Compu&ng Services Strengthening Authen&ca&on. October 2016

Transcription

1 Compu&ng Services Strengthening Authen&ca&on October 2016

2 ID and password pair is the sole means of authen4ca4ng access AUTHENTICATION Current State o o File storage o Enterprise applica1ons (including human resource, financial, and student data) o Sponsored project informa1on (including conflict of interest informa1on) o Library subscrip1ons o Licensed so@ware downloads 2

3 IDs and passwords are vulnerable to a9ack and disclosure AUTHENTICATION Current State Security Risks ADacker use of compromised accounts includes adempts to change employment direct deposit instruc1ons, launch of addi1onal phishing adacks and reconnaissance and exploita1on of the university network and computers. Iden1fica1on of root cause for creden1al loss is costly. For this reason, root cause is not always determined and metrics are incomplete and under-represented. The trend in phishing a9acks and their success is undeniable. 3

4 PHISHING: Catalyst For Change 43 Phishing AHacks 15,165 Recipients 129 Phishing AHacks 45,352 Recipients 2015 JANUARY - DECEMBER 2016 JANUARY - JULY Jul Jul 2016: average phishing adacks grew from 3 to 20 per month Jul Dec 2015: approximately 20 recipients responded to a Phishing adack Jan Jul 2016: approximately 116 responded to a Phishing adack Significant growth in Phishing a9acks and users who fall vic4m to these a9acks requires a substan4al increase in work effort. 4

5 Current Mi&ga&ons User awareness via Web content Simulated phishing tests Published guidelines for securing passwords and computers Inbound filtering System and applica1on monitoring Timely incident response including: o Network and response blocking (where we can) o Vic1m no1fica1on o Forensic analysis o Forced password resets when account compromise is known or suspected...but it is not enough! 5

6 Poten&al Proac&ve Tac&cs ADDITIONAL AUTHENTICATION FACTOR Add a factor beyond something that is known and can be easily disclosed. REQUIRE REGULAR PASSWORD CHANGE May be less secure overall if users write down or create guessable passwords to remember them. 6

7 RECOMMENDATION Two-Factor Authen&ca&on People are easily tricked into disclosing what they know and they don t even remember disclosing the informa1on. An addi1onal factor, such as something they are (a biometric) or something they have (a smartphone or token) addresses this weakness. 7

8 What is Two-Factor Authen&ca&on Requires use of two of the three authen1ca1on factors. Something only the user: 1. Knows (e.g. password, PIN, secret answer) 2. Has (e.g. ATM card, mobile phone, hard token) 3. Is (e.g. biometric iris, fingerprint) Most Common Example Automated Teller Machine TWO-FACTOR AUTHENTICATION Insert bank card (Something you have) Provide PIN (Something you know) Receive money (Access) 8

9 TRENDING Two-Factor Authen&ca&on in Industry Security risks associated with reliance on passwords alone is well known and widely discussed. Based on this risk, a shi@ to mul1-factor authen1ca1on is under way in the federal government, across industry and in higher educa1on. Consumers are increasingly provided op1on for mul1-factor authen1ca1on. Examples: Google 2-step Verifica1on, Facebook login approvals, and Bank of America s SafePass Many colleges and universi1es have implemented 2-factor authen1ca1on. There is an opportunity to address gaps in published research on usability and other factors. 9

10 DUO Adopters Currently 110 organiza1ons have subscribed to the Duo + InCommon partnership. Carnegie Mellon is a DUO adopter for certain use cases since March

11 DUO EXPERIENCE 1. Log into applica1on that is configured for Duo 2. Sign in with Andrew creden1als at login.cmu.edu 3. Prompted for either Duo Push or Duo Token 4. Send Push to phone OR enter passcode 5. Start using applica1on(s) 11

12 CURRENT STATUS 1. IN PRODUCTION since March 2016 Risk Based Roles (~600 users) Mostly System & Applica1on Administrators DUO Supported Applica&ons 2. IN TEST Various weblogin-supported applica1ons like Box 3. IN DEVELOPMENT Various applica1ons and campus organiza1ons Contact if you would like more informa1on about implemen1ng DUO for your applica1on and organiza1on. 12

13 ? QUESTIONS Contact 13