PHISH-PROOF YOUR USERS: Negate Stolen Credentials & Go Beyond 2FA
June 13, 2018
Damon Tepe, Director, Product Marketing
WEBINAR HOUSEKEEPING
• All attendee audio lines are muted
• Submit questions via Q&A panel at any time
• Questions will be answered during Q&A at the end of the presentation
• Slides and recording will be sent later this week
• Contact us at
AGENDA
1 Humans are weakest link
2 What’s the problem?
3 Why 2FA is not enough
4 Adaptive/No-Trust benefits
5 Scenarios/Use cases
6 Business impact (Savings)
7 Questions & Answers
Billions are spent on network and endpoint security…
… but breaches still happen and are on the rise: 40% increase last year!
[Chart: spending on Network Security, Endpoint Security and Identity Security; labels shown: $90 Billion, $6 Billion]
“In 2018, we will see increased sophistication in the threat landscape with threats being personalized to their target’s weak spots or metamorphosing to take account of defenses that have already been put in place”
—“Global Security Threats Outlook for 2018”, Information Security Forum (ISF) Managing Director, Steve Durbin
Humans are the Weakest Link
• Phishing attempts increased 65% last year [1]
• 76% reported being a phishing victim last year [2]
• 30% of phishing messages get opened by users [3]
• 12% of those users click on the malicious attachment or link [3]
ATTACKER GOAL - Come and go without detection & exfiltrate the prize without notice
[1] http://cofense.com/wp-content/uploads/2017/11/Enterprise-Phishing-Resiliency-and-Defense-Report-2017.pdf
[2] https://info.wombatsecurity.com/state-of-the-phish
[3] Verizon DBIR 2018 - https://www.verizonenterprise.com/verizon-insights-lab/dbir/
Compromising Your Security
• Humans pick weak passwords
• Everyone re-uses their passwords
• Something to think about…
Source: http://fortune.com/2017/12/19/the-25-most-used-hackable-passwords-2017-star-wars-freedom/
Source: https://keepersecurity.com/assets/pdf/Keeper-Mobile-Survey-Infographic.pdf
Breach               | Accounts exposed
---------------------|-----------------
Yahoo                | 3 Billion
Adult Friend Finder  | 412 Million
eBay                 | 145 M
Equifax              | 143 M
Total                | 3.7 Billion
For comparison: population of USA = 323.4 M; population of China = 1.4 B; population of India = 1.3 B
Why is this a problem?
• Cyber attackers are walking in your front door undetected - 81% of breaches involve use of stolen or weak credentials
• 40% of assets are protected by password or less - 60% have taken at least a 2FA step
• Attackers go undetected for 99 days - although better than previous years, 3+ months is too much
• Cost of US breach now $7.3 Million - up from ~$4 million a couple years ago
• Boardrooms & Brand Erosion
SOLUTIONS
PASSWORDS
• More secure PWs
• Change PWs more
• Phishing education
• Single Sign-on
2FA/MFA
• Hard tokens - poor UX, expensive
• Phone-based - for everyone?
• Popular methods bypassed
CONTEXT & RISK
• More context - more clues
• Additional security layers
• Can be dynamic/evolving
2FA IS NOT ENOUGH: HOW ATTACKERS BYPASS 2FA
Variety of techniques:
• One Time Passcodes: Phishing attack (MitM), Malware, SMS/Call Intercept (SS7), Phone # Porting
• Push-to-Accept
• Knowledge-based Q&A: Street you grew up on? Name of first pet? 1st grade teacher’s name? Mother’s maiden name? We over share on Social Media
Video references: youtu.be/lc7scxvKQOo ; youtube.com/watch?v=vcA6dLl5Sa4&feature=youtu.be&t=30m38s
HUMANS ARE THE WEAKEST LINK
TRUST NOTHING – CHECK EVERYTHING
THE MORE YOU KNOW – THE MORE PROTECTED
DEVICE
• Access device (PC)
• Authentication device (Phone)
ACCOUNT
• Attributes?
• Segregation of duties?
• Privileged/Sensitive?
LOCATION
• Known?
• Permitted?
BEHAVIOR
• Irregularities – Attempts? Times? Apps?
IP ADDRESS
• Known?
• Anonymous network?
• Multiple threat feeds
3RD PARTY
• 3rd Party Risk Score – SIEM? UEBA? IGA?
SECURITY IN LAYERS: Not a New Concept…
BUILDING SECURITY
• Fences
• Door locks
• Key cards/ID badge(s)
• Security guard(s)
• Cameras
POLICE PROTECTION
• Many layers of woven or laminate fibers
• No one layer stops a bullet
• Some have metal or ceramic plates for added protection
IDENTITY PROTECTION
• Can’t rely on just a password
• Attackers can bypass 2FA
• IDs need more security ‘layers’
• The more we know, the better
More Checks = More Secure
[Diagram: Traditional Authentication - Attacker passes Password, then 2-Factor Authentication, to reach The Prize. Adaptive Authentication - the attacker must also pass Device Recognition, Anonymous proxy, Threat services, Directory attributes, Sensitive/privileged, Segregation of duties, Irregular Behavior, 3rd party risk score, 2-factor auth, IP white/black list, Geography, Phone type, Phone carrier and Phone porting status, each of which can result in Allow, MFA Step, PW-Reset or Deny/Redirect]
Adaptive Authentication Risk/Context Checks
• Device Recognition
• Geo-Location
• IP White/Black List
• Attributes & Profile Check
• Anonymous Proxy (e.g. Tor)
• IP Checked - Multiple Threat DBs
• Phone # Recently Ported
• Phone Type
• Phone # Carrier
• High Risk Account - Privileged
• High Risk Account - Sensitive
• High Risk Account - SoD
• Behavior Analysis - Machine Learning
• Geo-Velocity
• Bring Any 3rd Party Risk Score
Possible outcomes: Allow / MFA Step / PW-Reset / Deny-Redirect
• 617 Million Authentications - 90% did not have to take MFA step
• Confidence to go passwordless
• Protected even if credentials are known and attacker can get past MFA
Authentication Scenarios
[Diagram: Normal Day; Stolen Credentials; Created ID / Enrolled in MFA]
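As an added illustration (not SecureAuth’s code or the product’s real scoring), a toy Python policy that scores one authentication attempt against several of the context checks listed above (device recognition, threat-feed IP, anonymous proxy, phone porting, privileged account, 3rd party risk score and geo-velocity) and maps the score to the four outcomes on the slide. The weights, thresholds and the 1000 km/h impossible-travel cut-off are assumptions chosen for the example.

```python
# Added example: toy adaptive-authentication policy. Weights, thresholds and
# the outcome ordering are assumptions, not the vendor's actual rules.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

@dataclass
class Attempt:
    device_known: bool             # access/authentication device recognized
    ip_on_threat_feed: bool        # IP found in one or more threat DBs
    anonymous_proxy: bool          # e.g. Tor exit node
    phone_ported_recently: bool    # SMS/voice OTP can no longer be trusted
    privileged: bool               # high-risk account
    third_party_risk: float        # 0.0 - 1.0 score from SIEM/UEBA/IGA
    geo: Tuple[float, float]       # (lat, lon) of this attempt
    prev_geo: Optional[Tuple[float, float]] = None  # last good login
    hours_since_prev: float = 0.0

def km_between(a, b):
    """Great-circle distance (haversine), in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def geo_velocity_kmh(att):
    """Implied travel speed since the last good login (geo-velocity check)."""
    if att.prev_geo is None or att.hours_since_prev <= 0:
        return 0.0
    return km_between(att.prev_geo, att.geo) / att.hours_since_prev

def risk_score(att):
    """Weighted sum of the checks; higher means riskier (weights are assumed)."""
    score = 0
    if not att.device_known:         score += 20
    if att.ip_on_threat_feed:        score += 40
    if att.anonymous_proxy:          score += 30
    if att.phone_ported_recently:    score += 40
    if geo_velocity_kmh(att) > 1000: score += 40   # impossible travel
    if att.privileged:               score += 15
    score += int(40 * att.third_party_risk)
    return score

def decide(att):
    """Map the score to the four outcomes on the slide."""
    s = risk_score(att)
    if s >= 80: return "Deny-Redirect"
    if s >= 60: return "PW-Reset"      # credentials presumed compromised
    if s >= 20: return "MFA Step"
    return "Allow"                     # normal day: no extra step for the user
```

A recently ported phone on an unknown device forces a password reset rather than sending an SMS code the attacker may now receive, while the everyday case (known device, usual location) passes with no MFA step.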
Calculating Business Value: Removing Disruptions Has Benefits
5000 User Organization
• Save 2 minutes/day (240 x 2 mins = 8 hrs/yr)
• $24/hr x 8 hrs/yr = $192/yr
• $192/yr x 5000 employees = $960,000 in saved labor costs/productivity gains
Cost Savings Calculator: www2.secureauth.com/SSO_Calculator
Calculating Business Value: Passwords Can Be Expensive
5000 User Organization
• 7500 Password Reset Calls/year
• $20/call = $150,000 spent annually on password resets
Cost Savings Calculator: www2.secureauth.com/Password_Calculator
What Have We Covered Today?
• Cyber attacks are increasing despite increasing security investment
• Cyber attackers are often taking the path of least resistance and mis-using valid credentials
• 2FA is not enough and attackers are increasingly figuring out ways past it
• Security in layers has proven effective
• Context around any given access attempt/authentication improves security without causing undue disruptions to users
PHISH-PROOF USERS
QUESTIONS & ANSWERS
© 2018 by SecureAuth. All rights reserved.
THANK YOU