the life of breached data the dark side of security
play

The Life of Breached Data & The Dark Side of Security. Jarrod - PowerPoint PPT Presentation

Feb 18, 2024 •230 likes •1.07k views

The Life of Breached Data & The Dark Side of Security. Jarrod Overson @jsoverson QCon SF 2016 It's more than just massive breaches from large companies, too. It's small continuous, streams of exploitable data 2.2 Billion Leaked

  1. The Life of Breached Data & The Dark Side of Security. Jarrod Overson @jsoverson QCon SF 2016

  7. It's more than just massive breaches from large companies, too.

  8. It's small continuous, streams of exploitable data

  10. 2.2 Billion 
 Leaked credentials in 2016 alone

  11. Every breach adds a piece of you to a criminal's database. Passwords, emails, names, security questions & answers, addresses, and more

  13. Traditional security is like flossing. We know we're supposed to care, but is it really that important?

  14. OWASP Top 10 A1 – Injection A2 – Broken Authentication and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery (CSRF) A9 – Using Known Vulnerable Components A10 – Unvalidated Redirects and Forwards

  15. OWASP Automated Threats OAT-020 Account Aggregation OAT-006 Expediting OAT-019 Account Creation OAT-004 Fingerprinting OAT-003 Ad Fraud OAT-018 Footprinting OAT-009 CAPTCHA Bypass OAT-005 Scalping OAT-010 Card Cracking OAT-011 Scraping OAT-001 Carding OAT-016 Skewing OAT-012 Cashing Out OAT-013 Sniping OAT-007 Credential Cracking OAT-017 Spamming OAT-008 Credential Stuffing OAT-002 Token Cracking OAT-015 Denial of Service OAT-014 Vulnerability Scanning

  16. These attacks aren't cost effective unless automated BY�EVIL�� ROBOTS

  17. Our user-friendly APIs enable our attackers

  18. Not just these APIs

  19. The APIs we expose unintentionally.

  20. The APIs we expose unintentionally.

  21. The APIs we expose unintentionally.

  22. When you read about breaches, what do you do?

  23. Even if you have the most secure site in the world, you don't usually protect against legitimate user logins.

  24. If your users were robots, could you tell?

  26. What percentage of traffic is from bots?

  27. What percentage of traffic is from bots? 95% ( Current record for automation against a login page, via Shape Security )

  28. Why?

  29. Do you… For example Store a type of currency? actual money, point values, gift cards Sell goods? physical, digital, services Have unique PII? health care, social networks Have user generated content? forums, social networks, blogs, comments Have time sensitive features? tickets, flash sales, reservations Pay for digitally validated behavior? ad clicks, reviews, "uber for X"

  30. If you have value, there is value in exploiting you.

  31. Targeted Fraud can take many forms.

  32. But we have captchas!

  33. But captchas don't work.

  34. * Estimated 200 million+ hours spent every year deciphering squiggly letters. * Luis Von Ahn, creator of captcha

  35. Services have been made making captcha bypass even easier.

  36. Services have been made making captcha bypass even easier.

  37. Ever wonder where these ads go?

  38. There's big money in "Work from Home Data Entry" jobs

  39. So we seek alternatives.

  40. Some rely on simple behavior analysis

  41. Some rely on kittens

  42. Some rely on a love for death metal

  43. Some are very high profile

  44. How?

  45. They use a lot of the same tools we already use.

  52. Once you detect an attacker, they are easy to block. Right?

  53. One attacker from one machine can be blocked by IP.

  54. Many attackers sound dangerous but aren't as common as they are made out to be.

  55. One attacker using proxies to look like thousands of users across the globe is difficult to detect and block.

  56. Spikes of traffic across many IPs are normal, except when they aren't

  57. The devices themselves leave fingerprints

  58. And tools are made to leave no fingerprints

  59. Lots of tools.

  61. We can't patch our way through this.

  62. How would you react if you went from … Legitimate traffic

  63. To this Automation detected and blocked Legitimate traffic

  64. To this Automation detected and blocked Legitimate traffic

  65. To this Automation detected and blocked Legitimate traffic

  66. Not sure if you have a problem? To get an idea, search for : • <your company, service, or CMS> fullz • <your company, service, or CMS> sentrymba • <your company, service, or CMS> carding • <your company, service, or CMS> <tool> tutorial

  67. How do you protect you?

  68. Make every password unique. Really.

  69. Use a password manager. Use a password manager. • LastPass • 1Password • Any locally encrypted db LastPass, 1Password, any locally encrypted database.

