This document discusses why two-factor authentication alone is not enough for security and summarizes a presentation by SecureAuth on adaptive authentication. The key points are:
1) While two-factor authentication is important, it only protects around 56% of company assets currently and popular two-factor methods like one-time passwords have flaws.
2) Passwords are expensive to manage and disruptive to users, while single sign-on increases productivity but still needs strong protection.
3) SecureAuth proposes an adaptive authentication approach that combines multi-factor authentication, continuous authentication, flexible workflows and data visualization to securely authenticate users while providing a good user experience.
4) Their solution analyzes multiple risk factors without user
WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.
Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.
To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom Web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations.
Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong | Duo Security
If you're like many IT security professionals, you're on a quest to do a better job of authenticating users in the face of new security and business challenges.
Have you gotten caught up in one of five authentication traps, like many of your peers?
Full replay of the recording is available online:
https://go.duosecurity.com/Forrester_Webinar_Signs_Youre_Doing_Authentication_Wrong.html
In this webinar, you will learn:
* Five signs you're doing authentication wrong
* Forrester research on key trends and generational shifts in the authentication market
* How to assess solution usability, deployability and security
* Will it ever be truly possible to "kill the password?"
Join the following guest speakers as they comment on the virtues of a thoughtfully deployed authentication solution.
* Eve Maler, Forrester Research
* Brian Kelly, Duo Security
* Daniel Frye, CedarCrestone
Oh, WASP! Security Essentials for Web Apps | TechWell
The past few years have seen a rapid increase in business efficiency through Web-based applications. Unfortunately, a dramatic increase in the number of web application vulnerabilities has followed. Insecure web applications can be disastrous for mission critical businesses and users' sensitive data. More than 70 percent of security vulnerabilities are due to flaws in the application rather than firewall breaches. Bennie Paul explains how security testing has become an indispensable part of the SDLC for businesses operating online today. OWASP (Open Web Application Security Project) provides open source tools, code, and materials to develop, test, and maintain application security. Monitoring the “OWASP Top 10” web application security flaws is highly recommended as part of an organization’s testing methodology. Vulnerabilities identified are compared against the organization’s security objectives and regulations, and categorized accordingly for remediation. Benny guides you through the OWASP vulnerabilities, technique, framework, and preventive measures that you can adopt for building better software.
OWASP Top 10 Vulnerabilities 2017 - AppTrana | Ishan Mathur
Our latest OWASP Top Vulnerabilities Guide updated for new 2017 issues serves as a practical guide to understanding OWASP Top 10 vulnerabilities and preparing a response plan to counter these vulnerabilities.
Avoiding Two-factor Authentication? You're Not Alone | PortalGuard
The extra factors are implemented to prove the user’s identity beyond a simple password. The definition states that to be two-factor authentication it must require the user to provide at least two of the factors listed above.
http://www.portalguard.com
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller | Duo Security
Learn how to add two-factor authentication to secure remote access for employees, staff, partners, and customers that need to access PeopleSoft at your organization.
What is Account Takeover - An Introduction to Web Fraud | NuData Security
Account takeover enables mass credit card fraud, identity theft and damage to brands and their reputation.
We give you a brief overview of Account Takeover, how it happens and how to prevent it.
Security Breaches from Compromised User Logins | IS Decisions
Stop blaming your users for compromised passwords. Bolster your defense against security breaches that stem from both stolen and shared user login credentials.
For IT security administrators it's tough to identify malicious network access from valid credentials. Rather than blaming users for being human, our latest infographic shows you how to better protect users' authenticated logins.
By taking a closer look at the contextual information around the logon or file access, you can identify and stop network access when credentials have been compromised.
Security Fact & Fiction: Three Lessons from the Headlines | Duo Security
Real-world breaches are often caused by simple lapses of judgment.
Hollywood movies and some of the media representations of data breaches are sensationalized and over-complicated compared to reality.
Did you know 30% of Ecommerce website visitors are unsavory competitors, hackers, and fraudsters?
