Information Security Confidential
Two-Factor Authentication
Solution Overview
Shawn Fulton
January 15th, 2015
MSU Information Security Vision and Mission Statement
Vision
Diminish IT security risks to an acceptable level and
become the most effective IT function; enable the
University to make informed decisions based on risk.
Mission
Design, implement and maintain an information security
program that protects the University’s resources against
unauthorized use, modification and loss. Establish a
practical information security program that enables MSU to
be the best public research University in the world.
Two-Factor Goals
• Safeguard MSU employee data
• Safeguard MSU HR/Payroll and Finance data
• Provide additional security on EBS applications to reduce susceptibility to phishing attacks
Information Security Risks for MSU
Chart panels (figures from the Verizon Data Breach Investigations Report, 2013; data not shown in the text): Who’s perpetrating breaches? How do breaches occur? What commonalities exist?
(+) indicates an increase of 10% or greater from last year
(-) indicates a decrease of 10% or greater from last year
Payroll Incident Summary
• Millions of attempts to hack into MSU computer systems every day (>20 million prevented during the month of May 2014)
• Millions of SPAM and phishing scams every day; some faculty, staff, and students take the bait
• Current safeguards in place:
– Email SPAM filtering – over 5 million SPAM and phishing emails blocked per day
– Anti-virus installed on workstations
– Security awareness training
• Two Payroll Incident Examples
– October 2013 and March 2014
– Phishing emails are suspected of compromising the users’ EBS login credentials (user name and password)
– No breach of MSU systems/network appears to have occurred
– Risk currently mitigated by disabling online direct deposit changes
• People and process changes recommended to further improve prevention, detection, and response
Addressing Security Risks at MSU
Controls shown in the diagram: Two-Factor Authentication; Security Policy; Dedicated Incident Response; Security Awareness; Security Incident and Event Management; Vulnerability Management
Defense in Depth Approach – multiple layers of controls to reduce overall risk
Business enablement combined with risk reduction
Two-Factor Authentication Overview
Two-factor authentication requires the use of two of the three authentication factors:
Something only the user:
1. Knows (e.g. password, PIN, secret answer)
2. Has (e.g. ATM card, mobile phone, hard token)
3. Is (e.g. biometric – iris, fingerprint, etc.)
Who Uses Two-Factor?
How Two-Factor Authentication Helps
Credentials are commonly stolen through:
– Phishing attacks targeted at MSU
– Third-party sites compromised and the same username/password used for MSU applications
• Adobe, Yahoo, LinkedIn, Forbes, Zappos, and eHarmony were breached in the past year; 32 million usernames and passwords stolen
– 15,000+ users registered with MSU email addresses; unknown how many used their MSU password to register with these sites
Two-factor authentication prevents attackers from accessing your account even if they obtain your username and password.
Two-Factor Strategy at MSU
• Second factor will be a “soft” token
• Identify an industry leader for the Two-Factor components
• Enhance MSU’s single sign-on solution (Sentinel) to integrate with the industry leader’s solution to provide Two-Factor
• Enable Two-Factor for EBS applications (portal, HR, Payroll, Finance, BI) for all current employees.
Two-Factor Authentication Deployment Options
Multiple deployment options available for MSU users:
1. Mobile application
2. SMS text message
3. Voice call made to desk, mobile, or home phone
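The deck says the second factor will be a “soft” token delivered through a mobile app, SMS or voice call, and that a stolen username and password alone should no longer open an account. As an added example (not code from the deck, from MSU or from the Sentinel integration), the Python below shows a password-plus-soft-token login check; it assumes the token is an RFC 6238 TOTP as mobile authenticator apps implement it (HMAC-SHA1, 30-second step, 6 digits), and the user, secret and salt are constructed sample values.

```python
"""Password + soft-token login check (added illustration, not the deck's code).

Assumptions: the soft token is an RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6
digits) with one step of clock skew tolerated; the slides name neither the
vendor nor the algorithm. User data below is constructed sample data.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP_SECONDS = 30
DIGITS = 6
SKEW_STEPS = 1  # tolerate one 30 s step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // STEP_SECONDS)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes            # provisioned during enrollment
    last_accepted_step: int = -1  # replay guard: each code is usable once


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(username: str, password: str, totp_secret: bytes) -> User:
    salt = b"constructed-salt"  # sample value; use os.urandom(16) for real users
    return User(username, salt, _hash_password(password, salt), totp_secret)


def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)


def check_totp(user: User, code: str, now: int, commit: bool) -> bool:
    """True if `code` matches the current step or one adjacent step and that
    step is newer than the last accepted one. Replay state is only updated
    when `commit` is set, so a failed password cannot burn a valid code."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    current = now // STEP_SECONDS
    for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
        if step <= user.last_accepted_step:
            continue  # already used, or older than a code already used
        if hmac.compare_digest(hotp(user.totp_secret, step), code):
            if commit:
                user.last_accepted_step = step
            return True
    return False


def login(user: User, password: str, code: str, now: int) -> bool:
    """Both factors are always evaluated and the caller only sees a single
    yes/no, so a phished password alone gets the same answer as a bad one."""
    pw_ok = check_password(user, password)
    token_ok = check_totp(user, code, now, commit=pw_ok)
    return pw_ok and token_ok


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    user = make_user("jdoe", "correct-horse-battery", secret)
    now = 1_700_000_000
    code = totp(secret, now)
    print("password + valid token:", login(user, "correct-horse-battery", code, now))
    print("same token replayed:   ", login(user, "correct-horse-battery", code, now))
    print("phished password only: ", login(user, "correct-horse-battery", "000000", now + 60))
```

The replay guard (`last_accepted_step`) is what stops a code that was phished in real time from being reused once the legitimate user has logged in with it.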
Appendix A – Scope diagram
Diagram components (layout not reproduced): Sentinel; Portal (Case 1, Step 2); Cognos (Case 2, Step 2); KFS (Case 2, Step 2); ECC; STUINFO (Case 1, Step 1); XI/PI; MSUEDW; SAP Internal Login (one instance marked Out of Scope, one marked In Scope); Basis Team & HR/Payroll Power Users – Central Payroll and BAS Team; three links labelled Case 1, Step 3.
Case 1: User logs into EBS Portal
1. Authenticate in Sentinel
2. Routed to EBS Portal
3. Navigate to other EBS applications
Case 2: User logs directly into EBS application
1. Authenticate in Sentinel
2. Routed to EBS application
Appendix B – Enrollment: Step 1
Appendix B – Enrollment: Step 2
Appendix B – Enrollment: Step 3
Appendix B – Enrollment: Step 3
Appendix B – Enrollment: Step 4
Appendix C – Login

Editor's Notes

Vision – What we would like to achieve.
Acceptable Level – We aren’t building Fort Knox. Not implementing myself out of a job. Implement enough security controls to reach an acceptable level; it doesn’t have to be zero risk.
Most Effective – Bold goal; be service oriented. Security is an IT function. Not there to police, but to partner and collaborate.
Enable – Support the Bolder by Design initiative. Not a roadblock. People seek me out for advice/guidance; not afraid to have me involved for fear of slowing projects down.
Business within a business – everyone is our customer.