  70. Use a password algorithm Use a base password + a site specific string. For example: "hyatt small blue cup "

  71. Turn on Multi-Factor Authentication.

  72. How do you protect your users?

  73. First, throw away the myth that the primary risk to passwords is how crackable they are. The biggest risk to you and your users is reused passwords.

  74. Don't add unnecessary password rules 8 char minimum, >64 char maximum, allow ANY character (including spaces)

  75. Do prevent users from using common passwords • 123456 • 1234567 • master • password • baseball • monkey • 12345678 • welcome • letmein • qwerty • 1234567890 • login • 12345 • abc123 • princess • 123456789 • 111111 • qwertyuiop • football • 1qaz2wsx • solo • 1234 • dragon • passw0rd Maintain and use a banned password list

  76. Don't expire passwords unless necessary Expire when accounts are compromised or a user's credentials are leaked.

  77. Offer Multi-Factor Authentication. There any many options and services that make this easy and tolerable.

  78. How do you protect your business?

  79. Use single flows for important transactions. Login widget Regular Login Old login flow Login on VS Login shopping cart 2.x login Login at CC entry Reduce the attack surface area as much as possible.

  80. Ask and be ready for tough questions You may need to re-evaluate costs & value with new parameters.

  81. Get help. You're not alone. Reduce the attack surface area as much as possible. - Helen Keller

  82. The Life of Breached Data & The Dark Side of Security. Jarrod Overson @jsoverson QCon SF 2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of

Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of

Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of Leadership Dr Holly Andrews Worcester Business School Global Business Conference Sibenik 2015 Overview What is the issue? Introducing psychopathy

372 views • 18 slides
The not so Dark Side of the Darknet Dr. Victoria Wang (BSc; PhD) Senior Lecturer on Security and

The not so Dark Side of the Darknet Dr. Victoria Wang (BSc; PhD) Senior Lecturer on Security and

Cambridge Cybercrime Centre: Fourth Annual Cybercrime Conference The not so Dark Side of the Darknet Dr. Victoria Wang (BSc; PhD) Senior Lecturer on Security and Cybercrime Institute for Criminal Justice Studies (ICJS) University of Portsmouth

780 views • 24 slides
How the Bright and Dark Side of Self-Determination Theory Relate to Students Life Skills

How the Bright and Dark Side of Self-Determination Theory Relate to Students Life Skills

How the Bright and Dark Side of Self-Determination Theory Relate to Students Life Skills Development Within Physical Education LO RC A N C RO N IN 1 , D A V ID M A RC HA N T 1 , JUSTIN E A LLEN 2 , C LA IRE M ULV EN N A 3 , D A V ID C

294 views • 18 slides
Sterile neutrinos: the dark side of the light fermions Sterile neutrino: a well-motivated dark

Sterile neutrinos: the dark side of the light fermions Sterile neutrino: a well-motivated dark

Whats ? Alexander Kusenko (UCLA/IPMU) Sterile neutrinos: the dark side of the light fermions Sterile neutrino: a well-motivated dark matter candidate observed neutrino masses imply the existence of right-handed singlets, which can

1k views • 31 slides
BEWARE THE DARK SIDE OF METRICS! Agile Arizona 2019 Barbara Anderson Unrestricted Content

BEWARE THE DARK SIDE OF METRICS! Agile Arizona 2019 Barbara Anderson Unrestricted Content

BEWARE THE DARK SIDE OF METRICS! Agile Arizona 2019 Barbara Anderson Unrestricted Content 11/27/19 1 This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations

509 views • 21 slides
The Dark Side of Ajax Jacob West Fortify Software Mashup Pink Floyd AJAX all purpose cleaner

