3 Factors of Fail
Barry Caplin
Secure360, Wed. May 15, 2013, 2:35P

WELCOME TO SECURE360 2013
Don’t forget to pick up your Certificate of Attendance at the end of each day.
Please complete the Session Survey front and back, and leave it on your seat.
Are you tweeting? #Sec360

The Authentication Problem
Secure360
Wed. May 15, 2013
Barry Caplin, Chief Information Security Officer
MN Dept of Human Services
@bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com

Authentication is the Challenge

And The Challenge is…
People need to:
Enter Buildings
Use Systems
Use Data

And The Challenge is…
The Right People need to:
Enter Buildings
Use Systems
Use Data

Guiding Principle
Minimum Necessary

We Usually Think Of…

And Passwords Get Stolen
It was a busy year

And Bad Choices Are Made

3 Factors of Authentication
1. Something You Know
2. Something You Have
3. Something You Are (or Do)

3 Factors of Auth FAIL
1. Something You Forgot
2. Something You Lost
3. Something You Were (or Did)

1. Something You Forgot
P@sswOrd5
PINs
Combinations
“Secret” Phrases
Picture Identification
Patterns

Used by…

Not Simple
Can’t be easily guessable
False positives
Grant rights to wrong person
Actions attributable to you!
So not simple/guessable…
But simple is memorable…

Complexity Requirements
Make Guessing Difficult
Common: 8 char, upper/lower, numeric, special
Smart Users Circumvent
Nonsense/Random great
But impossible to remember

To Make It Worse
Expiration
“best practice”
Like changing your house locks every 30 days!
Secret Questions – too simple, too guessable
Answers on Facebook
Remember… don’t have to be true!
Help Desks
Social engineering and process hacks (ask Mat Honan)

3 More Issues
Bad Choices
NYG1@nts! meets requirements
Shoulder Surfing
Complex => slow to enter
Writing Down
Not bad if done well

To Make It Worse
Social Engineering
Phishing

Solutions
Length
Better than Complexity!
Long phrases easier to remember
Why do some sites have max length???
Vaults
Use ‘em!
Don’t forget the main password!
OTP (One Time Passwords)
Fixes many issues except delivery
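An added example for the two preceding slides (“NYG1@nts! meets requirements” and “Length better than complexity”), written for this page and not taken from the talk. It puts the common 8-character composition rule beside a length-first policy that sets a floor but no ceiling and rejects predictable choices by normalising the usual substitutions before a blocklist lookup. The blocklist, the substitution map and the 15-character floor are assumptions constructed for the example; a real deployment would use a breached-password or dictionary list.

```python
import re
from typing import Tuple

# The common composition rule from the deck: 8 chars, upper, lower, digit, special.
COMPLEXITY_CHECKS = {
    "upper": r"[A-Z]",
    "lower": r"[a-z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}
MIN_COMPLEX_LEN = 8

# Assumption for the length-first policy: a floor of 15 characters and no maximum.
MIN_LENGTH_POLICY = 15

# Constructed blocklist of predictable choices (team names, dictionary words, ...).
# Placeholder for a breached-password or dictionary list in a real system.
BLOCKLIST = {"password", "letmein", "welcome", "nygiants", "vikings", "qwerty"}

# Substitutions people apply to satisfy composition rules; undone before the lookup.
SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def normalize(password: str) -> str:
    """Lowercase, drop trailing digits/punctuation, then undo leet substitutions.
    'NYG1@nts!' -> 'nygiants', 'P@sswOrd5' -> 'password'."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(SUBSTITUTIONS)


def complexity_policy(password: str) -> Tuple[bool, str]:
    """The classic rule: it happily accepts a predictable string dressed up with symbols."""
    if len(password) < MIN_COMPLEX_LEN:
        return False, f"shorter than {MIN_COMPLEX_LEN}"
    missing = [name for name, pat in COMPLEXITY_CHECKS.items() if not re.search(pat, password)]
    if missing:
        return False, "missing " + ", ".join(missing)
    return True, "meets composition rule"


def length_policy(password: str) -> Tuple[bool, str]:
    """Length-first rule: blocklist check on the normalised form, then a length floor.
    No composition requirement and no maximum length (the string is hashed, so there
    is no storage reason to cap it)."""
    if normalize(password) in BLOCKLIST:
        return False, "predictable choice (blocklisted after normalization)"
    if len(password) < MIN_LENGTH_POLICY:
        return False, f"shorter than {MIN_LENGTH_POLICY}"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("NYG1@nts!", "P@sswOrd5", "coffee before the morning standup"):
        print(repr(candidate), "complexity:", complexity_policy(candidate),
              "length-first:", length_policy(candidate))
```

The contrast is the point of the slides: the nine-character team name passes the composition rule and fails the length-first one, while the long lowercase phrase fails composition and passes length-first.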

Something You Lost
a.k.a. 2-factor auth – id/pw + hard token
Static/Dynamic

OTP Delivery
Hard Token
Time (RFC 6238) or Sequence-based
Also Smart Cards, Key Cards
Soft Tokens
Program or App
Device independence
SMS
Paper

Challenges
Hard Tokens
Can be lost
Worse – often kept with laptop
Multiple systems = multiple tokens
Soft Tokens – better because people don’t lose their phones…
… Oh Wait…

Solution
I still like this when implemented well
Google Auth
SMS
Smart phones
Paper

Something You Were
Usually means biometrics
Oldest form of ID
Animals, babies, tribes/groups – senses
Mixed reliability

Biometrics
False Positives – bad for security
False Negatives – bad for business
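An added example for the trade-off this slide names, written for this page and not part of the talk. Every biometric matcher produces a similarity score and the deployment picks the threshold; moving it one way raises the false accept rate (FAR, the security cost), the other way raises the false reject rate (FRR, the business cost). The match scores below are constructed, not from any real sensor, and the scan functions are this example’s own.

```python
# Constructed similarity scores in [0, 1] from a hypothetical matcher (not real data):
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.55, 0.93, 0.66]   # right person
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.58, 0.30, 0.72, 0.47, 0.64, 0.25]  # wrong person


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """A sample is accepted when score >= threshold.
    FAR = impostors accepted (false positives), FRR = genuine users rejected (false negatives)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def thresholds():
    """Candidate thresholds 0.00 .. 1.00 in steps of 0.01."""
    return [round(i / 100, 2) for i in range(101)]


def equal_error_threshold():
    """Threshold where FAR and FRR are closest: the usual single-number comparison point."""
    return min(thresholds(), key=lambda t: abs(rates(t)[0] - rates(t)[1]))


def threshold_for_max_far(max_far):
    """Security-first tuning: the lowest threshold keeping FAR <= max_far
    (lowest, so the FRR paid for it is as small as possible)."""
    for t in thresholds():
        if rates(t)[0] <= max_far:
            return t
    return None


def threshold_for_max_frr(max_frr):
    """Business-first tuning: the highest threshold keeping FRR <= max_frr."""
    for t in reversed(thresholds()):
        if rates(t)[1] <= max_frr:
            return t
    return None


if __name__ == "__main__":
    eer = equal_error_threshold()
    print("equal error threshold %.2f -> FAR %.2f FRR %.2f" % (eer, *rates(eer)))
    secure = threshold_for_max_far(0.0)
    print("no false accepts at %.2f -> FRR %.2f" % (secure, rates(secure)[1]))
    friendly = threshold_for_max_frr(0.0)
    print("no false rejects at %.2f -> FAR %.2f" % (friendly, rates(friendly)[0]))
```

With these scores the equal error rate sits at 10% each way; driving false accepts to zero costs 20% of genuine attempts, and driving false rejects to zero lets 30% of impostors through. The same scan over real matcher output is how the threshold for a door reader or a voice-print reset gets chosen.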

Biometrics
Some common choices
Iris/retinal scan, fingerprint, palm print/geometry
Less common
Voice, typing cadence, “bottom” print

Biometrics
Best auth method for use in movies!

Challenges
Logistics
Registration, hardware/people, “failure to enroll” (FER), contaminants on readers
Hygiene
Perception (movie story)
Back-end systems

2 Biggest Issues
Can’t change your biometric when you need to
Your biometric can change when it wants to
Hard to fake (getting easier)
Easy to steal
Nearly impossible to change/fix

Solutions?
Not bad if used correctly
Local physical access
Voice-print for automated pw reset

The 4th Factor
Risk-based, location-based, adaptive auth
“somewhere you are” or “something you are doing”
Key need – “rich” user profile
Check against profile, then:
Allow
Deny
Challenge

Biggest Issue
Establishing profile
Takes time
Highly non-trivial
Needs much info and/or long/ongoing relationship
Otherwise degenerates to 1-factor
Newer but promising
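An added example covering the last two slides (the check-against-profile, then allow/deny/challenge flow, and the thin-profile problem), written for this page and not from the talk. A profile is learned from prior successful logins; each attempt is scored on the signals the deck mentions (device, location, time of day) and mapped to one of the three outcomes. The failure mode on the second slide is handled explicitly: while the profile has too few observations to mean anything, the decision is always “challenge”, never a silent “allow”, because an empty profile would otherwise reduce the scheme to the password alone. The point weights, the five-login minimum and the login history are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

MIN_OBSERVATIONS = 5  # assumption: fewer prior logins than this = profile too thin to trust


@dataclass
class Profile:
    """What has been learned about one user from prior successful logins."""
    devices: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    hour_buckets: Counter = field(default_factory=Counter)  # 4-hour slots of the day
    logins: int = 0

    def learn(self, device: str, country: str, hour: int) -> None:
        self.devices[device] += 1
        self.countries[country] += 1
        self.hour_buckets[hour // 4] += 1
        self.logins += 1


def risk_score(profile: Profile, device: str, country: str, hour: int) -> int:
    """Risk points for an attempt: each signal never seen in the profile adds points.
    Weights are illustrative assumptions, not a standard."""
    risk = 0
    if profile.devices[device] == 0:
        risk += 40  # unknown device
    if profile.countries[country] == 0:
        risk += 40  # unknown location ("somewhere you are")
    if profile.hour_buckets[hour // 4] == 0:
        risk += 20  # unusual time of day ("something you are doing")
    return risk


def decide(profile: Profile, device: str, country: str, hour: int) -> str:
    """Map an attempt to allow / challenge / deny, the three outcomes on the slide."""
    if profile.logins < MIN_OBSERVATIONS:
        return "challenge"  # thin profile: no silent allow, fall back to a second factor
    risk = risk_score(profile, device, country, hour)
    if risk >= 80:
        return "deny"
    if risk >= 40:
        return "challenge"
    return "allow"


def build_sample_profile() -> Profile:
    """Constructed login history for one staff user (not real data)."""
    history = [("laptop-a1", "US", 9), ("laptop-a1", "US", 10), ("laptop-a1", "US", 14),
               ("laptop-a1", "US", 9), ("laptop-a1", "US", 11), ("laptop-a1", "US", 15)]
    profile = Profile()
    for device, country, hour in history:
        profile.learn(device, country, hour)
    return profile


if __name__ == "__main__":
    known = build_sample_profile()
    for attempt in [("laptop-a1", "US", 10), ("phone-b2", "US", 10), ("kiosk-z9", "ZZ", 3)]:
        print(attempt, "->", decide(known, *attempt))
    thin = Profile()
    thin.learn("laptop-a1", "US", 10)
    print("thin profile, known device ->", decide(thin, "laptop-a1", "US", 10))
```

Note that a “challenge” here is not a failure: it is the point where the scheme hands off to one of the other factors (an OTP, a call-back), which is why the deck pairs risk-based auth with them rather than offering it alone.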

Multi-Factor (MFA)
Take 2 bad things and combine them together!
That makes sense!

Multi-Factor (MFA)
Typically 2-factor
ID/pw + token
Steal one, you can’t get in
Either can be “easily” changed

Multi-Factor (MFA)
But…
SolutionsSolutionsTypical
1-factor – id/pw for login ; badges for entryOccasional hard token useBut 1-factor only safe in “controlled”
environments
Challenge:Positively id a personEasy to use
User/UseUser/UseCustomerStaffTech workerNewbie
Hardware/softwareControl over hw/swData classificationRegulatoryThreats/Risks
Replay attackAvailabilityWork-aroundsSingle/multi-useEasy to use?
Then do what makes sense!

Example
Biometrics for entrance into high-security area
Badges can be lost or used by anyone
Combine with measures like Keywatcher
OTP
Google Auth or Yubikey
SmartPhones – can be lost but are often kept close and rarely left with computer
Good choice for online/web-based services

Example
Online Banking
System auth -> Preselected word/picture -> Id/pw -> Reauth for large/unusual transaction

Example
Long passwords + vault
pw’s – with us for a while
People make poor pw choices
Long phrases easier to remember
Long random strings better
Better – Add easy-to-use soft fob
Remote access + risk-based auth
We have more info about staff

The Future
![Page 48: 3 factors of fail sec360 5-15-13](https://reader036.vdocuments.site/reader036/viewer/2022081414/54b6a8334a7959b5588b4844/html5/thumbnails/48.jpg)