Fact is, online retailers are particularly susceptible to the effects of advanced bot threats, including competitive tactics like price scraping, product matching, variation tracking and availability targeting. Even worse, security breaches such as transaction fraud and account takeovers endanger the overall security of your website, customer base, and brand.
When aggressive scrapers caused repeated site slowdowns, Brian Gress, Director of IT Systems & Governance at Hayneedle, said enough was enough.
Key takeaways include how to:
- Stop competitors from scraping your prices and monitoring your inventory
- Reduce chargeback fees due to transaction fraud, carding and account hijacking
- Optimize your conversion funnel and enjoy clean analytics and KPIs
- Protect your brand image, reputation and SEO rankings
As you see in the news every month, credit card breaches are on the rise. Recent investigations into credit card merchant breaches indicate that many attacks have been aimed at insecure remote access. In this session, Matt will cover how a credit card breach happens, what you should do to protect your business and your customers, and how you can take action to secure remote access in your system.
Enemy from Within: Managing and Controlling Access | BeyondTrust
Access the full webinar here: https://www.beyondtrust.com/resources/webinar/enemy-within-managing-controlling-access/?access_code=380c50225d67f81afaf12a795543782a
In this presentation from the webinar of SANS faculty fellow and industry-recognized security expert, Dr. Eric Cole, discover how identity and access management (IAM) and privileged access management work together to reduce the threat surface and contain attacks.
Also, hear how BeyondTrust and SailPoint solutions work together.
Kevin Cardwell served as the leader of a 5 person DoD Red Team that achieved a 100% success rate at compromising systems and networks for six straight years. He has conducted over 500 security assessments across the globe. His expertise is in finding weaknesses and determining ways clients can mitigate or limit the impact of these weaknesses.
He spent 22 years in the U.S. Navy. He has worked as both software and systems engineer on a variety of Department of Defense projects and early on was chosen as a member of the project to bring Internet access to ships at sea. Following this highly successful project he was selected to head the team that built a Network Operations and Security Center (NOSC) that provided services to the commands ashore and ships at sea in the Norwegian Sea and Atlantic Ocean. He served as the Leading Chief of Information Security at the NOC for six years. While there he created a Strategy and Training plan for the development of an expert team that took personnel with little or no experience and built them into expert team members for manning of the NOSC.
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks | Andre Van Klaveren
A presentation of the OWASP Top 10 2017 release candidate, expected to be finalized in summer 2017. Presented at the St. Louis CYBER meetup on Wednesday, June 7, 2017.
A walkthrough of web application defense strategies, based around the Open Web Application Security Project's top 10 list. Presented to the Classic City Developers Meetup in August 2017.
Introduction to Web Application Penetration Testing | Anurag Srivastava
Web Application Pentesting
* Process to check and penetrate the security of a web application or a website
* The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.
Webinar: Goodbye RSA. Hello Modern Authentication. | SecureAuth
If you are seeking an alternative to RSA’s rigid workflows, costly maintenance and obstructive user experience, there is a better way. SecureAuth has helped hundreds of RSA customers move to an access control solution that offers more flexibility, visibility and can reduce total cost of ownership by over 50%.
Webinar: Beyond Two-Factor: Secure Access Control for Office 365 | SecureAuth
James Romer, Chief Security Architect, discussed the requirements for achieving secure access control for Office 365, leveraging existing infrastructure and increasing security without compromising your user experience.
Explore how to move beyond two-factor authentication towards adaptive authentication, which continuously analyzes risk factors, including geo-location, behavioral biometrics and threat intelligence, to ensure your users are who they say they are.
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ... | Core Security
Passwords, multi-factor authentication, knowledge-based questions/answers, and hard tokens are based on technologies that are now 20 years old. With organizations losing the battle against cyber attacks, it’s clearly time to move beyond these legacy technologies and adopt a modern approach in which awareness and flexibility are king. Authentication must adapt based on the level of risk, so that it can deliver strong security yet be invisible to users most of the time.