The Dark Side of Ajax Jacob West Fortify Software Mashup Pink Floyd AJAX all purpose cleaner

The Dark Side of Ajax Jacob West Fortify Software Mashup Pink Floyd AJAX all purpose cleaner Dark Side of the Moon Ajax Fancier and easier-to-use web applications using: A synchronous Web 1.0 J avaScript Server Web page A nd

993 views • 52 slides
Living in a Parallel World: mirror dark matter, dark gravity, etc. Zurab Berezhiani Universit

Living in a Parallel World: mirror dark matter, dark gravity, etc. Zurab Berezhiani Universit

Living in a Parallel World: mirror dark matter, dark gravity, etc. Zurab Berezhiani Universit di L Aquila and LNGS Gran Sasso, Italy Dark Matter Connection .... , GGI, Florence, 16-20 May 2010 Dark Side as parallel sector, etc ... - p.

796 views • 45 slides
ALWAYS BY YOUR SIDE Always by your side. to prevent, control and mitigate all kinds of

ALWAYS BY YOUR SIDE Always by your side. to prevent, control and mitigate all kinds of

ALWAYS BY YOUR SIDE Always by your side. to prevent, control and mitigate all kinds of property damage 1 Always by your side. WATER FIRE CLIMATE All crucial for human life. At the same time posing an unpredictable threat to valuable

829 views • 57 slides
Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About

Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About

Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About It) Wade Trappe Agenda Agenda Tales from the Dark Side of Security Wireless in Particular Decomposing the Problem into Problems

697 views • 40 slides
The Universe, and its Dark Side 95% Email: ph116@u.washington.edu Dec 9, 2011 Session 42

The Universe, and its Dark Side 95% Email: ph116@u.washington.edu Dec 9, 2011 Session 42

The Universe, and its Dark Side 95% Email: ph116@u.washington.edu Dec 9, 2011 Session 42 Review Announcements Final exam: Monday 12/12, 2:30-4:20 pm Same length/format as previous exams (but you can have 2 hrs) Kyle Armour is

516 views • 22 slides
THE PHI PROJECT THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION A

THE PHI PROJECT THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION A

THE PHI PROJECT THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION A BUSINESS CASE FOR ENHANCED PHI SECURITY THE PHI PROJECT REQUIRED: Enhanced programs for safeguarding Protected Health Information (PHI) WHO:

436 views • 29 slides
Side-by-Side Box Beam Bridge Life-Cycle Cost Analysis For or Better Inv nvestment nt and nd

Side-by-Side Box Beam Bridge Life-Cycle Cost Analysis For or Better Inv nvestment nt and nd

Side-by-Side Box Beam Bridge Life-Cycle Cost Analysis For or Better Inv nvestment nt and nd Engi ngine neering ng Decisions ons By Nabil Grace, Ph.D., PE Elin Jensen, Ph.D. University Distinguished Professor Associate Professor

427 views • 28 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
Build A Wall Perimeter wall 1 // Guardicore Spoiler Alert: Wall Will be Breached 2 //

Build A Wall Perimeter wall 1 // Guardicore Spoiler Alert: Wall Will be Breached 2 //

Security Common Practice: Build A Wall Perimeter wall 1 // Guardicore Spoiler Alert: Wall Will be Breached 2 // Guardicore The answer: Micro-segmentation Welcome To Zero Trust 3 // Guardicore Micro-segmentation : Walls don t work

531 views • 17 slides
#MicroFocusCyberSummit Preparing for When Your Organization Will be Breached: Prioritizing and

#MicroFocusCyberSummit Preparing for When Your Organization Will be Breached: Prioritizing and

#MicroFocusCyberSummit Preparing for When Your Organization Will be Breached: Prioritizing and Protecting Paulo Veloso Shogo Cottrell #MicroFocusCyberSummit Whats happening in the market? Approximately 40,000 Tesco Bank accounts were

501 views • 36 slides
Pons Developed 0-5 months of life Automatic functions In charge of vision: side vision, eye

Pons Developed 0-5 months of life Automatic functions In charge of vision: side vision, eye

