
WordCamp for Publishers: Security for Newsrooms


Hands-on workshop on information security basics:
- how to think about security
- threat modelling / risk assessment
- authentication
- device security

Handouts:
https://drive.google.com/file/d/13FZBhEY2kSsThkq7-5fTXf8eqGaSI5pg/view?usp=sharing

Published in: Technology

WordCamp for Publishers: Security for Newsrooms

  1. information SECURITY for publishers
  2. Paul Schreiber, paulschreiber@gmail.com, @paulschreiber
  3. tradeoffs
  4. continuum
  5. average people ✔
  6. under government surveillance; whistleblowers; political campaigners; activists; celebrities; victims of stalking and violence
  7. encrypted email (PGP, GPG); messaging (Signal); SecureDrop; physical security; VPNs; Tor
  8. Tails; social media; airgap; firmware passwords; on-premises vs cloud
  9. corporate espionage; criminal gangs; zero-day exploits; Mossad, CIA, MI6, NSA
  10. password reuse ✔; password guessing ✔; lost and stolen devices ✔; phishing ✔
  11. threat model
  12. [chart: axes "how much they want to know" and "how much you care", scaled from 0 / $ up to $$$$$$]
  13. assets
  14. adversaries
  15. capabilities
  16. consequences
  17. defenses
  18. memorizing passwords
  19. password managers
  20. browser password management

      Browser   Create  View  Edit  Delete  Web  Sync  2FA  Mac  Windows  Linux  iOS  Android
      Chrome    ✔       ✔     ✘     ✔       ✔    ✔     ✔    ✔    ✔        ✔      ✔    ✔
      Firefox   ✘       ✔     ✔     ✔       ✘    ✔     ✘    ✔    ✔        ✔      ✔    ✔
      Safari    ✔       ✔     ✔     ✔       ✘    ✔     ✔    ✔    ✘        ✘      ✔    ✘

  21. Preferences > Passwords
  22. chrome://flags
  23. chrome://settings/passwords
  24. about:preferences#privacy
  25. security questions
  26. “security” questions
  27. password policies
  28. NIST Special Publication 800-63B: Digital Identity Guidelines, Authentication and Lifecycle Management
  29. length: § 5.1.1.2 Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.
  30. composition: § 5.1.1.2 All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.
  31. rotation: § 5.1.1.2 Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
  32. password sharing
  33. password resets
  34. know
  35. are
  36. have
  37. backup codes
  38. device migration
  39. WordPress VIP
  40. Many graphics from The Noun Project: Bear by Gan Khoon Lay; Computer Fire by Ian Ransley; Computer by Azis; Credit card by Gonzalo Bravo; Fingerprint by Ben Davis; Lock with keyhole by Brennan Novak; Marker by Jeff Seevers; Nokia 3310 by Stan Fisher; Notification by vijay sekhar; Shield by Wayne Thayer; Spy by Alen Krummenacher; iPhone by Ross Sokolovski.
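The three § 5.1.1.2 rules quoted on the length, composition and rotation slides, written out as a verifier-side check and set beside a typical legacy policy; this is an added example, not code from the talk or from WordPress VIP. The blocklist and the NFKC normalization step come from the same NIST section but are not quoted on the slides, and the blocklist entries and legacy thresholds (16 characters, 90 days) are constructed for illustration.

```python
import unicodedata

# Constructed stand-in for the list of commonly used or breached passwords that
# SP 800-63B §5.1.1.2 tells verifiers to compare against (same section as the
# quoted rules, but not on the slides).
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein1"}

MIN_LEN = 8  # SHALL: at least 8 characters; no upper cap (SHOULD allow >= 64)


def secret_length(secret: str) -> int:
    """Character count after NFKC normalization (recommended in the same NIST
    section): 'e' + combining acute and precomposed 'é' count as one character,
    and a multi-byte emoji counts as one character rather than four bytes."""
    return len(unicodedata.normalize("NFKC", secret))


def check_nist(secret: str) -> tuple[bool, str]:
    """Length-only rule from §5.1.1.2: any printing ASCII, space or Unicode is
    accepted, no composition rules, no forced rotation, plus the blocklist."""
    normalized = unicodedata.normalize("NFKC", secret)
    # Only control characters (category Cc) are not "printing" characters.
    if any(unicodedata.category(ch) == "Cc" for ch in normalized):
        return False, "control characters are not printing characters"
    if len(normalized) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if normalized.lower() in BLOCKLIST:
        return False, "matches a commonly used or breached password"
    return True, "ok"


def check_legacy(secret: str, days_since_change: int = 0) -> tuple[bool, str]:
    """A typical pre-800-63B policy (thresholds constructed for illustration):
    16-character cap, no spaces, four character classes, 90-day rotation.
    Included only to show what the NIST rules above remove."""
    if len(secret) > 16:
        return False, "longer than 16 characters"
    if " " in secret:
        return False, "spaces not allowed"
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    if not all(any(test(c) for c in secret) for test in classes):
        return False, "needs upper, lower, digit and symbol"
    if days_since_change > 90:
        return False, "older than 90 days, change required"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Tr0ub4dor&3", "password"]:
        print(repr(candidate), "nist:", check_nist(candidate), "legacy:", check_legacy(candidate))
```

Note that the long passphrase with spaces passes the NIST check and fails the legacy one, while the short "complex" string passes both; the blocklist is what stops the 8-character dictionary word that length alone would allow.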