Achieving that balance of strong security and appropriate user friction is the basis for modern authentication. This session will explore what modern authentication is and why using it across all users, devices, and services is vital to turning a losing battle into a winning strategy to stop cyber attacks.
"Evolving Cybersecurity Strategies" - Identity is the new security boundary | Dean Iacovelli
As cyber attacks have matured and become more complex over the last number of years, the objective of most attacks has not changed: compromise and collect user credentials. This session will explore the changing cybersecurity landscape and how managing identity – both in the enterprise as well as across 3rd party applications - is becoming job #1 in managing your organization’s risk.
Presentation at Networkshop46.
Phishing simulation exercises, by Michael Jenkins, Brunel University.
Rogue wifi - by Danny Moules, professional security services: security assessment specialist, Jisc
Implementing cyber essentials - Ged Nicholson, Hartlepool College of FE
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane | Tom Janetscheck
Back in the day, when blocking network traffic was enough to prevent attackers from accessing corporate content, life was easy. You could be sure that your physical datacenter walls built your perimeter, so you simply needed to protect your borders. But nowadays, when we see an increasing amount of phishing, spear phishing and credential theft attacks against corporate environments, it’s no longer sufficient to only take care of network and data security. Today, it's more important than ever to protect and securely manage identities in the cloud and on-premises, and to make sure to be informed as soon as someone tries to get hold of them.
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016 | Verimatrix
Verimatrix SVP of Marketing Steve Christian examines the security vulnerabilities that device and systems vendors become susceptible to as they aggregate and analyze sensitive customer data. His presentation underscores the importance of determining whether or not the expertise, data capture capabilities and computing infrastructures they have available in-house are agile and scalable enough to not only uncover and use detailed customer behavior, but also keep abreast of regulatory and legal data privacy regulations, which vary country-by-country.
Portal Protection Using Adaptive Authentication | SecureAuth
PORTAL PROTECTION:
Raising Security Without Raising Disruptions
It's an age-old dilemma: security versus user experience. Traditionally, hardening security adds to the burden on users — they have to authenticate more often or supply additional factors. But many organizations prefer to err on the side of the user experience, especially when it comes to protecting portals. But the multiple portal breaches in 2016, including those at ADP, Cisco, and Verizon, might give you pause. In fact, with 81% of reported breaches in 2016 involving the use of stolen or weak credentials, can you continue to sacrifice security for user convenience? The good news is, you don’t have to choose.
Introduction to the Current Threat Landscape | Melbourne IT
Do you know what threats are lurking in the shadows? Have you been compromised without even knowing about it? Most companies don't even know if their business has been subjected to attacks and even worse, may have lost sensitive data without knowing about it until it’s too late.
The latest vulnerabilities highlight the extent and depth that hackers are adopting to steal your content or destroy trust in your brand. Our industry experts joining us for the presentation have a wealth of experience in robust security strategies and will be discussing the current online threat landscape, the most prominent approaches to security breaches and what you need to consider to protect your online presence from any potential malicious attacks.
About Melbourne IT:
Melbourne IT Enterprise Services designs, builds and operates custom cloud solutions for Australia’s leading enterprises. Its expert staff help enterprises solve business challenges and build cultures that enable organisations to use technology investments efficiently to improve long-term value. With more than 15 years’ experience in delivering managed outcomes to Australian enterprises, Melbourne IT has been long associated with enabling success. Its certified cloud, consulting, and security experts repeatedly deliver results. Many of the brands you already know and trust rely on Melbourne IT. For more information, visit www.melbourneitenterprise.com.au
Role Of Two Factor Authentication In Safeguarding Online Transactions | ITIO Innovex
If you need assistance on how to start your own payment gateway business, please contact us to discuss your requirements.
