We are just starting our session at @hasgeek. @abh1sek is talking about data breaches and how they happen.


Join the live stream on the webpage.

Thank you @hasgeek for giving us this amazing platform to talk about what we love most #datasecurity #appsec
Agenda for the session
Amazing graphic from #InformationIsBeautiful


@abh1sek starts by telling us that data breaches are far more common than understood.
Three stories of massive #databreach incidents:

#CapitalOne #Equifax #CSC_Bhim
The attacker in the case of the #capitalone #databreach used a vulnerability known as #SSRF (server-side request forgery) to get in and steal a great many records ($1,000,000+).

@abh1sek calls this a case of app and platform (mis)trust.
In the case of #Equifax, a neglected application was exploited using a known weakness in the #StrutsFramework. There was no 0day involved in this breach.

147,000,000+ records were stolen causing massive identity theft.
Personally Identifiable Information of millions of Indian citizens was found exposed due to a basic #awscloud misconfiguration.

7,000,000 records were leaking.
Now @abh1sek is getting to the root causes of why #databreach incidents happen over and over again.

Root causes include:

1⃣Lack of visibility of online exposed assets
2⃣Weaknesses in Identity and Access Management
3⃣Lack of patching process and managing vulnerabilities
For various reasons and limitations, defenders sometimes have gaps. Attackers exploit such gaps and are always looking for them, especially in cloud environments.
The main takeaway slide.

What can be done and safeguards to reduce risks of #databreach incidents?

Start by asking these questions:
1⃣Who are the attackers?
2⃣What are they after?

According to @abh1sek, doing a #ThreatModel should be the first step towards any kind of defence.
As part of the #ThreatModel, understand the #risks and #threats against our data #assets.

Using the model, look for security controls. This applies to both #infrastructuresecurity and #appsec.

Look at #rapidriskassessment, developed by the browser people at @mozilla.
Using #containers can mitigate the need for complicated #patchmanagement & make #vulnerability management easier.

A great point for all the defenders out there.

If you want to learn how to #audit your #docker and #Kubernetes clusters, start here.
The Q and A has started.

Nitish asks: should we be reporting data breaches to the authorities if we come across them on @shodanhq or @binaryedgeio?

@abh1sek says this is very useful. Reach out to the country's Computer Emergency Response Team (CERT).

What if the org doesn't have a dedicated email address to report security issues?

@abh1sek says try to find senior people at the org on #LinkedIn etc. and report to them.

Defenders, also look at securitytxt.org for an idea of how to make it easy to report issues.
Half an hour into the session @abh1sek breaks out #IANAL 😀😃.

Unfortunately there is no standard way to report security issues.
@abh1sek A short and hopefully sweet session full of information for #defenders to discuss all things related to #databreach incidents and #datasecurity.

And we have one more question from Arun.

Arun would like to know whether approaching companies directly to report #bugs is alright.
Our speaker @abh1sek starts the answer with:

Once upon a time there was only 1 CVE issuing authority. He is reminiscing about a time when there was no concept of #bugbounties.

Betraying his age a bit here. 🤪🤪
Wow, the question gets lobbed to @zainabbawa of @hasgeek: do they have a security team for reporting issues?

Her answer: talk to @jackerhack.
Start with #IncidentResponse playbooks.

For your company, start here.

Part of the NIST CyberSecurity Framework.
For #Defenders in the #AWSCloud read the AWS Security Incident Response document.

Arun asks what should a startup do. The founders are unlikely to be aware of #security and #incidentresponse.

Arun, here is a really nice blog post for you to read and share.

Aditi is asking what measures journalists need to take when reporting on #databreaches.

@abh1sek as always starts by saying it depends. He warns about fake data dumps that may be created to mislead and damage the reputation of the organisations.

There is no generic way.
A good resource from our founder @makash on starting with security and staying secure for startups:

What startups need to worry about for #DataSecurity
According to @abh1sek #FullDisclosure can be a way to get companies to act on #databreach reports.

It used to work for software vendors and should work now.
As per @abh1sek, claiming a #BugBounty reward essentially means that the company now owns the vulnerability issue and its details, which means they can ask that the details never be made public.
VJD on YouTube asking for suggestions on implementing #SAST and #ThreatModelling.

@abh1sek mentions @owasp.

For threat modelling, get started with the #OWASP Threat Modelling practice.

To create Data Flow Diagrams try out