Transcript
Page 1: Communication, Information and Device Encryption Basics ... · Authentication Passwords, Password Managers and 2FA February 21st The @$#’s of Encryption Communication, Info and

Become a Cybersecurity Ninja
A ten-part webinar series

Today’s session: Your Passwords are Broken

How You Can Fix Them
With guest Keith Berner, Freedom House

Next session: The @$#’s of Encryption

Communication, Information and Device Encryption Basics

To view information on entire series, please visit ninja.rtt.nyc.

Page 2:

The Ninja Plan (subject to change)

Threat Modeling: Threat Modeling and Risk Assessment, January 24th
Network Security Basics: Firewalls, VPN, Vulnerability Scanning, etc., February 7th
Authentication: Passwords, Password Managers and 2FA, February 21st
The @$#’s of Encryption: Communication, Info and Device Encryption, March 7th
Gone Phishing: Phishing, Social Engineering and Ransomware, March 21st
On the Move: Mobile Security, April 4th
Digital Privacy: VPNs, TOR, reining in social, April 18th
Security Tools: Review of our favorite tools and services, May 2nd
Now What?: Incident Response, May 16th
Wrap-up and Quiz: Review, wrap-up and Ninja Certification Quiz, May 30th

Page 3:

RoundTable Technology is a team of dedicated technology professionals operating out of Maine and New York.

We help hundreds of organizations achieve their missions through effective use of technology.

Joshua Peskay, Vice President of Technology Strategy

Page 4:

Keith Berner, Director of IT, Freedom House

Keith Berner has been IT Director with Freedom House for four years and has been in the NGO sector since 2007. Keith’s eclectic career includes degrees in technology management, international relations, and theatre. He has at various times had responsibility for program development, research, writing, editing, financial management, and political organizing. Within IT, Keith’s greatest expertise is being able to locate and leverage the expertise of others. At Freedom House, an international human rights and democracy organization founded in 1941, he plays a key role in keeping the organization and its staff safe from authoritarian governments with hostile intent.

Page 5:

The first step toward recovery is admitting you have a problem.

Page 6:

Our Learning Objectives today...

● Why Passwords are Broken
● Using Password Managers
● Single Sign-On and Enterprise Password Managers
● Two-Factor Authentication (2FA)
  ○ Fingerprint
  ○ SMS
  ○ Authenticator
  ○ U2F (Universal 2-Factor)
● Resources for further learning

Page 7:

What is the average number of accounts registered to a single email address in the US?

Page 8:

123456 is the best password

From the Ashley Madison breach
From the LinkedIn breach

Page 9:

The best passwords are long, complex and random alphanumeric strings. Such as

7!G2Kq@qyhTfTTQIwlcd82Kt

Or

yHIQHtLp7YoAb^&ib3ZHJt4WP#xCuBZEO3S7tIIe%IhUb7b81

Or

I like to eat donuts on Wednesdays.

Notice anything different about the last one?
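As an added illustration (not from the slides): a Python script that estimates entropy for the three example passwords above and generates the kind of random password or word-based passphrase a password manager would. The character classes, the demo word list and the 7776-word Diceware size are assumptions of the example, not values from the deck.

```python
import math
import secrets
import string

# Character classes a generator might draw from; the union of the classes
# present in a string is the pool size used for the entropy estimate.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

# Constructed stand-in for a word list; a real Diceware list has 7776 words.
DEMO_WORDLIST = ("donut", "wednesday", "ninja", "freedom", "harbor",
                 "lantern", "violet", "anchor")


def charset_entropy_bits(password: str) -> float:
    """Entropy in bits IF each character was picked uniformly at random from
    the union of the character classes present. Only meaningful for generated
    strings: a human-written sentence comes from the far smaller space of
    plausible sentences, so this estimate overstates it badly."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length: int = 24,
                      alphabet: str = string.ascii_letters + string.digits
                      + string.punctuation) -> str:
    """What a password manager does: one CSPRNG choice per position."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int, wordlist=DEMO_WORDLIST) -> str:
    """Memorable alternative: words chosen at random, separated by spaces."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """A random passphrase's entropy depends on word count and list size,
    not on how many characters it happens to contain."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("7!G2Kq@qyhTfTTQIwlcd82Kt",
               "yHIQHtLp7YoAb^&ib3ZHJt4WP#xCuBZEO3S7tIIe%IhUb7b81",
               "I like to eat donuts on Wednesdays."):
        print(f"{charset_entropy_bits(pw):6.1f} bits (if random)  {pw}")
    print(generate_password(), "|", generate_passphrase(4))
    print(f"6 Diceware words: {passphrase_entropy_bits(6, 7776):.1f} bits")
```

The donut sentence scores highest by the character-set formula, which is exactly why that formula must not be applied to anything a person made up; the word-count formula is the honest measure for a passphrase, and only when the words were chosen at random.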

Page 10:

Human brains are not good at making and remembering long, complex and random alphanumeric strings.

And wait, it gets worse...

Page 11:

Even Complex Passwords aren’t great

● They can still get phished
● They can still be reused in multiple places
● They can still be shared in insecure ways (e.g. plain text)
● They can still be part of a larger breach
● They can still be captured by keystroke loggers

Page 12:

Password Managers to the Rescue

Page 13:

Do you use a password manager in your personal life?

Page 14:

Top Password Managers

Source: Lifehacker January 2015

Page 15:

Password Managers - Basics
● Create long, complex and random passwords.
  ○ It’s literally their job.
● Inexpensive (generally <$30/year/person)
● Protects against phishing attacks
● Can audit all your passwords

Page 16:

Single Sign-On (SSO)

Password Managers
● Used by individuals (can be part of organization)
● Generate and manage passwords
● Can log in automatically (with browser plug-ins)
● Share credentials securely
● Can store private credentials (not revealed to org)

Single Sign-On
● Simplifies provisioning and deprovisioning (new staff and departing staff)
● Creates a single authentication for key services
● Staff only manage one (1) password for SSO accounts

Page 17:

Key Success Factors: Password Managers
● Strong master passwords
  ○ 2FA even better
● Strong change management and support
● Regular reporting and use monitoring
● Time

Page 18:

Do you use two-factor authentication in your personal life?

Page 19:

Ways to Authenticate

1. Something you know (username, password)

2. Something you have (smartphone, usb key)

3. Something you are (fingerprint, voice recognition)

Page 20:

Common Methods of 2FA

Fingerprint (something you are)

SMS (something you have)

Authenticator app (something you have)

Page 21:

Universal Two-Factor Authentication (U2F)

Page 22:

Universal Two-Factor Authentication (U2F)

Page 23:

Who’s using U2F?

And lots more: https://www.yubico.com/about/reference-customers/

Page 24:

Key Success Factors: Two-Factor Authentication
● Most critical services first
● Testing groups
● Authenticator app preferable to SMS
  ○ Consider U2F
● Training, support, training, support, rinse, repeat.

Page 25:

What is your biggest challenge around Password Management?

Page 27:

Next Session

To view information on entire series, please visit ninja.rtt.nyc.

The @$#’s of Encryption
Communication, Information and Device Encryption Basics

Page 28:
