1
What Do You Mean My Password Isn’t Enough?!?
Jerry Wynne, CISA, CISSP, CIRSC Vice President of Security, CISO
2
Disclaimer
This document and any oral presentation accompanying it are not intended/should not be taken as necessarily representing the policies, opinions, and/or views of Noridian Mutual Insurance Company, Blue Cross Blue Shield of North Dakota, Noridian Healthcare Solutions, any of their component services, or any other affiliated companies. This document and any oral presentation accompanying it have been prepared in good faith. However, no express or implied warranty is given as to the accuracy or completeness of the information in this document or the accompanying presentation.
3
Agenda
- Who am I?
- Breach after Breach after Breach
- It's a numbers game
- Cracking a password
- What is the value?
- Creatures of Habit
- Collision of Facts
- So, if my password is not enough...
4
Who am I?
- Currently employed by Noridian Mutual Insurance Company
  - DBA: Blue Cross Blue Shield of North Dakota, an independent licensee of the Blue Cross Blue Shield Association
  - DBA: Noridian Healthcare Solutions
  - Assisting three other healthcare plans with security
- Vice President of Security, Chief Information Security Officer (CISO)
  - Responsible for both electronic and physical security
  - 3200 employees, 20+ locations coast to coast
  - Staff of 70+ physical and electronic security professionals
- Certifications include:
  - Certified Information Systems Auditor (CISA)
  - Certified Information Systems Security Professional (CISSP)
  - Certified in Risk and Information Systems Control (CRISC)
- Over twenty years' experience in electronic security, with over fifteen years of leadership in electronic security
5
Breach after Breach after Breach
The password breaches keep coming and coming:
- 2013 Yahoo data breach: over 1 billion passwords breached
- 2015 LinkedIn password breach: 115 million passwords breached
- 2017 Cloudflare breach: includes Uber, Fitbit, OKCupid among 3,400 websites; unknown number of passwords. Users are urged to update all passwords.
6
It's a numbers game
- Total population of USA: 323 million
- Total population of world: 7.5 billion
7
It's a numbers game
- Approximate total number of passwords stolen in 2016 alone: 4.2 billion
8
It's a numbers game
- So, if passwords were just stolen from Americans, every American would have lost 13 passwords in 2016.
- If passwords were stolen from everyone in the world, every other person in the world has had a password stolen in 2016!
9
Cracking a password
From the UK Daily Mail, 2013:
"A team of hackers has managed to crack more than 14,800 supposedly random passwords - from a list of 16,449 - as part of a hacking experiment for a technology website. The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster. The hackers also managed to crack 16-character passwords including 'qeadzcwrsfxv1331'. Rather than repeatedly entering passwords into a website, the hackers used a list of hashed passwords they managed to get online. In several cases they identified the user, and used plain text passwords and created a hash from the plain text password."
10
Cracking a password
From the 2016 Verizon report:
Verizon found that "63% of confirmed data breaches involved leveraging weak, stolen or default passwords." Further, Verizon reported that 93% of data breaches occurred within minutes, while 83% weren't discovered for weeks.
11
What is the value of these passwords?
So many passwords have been stolen and resold/published that:
- It is estimated that enough passwords have been "stolen" that at least the equivalent of two passwords for every computer user have been stolen
- Billions of passwords and user codes are available for free on the dark web
- Passwords and user codes are only worth money when they have just recently been stolen and news of the theft has not been made public
12
Creatures of Habit
Grace Boyle (an online blogger) summed up creatures of habit in a guest article where she wrote:
"We are creatures of habit. We find comfort in regularity. When something out of the ordinary comes along, forces us to dig deep and make a U-Turn instead of keep going straight, it's jarring. All of a sudden the comfort and familiarity are gone and we're alone, not quite sure what to do next."
- People reuse passwords
- Most software does not stop this from happening
- Reused passwords typically only vary slightly
- No software can stop password reuse on different systems
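The slide's point that reused passwords "typically only vary slightly" is something a password-change flow can check for on a single system (it cannot, as the slide says, see reuse on other systems). The following is an added example, not code from the presentation or from any product it mentions: it case-folds the old and new passwords, undoes common digit/symbol substitutions, strips the trailing year-or-punctuation decoration people append, and then compares the remaining cores by edit distance. The substitution table and the two-edit threshold are assumptions chosen for illustration.

```python
import re
import unicodedata

# Common character substitutions users apply when "changing" a password
# (assumed table for this example; extend for your own environment).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its letter core.

    Steps: Unicode-normalize and case-fold, drop leading/trailing digits and
    symbols (the 'Summer2016!' -> 'Summer' decoration), then undo leet-speak
    substitutions inside what remains ('P@ssw0rd' -> 'password').
    """
    folded = unicodedata.normalize("NFKC", password).casefold()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", folded)
    return core.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_slight_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is the same password as `old` dressed up slightly.

    A password-change handler would reject `new` when this returns True.
    Both inputs must be available in plain text at the moment of change,
    which is exactly when the user has just typed both.
    """
    if old == new:
        return True
    a, b = normalize(old), normalize(new)
    if not a and not b:
        # All-digit / all-symbol passwords: compare the raw strings instead.
        return levenshtein(old.casefold(), new.casefold()) <= max_edits
    if a == b:
        return True
    # One core embedded in the other ('winter' inside 'winter-2017-work').
    if len(a) >= 4 and len(b) >= 4 and (a in b or b in a):
        return True
    return levenshtein(a, b) <= max_edits


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2016!", "Summer2017!"), ("P@ssw0rd1", "password2"),
                     ("Summer2016!", "Tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: slight variation = {is_slight_variation(old, new)}")
```

The check is deliberately conservative: it only catches the edit patterns the slide describes (case, leet substitutions, appended year or punctuation, small edits), and a user can still defeat it by choosing a genuinely unrelated password, which is the desired outcome.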
13
Creatures of Habit
More reasons users reuse passwords:
- Typical password policies that state things like: you must have at least characters with letters (upper and lower case), numbers, and special characters
- Time restrictions like forced resets every 30 days
- Some websites won't let you paste your password in; you have to type it
14
Collision of facts
Facts:
- People reuse passwords
- Everyone leaves some type of digital fingerprint (social media)
- Billions of passwords are available for free on the dark web
15
So if my password is not enough...
Definition: Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism, typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.
16
So if my password is not enough...
Understanding slang versus fact:
- What is multifactor authentication?
- Is user code / password multifactor authentication? Why or why not?
- However, how is multifactor authentication typically defined? Typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).
17
So if my password is not enough...
Some options for multifactor authentication include but are not limited to:
- Hard tokens
- Soft tokens
- Biometrics
- PINs
- Passwords
- User IDs
- Smart cards
18
So if my password is not enough...
Hard tokens: Hard tokens (also known as hardware tokens, security tokens, authentication tokens) are a common method of deploying two-factor authentication (2FA), popularized by RSA in the late 80s / early 90s.
Soft tokens: A software token (a.k.a. soft token) is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated.
19
So if my password is not enough...
Biometrics: Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who he says he is. Biometric authentication systems compare a biometric data capture to stored, confirmed authentic data in a database. If both samples of the biometric data match, authentication is confirmed.
PINs
Passwords: A secret word or phrase that must be used to gain admission to something; a string of characters that allows access to a computer, interface, or system.
20
So if my password is not enough...
User IDs: User identification (user ID) is a logical entity used to identify a user on a software, system, website or within any generic IT environment. It is used within any IT-enabled system to identify and distinguish between the users who access or use it. A user ID may also be termed a username or user identifier.
Smart cards: A plastic card with a built-in microprocessor, used typically for electronic processes such as financial transactions and personal identification.
21
So if my password is not enough...
How many factors should you use?
- The number of factors should be appropriate to risk
- Three factors is now a default minimum
- Factors should be from different categories
- Remote access: User ID, password, PIN, and token-generated security number
22
So if my password is not enough...
How many factors should you use?
High-risk accounts: admin accounts with remote access. 6 factors?
- User ID
- Password
- PIN
- Token-generated security number
- Different ID
- Different password
23
So if my password is not enough...
Security is a factor of risk:
- Companies should base factors of authentication on the determined risk of access
- Companies should have data tied to risk
24
Top 10 breaches
25
Resources
Checking to see if your account or domain has been compromised in a data breach
26
Questions?
27
References
- Slide 7: LastPass for Enterprise, Marketing Materials, 2017
- Slide 9: strong-password-Hackers-crack-16-character-passwords-hour.html
- Slide 12: we-are-creatures-of-habit-grace-boyle/
- Slide 16:
- Slide 19: authentication
- Slide 24: