OWASP RTP Presentation on Data breaches, credential spills, the lifespan of data, credential stuffing, the attack lifecycle, and what you can do to protect yourself or your users.
Cyber extortion involves attacking or threatening to attack a target and demanding money to stop the attack. Originally, denial of service attacks against websites were common, but now ransomware that encrypts victims' data and demands payment in bitcoin in exchange for the decryption key is prevalent. Cyber extortion can earn attackers millions annually. Most efforts start through malware in emails or websites, so users should be educated on phishing and back up devices regularly to mitigate risks.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the BSides Cleveland Information Security Conference on 06/23/2018 in Cleveland, Ohio.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and ex-filtrate our data.
The focus of this presentation is on actively defending a live public facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitor’s impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
Over 1.5 million customer records were stolen from T-Mobile Czech Republic by an employee. The records included names, email addresses, account numbers, but not location or traffic data. T-Mobile claims the perpetrator was caught trying to sell the database.
A hacking group in Russia allegedly used malware called Lurk to steal over 1.7 billion roubles (US $25.4 million) from bank accounts in Russia. Authorities arrested 50 people in connection with the scheme.
Github warned that a number of user accounts had been compromised through a password reuse attack related to recent data breaches at LinkedIn, MySpace, Tumblr and other sites that exposed over 642 million passwords.
RSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case Studies (Wayne Huang)
Bitcoin's future threats: what’s real and what’s not? Audience votes after panelists release a whitepaper and overview key case studies on: remote exploitation (31), mining resources theft (17), wallet theft (10), fraud or scam (10), crime or terrorism (10), insider threat (8), DDoS (7), phishing (6), coin loss (4), software bug or human error (3), social engineering (1), 51% attack (1), government bans (1). See more at: https://www.rsaconference.com/events/us15/agenda/sessions/1710/bitcoins-future-threats-experts-roundtable-based-on
Exploring DarkWeb For Threat Intelligence (SACON May 2018) (Priyanka Aash)
This session includes Information Security - basics & protection of information from threats, Cyber Risks & Threats, Targeted & Non-Targeted Attacks, Attack Life Cycle - Kill Chain, Cyber Threat Intelligence, CTI Jargons, Research Ethics, OSINT, OSINT Using Google, Deep Web Search Engine, Image Search Engines, Using Social Media, Phishing URLs, Mailing Lists, RSS Feeds, Operation Security (OPSEC) - Basics & Best Practices, Tor - The Onion Router, Dark Net Forums, Zero Net, Communication Channels & more
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the Ohio Information Security Forum (OISF) Anniversary Conference on 07/14/2018 in Dayton, Ohio.
Matthew Hughes is a pen tester, coder, blogger, and security consultant who gave a talk on web application security. The talk covered common attacks like XSS, SQL injection, and XSRF. It emphasized that most websites are insecure, secure coding is difficult, and security breaches can be very costly. The talk provided examples of vulnerabilities, encouraged responsible disclosure of issues found, and stressed the importance of defense in depth for security.
I will present multiple case studies to convey the message that if you think limited, you will be limited. The bug bounty approach has degraded the quality of penetration testing, for both the customers as well as the practitioners. It is hard for the customer to differentiate between a good penetration test and a quick and dirty top-10 or top-25 approach.
https://nsconclave.net-square.com/pentesters-mindset.html
(SACON) Shomiron das gupta - threat hunting use cases (Priyanka Aash)
This document summarizes a presentation on using open source tools for threat hunting. It discusses:
1) Triggers that initiate a threat hunt like threat intelligence, outlier detection, or anomaly detection.
2) The threat hunting process including local/remote hunting, building hunting plans, and triaging outcomes.
3) Techniques like enrichment with local context data, using frameworks like ATT&CK to structure hunting, and building playbooks to formalize processes.
4) Examples of open source tools that can be used for threat hunting including ATT&CK Navigator, MITRE ATT&CK framework, and connecting multiple tools in a threat hunting workflow.
This document discusses account takeover (ATO) risks in the digital world. ATO occurs when attackers steal users' personal information or credentials to access their existing accounts. The document outlines how attackers conduct ATOs using tools like credential spraying, botnets, and captcha solving services. It also provides examples of real ATO cases. The key recommendations are for companies to implement login protections like multi-factor authentication and behavior monitoring, and for users to properly manage their personal accounts with strong passwords, breach alerts, and awareness of social engineering tactics. Working together, companies and users can help reduce ATO risks.
Account takeover has started to become a huge issue in 2016, but it's actually been the number one attack vector for web applications for the past three years.
Learn how this common attack works, why it's so popular with attackers, and how you can defend against it.
This document discusses threat hunting and next generation SIEM use cases. It will cover changing how detection is approached, objectives and strategies for hunting threats, and setting up a threat hunting workshop. The presenter is the founder and CEO of NETMONASTERY, which built DNIF, an integrated threat hunting platform. Over the course of three sessions, attendees can expect to learn strategies and processes for threat hunting, how to think about known and unknown threats, and how to set up the tools and playbooks needed to successfully implement threat hunting in their environment.
Identity theft: Developers are key - JavaZone17 (Brian Vermeer)
Identity theft and cybercrime pose real threats that are growing as organized criminal networks engage in cybercrime as a profitable business. As developers, we must be aware of security risks and integrate protections into our work, including securing passwords, preventing SQL injection, and avoiding cross-site scripting vulnerabilities. The Open Web Application Security Project (OWASP) provides guidance on application security best practices developers should follow.
This document discusses identity theft and cybercrime as growing threats. Developers are urged to integrate security practices like code reviews, using prepared statements to prevent SQL injection, hashing passwords, and preventing cross-site scripting. Following standards like OWASP Application Security Verification Standard (ASVS) can help developers build more secure applications and protect user data and identities. While cybercrime has become very profitable, developers must be aware of security risks and see themselves as part of the solution through secure development.
This document discusses identity theft and cybercrime as growing threats. Developers are urged to integrate security practices like code reviews, using prepared statements to prevent SQL injection, hashing passwords, and preventing cross-site scripting. Following standards like OWASP Application Security Verification Standard (ASVS) can help developers build more secure applications and protect user data and identities. As threats increase, developers must make security a priority in the development process to help address these issues rather than be part of the problem.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the 11th Annual Northern Kentucky University Cybersecurity Symposium on 10/12/2018.
The document provides tips on how businesses can protect themselves from cyber attacks. It begins by introducing common hacker tactics like phishing, exploiting wireless networks, and scanning for website vulnerabilities. It then discusses the types of attackers and their motives, usually to steal financial information or damage a company's reputation. Several specific attack vectors are outlined, including using default passwords, vulnerable websites, insecure wireless networks, flaws in internet banking, and social engineering through phishing emails. The presentation emphasizes adopting a "protect, detect, correct" mindset and classifying sensitive data, as well as following security best practices like enabling two-factor authentication, using strong unique passwords, and keeping software updated. The key message is that businesses of any size can take
Make Every Spin Count: Putting the Security Odds in Your Favor (David Perkins)
Cerdant’s Director of Engineering, Joshua Skeens, presented the best ‘bets’ to increase your security odds. Josh warned customers to stop gambling with their data, and cautioned against weak, guessable passwords stating, “Use 2-Factor Authentication everywhere!” The first step in creating the best security posture possible for your business will always be just getting started, and to keep momentum Josh suggests implementing 1 new security practice each week.
Devnexus 2017 Cybercrime and the Developer: How do you make a difference? (Steve Poole)
Cybercrime how bad can it be? Organised attacks around the world in 2016 have shown how unprepared we are to deal with the growth of Cybercrime. In this talk learn a little about the scale of the challenge developers face from assaults on our systems. Be prepared to be appalled and scared. Fainting is not allowed. Discover how to fight back and see how you can change your behaviour and your code to defend against these attacks.
Your destiny is clear - it’s time to become a Cyber Defender
Cybercrime and the Developer Java2Days 2016 Sofia (Steve Poole)
The document discusses cybersecurity risks and how developers can help address them. It notes that cybercriminals target developers because they have privileged access and knowledge of systems. Developers are often too trusting and ignore security, installing software without checking for malware or disabling certificate validation. The talk urges developers to take security more seriously by keeping systems updated, using strong authentication, and being wary of suspicious network connections and downloads from untrusted sources. Developers must help address the growing problem of cybercrime by promoting secure development best practices.
The State of Credential Stuffing and the Future of Account Takeovers (Jarrod Overson)
Jarrod Overson discusses the evolution of credential stuffing attacks and where they may go in the future. He summarizes that credential stuffing started as basic automated login attempts but has evolved through generations as defenses were put in place, such as CAPTCHAs and behavior analysis. The next generation involves more sophisticated imitation attacks that flawlessly emulate human behavior using real device fingerprints to blend in. Beyond credential stuffing, malware may start scraping user accounts and environments directly from infected machines. As defenses raise the cost of attacks, fraudsters will diversify methods to preserve the value of valid accounts and user data.
In the world of DevOps and the cloud, most developers have to learn new technologies and methodologies. The focus tends to be on adding capabilities such as resilience and scaling to an application. One critical aspect consistently overlooked is security.
In this session, learn about a few of the simple actions you can take (and some behaviors you must change) to create a more secure Java application for the cloud. The world of the cyber criminal is closer than you realize. Hear how at risk your application may be, see practical examples of how you can inadvertently leave the doors open, and understand what you can do to make your Java solution more secure.
Things that go bump on the web - Web Application Security (Christian Heilmann)
My talk at the Web Directions North conference in Denver, Colorado. It covers basic technologies and methodologies of attacks of web applications, what we can do against them and a plea for making interfaces more educational about security than scaring users.
How Credential Stuffing is Evolving - PasswordsCon 2019 (Jarrod Overson)
Slides for talk given at PasswordsCon Sweden 2019. Credentials Stuffing is an automated attack that exploits users who reuse passwords by taking breached credentials and replaying them across sites.
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense (John Bambenek)
Between limited resources and a lack of trained professionals on one hand and the increasing quantity and quality of attacks on the other, securing enterprises and responding to incidents has placed defenders on the losing end of a digital arms race. Even managing the amounts of threat data and open-source intelligence has become a challenge.
This talk will cover the possibilities and perils of integrating all the various sources of threat intelligence data to protect an organization. With all the various open-source and paid-source data, simply dumping it all into a firewall or DNS RPZ zone can be problematic. What to do about compromised websites or shared hosting environments? What about DGA domains that use full words and may collide with actual innocent websites? What about how to handle threat data that is lacking in context to make appropriate decisions on its validity and accuracy? This talk will present several case studies in how these problems can be tackled and how using multi-domain analysis can help reduce the risk and maximize the value of automated protection using these types of data.
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
- Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
Johnathan Nightingale of Mozilla Corporation presents ideas for improving browser security user interfaces (UI). He argues that existing security UIs like padlocks are sparse, incomprehensible, and not carefully designed. He proposes five rules for good security UI: be meaningful, relevant, robust, available, and brave. As an example, he suggests replacing padlocks with "Larry", an identity indicator that clearly shows website identity and is based on standardized Extended Validation certificates. The presentation concludes by discussing additional aspects of security UI and soliciting further ideas and discussion.
Password and Account Management Strategies - April 2019 (Kimberley Dray)
This document provides a summary of a presentation about password and account management strategies. It discusses the importance of using long passphrases instead of complex passwords. It also recommends using a password manager to generate and store unique passwords for each account. Additionally, it advocates for the use of multi-factor authentication whenever available to add an extra layer of security. The presentation highlights factors to consider regarding who has access, what devices are used, locations, and recommended regularly changing passphrases and monitoring accounts.
For organizations today, cyber security stands as a top priority to keep their information and systems safe from theft, damage, or disruption. Within the financial industry, cyber security is especially important, and adopting best practices and procedures can help prevent attackers from succeeding. Organizations’ defensive strategies are what will best help them win the game. This presentation reviews how the enemy works, ways to defend your organization from an attack, what hackers are capable of, and more.
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012 (Nick Galbreath)
This document discusses fraud engineering at Etsy. It begins by introducing the author, Nick Galbreath, and his background in security. It then provides context about Etsy as an online marketplace. It outlines different types of risk like fraud, security threats, and business continuity. It emphasizes thinking about risk from both a fraud and security perspective. The document then provides examples of how different parts of the organization like technical operations, quality assurance, product, business operations, engineering, and customer service can work together on fraud prevention and leverages their existing tools and resources. It also provides a case study example of investigating mysterious data center logins. The overall message is about taking a holistic organizational approach to fraud engineering.
This document discusses hackers and software security. It provides examples of past hacks such as those on Sony Pictures and Citigroup. It outlines why software security is important when handling sensitive user information. The document discusses how hackers think and different types of hackers. It recommends following security principles like defense in depth, least privilege, and keeping security simple. It provides references for further reading on application security topics.
Ransomware is a type of malware that encrypts files on an infected device and demands ransom payment to decrypt the files. It works by preying on human emotions like fear of losing important files. For cybercriminals, ransomware is a lucrative business that earned over $24 million from just 2,453 attacks in 2015. There are three main types - encryption ransomware, master boot record ransomware, and lockscreen ransomware. Ransomware poses a big threat to both individuals and businesses alike, though some myths persist that it only targets one group over another. The document discusses whether to pay ransoms or not.
This document discusses cyber ethics and hacking. It begins with an introduction to why security is important and defines hacking. It then discusses different types of hackers like hackers, crackers, phreaks, and script kiddies. The document outlines strategies for ethical hackers and malicious hackers. It also discusses the importance of vulnerability research and provides conclusions about security.
Why is password protection a fallacy: a point of view (Yury Chemerkin)
This document discusses vulnerabilities in password protection and login security. It provides tips for creating strong passwords but notes that passwords are not fully secure due to vulnerabilities like keylogging malware, screen capturing of password entry, and login spoofing attacks. On Windows systems, replacing files like utilman.exe that activate alternate login screens can enable unauthorized password changes. iPhones also had login bugs exposing passwords through unexpected screen transitions. In summary, while passwords provide some protection, they have significant limitations and vulnerabilities that can be exploited by attackers.
The document discusses improving security user interfaces (UIs) on web browsers. It proposes replacing the ubiquitous padlock icon with an identity indicator called "Larry" that clearly shows website identity using extended validation certificates. Larry is evaluated against five rules for good security UI ("MRRAB"): meaningful, relevant, robust, available, and brave. The document also considers other aspects of security UI and explores ideas like using social connections and past browsing history to help users identify legitimate websites. It aims to spark discussion on making security indicators more understandable and effective for users.
AppSecCali - How Credential Stuffing is Evolving (Jarrod Overson)
This talk was given at AppSec California, January 2020.
Credential stuffing and other automated attacks are evolving past every defense thrown in their way. CAPTCHAs don't work, fingerprints don't work, magical AI-whatevers don't work. The value is just too great.
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su... (Jarrod Overson)
This document summarizes an analysis of an exploited NPM package called event-stream. It describes how an attacker gained control of the package and added malicious code that was downloaded by thousands of projects whenever their dependencies were updated. The malicious code stole cryptocurrency from wallets containing large amounts. It highlights the risks of supply chain attacks and emphasizes the importance of auditing dependencies, locking versions, and thinking carefully before adding new dependencies to avoid compromising entire projects and their users.
Analysis of an OSS supply chain attack - How did 8 millions developers downlo... (Jarrod Overson)
Jarrod Overson presented on a supply chain attack that occurred in 2018 through the compromise of the event-stream Node.js package. An unauthorized developer gained commit access and introduced malicious code through new dependencies that was then installed by millions of users. The malware harvested cryptocurrency private keys from the Copay wallet app. While the community responded quickly, such attacks demonstrate vulnerabilities in open source software supply chains and dependency management that will continue to be exploited if not properly addressed through changes to practices and tooling.
Deepfakes - How they work and what it means for the future (Jarrod Overson)
Deepfakes originally started as cheap but believable video effects and have expanded into AI-generated content of every format. This session dove into the state of deepfakes and how the technology highlights an exciting but dangerous future.
Workshop slides originally given at the WOPR Summit in Atlantic City. Use JavaScript parsers and generators like Shift combined with Puppeteer and Chrome to reverse engineer web applications
Talk given at Mozilla's first View Source Conference in Portland, 2015. Details out the parallels between graphics and game developments compared to traditional web development.
This was a talk given at HTML5DevConf SF in 2015.
Ever wanted to write your own Browserify or Babel? Maybe have an idea for something new? This talk will get you started understanding how to use a JavaScript AST to transform and generate new code.
This document discusses ECMAScript 2015 (ES2015), also known as ES6. It provides examples of new ES2015 features like arrow functions, template literals, classes, and modules. It also discusses how to set up a development environment to use ES2015, including transpiling code to ES5 using Babel, linting with Eslint, testing with Mocha, and generating coverage reports with Istanbul. The document emphasizes that while ES2015 is fun to explore, proper tooling like linting and testing is needed for serious development. It concludes by noting ES2015 marks a transition and thanks the audience.
The document discusses achieving maintainability in code through examining code quality with linters, generating visual reports on metrics like complexity and coverage, and automating processes like builds, linting, and testing through tools like Grunt and Gulp. It emphasizes setting limits on metrics like complexity, enforcing code style through automation, and treating documentation as important as code.
1) The document discusses achieving maintainability in code through analysis, automation, and enforcement of standards.
2) It recommends setting up linting, code coverage, and other analysis tools to examine code quality and automatically enforcing code style through build processes.
3) The key is to automate as many processes as possible like testing, linting, and documentation to make the code easy to work with and prevent issues from being introduced.
Riot on the web - Keynote @ QCon Sao Paulo 2014 (Jarrod Overson)
Slides for the keynote given at QCon Sao Paulo 2014. Talk goes into the problems scaling Riot and how we've tried to solve them as well as what we've learned from the web and what lies in store next.
Managing JavaScript Complexity in Teams - Fluent (Jarrod Overson)
This document discusses managing complexity in JavaScript projects. It addresses coming to terms with the challenges of dynamic languages being messy, having an immature tooling ecosystem, and rapid evolution. It emphasizes respecting code style conventions, enforcing linting rules, documenting code, and using metrics like cyclomatic complexity to reduce testing difficulty. The overall message is that perseverance is needed to tame JavaScript's complexity through automation, visualization, honesty and acceptance of its challenges and opportunities.
The document discusses web components, which include HTML templates, custom elements, shadow DOM, and HTML imports. Web components allow the creation of reusable custom elements with their own styles and DOM structure. They provide encapsulation and help avoid issues with global namespaces. While browser support is still emerging for some features, polyfills exist and frameworks like Polymer make web components accessible today. Web components represent an important evolution of the web that will improve how code is structured and shared.
This talk was given on Oct 23 at HTML5DevConf in San Francisco. The topic was Continuous Delivery as it relates to JavaScript applications, using tools like grunt and jenkins.
The life of breached data and the attack lifecycle
1. The Life of Breached Data
August 2018
Jarrod Overson, Director of Engineering at Shape Security
The Dark Side of Security
9. It’s more than just mega-breaches from large companies
Web forums contributed many of the spills in 2017, though each forum spill exposed a smaller number of credentials than a mega-breach.
12. Every breach adds a piece of you to a criminal's database.
Passwords, emails, names, security questions & answers, addresses, and more
13. The downstream path from breach to fraud
Data Breaches → Credential Spills → Credential Stuffing Attacks → Account Takeovers → Fraud & Exploitation
Outside of your control: the data breaches and credential spills, which happen at other sites.
Within your control: the credential stuffing attacks, account takeovers and fraud that follow on your own site.
14. Credential stuffing attacks
Credentials spilled from one site (Bank 0) are replayed against unrelated sites (✅ login succeeded, ❌ login failed):

Credential                      Retailer x   Bank y   Airline z
bob@gmail.com:p@ssw0rd1         ✅           ❌       ✅
sally@yahoo.com:qwerypoiu       ❌           ✅       ❌
donna@company.com:norah2012     ✅           ❌       ❌
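Detection logic for the pattern in this table, added here as an example and not part of the original deck or of any Shape Security product: from the defender's side a replayed spill shows up as one source trying many distinct usernames in a short window with a low success rate, which is nothing like a user mistyping their own password. The code parses constructed login-log lines (timestamp, source IP, username, outcome), buckets them into tumbling windows per source, flags sources over the thresholds, and lists the accounts that did authenticate from a flagged source. The log format, the thresholds and the sample lines are assumptions.

```python
"""Flag credential-stuffing sources in a login log and list the accounts they hit."""
from collections import defaultdict
from dataclasses import dataclass, field

# Illustrative thresholds (assumptions, tune per site).
WINDOW_SECONDS = 60       # tumbling window per source address
MIN_ATTEMPTS = 8          # volume a human retrying one account never reaches
MIN_DISTINCT_USERS = 5    # a real user retries one account, a spill replays many
MAX_SUCCESS_RATE = 0.3    # replayed spills succeed on a small fraction of accounts

# Constructed sample log: "epoch_seconds source_ip username outcome".
# 203.0.113.7 replays ten different credentials in six seconds and hits two;
# 198.51.100.9 is one person getting their own password right on the third try.
SAMPLE_LOG = """\
1533081600 203.0.113.7 bob@gmail.com FAIL
1533081601 203.0.113.7 sally@yahoo.com FAIL
1533081601 203.0.113.7 donna@company.com OK
1533081602 203.0.113.7 amy@example.net FAIL
1533081602 203.0.113.7 carl@example.org FAIL
1533081603 203.0.113.7 dave@example.com FAIL
1533081604 203.0.113.7 erin@example.com FAIL
1533081604 203.0.113.7 frank@example.com FAIL
1533081605 203.0.113.7 gina@example.com FAIL
1533081605 203.0.113.7 hank@example.com OK
1533081600 198.51.100.9 alice@example.com FAIL
1533081610 198.51.100.9 alice@example.com FAIL
1533081620 198.51.100.9 alice@example.com OK
"""


@dataclass
class LoginEvent:
    ts: int
    src_ip: str
    username: str
    ok: bool


@dataclass
class Alert:
    src_ip: str
    window_start: int
    attempts: int
    distinct_users: int
    successes: int
    hit_usernames: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(int(ts), ip, user, outcome == "OK"))
    return events


def detect_stuffing(text: str, window: int = WINDOW_SECONDS,
                    min_attempts: int = MIN_ATTEMPTS,
                    min_distinct: int = MIN_DISTINCT_USERS,
                    max_rate: float = MAX_SUCCESS_RATE) -> list:
    """Return one Alert per (source, window) that looks like a credential-stuffing run."""
    buckets = defaultdict(list)
    for ev in parse_log(text):
        # Tumbling window: floor the timestamp to the window boundary.
        buckets[(ev.src_ip, ev.ts - ev.ts % window)].append(ev)

    alerts = []
    for (ip, start), evs in sorted(buckets.items()):
        users = {e.username for e in evs}
        hits = sorted({e.username for e in evs if e.ok})
        successes = sum(1 for e in evs if e.ok)
        rate = successes / len(evs)
        if len(evs) >= min_attempts and len(users) >= min_distinct and rate <= max_rate:
            alerts.append(Alert(ip, start, len(evs), len(users), successes, hits))
    return alerts


def accounts_to_reset(alerts: list) -> list:
    """Accounts that authenticated from a flagged source: the password is known to
    the attacker, so force a reset or step-up rather than just blocking the source."""
    return sorted({u for a in alerts for u in a.hit_usernames})


if __name__ == "__main__":
    found = detect_stuffing(SAMPLE_LOG)
    for a in found:
        print(f"{a.src_ip}: {a.attempts} attempts, {a.distinct_users} users, "
              f"{a.successes} successes in window starting {a.window_start}")
    print("reset:", accounts_to_reset(found))
```

Grouping by source address is deliberately the simplest cut. A stuffing run pushed through a proxy network or botnet spreads the same pattern across thousands of addresses, so the same bucketing is worth applying per device fingerprint or ASN as well, and when no single source stands out the remaining signal is a site-wide rise in failed logins against many distinct accounts. Blocking the source is the least useful response; the accounts returned by the last function are the ones whose passwords are now confirmed in the attacker's hands.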
15. The tiers of attacker sophistication
Tier 1 - The original attacker
Tier 2 - The attacker’s private network
Tier 3 - The dark web
Tier 4 - Public
16. Credential spills decrease in value over time
(Chart: credential spill value on the vertical axis against time since the breach on the horizontal axis, falling as the spill passes from tier to tier.)
Day 0: data breach. Tier 1 attacks by the original attacker.
Then Tier 2 attacks by the attacker’s associates, then Tier 3 attacks once the spill reaches the dark web.
Day 456 (average time before a breach is reported): Tier 4 attacks, the spill is public.
24. If you have value,
there is value in attacking you.
25. Do you…
- Store any actual or virtual currency?
- Sell goods?
- Have ANY unique PII?
- Have user generated content?
- Have time sensitive features?
- Pay for digitally validated behavior?
- Have a social aspect to your service?
60. Use a password manager.
• LastPass
• 1Password
• Any locally encrypted database
61. Use a password algorithm: a base password + a site specific string.
For example: "hyatt small blue cup"
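One way to make "use a password algorithm" survive a spill, added here as an example and not the deck's own scheme: the naive form (a memorised base phrase with a site word attached, as in "hyatt small blue cup") reveals both the base phrase and the pattern the moment one site's password is spilled, so every other site's password becomes guessable. Running the base phrase and the site name through a key derivation instead produces a fixed-length string in which the base phrase is not visible. The function names, the PBKDF2 iteration count and the version-in-salt convention are assumptions.

```python
"""Derive per-site passwords from one memorised base phrase without exposing it."""
import base64
import hashlib
import unicodedata

ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor (assumption; raise as hardware allows)


def normalise(text: str) -> str:
    """Canonicalise input so the same phrase typed on different devices derives the same key."""
    return unicodedata.normalize("NFKC", text.strip())


def derive_site_password(base: str, site: str, length: int = 20, version: int = 1) -> str:
    """Derive a per-site password from a base phrase and the site name.

    The site name is lower-cased and a version number is folded into the salt, so a
    forced rotation at one site is handled by bumping `version` for that site only;
    the base phrase and every other site's password stay unchanged.
    """
    salt = f"{normalise(site).lower()}|v{version}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", normalise(base).encode("utf-8"),
                              salt, ITERATIONS, dklen=32)
    # URL-safe base64 yields letters, digits, '-' and '_'; drop padding and truncate.
    return base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]


def exposes_base(password: str, base: str) -> bool:
    """True when the base phrase is readable inside the password, i.e. one spill
    would hand an attacker the pattern for every other site."""
    return normalise(base).lower() in password.lower()


if __name__ == "__main__":
    base_phrase = "small blue cup"
    naive = "hyatt " + base_phrase
    derived = derive_site_password(base_phrase, "hyatt.com")
    print("naive  :", naive, "exposes base:", exposes_base(naive, base_phrase))
    print("derived:", derived, "exposes base:", exposes_base(derived, base_phrase))
    print("rotated:", derive_site_password(base_phrase, "hyatt.com", version=2))
```

The password manager from slide 60 is still the stronger choice: this derivation collapses to a single secret, cannot satisfy arbitrary per-site composition rules, and needs the version number remembered out of band after a rotation. It is the fallback for a site where a manager cannot be used, not a replacement for one.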
71. Use single flows for important transactions.
Reduce the attack surface area as much as possible.
(Diagram: a site with many separate login flows (login widget, old login flow, regular login, login at credit-card entry, 2.x login, login on the shopping cart) vs. a single login flow.)
72. Ask and be ready for tough questions
You may need to re-evaluate costs & value with new parameters.
73. Get help. You're not alone.
- Helen Keller
74. The Life of Breached Data