Oh no! They hacked my password!!!

Presentation transcript:

Oh no! They hacked my password!!! Jerry Wynne, CISA, CISSP, CIRSC Vice President of Security, CISO

Disclaimer This document and any oral presentation accompanying it are not intended to be taken, and should not be taken, as necessarily representing the policies, opinions, and/or views of Noridian Mutual Insurance Company, Blue Cross Blue Shield of North Dakota, Noridian Healthcare Solutions, any of their component services, or any other affiliated companies. This document and any oral presentation accompanying it have been prepared in good faith. However, no express or implied warranty is given as to the accuracy or completeness of the information in this document or the accompanying presentation.

Agenda
- Who am I?
- Breach after Breach after Breach
- It's a numbers game
- Cracking a password
- What is the value?
- Creatures of Habit
- Collision of Facts
- So, if my password is not enough...

Who am I?
- Currently employed by Noridian Mutual Insurance Company, DBA: Blue Cross Blue Shield of North Dakota, an independent licensee of the Blue Cross Blue Shield Association; DBA: Noridian Healthcare Solutions
- Assisting three other healthcare plans with security
- Vice President of Security, Chief Information Security Officer (CISO)
- Responsible for both electronic and physical security
- 3200 employees, 15+ locations coast to coast
- Staff of 70+ physical and electronic security professionals
- Certifications include: Certified Information Systems Auditor (CISA), Certified Information System Security Professional (CISSP), Certified in Risk and Information System Control (CRISC)
- Over twenty years of experience in electronic security, with over fifteen years of leadership in electronic security

Breach after Breach after Breach The password breaches keep coming and coming:
- 2013 Yahoo data breach: over 1 billion passwords breached
- 2015 LinkedIn password breach: 115 million passwords breached
- 2017 Cloudflare breach: includes Uber, Fitbit, OKCupid among 3,400 websites; unknown number of passwords; users are urged to update all passwords

It’s a numbers game Total Population of USA: 323 Million Total Population of World: 7.5 Billion

It’s a numbers game Approximate total number of passwords stolen in 2016 alone: 4.2 Billion

It's a numbers game So, if passwords were just stolen from Americans, every American would have lost 13 passwords in 2016. If passwords were stolen from everyone in the world, every other person in the world has had a password stolen in 2016!

Cracking a password From the UK Daily Mail, 2013: A team of hackers has managed to crack more than 14,800 supposedly random passwords - from a list of 16,449 - as part of a hacking experiment for a technology website. The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster. The hackers also managed to crack 16-character passwords including 'qeadzcwrsfxv1331'. Rather than repeatedly entering passwords into a website, the hackers used a list of hashed passwords they managed to get online. In several cases they identified the user, and used plain text passwords and created a hash from the plain text password.

Cracking a password From the 2016 Verizon report: Verizon found that "63% of confirmed data breaches involved leveraging weak, stolen or default passwords." Further, the 2018 Verizon report stated that 93% of data breaches occurred within minutes, while 63% weren't discovered for months.
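The Daily Mail story above turns on one detail: the attackers had a list of hashes, not a login form, and made their own hashes from plain-text guesses. The following Python is an added example (not from the presentation or its sources) showing what that means for a defender: with unsalted, fast hashes, two accounts that share a password share a hash, and every guess costs one hash for the whole leak; with a per-user salt and a slow key derivation (PBKDF2-HMAC-SHA256 from the standard library here), neither shortcut exists. The credential table, wordlist and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample: a leaked credential table of the kind described in the
# story, one unsalted SHA-1 hash per account. Not real data.
def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

LEAKED_TABLE = {
    "alice": unsalted_sha1("password"),
    "bob":   unsalted_sha1("password"),           # same password as alice
    "carol": unsalted_sha1("pv#9Lq!zR2wE-long"),  # not in the wordlist below
}

# Constructed wordlist; a few entries stand in for the millions a real one has.
WORDLIST = ["123456", "password", "qwerty", "letmein"]

def shared_password_groups(table: dict) -> dict:
    """With unsalted hashes, accounts that share a password share a hash, so
    the leak reveals password reuse before a single guess is made."""
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}

def guess_unsalted(table: dict, wordlist) -> dict:
    """Each candidate is hashed once and compared against every account:
    the cost of guessing is shared across the whole leak."""
    lookup = {unsalted_sha1(w): w for w in wordlist}
    return {user: lookup[d] for user, d in table.items() if d in lookup}

# Defender's alternative: per-user random salt plus slow key derivation.
# ITERATIONS is a constructed value chosen so the demo runs quickly;
# production deployments use far higher counts.
ITERATIONS = 50_000

def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """Returns a self-describing record: algorithm$iterations$salt$hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(stored: str, password: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so timing does not leak how much matched
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print("shared hashes:", shared_password_groups(LEAKED_TABLE))
    print("recovered from wordlist:", guess_unsalted(LEAKED_TABLE, WORDLIST))
    a, b = store_password("password"), store_password("password")
    # same password, different salts: records differ and cannot be grouped
    print("salted records differ:", a != b)
    print("verify ok / wrong:", verify_password(a, "password"), verify_password(a, "wrong"))
```

The takeaway for a storage review: the record format should name a slow, salted algorithm, and two users who chose the same password must not produce the same stored value.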

What is the value of these passwords? So many passwords have been stolen and resold/published that:
- It is estimated that enough passwords have been "stolen" that at least the equivalent of two passwords for every computer user have been stolen
- Billions of passwords and user codes are available for free on the dark web
- Passwords and user codes are only worth money when they have just recently been stolen and news of the theft has not been made public

Creatures of Habit Grace Boyle (an online blogger) summed up creatures of habit in a guest article where she wrote: "We are creatures of habit. We find comfort in regularity. When something out of the ordinary comes along, forces us to dig deep and make a U-Turn instead of keep going straight, it's jarring. All of a sudden the comfort and familiarity are gone and we're alone, not quite sure what to do next."
- People reuse passwords
- Most software does not stop this from happening
- Reused passwords typically only vary slightly
- No software can stop password reuse on different systems

Creatures of Habit More reasons users reuse passwords:
- Typical password policies that state things like: you must have at least 10-12 characters with letters (upper and lower case), numbers, special characters
- Time restrictions like forced resets every 30 days
- Some websites won't let you paste your password in; you have to type it

Collision of facts Facts:
- People reuse passwords
- Everyone leaves some type of digital fingerprint (social media)
- Billions of passwords are available for free on the dark web
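Two of the facts on this slide can be checked at the one moment a system holds both the old and the new password: the change-password form. The Python below is an added example (not from the presentation) of that check: it rejects a new password that is only a cosmetic variant of the old one (Summer2018! to Summer2019!, Password1 to P@ssw0rd2), and it looks the new password up against a breached-password set using the hash-prefix (k-anonymity) scheme that the Pwned Passwords service behind the haveibeenpwned.com resource listed later in the deck uses, so the password and its full hash never leave the host. The range response, its counts and the filler suffixes are constructed; a real client would fetch the range URL instead of calling the stand-in.

```python
import hashlib
import string

# leet spellings people swap in while keeping the same word
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                      "4": "a", "5": "s", "7": "t"})

def core(password: str) -> str:
    """Reduce a password to the part people keep when they 'change' it:
    drop leading/trailing digits and symbols, lower-case, undo leet spellings.
    Summer2018! -> summer ; P@ssw0rd2 -> password."""
    stripped = password.strip(string.digits + string.punctuation + string.whitespace)
    return stripped.lower().translate(LEET)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_slight_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is the old one with only cosmetic changes."""
    if old == new:
        return True
    a, b = core(old) or old.lower(), core(new) or new.lower()
    if a == b or edit_distance(a, b) <= max_edits:
        return True
    shorter, longer = sorted((a, b), key=len)
    return len(shorter) >= 4 and shorter in longer   # old word embedded in new

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for the Pwned Passwords range endpoint
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>),
# which answers with "SUFFIX:COUNT" lines for every known hash in that range.
# The counts and the two filler suffixes are made up for this demo.
_PWNED_PREFIX = sha1_upper("password")[:5]
_FAKE_RANGE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",     # filler, constructed
    sha1_upper("password")[5:] + ":3730471",      # constructed count
    "F" * 35 + ":1",                              # filler, constructed
])

def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for the HTTP call; only the 5-char prefix is passed."""
    return _FAKE_RANGE_BODY if prefix == _PWNED_PREFIX else "0" * 35 + ":1"

def breach_count(password: str, range_lookup=fake_range_lookup) -> int:
    """k-anonymity check: send the prefix, match the suffix locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def check_new_password(old: str, new: str) -> list:
    """Policy decision at password-change time; an empty list means accepted."""
    problems = []
    if is_slight_variant(old, new):
        problems.append("new password is a slight variant of the old one")
    n = breach_count(new)
    if n:
        problems.append(f"new password appears in known breaches ({n} times)")
    return problems

if __name__ == "__main__":
    for old, new in [("Summer2018!", "Summer2019!"), ("Summer2018!", "password"),
                     ("Summer2018!", "zK9#v!Lq2-constructed-unique")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

The variant check only works because the user has just typed the old password; it cannot be run later against stored hashes, which is exactly the slide's point about reuse across systems being invisible to any one of them.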

So if my password is not enough... Definition: Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.

So if my password is not enough... Understanding slang versus fact:
- What is multifactor authentication?
- Is usercode / password multifactor authentication? Why or why not?
- However, how is multifactor authentication typically defined? Typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

So if my password is not enough... Some options for multifactor authentication include but are not limited to:
- Hard tokens
- Soft tokens
- Biometrics
- PINs
- Passwords
- User IDs
- Smart cards

So if my password is not enough... Hard Tokens: Hard tokens (also known as hardware tokens, security tokens, authentication tokens) are a common method of deploying two-factor authentication (2FA), popularized by RSA in the late 80s / early 90s. Soft Tokens: A software token (a.k.a. soft token) is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated.

So if my password is not enough... Biometrics: Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who he says he is. Biometric authentication systems compare a biometric data capture to stored, confirmed authentic data in a database. If both samples of the biometric data match, authentication is confirmed. PINs. Passwords: A secret word or phrase that must be used to gain admission to something; a string of characters that allows access to a computer, interface, or system.

So if my password is not enough... User IDs: User identification (user ID) is a logical entity used to identify a user on a software, system, website or within any generic IT environment. It is used within any IT enabled system to identify and distinguish between the users who access or use it. A user ID may also be termed a username or user identifier. Smart Cards: A plastic card with a built-in microprocessor, used typically for electronic processes such as financial transactions and personal identification.

So if my password is not enough... How many factors should you use?
- The number of factors should be appropriate to risk
- Three factors is now a default minimum
- Factors should be from different categories
- Remote access: User ID, password, PIN, and token generated security number

So if my password is not enough... How many factors should you use? High risk accounts: admin accounts with remote access, 6 factors?
- User ID
- Password
- PIN
- Token generated security number
- Different ID
- Different password

So if my password is not enough... Security is a factor of risk
- Companies should base factors of authentication on the determined risk of access
- Companies should have data tied to risk
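The last three slides together describe a policy: the required strength follows the risk of the access, and what counts is how many different categories the factors come from, not how many items are on the list. The Python below is an added example (not from the presentation) of that policy as a check an access-management system could run on a proposed login design. The category table, the risk tiers and the rule that a user ID identifies but proves nothing (so it adds no factor) are my assumptions; the deck itself leaves the "6 factors?" question open, and the example shows what the different-categories rule says about it.

```python
# Classification assumed for this example. None marks an identifier that names
# the principal but is not evidence, so it contributes no factor.
CATEGORY = {
    "user id": None, "username": None, "different id": None,
    "password": "knowledge", "different password": "knowledge",
    "pin": "knowledge", "security question": "knowledge",
    "hard token": "possession", "soft token": "possession",
    "token generated security number": "possession", "smart card": "possession",
    "fingerprint": "inherence", "face": "inherence", "voice": "inherence",
}

# Constructed risk tiers: distinct categories required per tier.
REQUIRED_CATEGORIES = {"low": 1, "standard": 2, "high": 3}

def distinct_categories(factors):
    """Map each listed factor to its category; return the set of categories
    actually covered and any factor the table does not know."""
    covered, unknown = set(), []
    for factor in factors:
        key = factor.strip().lower()
        if key not in CATEGORY:
            unknown.append(factor)
        elif CATEGORY[key] is not None:
            covered.add(CATEGORY[key])
    return covered, unknown

def evaluate(factors, risk):
    """Decide whether a proposed factor list satisfies the tier for `risk`."""
    covered, unknown = distinct_categories(factors)
    need = REQUIRED_CATEGORIES[risk]
    reasons = []
    if unknown:
        reasons.append(f"unclassified factors: {unknown}")
    if len(covered) < need:
        reasons.append(f"{risk} risk needs {need} categories, list covers {sorted(covered)}")
    return {
        "categories": sorted(covered),
        "multi_factor": len(covered) >= 2,      # the definition on the MFA slide
        "ok": len(covered) >= need and not unknown,
        "reasons": reasons,
    }

if __name__ == "__main__":
    designs = {
        "usercode/password":        (["User ID", "Password"], "standard"),
        "remote access slide":      (["User ID", "Password", "PIN", "Token generated security number"], "standard"),
        "admin '6 factors' slide":  (["User ID", "Password", "PIN", "Token generated security number",
                                      "Different ID", "Different password"], "high"),
        "admin with biometric":     (["Password", "Hard Token", "Fingerprint"], "high"),
    }
    for name, (factors, risk) in designs.items():
        print(f"{name}: {evaluate(factors, risk)}")
```

Run as written, the six-item admin list still covers only knowledge and possession, so under a tier that demands three categories it fails for the same reason a second password does not make a login "more multi-factor": the extra items repeat a category rather than adding one.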

Top Breaches

Resources Checking to see if your account or domain has been compromised in a data breach https://haveibeenpwned.com/

Questions? Jerry.a.Wynne@gmail.com

References
- Slide 7: LastPass for Enterprise, marketing materials, 2017
- Slide 9: http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html
- Slide 12: http://www.lifewithoutpants.com/theinconvenience-of-change-we-are-creatures-of-habit-grace-boyle/
- Slide 16: https://en.wikipedia.org/wiki/Multi-factor_authentication
- Slide 19: http://searchsecurity.techtarget.com/definition/biometric-authentication
- Slide 24: https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html