2. Agenda
• Cybercrime Statistics
• Cybercrime Causes
• Password Complexity Myth
• User name & password paradigm overused
• Forfeiting of personal data
• End user malpractice
• Ideal Technology scenario
• AUTHENWARE, the solution.
3. Cybercrime Statistics- Digital era
•
1.5 Billion wired individuals (over 10 passwords each)
•
6.8 Trillion e-mails sent every day
•
1 Million new Facebook subscribers per day
•
375 Million wireless networks
•
10 Million new web-pages per day
•
Every “second” 3 babies are born and 28 mobiles purchased
•
Global internet usage growth 356%
4. Cybercrime Statistics- Hacking Impact
•
$ 1.8 trillion in damages to the global economy
•
$ 4.6 million loses per company on intellectual property
•
US pentagon hacked via Northrop Grumman (29,000)
•
RSA (division of EMC) hacked on 3/17 ($ 500M)
•
Sony hacked on 4/6…and the list goes on….
•
……14 people hacked per second
•
In the US we spend $ 40 dollar on coffee/person and $ 0,025
on security…
5. Cybercrime Main Causes
1- Credentials Complexity & changing
1- Credentials Complexity & changing
2- Username & password paradigm is overused
2- Username & password paradigm is overused
3- Forfeiting of personal identification data
3- Forfeiting of personal identification data
4- End-user malpractice
4- End-user malpractice
5- Lack of innovation
5- Lack of innovation
7. Authentication bypassing- Password complexity
plays no role
“The stronger the password the less secure the system”
The list below is not exhaustive, but it shows the pattern.
Passwords are not the only means of bypassing
authentication. There are several popular techniques, and
password complexity plays no role in defending against
them…”
#
Techniques to bypass
authentication
Are complex
passwords a
defense?
Is AuthenWare a
defense?
1
Steal Passwords
Sometimes
YES
2
SQL Injection
No
YES
3
Cross Site Scripting
No
YES
4
Steel Data from the browser
No
YES
5
Privileged Escalation
No
YES
8. (1) Steal Password (from previous slide)
“Password complexity plays no role”
#
Techniques to steal
passwords
Are complex
passwords a
defense?
Is AuthenWare
a defense?
1
Brute force guessing
Sometimes
YES
2
Intelligent guessing
Sometimes
YES
3
Phishing
No
YES
4
Sniffing
No
YES
5
Social engineering
No
YES
6
Keystroke loggers
No
YES
7
From browser memory
No
YES
8
From browser history
No
YES
9
From Browser refresh
No
YES
10
Crack database locally
Sometimes
YES
To a Hacker passwords are strings of characters, if he can access a simple string
he can access a complex one just as easily
9. The argument for complex passwords hold little
water (from previous slide)
•
(1) Brute force guessing
– Antiquated, most systems will only allow a set number of tries before
accounts get locked out. Lockout forces resets and users have hard
time recalling new passwords
•
(2) Intelligent guessing
– While password complexity helps with intelligent guessing the stats
show users need to write down the passwords which significantly
decreases security. Guessing windows is small, due to set number of
password tries.
•
(10) Crack a database locally
– If the hacker get a local copy of the database he has all the time in the
world and all tools at his disposal so complexity will only cause a delay
in time.
The advantages are few but the decrease in security due to
the human factor is high
10. Gartner - Authentication: Myths and Misconceptions
Debunked (see report attached).
“Passwords must be changed every 90 (or even 30) days
password aging is a major reason users have difficulty remembering their
passwords, yielding operational and security problems namely, a high help desk
call volume for password resets (typically peaking in the days just after the
change) and the increased likelihood that users will write down their passwords”
Other justifications for this practice are based on weaknesses in other processes
or controls that are better remediated in other ways (see the previously cited
research and "Management Update: Eight Security Practices Offer More Value
Than Password Aging").
Nevertheless, regulations often parrot it, and auditors continue to enforce it,
whether or not any germane regulation explicitly requires it. Therefore, it's hard to
avoid being a slave to this myth. A few clients report successfully rebutting
auditors by quoting the Gartner research cited”
12. User ID and password overused
•
User ID and Password it’s a paradigm we inherited from the mainframe times when
systems would only be accessed within the firewall.
