Should you ever need to know your customers' plain text password?
No, a well-designed application shouldn't need it. Why would you email it to people?
Name three things that should be in a security incident response plan?
There are many, but here are a few:
Who needs to be involved
How to isolate the compromise
Who will write public statements
Tools to use during a compromise
Who is at fault for the data breach?
The State of California
The third party contractor
Ultimately, the state of California bears the responsibility for what happened
What procedures does Route have today if one of our customers' accounts is compromised?
I don't know; if someone has a good response, let me know.
What could have been done to protect login access to the internal admin page?
Two Factor Authentication
Single Sign On
Strong Password Policy
Name two things that Crypto.com did well
There are a lot of good things they did:
- Suspend training
- Quickly replace their 2FA
- Have strong detection methods that picked up the issue almost immediately
Name two things that we can do to prevent a database server from being exposed
Peer reviews on changes
Limit who has access to make changes
Proper training
Automatic alerts for new online resources
Architectural review
Name two good controls to prevent credential stuffing attacks
Multi factor authentication
Captchas
Rate limiting
Added scrutiny on suspicious logins (new IPs, device fingerprinting, unusual activity)
What is a strong, modern password hashing algorithm
This isn't always clear
Argon2 is generally considered one of the best
Scrypt and Bcrypt are generally well regarded, but are aging
What is 1 bitcoin worth today?
$36,942 as of noon today
Which of the following is not an official California state symbol?
State fabric = Denim
State animal = Grizzly bear
State beverage = Milk
Milk is actually the state beverage of Arkansas
Name three English Premier League teams
Biggest teams last year
Manchester City
Chelsea
Manchester United
Liverpool
Leicester City
West Ham United