Visit us at: https://itio.in/
Christian Larsen, Regional Manager, International, SMS Passcode
Virtualization Forum 2014, Prague, 22.10.2014
With 2014 being noted as “The Year of the Breach,” many businesses are still unprepared or not properly protected from numerous security threats. So what can your business do to help keep sensitive data safe? Check out the following slideshow to learn how to protect yourself and your business from threats. Contact the IT Security experts at MTG today to protect your organization!
The Death of 2FA and the Birth of Modern Authentication | SecureAuth
The definitions for two-factor authentication (2FA) or multi-factor authentication (MFA) were born in a different 'day' and based upon technology and approaches that are 20 years old. However, technology has changed. Connectivity has been dramatically improved. Mobility and cloud have considerably increased the number of use cases for authentication. So, our definition of and expectations for authentication also need to change.
Keith Graham, CTO of SecureAuth, and Frank Dickson, Research Director at IDC, cover:
- The death of 2FA, and why it is not enough or even too much
- Looking beyond 2FA to increase security and usability
- Modern authentication best practices
- How modern authentication can take you passwordless
Passwordless is Possible - How to Remove Passwords and Improve Security | SecureAuth
According to the latest Verizon Data Breach Report, breaches caused by stolen or weak credentials are on the rise – up to 81% in 2016. While there is no denying that we need to remove our dependency on the password as a primary method of authentication, the question remains how do we get there?
This SC Magazine-hosted Webinar featured SecureAuth CTO Keith Graham discussing how passwordless authentication is possible today, the considerations needed when moving to a password–free world and how removing passwords as your weakest link can increase security while providing a great user experience.
Most organizations recognize the benefits of single sign-on (SSO): Users love it because they have only one password to remember; security teams love it because they can require that one password to be strong; and management loves it because it boosts productivity while reducing password reset calls.
But how secure is your SSO? A great user experience sometimes means sacrificing security. And even the strongest passwords won’t protect you from the misuse of stolen credentials.
Discuss the shortcomings of traditional SSO and how an adaptive approach can strengthen security while still delivering an amazing user experience.
New technology and enhancements SecureAuth has come out with the last few months.
Some updates include:
- Phone Number Fraud Prevention
- Symbol-to-Accept
- Better Security for the VPN
- Connected Security Alliance
- And More!
2017 Predictions: Identity and Security | SecureAuth
Guest speaker Andras Cser, VP and Principal Analyst at Forrester Research, and Stephen Cox, Chief Security Architect at SecureAuth, discussed the emerging Identity and Access Management Trends for 2017. Learn how these trends will impact your organization and how you can develop an effective Adaptive Authentication Strategy to stay ahead of the trends and cyber attackers.
Learn more on these emerging 2017 trends:
* The evolution of the threat landscape & emerging threats
* What adaptive authentication in 2017 will look like
* Why it's time to go passwordless
* Types of breaches to watch for in 2017
SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t... | SecureAuth
In 2015 alone, over 3000 cyber attacks were reported globally – with many more never reported or even detected. Enterprises deploy security point solutions in the hopes of stopping a data breach, while savvy attackers work to exploit the whitespace between them.
In this webcast, Garrett Bekker, Senior Analyst, Enterprise Security of 451 Research and Stephen Cox, Chief Security Architect of SecureAuth explored how the Connected Security Alliance is bringing together best-of-breed cyber security vendors to close the gap between isolated security products.
Originally presented October 19, 2016.
A CISO's Guide to Cyber Liability Insurance | SecureAuth
Cyber insurance is not new, in fact it has been around for more than 10 years. Still it remains a complicated issue with confusion about what’s covered and what isn’t. And with incidentals of data breaches rising, so are cyber insurance premiums themselves. One thing is clear: Companies will be breached at some point, if they haven’t been breached already and protecting your organization to minimize financial loss is critical.
