Credential changing policies and complex passwords are decreasing security
Agenda
• Cybercrime Statistics
• Cybercrime Causes
• Password Complexity Myth
• User name & password paradigm overused
• Forfeiting of personal data
• End user malpractice
• Ideal Technology scenario
• AUTHENWARE, the solution.
Cybercrime Statistics - Digital era
• 1.5 Billion wired individuals (over 10 passwords each)
• 6.8 Trillion e-mails sent every day
• 1 Million new Facebook subscribers per day
• 375 Million wireless networks
• 10 Million new web-pages per day
• Every “second” 3 babies are born and 28 mobiles purchased
• Global internet usage growth 356%
Cybercrime Statistics - Hacking Impact
• $ 1.8 trillion in damages to the global economy
• $ 4.6 million losses per company on intellectual property
• US Pentagon hacked via Northrop Grumman (29,000)
• RSA (division of EMC) hacked on 3/17 ($ 500M)
• Sony hacked on 4/6…and the list goes on….
• ……14 people hacked per second
• In the US we spend $ 40 per person on coffee and $ 0.025 on security…
Cybercrime Main Causes
1- Credentials Complexity & changing
2- Username & password paradigm is overused
3- Forfeiting of personal identification data
4- End-user malpractice
5- Lack of innovation
Cybercrime Main Causes
1- Credentials Complexity & changing
Authentication bypassing - Password complexity plays no role
“The stronger the password the less secure the system”
The list below is not exhaustive, but it shows the pattern.
“Passwords are not the only means of bypassing authentication. There are several popular techniques, and password complexity plays no role in defending against them…”

#   Technique to bypass authentication   Are complex passwords a defense?   Is AuthenWare a defense?
1   Steal passwords                      Sometimes                          YES
2   SQL injection                        No                                 YES
3   Cross-site scripting                 No                                 YES
4   Steal data from the browser          No                                 YES
5   Privilege escalation                 No                                 YES
(1) Steal Password (from previous slide)
“Password complexity plays no role”

#    Technique to steal passwords   Are complex passwords a defense?   Is AuthenWare a defense?
1    Brute force guessing           Sometimes                          YES
2    Intelligent guessing           Sometimes                          YES
3    Phishing                       No                                 YES
4    Sniffing                       No                                 YES
5    Social engineering             No                                 YES
6    Keystroke loggers              No                                 YES
7    From browser memory            No                                 YES
8    From browser history           No                                 YES
9    From browser refresh           No                                 YES
10   Crack database locally         Sometimes                          YES

To a hacker, passwords are strings of characters: if he can access a simple string, he can access a complex one just as easily.
The argument for complex passwords holds little water (from previous slide)
• (1) Brute force guessing
  – Antiquated: most systems only allow a set number of tries before the account gets locked out. Lockout forces resets, and users have a hard time recalling new passwords.
• (2) Intelligent guessing
  – While password complexity helps against intelligent guessing, the stats show that users then need to write down their passwords, which significantly decreases security. The guessing window is small anyway, due to the set number of password tries.
• (10) Crack a database locally
  – If the hacker gets a local copy of the database, he has all the time in the world and every tool at his disposal, so complexity only delays him.
The advantages are few, but the decrease in security due to the human factor is high.
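The three claims above (a lockout policy bounds online guessing, so complexity matters little there, while a local copy of the database leaves only a delay) can be made quantitative. The following is an added example, not from the presentation or from AuthenWare; every rate and policy value in it (5 tries per 30-minute lockout, 10 guesses per second against the login endpoint, 10^9 hashes per second offline) is an assumption, and the two password classes are modelled on the slides' own examples (an 8-digit date and a 12-character mixed string).

```python
"""Guess-budget model for the regimes the slide contrasts: online guessing
against an account-lockout policy, versus offline cracking once the attacker
holds a local copy of the credential database.

All rates and policy values here are assumed for illustration; none of them
come from the presentation.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 24 * 60 * 60
MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class PasswordClass:
    """A password policy described by its alphabet size and length."""
    name: str
    charset_size: int
    length: int

    def keyspace(self) -> int:
        return self.charset_size ** self.length

    def expected_guesses(self) -> float:
        # On average the attacker searches half the keyspace before hitting.
        return self.keyspace() / 2


@dataclass(frozen=True)
class LockoutPolicy:
    """After max_tries failed logins the account locks for lockout_minutes."""
    max_tries: int
    lockout_minutes: float

    def guesses_per_day(self) -> float:
        # The budget is fixed by the policy, not by how fast the login
        # endpoint answers: max_tries per lockout window, windows per day.
        return self.max_tries * (MINUTES_PER_DAY / self.lockout_minutes)


def days_online_with_lockout(pw: PasswordClass, policy: LockoutPolicy) -> float:
    """Expected days of online guessing until success under the policy."""
    return pw.expected_guesses() / policy.guesses_per_day()


def days_online_unthrottled(pw: PasswordClass, guesses_per_second: float) -> float:
    """Same with no lockout at all: only the endpoint's speed limits the attacker."""
    return pw.expected_guesses() / (guesses_per_second * SECONDS_PER_DAY)


def seconds_offline(pw: PasswordClass, hashes_per_second: float) -> float:
    """Expected seconds when the attacker holds the database locally.

    The rate is bounded only by hardware and by how expensive the stored
    hash is to compute; an unsalted fast hash sits at the high end.
    """
    return pw.expected_guesses() / hashes_per_second


def compare(pw: PasswordClass, policy: LockoutPolicy,
            endpoint_gps: float, offline_hps: float) -> dict:
    """All three regimes for one password class, expressed in days."""
    return {
        "class": pw.name,
        "online_lockout_days": days_online_with_lockout(pw, policy),
        "online_unthrottled_days": days_online_unthrottled(pw, endpoint_gps),
        "offline_days": seconds_offline(pw, offline_hps) / SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    # Constructed password classes shaped like the slides' own examples:
    # an 8-digit date-style password and a 12-character printable-ASCII one.
    simple = PasswordClass("8 digits (e.g. 01031966)", 10, 8)
    complex_ = PasswordClass("12 printable ASCII", 95, 12)
    policy = LockoutPolicy(max_tries=5, lockout_minutes=30)  # assumed policy
    ENDPOINT_GPS = 10.0   # assumed: login endpoint answers 10 guesses/s
    OFFLINE_HPS = 1e9     # assumed: fast hash on commodity GPU hardware
    for pw in (simple, complex_):
        r = compare(pw, policy, ENDPOINT_GPS, OFFLINE_HPS)
        print(f"{r['class']:>26}: lockout {r['online_lockout_days']:.3g} d, "
              f"no lockout {r['online_unthrottled_days']:.3g} d, "
              f"offline {r['offline_days']:.3g} d")
```

Under these assumptions the lockout policy alone pushes even the 8-digit password past 500 expected years of online guessing, while offline the same password falls in a fraction of a second and only the 12-character class buys the "delay" the slide mentions.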
Gartner - Authentication: Myths and Misconceptions Debunked (see report attached).
“Passwords must be changed every 90 (or even 30) days.
Password aging is a major reason users have difficulty remembering their passwords, yielding operational and security problems, namely a high help desk call volume for password resets (typically peaking in the days just after the change) and the increased likelihood that users will write down their passwords.
Other justifications for this practice are based on weaknesses in other processes or controls that are better remediated in other ways (see the previously cited research and "Management Update: Eight Security Practices Offer More Value Than Password Aging").
Nevertheless, regulations often parrot it, and auditors continue to enforce it, whether or not any germane regulation explicitly requires it. Therefore, it's hard to avoid being a slave to this myth. A few clients report successfully rebutting auditors by quoting the Gartner research cited.”
Cybercrime Main Causes
2- User ID & Password overused

User ID and password overused
• User ID and password is a paradigm we inherited from mainframe times, when systems would only be accessed from within the firewall.
• In those days only known and registered individuals were able to access systems and applications, which were just a few at the time.
• During the mainframe era there were many users for every single terminal (1 to N): any user who wanted to access a system had to come to a terminal and type a set of “never changing” credentials.
• With the advent of personal computers, organizations evolved to one computer for every user (1 to 1); then the internet came along and we opened the back door of our systems so people could access them from the outside…and still we are sticking with user ID and password for accessing these systems!
• Nowadays not only do we have a proliferation of systems and applications, we also have a proliferation of credentials for every one of these systems, and, what is worse, we have reached a situation where every user has a myriad of devices for accessing these systems (N to 1 user).
Cybercrime Main Causes
3- Forfeiting of personal identification data

Forfeiting of personal identification data
• It is easy to remember credentials when they are related to something natural, for example:
  • user id: peterjohns password: 01031966
• Then, due to a “misinterpretation” of a SOX guideline on COBIT information security topics (under section Access & Authentication), we interpreted that we had to change user IDs and passwords every 90 days, so credentials became something like this:
  • User Id: Pet*)5$2 Password: Lftrd132^@054
• The problem with those unnatural credentials is that we cannot possibly remember them, so we are forced to write them on paper or in files, which we can easily lose, and when we do, our security and our Organization’s security gets compromised.
• Security experts from companies like Google, Microsoft, Unisys, CSC and Amazon, just to mention a few, agree that changing credentials too often only benefits hackers.
• Changing credentials too often is not only inconvenient but also INSECURE!
• Most Organizations keep the “default” Administrator credentials for their Systems and Hardware, which makes hacking very easy even for non-experts.
Cybercrime Main Causes
4- End User malpractice

End user malpractice
• Users do share credentials with friends, family and co-workers, which compromises their security and eventually the security of the Organization they work for.
• Users accidentally leave sessions open when they leave their desk for lunch, leave for the day or go for a break (according to McAfee, 60% of security breaches happen from within our own organizations).
• Users do not encrypt the files where they store their credentials.
• Users do forget these “unnatural credentials” we forced them to have, which creates another problem: PASSWORD RESETTING.
• Users tend to access Corporate systems and applications from any device they deem appropriate, whose security we cannot always control (smart phones, tablets, PCs, Laptops, etc).
• Users care less about security and more about usability, therefore they forget to run system checks, anti-virus updates, do timely backups, access through controlled and authorized resources, etc.
Cybercrime Main Causes
5- Lack of innovation

Lack of Innovation
“If you keep doing the same things over and over, you will keep getting the same results over and over”….Albert Einstein
• Changing credentials every 90 or 60 days is not innovation, it’s just pretending to solve a problem with the wrong tools.
• A computer with a digital certificate is a passport for whomever gets there to do whatever he/she wants, same as granting access to a known device…how do you know that the person behind the device is the rightful user???
• A single point of entry could be a single point of failure (SSO), unless you really have “innovative security”.
• A thief who cannot break into a lock (innovative lock) very quickly will most likely go steal somewhere else; hackers do the same when they find innovative technology that makes their lives miserable, simply because most Companies don’t have it!!
• Hackers do innovate by nature….do we??
Ideal Technology
• One where the longer we keep the same credentials, the more secure the system becomes.
• The less complex the credentials, the harder the security is to breach (user adoption is key for security).
• Security based on the users themselves (who you are instead of something you have: tokens, certificates, OTPs, etc.) no matter where they are coming from.
• Truly identify the person typing the credentials (biometrically).
• Increase security without affecting usability (user friendly).
• Multiple device capabilities for user authentication (mobility).
• Comply with government regulations (PCI-DSS, SOX, etc).
Ideal Technology (cont)
• Non-invasive architecture (SOA)
• Configurable security levels based on: application, user, transaction
• No need to deploy any type of device, card or even software.
• Easy to integrate with existing applications (web services)
• Transparent enrollment process
• Scalable to millions of users without adding complexity
• Extremely accurate (low False Acceptance Rate and low False Rejection Rate).
Marcos de Pedro Neoris authenware_cybersecurity step1

More Related Content

What's hot

BASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSBASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSMd Abu Syeem Dipu
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hackingchakrekevin
 
CH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and PrivacyCH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and Privacymalik1972
 
csa2014 IBC
csa2014 IBCcsa2014 IBC
csa2014 IBCapyn
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and EthicsMohsin Riaz
 
11 Computer Privacy
11 Computer Privacy11 Computer Privacy
11 Computer PrivacySaqib Raza
 
Threats to information security
Threats to information securityThreats to information security
Threats to information securityswapneel07
 
Computer security and privacy
Computer security and privacyComputer security and privacy
Computer security and privacyeiramespi07
 
Discovering Computers: Chapter 11
Discovering Computers: Chapter 11Discovering Computers: Chapter 11
Discovering Computers: Chapter 11Anna Stirling
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Priyanka Aash
 
Cehv6 module 01 introduction to ethical hacking
Cehv6 module 01 introduction to ethical hackingCehv6 module 01 introduction to ethical hacking
Cehv6 module 01 introduction to ethical hackinganonymousrider
 
It security in healthcare
It security in healthcareIt security in healthcare
It security in healthcareNicholas Davis
 
Bryley - mobility in the work place
Bryley  - mobility in the work placeBryley  - mobility in the work place
Bryley - mobility in the work placeBryley Systems Inc.
 
System vulnerability and abuse
System vulnerability and abuseSystem vulnerability and abuse
System vulnerability and abusePrakash Raval
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular usersGeoffrey Vaughan
 
Giarritano concept paper 4
Giarritano concept paper 4Giarritano concept paper 4
Giarritano concept paper 4leahg118
 

What's hot (20)

BASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSBASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESS
 
Chapter 11
Chapter 11Chapter 11
Chapter 11
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
CH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and PrivacyCH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and Privacy
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
csa2014 IBC
csa2014 IBCcsa2014 IBC
csa2014 IBC
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and Ethics
 
11 Computer Privacy
11 Computer Privacy11 Computer Privacy
11 Computer Privacy
 
Threats to information security
Threats to information securityThreats to information security
Threats to information security
 
Computer security and privacy
Computer security and privacyComputer security and privacy
Computer security and privacy
 
Discovering Computers: Chapter 11
Discovering Computers: Chapter 11Discovering Computers: Chapter 11
Discovering Computers: Chapter 11
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection System
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)
 
Cehv6 module 01 introduction to ethical hacking
Cehv6 module 01 introduction to ethical hackingCehv6 module 01 introduction to ethical hacking
Cehv6 module 01 introduction to ethical hacking
 
It security in healthcare
It security in healthcareIt security in healthcare
It security in healthcare
 
Bryley - mobility in the work place
Bryley  - mobility in the work placeBryley  - mobility in the work place
Bryley - mobility in the work place
 
System vulnerability and abuse
System vulnerability and abuseSystem vulnerability and abuse
System vulnerability and abuse
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular users
 
cyber_security
cyber_securitycyber_security
cyber_security
 
Giarritano concept paper 4
Giarritano concept paper 4Giarritano concept paper 4
Giarritano concept paper 4
 

Similar to Marcos de Pedro Neoris authenware_cybersecurity step1

itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfMansoorAhmed57263
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptOoXair
 
Information security Presentation
Information security Presentation  Information security Presentation
Information security Presentation dhirujapla
 
Computer , Internet and physical security.
Computer , Internet and physical security.Computer , Internet and physical security.
Computer , Internet and physical security.Ankur Kumar
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxRoshni814224
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer SecurityVibrant Event
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Vibrant Event
 
Refugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityRefugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityGianluca Varisco
 
INFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYINFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYNishant Pawar
 
Computer Security Presentation
Computer Security PresentationComputer Security Presentation
Computer Security PresentationPraphullaShrestha1
 
CHAPTER 7 Authentication and Authorization On
CHAPTER  7 Authentication and Authorization OnCHAPTER  7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization OnMaximaSheffield592
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITYSupanShah2
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Application Security: What do we need to know?
Application Security: What do we need to know?Application Security: What do we need to know?
Application Security: What do we need to know?Jose L. Quiñones-Borrero
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNorth Texas Chapter of the ISSA
 
Security in the News
Security in the NewsSecurity in the News
Security in the NewsJames Sutter
 
Community IT Innovators - IT Security Best Practices
Community IT Innovators - IT Security Best PracticesCommunity IT Innovators - IT Security Best Practices
Community IT Innovators - IT Security Best PracticesCommunity IT Innovators
 

Similar to Marcos de Pedro Neoris authenware_cybersecurity step1 (20)

itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Information security Presentation
Information security Presentation  Information security Presentation
Information security Presentation
 
Computer , Internet and physical security.
Computer , Internet and physical security.Computer , Internet and physical security.
Computer , Internet and physical security.
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptx
 
Password Problem - Solved!
Password Problem - Solved!Password Problem - Solved!
Password Problem - Solved!
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Refugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityRefugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on Security
 
INFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYINFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITY
 
Computer Security Presentation
Computer Security PresentationComputer Security Presentation
Computer Security Presentation
 
Sql securitytesting
Sql  securitytestingSql  securitytesting
Sql securitytesting
 
CHAPTER 7 Authentication and Authorization On
CHAPTER  7 Authentication and Authorization OnCHAPTER  7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization On
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITY
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Application Security: What do we need to know?
Application Security: What do we need to know?Application Security: What do we need to know?
Application Security: What do we need to know?
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
 
Security in the News
Security in the NewsSecurity in the News
Security in the News
 
Community IT Innovators - IT Security Best Practices
Community IT Innovators - IT Security Best PracticesCommunity IT Innovators - IT Security Best Practices
Community IT Innovators - IT Security Best Practices
 

Recently uploaded

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 

Recently uploaded (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 

Marcos de Pedro Neoris authenware_cybersecurity step1

  • 1. Credential changing policies and complex passwords are decreasing security
  • 2. Agenda
    • Cybercrime Statistics
    • Cybercrime Causes
    • Password Complexity Myth
    • User name & password paradigm overused
    • Forfeiting of personal data
    • End user malpractice
    • Ideal Technology scenario
    • AUTHENWARE, the solution.
  • 3. Cybercrime Statistics - Digital era
    • 1.5 Billion wired individuals (over 10 passwords each)
    • 6.8 Trillion e-mails sent every day
    • 1 Million new Facebook subscribers per day
    • 375 Million wireless networks
    • 10 Million new web pages per day
    • Every “second” 3 babies are born and 28 mobiles purchased
    • Global internet usage growth 356%
  • 4. Cybercrime Statistics - Hacking Impact
    • $1.8 trillion in damages to the global economy
    • $4.6 million in losses per company on intellectual property
    • US Pentagon hacked via Northrop Grumman (29,000)
    • RSA (division of EMC) hacked on 3/17 ($500M)
    • Sony hacked on 4/6… and the list goes on…
    • … 14 people hacked per second
    • In the US we spend $40 on coffee per person and $0.025 on security…
  • 5. Cybercrime Main Causes
    1- Credentials Complexity & changing
    2- Username & password paradigm is overused
    3- Forfeiting of personal identification data
    4- End-user malpractice
    5- Lack of innovation
  • 6. Cybercrime Main Causes
    1- Credentials Complexity & changing
  • 7. Authentication bypassing - Password complexity plays no role
    “The stronger the password the less secure the system”
    The list below is not exhaustive, but it shows the pattern. Passwords are not the only means of bypassing authentication. There are several popular techniques, and password complexity plays no role in defending against them…”

    #  Technique to bypass authentication   Are complex passwords a defense?   Is AuthenWare a defense?
    1  Steal passwords                      Sometimes                          YES
    2  SQL injection                        No                                 YES
    3  Cross-site scripting                 No                                 YES
    4  Steal data from the browser          No                                 YES
    5  Privilege escalation                 No                                 YES
  • 8. (1) Steal Password (from previous slide)
    “Password complexity plays no role”

    #   Technique to steal passwords   Are complex passwords a defense?   Is AuthenWare a defense?
    1   Brute force guessing           Sometimes                          YES
    2   Intelligent guessing           Sometimes                          YES
    3   Phishing                       No                                 YES
    4   Sniffing                       No                                 YES
    5   Social engineering             No                                 YES
    6   Keystroke loggers              No                                 YES
    7   From browser memory            No                                 YES
    8   From browser history           No                                 YES
    9   From browser refresh           No                                 YES
    10  Crack database locally         Sometimes                          YES

    To a hacker, passwords are strings of characters: if he can access a simple string, he can access a complex one just as easily.
  • 9. The argument for complex passwords holds little water (from previous slide)
    • (1) Brute force guessing – Antiquated; most systems will only allow a set number of tries before accounts get locked out. Lockout forces resets, and users have a hard time recalling new passwords.
    • (2) Intelligent guessing – While password complexity helps against intelligent guessing, the stats show that users need to write down the passwords, which significantly decreases security. The guessing window is small, due to the set number of password tries.
    • (10) Crack a database locally – If the hacker gets a local copy of the database, he has all the time in the world and all tools at his disposal, so complexity will only cause a delay in time.
    The advantages are few, but the decrease in security due to the human factor is high.
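As an added illustration, not part of the deck, the script below puts numbers on the three cases argued above: how few guesses a lockout policy leaves an online brute-forcer, and how long the "delay" from offline cracking of a local database copy actually is. The lockout policy, the guess rates and the two password classes are constructed assumptions, not figures from the slides.

```python
"""Guess-budget arithmetic for the lockout and local-cracking cases above.
Every policy value and guess rate here is a constructed assumption."""


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidate passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def online_guess_budget(days: float, tries_per_window: int, lockout_minutes: float) -> int:
    """Guesses an attacker can submit to the live login in `days` when the
    account locks for `lockout_minutes` after `tries_per_window` failures
    (case 1: brute force against a lockout policy)."""
    windows = days * 24 * 60 / lockout_minutes
    return int(windows * tries_per_window)


def coverage(space: int, budget: int) -> float:
    """Fraction of the keyspace that `budget` guesses can cover."""
    return min(1.0, budget / space)


def expected_offline_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to hit the right candidate with a local copy of the
    credential database (case 10); on average half the space is searched."""
    return space / 2 / guesses_per_second


# Constructed policy: 5 failures -> 30 minute lockout, attacker persists for 90 days.
ONLINE_BUDGET = online_guess_budget(days=90, tries_per_window=5, lockout_minutes=30)

# Constructed offline rates: a fast unsalted hash vs a deliberately slow password hash.
FAST_HASH_RATE = 1e10
SLOW_HASH_RATE = 1e4


def scenario(alphabet_size: int, length: int) -> dict:
    """Summarise online and offline exposure for one password class."""
    space = keyspace(alphabet_size, length)
    return {
        "keyspace": space,
        "online_coverage_90d": coverage(space, ONLINE_BUDGET),
        "offline_days_fast_hash": expected_offline_seconds(space, FAST_HASH_RATE) / 86400,
        "offline_days_slow_hash": expected_offline_seconds(space, SLOW_HASH_RATE) / 86400,
    }


if __name__ == "__main__":
    for label, alpha, n in (("8 lowercase", 26, 8), ("12 mixed printable", 94, 12)):
        s = scenario(alpha, n)
        print(f"{label:20s} keyspace={s['keyspace']:.2e} "
              f"online coverage in 90d={s['online_coverage_90d']:.1e} "
              f"offline fast={s['offline_days_fast_hash']:.1e}d "
              f"slow={s['offline_days_slow_hash']:.1e}d")
```

The keyspace figure is an upper bound: a password that is written down, reused or drawn from a dictionary is found far sooner, which is the human-factor point the slide makes. On the defender's side, the slow-hash row shows that the database's hashing scheme, not only the password's length, sets the size of the offline delay.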
  • 10. Gartner - Authentication: Myths and Misconceptions Debunked (see report attached).
    “Passwords must be changed every 90 (or even 30) days. Password aging is a major reason users have difficulty remembering their passwords, yielding operational and security problems, namely a high help desk call volume for password resets (typically peaking in the days just after the change) and the increased likelihood that users will write down their passwords. Other justifications for this practice are based on weaknesses in other processes or controls that are better remediated in other ways (see the previously cited research and "Management Update: Eight Security Practices Offer More Value Than Password Aging"). Nevertheless, regulations often parrot it, and auditors continue to enforce it, whether or not any germane regulation explicitly requires it. Therefore, it's hard to avoid being a slave to this myth. A few clients report successfully rebutting auditors by quoting the Gartner research cited.”
  • 11. Cybercrime Main Causes
    2- User ID & Password overused
  • 12. User ID and password overused
    • User ID and password is a paradigm we inherited from the mainframe times, when systems would only be accessed within the firewall.
    • During those days only known and registered individuals would be able to access systems and applications, which were just a few at the time.
    • During the mainframe era there were many users for every single terminal (1 to N); any user who wanted to access a system had to come to a terminal and type a set of “never changing” credentials.
    • With the advent of personal computers, organizations evolved to one computer for every user (1 to 1); then the internet came along and we opened the back door of our systems so people could access them from the outside… and still we are sticking with user ID and password for accessing these systems!
    • Nowadays not only do we have a proliferation of systems and applications, we also have a proliferation of credentials for every one of these systems, but what is worse, we have got to a situation where every user has a myriad of devices for accessing these systems (N to 1 user).
  • 13. Cybercrime Main Causes
    3- Forfeiting of personal identification data
  • 14. Forfeiting of personal identification data
    • It is easy to remember credentials when they are related to something natural, for example:
      user id: peterjohns password: 01031966
    • Then, due to a “misinterpretation” of a SOX guideline on COBIT information security topics (under the section Access & Authentication), we interpreted that we had to change user IDs and passwords every 90 days, so credentials got to look something like this:
      User Id: Pet*)5$2 Password: Lftrd132^@054
    • The problem with those unnatural credentials is that we cannot possibly remember them, so we are forced to write them on paper or in files, which we can easily lose, and when we do, our security and our Organization’s security gets compromised.
    • Security experts from companies like Google, Microsoft, Unisys, CSC and Amazon, to mention just a few, agree that changing credentials too often only benefits hackers.
    • Changing credentials too often is not only inconvenient but also INSECURE!
    • Most Organizations have the “default” Administrator credentials for their Systems and Hardware, which makes hacking very easy even for non-experts.
  • 15. Cybercrime Main Causes
    4- End User malpractice
  • 16. End user malpractice
    • Users do share credentials with friends, family and co-workers, which compromises their security and eventually that of the Organization they work for.
    • Users accidentally leave sessions open when they leave their desk for lunch, leave for the day or go for a break (according to McAfee, 60% of security breaches happen from within our own organizations).
    • Users do not encrypt the files where they store their credentials.
    • Users do forget these “unnatural credentials” we forced them to have, which creates another problem: PASSWORD RESETTING.
    • Users tend to access Corporate systems and applications from any device they deem appropriate, whose security we cannot always control (smart phones, tablets, PCs, laptops, etc.).
    • Users care less about security and more about usability; therefore they forget to run system checks, anti-virus updates, do timely backups, access through controlled and authorized resources, etc.
  • 17. Cybercrime Main Causes
    5- Lack of innovation
  • 18. Lack of Innovation
    “If you keep doing the same things over and over, you will keep getting the same results over and over”… Albert Einstein
    • Changing credentials every 90 or 60 days is not innovation; it’s just pretending to solve a problem with the wrong tools.
    • A computer with a digital certificate is a passport for whoever gets there to do whatever he/she wants, same as granting access to a known device… how do you know that the person behind the device is the rightful user???
    • A single point of entry could be a single point of failure (SSO), unless you really have “innovative security”.
    • A thief who cannot break into a lock (an innovative lock) quickly will most likely go and steal somewhere else; hackers do the same when they find innovative technology that makes their lives miserable, simply because most Companies don’t!!
    • Hackers do innovate by nature… do we??
  • 19. Ideal Technology
    • One where the longer we keep the same credentials, the more secure the system becomes.
    • The less complex the credentials, the harder the security is to breach (user adoption is key for security).
    • Security based on the users themselves (who you are instead of something you have – tokens, certificates, OTPs, etc.) no matter where they are coming from.
    • Truly identify the person typing the credentials (biometrically).
    • Increase security without affecting usability (user friendly).
    • Multiple device capabilities for user authentication (mobility).
    • Comply with government regulations (PCI-DSS, SOX, etc.).
  • 20. Ideal Technology (cont.)
    • Non-invasive architecture (SOA)
    • Configurable security levels based on: application, user, transaction
    • No need to deploy any type of device, card or even software.
    • Easy to integrate with existing applications (web services)
    • Transparent enrollment process
    • Scalable to millions of users without adding complexity
    • Extremely accurate (low False Acceptance Rate and low False Rejection Rate).