We are just starting our session @hasgeek. @abh1sek talking about data breaches and how they happen.
hasgeek.com/rootconf/data-…
Join the live stream on the webpage.
#datasecurity
hasgeek.com/rootconf/data-…
Join the live stream on the webpage.
#datasecurity
Thank you @hasgeek for giving us this amazing platform to talk about what we love most #datasecurity #appsec
#cloudsecurity
#cloudsecurity
Agenda for the session
Amazing graphic from #InformationIsBeautiful
informationisbeautiful.net/visualizations…
@abh1sek starts with telling us that databreaches are far more common than understood.
informationisbeautiful.net/visualizations…
@abh1sek starts with telling us that databreaches are far more common than understood.
Attacker in the case of #capitalone #databreach used a vulnerability known as #SSRF to get in and steal a lot and lot of records ($1,000,000+)
@abh1sek calls this a case of app and platform (mis)trust
@abh1sek calls this a case of app and platform (mis)trust
In case of #Equifax a neglected application was exploited using a known weakness of #StrutsFramework. There was no 0day involved in this breach.
147,000,000+ records were stolen causing massive identity theft.
147,000,000+ records were stolen causing massive identity theft.
Personally Identifiable Information found due to a basic #awscloud misconfiguration of millions of Indian citizens.
7,000,000 records were leaking.
7,000,000 records were leaking.
Now @abh1sek trying to get the root causes of why #databreach incidents happen over and over again.
Root causes include
1⃣Lack of visibility of online exposed assets
2⃣Weaknesses in Identity and Access Management
3⃣Lack of patching process and managing vulnerabilities
Root causes include
1⃣Lack of visibility of online exposed assets
2⃣Weaknesses in Identity and Access Management
3⃣Lack of patching process and managing vulnerabilities
Because of various reasons and limitations, defenders sometimes have gaps. Attackers exploit such gaps and are always looking for these especially in the cloud environments.
The main takeaway slide.
What can be done and safeguards to reduce risks of #databreach incidents?
Start by asking these questions
1⃣Who are the attackers
2⃣What are they after
According to @abh1sek doing #ThreatModel should be the first step towards any kind of defence
What can be done and safeguards to reduce risks of #databreach incidents?
Start by asking these questions
1⃣Who are the attackers
2⃣What are they after
According to @abh1sek doing #ThreatModel should be the first step towards any kind of defence
As part of the #ThreatModel understand #risks and #threats against our data #assets.
Using the model look for security controls. This applies to both #infrastructuresecurity and #appsec.
Look at #rapidriskasessment developed by the browser people @mozilla.
Using the model look for security controls. This applies to both #infrastructuresecurity and #appsec.
Look at #rapidriskasessment developed by the browser people @mozilla.
Using #containers can mitigate the need for complicated #patchmanagement & make #vulnerability management easier.
A great point for all the defenders out there.
If you want to learn how to #audit your #docker and #Kubernetes clusters start here
github.com/appsecco/attac…
A great point for all the defenders out there.
If you want to learn how to #audit your #docker and #Kubernetes clusters start here
github.com/appsecco/attac…
The Q and A has started.
Nitish asks - Should we be reporting data breaches to the authorities if we come across on @shodanhq @binaryedgeio.
@abh1sek says this is very useful. Reach out the countries Computer Emergency Response Team (CERTs)
en.wikipedia.org/wiki/Computer_…
Nitish asks - Should we be reporting data breaches to the authorities if we come across on @shodanhq @binaryedgeio.
@abh1sek says this is very useful. Reach out the countries Computer Emergency Response Team (CERTs)
en.wikipedia.org/wiki/Computer_…
What if the org doesn't have a dedicated email address to report security issues?
@abh1sek says try and find senior people of the orgs on #LinkedIn etc. and report.
Defenders also look at this securitytxt.org to get an idea on how to make it easy to report issues.
@abh1sek says try and find senior people of the orgs on #LinkedIn etc. and report.
Defenders also look at this securitytxt.org to get an idea on how to make it easy to report issues.
@abh1sek A short and hopefully sweet session full of information for #defenders to discuss all things related to #databreach incidents and #datasecurity.
And we have one more question from Arun.
Arun would like to know is approaching companies directly to report #bugs is that alright?
And we have one more question from Arun.
Arun would like to know is approaching companies directly to report #bugs is that alright?
Our speaker @abh1sek talking starts the answer with
Once upon a time there was only 1 CVE issuing authority. He is reminiscing about a time when there was no concept of #bugbounties.
Betraying his age a bit here. 🤪🤪
Once upon a time there was only 1 CVE issuing authority. He is reminiscing about a time when there was no concept of #bugbounties.
Betraying his age a bit here. 🤪🤪
Wow the question gets lobbed to @zainabbawa of @hasgeek if they have a security team for reporting issues.
Her answer is that talk to @jackerhack
Her answer is that talk to @jackerhack
Start with #IncidentResponse playbooks.
For your company start here
nist.gov/cyberframework…
Part of the NIST CyberSecurity Framework.
For your company start here
nist.gov/cyberframework…
Part of the NIST CyberSecurity Framework.
For #Defenders in the #AWSCloud read the AWS Security Incident Response document.
d1.awsstatic.com/whitepapers/aw…
d1.awsstatic.com/whitepapers/aw…
Arun asks what should a startup do. The founders are unlikely to be aware of #security and #incidentresponse.
Arun here is a really nice blog post for you to read and share.
medium.com/starting-up-se…
Arun here is a really nice blog post for you to read and share.
medium.com/starting-up-se…
Aditi is asking What measures do journalists need to take when reporting about #databreaches.
@abh1sek as always starts by saying it depends. He warns about fake data dumps that may be created to mislead and damage the reputation of the organisations.
There is no generic way.
@abh1sek as always starts by saying it depends. He warns about fake data dumps that may be created to mislead and damage the reputation of the organisations.
There is no generic way.
A good reasource from our founder @makash talking about starting with security and staying secure for startups
slideshare.net/IIMBNSRCEL/how…
slideshare.net/IIMBNSRCEL/how…
What stratups need to worry about for #DataSecurity
According to @abh1sek #FullDisclosure can be a way to get companies to act on #databreach reports.
It used to work for software vendors and should work now.
It used to work for software vendors and should work now.
As per @abh1sek , claiming #BugBounty reward essentially means that the company now owns the vulnerability issue and details. Which means they can ask that details may never be made public.
VJD on YouTube asking for suggestions on implementing #SAST and #ThreatModelling.
@abh1sek mentions @owasp.
For threat modelling get started with #OWASP Threat Modelling practice.
To create Data Flow Diagrams try out
owasp.org/www-project-th…
@abh1sek mentions @owasp.
For threat modelling get started with #OWASP Threat Modelling practice.
To create Data Flow Diagrams try out
owasp.org/www-project-th…
@threadreaderapp unroll
