Free Rapid7 Webcast: Life’s a Breach! Lessons Learned from Recent Breaches

Viewing 2 reply threads
  • Author
    Posts
    • #7633
      Don Donzal
      Keymaster

      Here’s another free webcast from Rapid7, home of Metasploit and Nexpose, that I thought might be a great help when securing your own environment as well as talking to the higher ups. Good luck with that one.  😉

      [align=center:2twq1y7a]Life's a Breach! Lessons Learned from Recent High Profile Breaches[/align:2twq1y7a]

      In the current threat environment, the chances of getting breached are pretty high. What are the steps you’ve taken to reduce that risk? In the event it does happen, what actions will you take to act quickly?

      Join Marcus Carey, Security Researcher at Rapid7, for a free webcast, “Life’s a Breach! Lessons learned from recent high profile breaches,” on Thursday, June 14 at 2:00 pm EDT. The webcast will discuss what we can learn from recent high profile breaches, including LinkedIn and Global Payments.

      Marcus will identify:

      • Attacker profiles and their modus operandi
      • Common security miscues
      • Cryptography and cryptanalysis best practices
      • Incident response and business continuity best practices

      Attendees of this webcast will gain practical advice on best practice approaches to minimizing the risk and potential business impact of a breach.

      Reserve your spot now – space is limited
      http://information.rapid7.com/Webcast-lessonslearned-breaches-registration.html?LS=1152784&CS=eh

      Enjoy,
      Don

    • #47667
      rattis
      Participant

      I’d like to see it, but don’t like the idea of having to supply some of the information they’re asking for. I don’t want them to think I’m a possible sales lead when i’m not.

    • #47668
      unicityd
      Participant

      Here’s the lesson: use bcrypt.

      The reason the LinkedIn hack resulted in so much criticism is that the passwords were all hashed without any sort of password stretching or salting.  Salting prevents precomputation and forces the attacker to guess each password separately; brute force can’t scale for multiple users.  Stretching also destroys rainbow tables and makes brute force much slower.  Some people have criticized LinkedIn for using SHA-1 but that’s beside the point.  With salting and stretching, even MD5 would be fine (although I’d use SHA-256 or better).

      Nobody should design their own scheme here.  Salting and stretching are already implemented in bcrypt, scrypt, and PBKDF2.  Use one of those.  Scrypt is new, but bcrypt has been in OpenBSD for more than a decade and is pretty widely supported.  PBKDF2 is standardized in RSA’s PKCS #5 and in RFC 2898.  Bcrypt and Scrypt appear to be the strongest options.

Viewing 2 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?