlina
Surviving Your Next
Data Breach
ConFoo, Montreal - March 9, 2017

View Slide

You Will Get Hacked

View Slide

It Happens
• Dropbox
• Adobe
• LinkedIn
• Yahoo!
68 million
152 million
164 million
1.2 billion

View Slide

Anna Filina
• Project rescue expert
• Dev, trainer, speaker
• 1 company
• 2 conferences

View Slide

Way to Get Breached
• Hackers
• Employees
• $5 consultants

View Slide

$5 Consultants?!

View Slide

View Slide

Don't use server passwords

View Slide

Sensitive Data
• Passwords
• Credit cards
• Social security numbers
• Current locations
• IP addresses
• ...

View Slide

Getting Ready for the Breach
• Store less
• Make stolen data useless
• Post-breach procedures

View Slide

Store less sensitive data

View Slide

$5,000 -
$100,000
per month

View Slide

But... recurring billing!

View Slide

View Slide

Vault
Credit card
Token
Amount + token
You
Payment
gateway

View Slide

**** **** **** 0123

View Slide

Sessions!

View Slide

View Slide

**** **** **** 0123
Edit

View Slide

Implementation Effort?
• ~5 hours
• I'll retweet: @aﬁlina

View Slide

Alternative Storage
• Comments

View Slide

Please charge half on  
4111 1111 1111 1111  
(06/17)
and the other half on 
4012 8888 8888 1881 
(10/19)

View Slide

Passwords
• No plaintext.
• No hash.

View Slide

Rainbow tables!

View Slide

How do They Work?
• Create string permutations
• Compute hashes
• Steal password hashes
• Look up in table

View Slide

What Then?
• Salted hash
• Repeated hashing

View Slide

bcrypt

View Slide

Response Plan
• Log out.
• Mark as compromised.
• Force 2nd factor auth.
• Force password change.
• Mark as not compromised.

View Slide

Next Steps
• What else do you not need?
• E-mails?

View Slide

Centralized data is more
vulnerable

View Slide

Let's protect private data

View Slide

@aﬁlina aﬁlina.com

View Slide

Anna Filina
PRO