•
During those days only known and registered individuals would be able to access
systems an applications which were just few at the time.
•
During the mainframe era there were many users for every single terminal (1 to N), any
user who wanted to access a system had to come to a terminal an type a set of “never
changing” credentials.
•
With the advent of personal computers organizations evolved to one computer for every
user (1 to 1), then the internet came along and we opened the back door of our systems
so people could access these from the outside…..and still we are sticking with user id
and password for accessing these systems!
•
Nowadays not only we have a proliferations of systems and applications, we also have
proliferations of credentials for every one of these systems but what is worst we got to a
situation where every user has a myriad of devices for accessing these systems (N to 1
user)
13. Cybercrime Main Causes
3- Forfeiting of personal identification data
3- Forfeiting of personal identification data
14. Forfeiting of personal identification data
•
It is easy to remember credentials when they are related to something natural like for
example:
•
•
user id: peterjohns password: 01031966,
Then due to a “miss-interpretation” of a SOX Guideline on COBIT information security
topics (under section Access & Authentication) we interpreted that we had to change
user id’s and passwords every 90 days so credentials got something like this:
•
User Id: Pet*)5$2 Password: Lftrd132^@054
•
The problem with those unnatural credentials is that we can not possibly remember them
so we are forced to write them on papers or files, same that we can easy loose and when
we do our security and our Organization’s security gets compromised.
•
Security experts from companies like Google, Microsoft, Unisys, CSC, Amazon, just to
mention few, agree that changing credentials too often only benefits hackers.
•
Changing credentials too often is not only inconvenient but also INSECURE!
•
Most Organizations have the “default” Administrator credentials for their Systems and
Hardware what makes hacking very easy even to non-experts.
16. End user malpractice
•
Users do share credentials with friends, family and co-workers what compromises their
security and eventually the Organization’s they work for.
•
Users accidentally leave sessions open when they leave their desk for lunch, leave for
the day or go for a break (according to Mac -Affee 60% of security breaches happen from
within our own organizations).
•
Users do not encrypt the files where they store their credentials.
•
Users do forget these “unnatural credentials “ we forced them to have, what creates
another problem which is PASSWORD RESETING.
•
Users trend to access Corporate systems and applications from any device they deem
appropriate which we not always can control security (smart phones, tablets, PC’s,
Laptops, etc).
•
Users care less about security and more about usability therefore they forget to run
system checks, anti-virus updates, do timely backups, access through controlled and
authorized resources, etc.
18. Lack of Innovation
“If you keep doing the same things over and over, you will keep getting the same
results over and over”….Albert Einstein
•
Changing credentials every 90 or 60 days is not innovation, it’s just pretending to solve a
problem with the wrong tools.
•
A computer with a digital certificate it’s a passport for whomever get there to do whatever
he/she wants, same as granting access to a known device…how do you know that the
person behind the device is the rightful user???
•
A single point of entry could be a single point of failure (SSO), unless you really have
“innovative security”.
•
A thief who can not brake into a lock (innovative lock) very quick will most likely go still
somewhere else, hacker do the same when they find innovative technology that makes
their lives miserable simply because most Companies don’t!!
•
Hackers do innovate by nature….do we??
19. Ideal Technology
•
One where the longer we keep the same credentials the more
secure the system becomes.
•
The less complex the credentials the harder the security to be
bridged (user adoption is key for security).
•
Security based on the users themselves (who you are instead
of something you have –tokens, certificates, otp’s,etc-) no
matter where they are coming from.
•
Truly identify the person typing the credentials (biometrically).
•
Increase security without affecting usability (user friendly).
•
Multiple device capabilities for user authentication (mobility) .
•
Comply with government regulations (PCI-DSS, SOX, etc).
20. Ideal Technology (cont)
•
Non-invasive architecture (SOA)
•
Configurable security levels based on: application, user,
transaction
•
No need to deploy any type of device, card or even software.
•
Easy to integrate with existing applications (web services)
•
Transparent enrollment process
•
Scalable to millions of users without adding complexity
•
Extremely accurate (low False Acceptance Rate and low False
Rejection Rate).