“Passwords are No Longer Sufficient”
Brian Rivers
University of Georgia
• For systems that provide access to sensitive and restricted information systems
• Requires something you have (hardware token) in addition to something you know (username + password)
• Over 1700 employees currently using ArchPass to access these systems
Session Outcomes
• Understand how ordinary user credentials are no longer sufficient and how multi-factor authentication adds an additional layer of protection that would have prevented recent incidents.
• Understand how multi-factor authentication can integrate into complex, decentralized technical architectures in a timely and cost-effective manner.
• Understand the human dimension, placing the implementation in the context of business functions and user requirements, and involving critical stakeholders across the institution.
Session Outcomes
• This could save your bacon.
• “So easy a caveman can do it.”
• We really can play nice in the sandbox.
The Threat
Data Breaches in the News
(news clipping: June 17th, 2013 20:53 GMT, by Eduard Kovacs)
Victims by Location
Data breaches 2012 (pie chart): 73% (label not recovered) • Australia 7% • Canada 3% • UK 2% • Brazil 1.2% • Other 20.8%
data source: Trustwave Global Security Report
Attackers by Location
Originated in (pie chart): US 29% • Romania 33.4% • Ukraine 4.4% • China 3.9% • Unknown 14.8%
data source: Trustwave Global Security Report
Phishing / Malicious Spam
• 14 billion malicious spam daily
• 9.8 billion messages contain links to websites that will infect your computer
• 10% of spam emails sent daily are malicious
data source: Trustwave Global Security Report
Phishing Attacks

                    Phishing    Spear Phishing          Whaling
Target(s)           Anyone      Group or organization   Specific person or team
Research required   Minimal     Moderate                Substantial
Believability       Medium      High                    Very High
Sophistication      Minimal     Moderate                Substantial
Goal                Identities / access to system or network (all three)

data source: http://markn.ca/2011/whaling/
The Response
Changing the Culture
• Creating awareness – “Information security is non-negotiable, and it’s everybody’s business”
• Accept Change – “Institutions need to adopt common sense measures that move the pendulum back so that a balance is struck between user convenience and security”
• Invest in Technology – “Tools such as anti-virus, digital loss prevention (DLP) software, and multi-factor authentication reduce attack surfaces dramatically”
ArchPass - Business Functionality and User Impacts
UGA Culture and Background
UGA has a strong culture of compliance and a willingness to improve information security; however, ArchPass would need to overcome:
• UGA’s decentralized administrative structures
• Institutional skepticism and reluctance to add administrative burden
Business Functionality and Impacts
Role of the Administrative Systems Advisory Council (ASAC)
• Involve UGA business units and stakeholders with shared responsibility in the delivery and support of information technology, application, and data needs of the University community.
• Represent the entire University when making administrative system recommendations. Thus ASAC has broad representation from each of the Vice Presidents and major units and extends itself to gather feedback from special interest groups.
Business Functionality and Impacts
ASAC Approach to ArchPass
• Review initial proposal from the VP for IT for phase one of a multi-factor authentication program.
• Recommend criteria for systems required to use ArchPass, policy and procedure, and an exception process.
Business Functionality and Impacts
ASAC Approach to ArchPass (continued)
• Gather input and feedback on the recommendations from University-wide user groups.
• Provide this feedback to IT.
This feedback was key to implementing a program with University-wide acceptance. The user community was part of the decision-making and the overall process.
Business Functionality and Impacts
Key Concerns Expressed by Users and ASAC
• Creating an exception process (both opt-in and opt-out) with appropriate vetting, risk assessment, and functional and technical management approval.
• Access to systems from off-site locations, especially during emergencies.
• University recognition that this was ‘Phase I’ and not ‘end state’. Need to monitor, adjust, and update policy/procedure over time.
ArchPass - Business Functionality and User Impacts
Post Implementation Feedback
• “It is easy to use.”
• “Has become a way of life, just like using my UGA ID card for building access.”
• Status symbol of sorts – “My co-worker has an ArchPass, why don’t I have one?”
Implementation
Multifactor Authentication Strategy
The University of Georgia elected to deploy a network (VPN) based 2-factor authentication using hardware tokens.
Decision factors were:
• Timeliness of deployment
• Diversity and age of platforms being protected
• Supportability of authentication platform
Secure Zone Architecture (diagram)
Components shown: Internet, External Firewall, VPN, F5 BigIP, UGA Network, Internal Firewall, BDC Secure Zone, Virtual Desktop
• 2 Factor Authenticated VPN Group: dedicated IP range, specific DC firewall permissions
• F5 BigIP: load balancer, SSL termination
• Network Monitoring: SSNCap, NetFlow, SNORT, ASSETs pcap
• Security Event Monitoring, Data Loss Prevention, Vulnerability Assessment
The Technology
ArchPass Project Timeline
Network Level Multifactor
Pros:
• No application modifications needed for integration (good option for legacy applications)
• Central logging of network behaviors
• Protects against application & OS authentication vulnerabilities
• Leverages tried & true VPN security technology
Cons:
• VPN client required for access
• Possible spoofing risks if done incorrectly
Hardware Token Solution
Pros:
• Tried & true solution
• Lower complexity in support model
• Avoids BYOD support & function issues
• Avoids multi-platform support issues
Cons:
• Deployment overhead
• Per unit hardware/software cost is higher
Software tokens are currently under investigation for Phase 2.
Data Containment Strategy
The University of Georgia deployed a Secure Virtual Desktop Infrastructure along with Data Loss Prevention technology within the Secure Network zone.
• Glove box for user data processing
• Controlled desktop with application safe-listing
• Highly restricted browser access
• Detailed access and use logging
Cost Estimates
Below are possible cost estimates for a 500 user implementation.

Estimates        Initial Costs   Annual Maint.   3 year TCO   5 year TCO
500 Tokens       $20,000         $3,000
Incidentals      $5,000
Cisco ASA 5555   $16,437         $2,250
Total            $41,437         $5,250          $51,937      $62,437

UGA ongoing support estimates approximately 1/3rd FTE.
Questions