Surviving Your Next Data Breach


It happens even to tech giants: they get hacked, and client databases get leaked. Let’s look at what data is the most sensitive and what steps we can take to protect it, while still keeping all of the user experience intact. Come see why most web applications do passwords and credit card information wrong.


Anna Filina

June 01, 2017

Transcript

Slide 3: It Happens
• Dropbox: 68 million
• Adobe: 152 million
• LinkedIn: 164 million
• Yahoo!: 1.2 billion

Slide 11: Sensitive Data
• Passwords
• Credit cards
• Social security numbers
• Current locations
• IP addresses
• ...

Slide 12: Getting Ready for the Breach
• Store less
• Make stolen data useless
• Post-breach procedures

Slide 25: Please charge half on 4111 1111 1111 1111 (06/17) and the other half on 4012 8888 8888 1881 (10/19)

Slide 28: How do They Work?
• Create string permutations
• Compute hashes
• Steal password hashes
• Look up in table

Slide 29: Collisions
• They are rare
• Pick the shortest and most obvious
• Can just try all matches on a site

Slide 34: Password Policy
• Don't limit number and type of characters
• Harder to generate rainbow tables
• Also prevents brute force

Slide 35: Security Questions
• Known by a wide group of people
• You're storing more private data
• Security questions on other sites

Slide 37: Example Procedure
• Log out.
• Mark as compromised (is_dirty=1).
• Force 2nd factor auth.
• Force password change.
• Mark as not compromised.
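The account-recovery procedure from slide 37, as an added Python example that is not code from the talk: the `is_dirty` flag is the slide's; the in-memory `Account` class, the PBKDF2 stand-in for a real password hash, and the `mark_compromised` / `login` function names are assumptions.

```python
import hashlib
import hmac
import os

class Account:
    """Minimal in-memory user record (assumed; not the talk's schema)."""
    def __init__(self, username, password):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.is_dirty = 0          # flag name taken from the slide
        self.sessions = set()      # active session tokens

    @staticmethod
    def _hash(password, salt):
        # Stand-in for a real password hash (bcrypt/argon2); stdlib PBKDF2.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, self._hash(password, self.salt))

def mark_compromised(account):
    """Slide steps 1-2: log the user out everywhere, then set is_dirty=1."""
    account.sessions.clear()
    account.is_dirty = 1

def login(account, password, second_factor_ok, new_password=None):
    """Slide steps 3-5: while the account is dirty, require a second factor
    and a password change before clearing the flag and issuing a session."""
    if not account.check_password(password):
        return "denied"
    if account.is_dirty:
        if not second_factor_ok:
            return "second_factor_required"
        # The replacement must differ from the (presumed leaked) password.
        if new_password is None or account.check_password(new_password):
            return "password_change_required"
        account.salt = os.urandom(16)
        account.pw_hash = Account._hash(new_password, account.salt)
        account.is_dirty = 0       # mark as not compromised
    account.sessions.add(os.urandom(8).hex())
    return "ok"
```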