MCA 2013 - Phil Underwood - Secur Envoy


  1. Phil Underwood, Global Head of Pre Sales. Users, Access and Passwords: a BAD Combination? © 2013 Copyright SecurEnvoy Ltd. All rights reserved.
  2. User Authentication. It’s all about trust. Can you trust the “logon”? Was it the real user?
  3. How Many Passwords?
  4. The Password Problem
     • “Social engineering”
     • Finding written password
       – Post-It Notes
     • Guessing password / PIN
       – Dog/Child’s name/ Birthday
     • Shoulder surfing
     • Keystroke logging
       – Can be resolved with mouse based entry
     • Screen scraping (with Keystroke logging)
     • Brute force password crackers
       – L0phtcrack, Cain & Abel
  5. Compromising the Password: www.oxid.it
  6. Compromising the Password: www.keyghost.com
  7. Traditional approach. Weakness.
  8. Vulnerability Assessment: Real Customer
     • Password policy
       – Minimum password length: 8 chars
       – Maximum password age: 42 days
       – Minimum password age: 28 days
       – Force logoff: never force
       – Password history: no history
     • 342 user account passwords, including 69 IPC$ shares, were obtained
     • 29 users had the password “password”
     • 1 user had the password “password1”
     • 4 users only used numbers, two of which looked like a date of birth
     • 3 users only used 5 character passwords
  9. Why Tokenless®
     • 6 Billion GSM phones Worldwide. Source: http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats/a#subscribers
     • According to the United Nations there are 7 Billion people in the world. Source: http://www.un.org/News/Press/docs/2011/sgsm13691.doc.htm
     • That’s a potential token ready to be utilised
     • Our Vision is to put an Authentication Token into every pocket
  10. Tokenless using SMS
     1. User enabled for authentication
     2. User setup for Pre Load SMS, OTP, Day
     3. Passcode refreshed at time of use
     4. User setup for Real Time SMS (Flash)
     5. User receives SMS at time of logon
     6. Real time Passcode (set time to live)
  11. Soft Token Deployment
  12. Enrolment Security (diagram; labels: Seed 1st Part, QR Code Scan, 8 Digit Code, Fingerprint of Phone, Seed 2nd Part)
     • 2nd Seed Part is recreated each time a passcode is created
     • Random 1st Seed Part Created Locally
     • Seeds are NOT stored by manufacturer
     • AES 256 Bit Encrypted
  13. SMS Vs Soft Tokens: What Is The Best Option?
     • Option 1: SMS
     • Option 2: Soft Token App
     • BOTH - Put The User In Control
  14. Remote Users – WEB/VPN, RADIUS (diagram)
  15. Thank You