Pons Developed 0-5 months of life Automatic functions In charge of vision: side vision, eye tracking, saccadic eye jumps Perception of danger Emotional security, bonding, trust Perception of hunger Heart rate and respiration

951 views • 10 slides
Software Security Presentation Dr. E. Benoist Spring Semester 2011 Software Security

Software Security Presentation Dr. E. Benoist Spring Semester 2011 Software Security

Berner Fachhochschule - Technik und Informatik Software Security Presentation Dr. E. Benoist Spring Semester 2011 Software Security Presentation 1 Presentation Emmanuel Benoist email: emmanuel.benoist(at)bfh.ch PhD at the

368 views • 9 slides
Fortify Integration &amp; User Experience Fortify Partner Integration Integration with both

Fortify Integration &amp; User Experience Fortify Partner Integration Integration with both

Fortify Integration &amp; User Experience Fortify Partner Integration Integration with both Fortify on Demand and Software Security Center (v18.2). Get Training provides Fortify User with real-time interactive training in Secure

527 views • 31 slides
Embedding of External Content from Non-trusted Sources Alexandre Miguel Ferreira University of

Embedding of External Content from Non-trusted Sources Alexandre Miguel Ferreira University of

Embedding of External Content from Non-trusted Sources Alexandre Miguel Ferreira University of Amsterdam Research Project II July 5, 2012 Agenda Introduction Research Question Background How to embed content? Most

434 views • 17 slides
As global commodity super-cycle ends, Africans continue uprising against Africa Rising By

As global commodity super-cycle ends, Africans continue uprising against Africa Rising By

As global commodity super-cycle ends, Africans continue uprising against Africa Rising By Patrick Bond presented to Mapungubwe Institute for Strategic Reflection (Mistra) Great Recession Colloquium, University of South Africa, Pretoria,

344 views • 21 slides
Domain System Threat Landscape Pablo Rodriguez Nic.pr Janelle McAlister - MarkMonitor

Domain System Threat Landscape Pablo Rodriguez Nic.pr Janelle McAlister - MarkMonitor

Domain System Threat Landscape Pablo Rodriguez Nic.pr Janelle McAlister - MarkMonitor Agenda n History n Nic.PR Case Study q Registrar Perspective q Registry Perspective n Future solutions History n Over the past few years

643 views • 26 slides
Project Plan Connected Appliances Analytics Dashboard The Capstone Experience Team Whirlpool

Project Plan Connected Appliances Analytics Dashboard The Capstone Experience Team Whirlpool

Project Plan Connected Appliances Analytics Dashboard The Capstone Experience Team Whirlpool Derrick Neier Jim Solce Zach Taylor Joe Tuohey Department of Computer Science and Engineering Michigan State University Fall 2012 From Students

447 views • 17 slides
Momchil Karov VanSecSIG Best Buy Canada Oct 12, 2018 1 PRESENTED BY: (A.K.A. THE

Momchil Karov VanSecSIG Best Buy Canada Oct 12, 2018 1 PRESENTED BY: (A.K.A. THE

HOW TO EMBED SECURITY INTO AGILE? Momchil Karov VanSecSIG Best Buy Canada Oct 12, 2018 1 PRESENTED BY: (A.K.A. THE WHO AM I SLIDE) Momchil Karov, MSc., CISSP Principal Security Architect Enterprise Risk and Compliance Best

777 views • 44 slides
CYBERSECURITY: EMERGING THREATS AND MITIGATION STRATEGIES Gogwim , Joel Godwin, B. Tech (Hons),

CYBERSECURITY: EMERGING THREATS AND MITIGATION STRATEGIES Gogwim , Joel Godwin, B. Tech (Hons),

CYBERSECURITY: EMERGING THREATS AND MITIGATION STRATEGIES Gogwim , Joel Godwin, B. Tech (Hons), MPhil. (SA), CCNA, CCDA, CCAI, CCNP, CCDP, CEH, MNCS, MCPN, MNiRA, MCFIN ICT Directorate University of Jos, Nigeria email : gogwim[at]unijos.edu.ng

236 views • 10 slides

More recommend