Become a Cybersecurity Ninja: Your Passwords are Broken (Authentication, Passwords, Password Managers and 2FA)

Post on 24-Sep-2020


TRANSCRIPT

  • Become a Cybersecurity Ninja: a ten-part webinar series

    Today’s session: Your Passwords are Broken, and How You Can Fix Them, with guest Keith Berner, Freedom House

    Next session: The @$#’s of Encryption (Communication, Information and Device Encryption Basics)

    To view information on the entire series, please visit ninja.rtt.nyc.

    http://ninja.rtt.nyc

  • The Ninja Plan (subject to change)

    Threat Modeling: Threat Modeling and Risk Assessment (January 24th)

    Network Security Basics: Firewalls, VPN, Vulnerability Scanning, etc. (February 7th)

    Authentication: Passwords, Password Managers and 2FA (February 21st)

    The @$#’s of Encryption: Communication, Info and Device Encryption (March 7th)

    Gone Phishing: Phishing, Social Engineering and Ransomware (March 21st)

    On the Move: Mobile Security (April 4th)

    Digital Privacy: VPNs, TOR, reining in social media (April 18th)

    Security Tools: Review of our favorite tools and services (May 2nd)

    Now What?: Incident Response (May 16th)

    Wrap-up and Quiz: Review, wrap-up and Ninja Certification Quiz (May 30th)

    https://attendee.gotowebinar.com/rt/4507117344961946114

  • RoundTable Technology is a team of dedicated technology professionals operating out of Maine and New York.

    We help hundreds of organizations achieve their missions through effective use of technology.

    Joshua Peskay, Vice President of Technology Strategy

    http://www.roundtabletechnology.com

  • Keith Berner, Director of IT, Freedom House

    Keith Berner has been IT Director with Freedom House for four years and has been in the NGO sector since 2007. Keith’s eclectic career includes degrees in technology management, international relations, and theatre. He has at various times had responsibility for program development, research, writing, editing, financial management, and political organizing. Within IT, Keith’s greatest expertise is being able to locate and leverage the expertise of others. At Freedom House, an international human rights and democracy organization founded in 1941, he plays a key role in keeping the organization and its staff safe from authoritarian governments with hostile intent.

    http://www.freedomhouse.org

  • The first step toward recovery is admitting you have a problem.

  • Our Learning Objectives today...

    ● Why Passwords are Broken
    ● Using Password Managers
    ● Single Sign-On and Enterprise Password Managers
    ● Two-Factor Authentication (2FA)
      ○ Fingerprint
      ○ SMS
      ○ Authenticator
      ○ U2F (Universal 2nd Factor)
    ● Resources for further learning

  • What is the average number accounts registered to a single email address in the US?

  • 123456 is the best password

    [charts: most common passwords from the Ashley Madison breach and from the LinkedIn breach]

  • The best passwords are long, complex and random strings of letters, digits and symbols, such as:

    7!G2Kq@qyhTfTTQIwlcd82Kt

    Or

    yHIQHtLp7YoAb^&ib3ZHJt4WP#xCuBZEO3S7tIIe%IhUb7b81

    Or

    I like to eat donuts on Wednesdays.

    Notice anything different about the last one?
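    The slide leaves the comparison implicit, so here is an added worked example (not part of the original deck) that puts numbers on it. It computes the entropy of a password drawn uniformly from a given alphabet, shows the naive "strength meter" estimate that treats any string as if it were random, and generates both a random password and a random passphrase the way a password manager would. It goes a little beyond the slide: the memorable sentence only stays memorable and strong if the words are picked at random from a fixed list (diceware style). The 32-symbol punctuation class, the 7776-word list size and the toy word list are assumptions of this example, not figures from the slides.

```python
import math
import secrets
import string

# Character classes used to estimate the alphabet a random password was drawn
# from. The 32-symbol punctuation class is a common convention for printable
# ASCII and is an assumption of this example, not a figure from the slides.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"      # 32 printable ASCII symbols
PASSWORD_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 characters

# Constructed stand-in for a diceware-style word list. A real list has
# 7776 words (6^5), so each uniformly chosen word contributes log2(7776)
# ~= 12.9 bits; this toy list only gives 4 bits per word.
TOY_WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glider",
             "harbor", "ivory", "juniper", "kettle", "lantern", "marble",
             "nectar", "orbit", "pebble"]
DICEWARE_LIST_SIZE = 7776


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols, each chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def charset_size(password: str) -> int:
    """Size of the smallest union of standard classes that covers the password.

    This is what naive strength meters use. It is only meaningful if every
    character really was chosen uniformly at random from that union.
    """
    size = 0
    if any(c in LOWER for c in password):
        size += len(LOWER)
    if any(c in UPPER for c in password):
        size += len(UPPER)
    if any(c in DIGITS for c in password):
        size += len(DIGITS)
    if any(c not in LOWER + UPPER + DIGITS for c in password):
        size += len(SYMBOLS)
    return size


def naive_entropy(password: str) -> float:
    """Upper bound on entropy, valid only for uniformly random characters."""
    return entropy_bits(len(password), charset_size(password))


def average_crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


def random_password(length: int, alphabet: str = PASSWORD_ALPHABET) -> str:
    """What a password manager does: CSPRNG-driven selection, not human choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist: list = TOY_WORDS, sep: str = " ") -> str:
    """Memorable and still random: words chosen by a CSPRNG from a fixed list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for pw in ["7!G2Kq@qyhTfTTQIwlcd82Kt",
               "yHIQHtLp7YoAb^&ib3ZHJt4WP#xCuBZEO3S7tIIe%IhUb7b81",
               "I like to eat donuts on Wednesdays."]:
        print(f"{pw!r}: naive estimate {naive_entropy(pw):.0f} bits")
    # The sentence scores over 200 bits by the naive estimate, but it is a
    # grammatical English sentence, not a uniform draw, so that figure is
    # meaningless. Seven words drawn at random from a diceware list are both
    # memorable and about 90 bits:
    print(f"7 diceware words: {entropy_bits(7, DICEWARE_LIST_SIZE):.1f} bits")
    years = average_crack_time_seconds(90, 1e10) / 3.15e7
    print(f"90 bits at 10^10 guesses/s: about {years:.1e} years")
    print(random_password(24))
    print(random_passphrase(7))
```

    The point the numbers make: the random 24-character string is around 157 bits, a 7-word random passphrase around 90 bits, and both are far beyond what offline guessing can reach. The sentence on the slide is memorable precisely because it is structured English, which is why its "strength meter" score should not be trusted; let the generator pick the words.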

  • Human brains are not good at making and remembering long, complex and random alphanumeric strings.

    And wait, it gets worse...

  • Even Complex Passwords aren’t great

    ● They can still get phished
    ● They can still be reused in multiple places
    ● They can still be shared in insecure ways (e.g. plain text)
    ● They can still be part of a larger breach
    ● They can still be captured by keystroke loggers

  • Password Managers to the Rescue

  • Do you use a password manager in your personal life?

  • Top Password Managers (source: Lifehacker, January 2015)

    https://lastpass.com/how-it-works/
    https://www.dashlane.com/passwordmanager

  • Password Managers - Basics

    ● Create long, complex and random passwords.
      ○ It’s literally their job.
    ● Inexpensive (generally

  • Single Sign-On (SSO)

    Password Managers
    ● Used by individuals (can be part of organization)
    ● Generate and manage passwords
    ● Can log in automatically (with browser plug-ins)
    ● Share credentials securely
    ● Can store private credentials (not revealed to org)

    Single Sign-On
    ● Simplifies provisioning and deprovisioning (new staff and departing staff)
    ● Creates a single authentication for key services
    ● Staff only manage one (1) password for SSO accounts

  • Key Success Factors: Password Managers

    ● Strong master passwords
      ○ 2FA even better
    ● Strong change management and support
    ● Regular reporting and use monitoring
    ● Time

  • Do you use two-factor authentication in your personal life?

  • Ways to Authenticate

    1. Something you know (password, PIN; a username on its own is an identifier, not a secret)

    2. Something you have (smartphone, USB security key)

    3. Something you are (fingerprint, voice recognition)

  • Common Methods of 2FA

    Fingerprint (something you are)

    SMS (something you have)

    Authenticator app (something you have)

  • Universal 2nd Factor (U2F)


  • Who’s using U2F?

    And lots more: https://www.yubico.com/about/reference-customers/

  • Key Success Factors: Two-Factor Authentication

    ● Most critical services first
    ● Testing groups
    ● Authenticator app preferable to SMS (SMS codes can be intercepted or redirected by a SIM swap; app codes cannot, but like SMS codes they are not tied to the site asking for them, so a phishing page can relay them)
      ○ Consider U2F (the security key signs a challenge together with the site origin the browser reports, so a lookalike domain cannot obtain a usable response)
    ● Training, support, training, support, rinse, repeat.

  • What is your biggest challenge around Password Management?

  • Resources

    ● Secure Passwords Animation (warning - some bad language)
      http://www.vox.com/technology/2016/12/22/14041638/password-secure-manager-cartoon
    ● Single Sign-On - Solutions and Challenges
      http://www.tomsitpro.com/articles/single-sign-on-solutions,2-853.html
    ● 12 Days of 2FA (from the EFF)
      https://www.eff.org/deeplinks/2016/12/12-days-2fa-how-enable-two-factor-authentication-your-online-accounts

  • Next Session

    The @$#’s of Encryption: Communication, Information and Device Encryption Basics

    To view information on the entire series, please visit ninja.rtt.nyc.

    http://ninja.rtt.nyc
