.

Free Rapid7 Webcast: Life's a Breach! Lessons Learned from Recent Breaches

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Jun 12, 2012 12:16 pm

Free Rapid7 Webcast: Life's a Breach! Lessons Learned from Recent Breaches

Here's another free webcast from Rapid7, home of Metasploit and Nexpose, that I thought might be a great help when securing your own environment as well as talking to the higher ups. Good luck with that one.  ;)




In the current threat environment, the chances of getting breached are pretty high. What are the steps you’ve taken to reduce that risk? In the event it does happen, what actions will you take to act quickly?

Join Marcus Carey, Security Researcher at Rapid7, for a free webcast, "Life's a Breach! Lessons learned from recent high profile breaches," on Thursday, June 14 at 2:00 pm EDT. The webcast will discuss what we can learn from recent high profile breaches, including LinkedIn and Global Payments.

Marcus will identify:

• Attacker profiles and their modus operandi
• Common security miscues
• Cryptography and cryptanalysis best practices
• Incident response and business continuity best practices

Attendees of this webcast will gain practical advice on best practice approaches to minimizing the risk and potential business impact of a breach.



Reserve your spot now - space is limited
http://information.rapid7.com/Webcast-l ... 2784&CS=eh


Enjoy,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue Jun 12, 2012 2:02 pm

Re: Free Rapid7 Webcast: Life's a Breach! Lessons Learned from Recent Breaches

I'd like to see it, but don't like the idea of having to supply some of the information they're asking for. I don't want them to think I'm a possible sales lead when i'm not.
OSWP, Sec+
<<

unicityd

User avatar

Full Member
Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Tue Jun 12, 2012 4:21 pm

Re: Free Rapid7 Webcast: Life's a Breach! Lessons Learned from Recent Breaches

Here's the lesson: use bcrypt.

The reason the LinkedIn hack resulted in so much criticism is that the passwords were all hashed without any sort of password stretching or salting.  Salting prevents precomputation and forces the attacker to guess each password separately; brute force can't scale for multiple users.  Stretching also destroys rainbow tables and makes brute force much slower.  Some people have criticized LinkedIn for using SHA-1 but that's beside the point.  With salting and stretching, even MD5 would be fine (although I'd use SHA-256 or better).

Nobody should design their own scheme here.  Salting and stretching are already implemented in bcrypt, scrypt, and PBKDF2.  Use one of those.  Scrypt is new, but bcrypt has been in OpenBSD for more than a decade and is pretty widely supported.  PBKDF2 is standardized in RSA's PKCS #5 and in RFC 2898.  Bcrypt and Scrypt appear to be the strongest options.
BS in IT, CISSP, MS in IS Management (in progress)

Return to Editor-In-Chief

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software