This SlideShare by SecureAuth and SC Magazine, will discuss what security professionals need to know to ensure they are protected, including:
The current state of cyber insurance from a business operations perspective – what is covered and what isn’t
What insurance companies look for (ie. people, process, system) regarding your ability to response to an attack
How financial reimbursement does not address the real impact of a data breach
How adaptive access control can help minimize the potential loss of breached data, reduce CI premiums and keep you ahead of the game
California has always been a king of innovation - from the earliest ventures in filmmaking to today’s Silicon Valley technologies. So it's not surprising that California has been at the vanguard of cybersecurity, being the first state to enact a breach data notification law in 2003.
Laws don't stop cybercriminals, though - and California has seen a sharp rise in breaches the last 4 years, according to The California Data Breach Report. Consider these chilling realities:
• There were 657 data breaches involving more than 500 records from 2012-2015 - impacting a total of more than 49 million records of Californians.
• In 2012, 2.6 million records were impacted; by 2015, that number rose to 24 million.
• Nearly 3 out of 5 California residents were victims of a data breach last year.
According to the report, every industry is affected: schools, hospitals, restaurants, retailers, banks, hotels, government agencies and more. Any of them can suffer severe consequences, such as brand damage, class action lawsuits, lost business and regulatory fines. Their users and consumers see their social security numbers, payment card data, medical information, driver's license numbers and other personal data fall into criminal hands; according to Javelin Strategy & Research, 67 percent of 2014 breach victims in the U.S. were also victims of fraud.
Unmask anonymous attackers with advanced threat intelligence webinar 6.29 fin...SecureAuth
With the latest release of SecureAuth IdP, we announced the addition of SecureAuth Threat Service and offered it exclusively to you at 50% off list price! But if you are still not convinced that Threat Service will help you build the most secure environment possible then join us on June 29th for a live webinar with Forrester VP and Principal Analyst, Andras Cser where we will discuss the threats anonymous/Tor networks and the harmful repercussions that can happen in your network.
What's New in IdP 9.0 Behavioral Biometrics and more…SecureAuth
We are proud to announce our latest version of SecureAuth™ IdP v9.0. This release marks a milestone in technology advancement for access control and authentication security with the introduction of behavioral biometrics. This groundbreaking new risk analysis technology makes an organization even more secure while improving user experience. The technology performs keystroke and mouse movement analysis to determine a user’s legitimacy without the user noticing, if they don’t match – SecureAuth IdP v9.0 can require multi-factor authentication (MFA) for that login to proceed. SecureAuth is the first identity management vendor to offer this capability as part of a comprehensive risk-based authentication process.
Stopping Breaches at the Perimeter: Strategies for Secure Access ControlSecureAuth
Billions are being spent on network and endpoint security each year and yet companies continue to get breached and become big news headlines. So the question remains: How can organizations protect their network and applications while detecting unwanted users and potential attackers? Join 451 Research and SecureAuth as we explore the current state of information security and discuss some of the emerging access control technologies that can help address these challenges.
In this informative webinar you will learn:
•Why the future of access control will require higher security while improving user experience
•How adaptive access control techniques can protect against an attack using multi-layered risk analysis
•How using Behavioral Biometrics can identify anomalous user behavior - continuously
Damon Tepe, Director of Product Marketing, and Ryan Rowcliffe, Super Solution Architect, discuss and show release highlights:
• Cisco pxGrid support/integration – check if users/identities are logged on to network
• Adaptive and Authentication API enhancements – bring strong and adaptive authentication to homegrown applications
• Splunk support/integration – visualize real-time feeds from SecureAuth IdP 8.2
• Push-to-Accept – new authentication method
• Updated product theme – Clean new sleek design
What to Expect in 2016: Top 5 Predictions for Security and Access ControlSecureAuth
SecureAuth and special guest Forrester Research discuss the trends and strategies that will help you boost security and protect your organization from access threats. In this session, you will hear from Forrester's Andras Cser as he shares the top 5 information security and access control trends to watch for in 2016 and how they will impact your organization. Additionally, Keith Graham, CTO from SecureAuth, will present effective strategies to stay ahead of these trends and protect against advanced cyber attacks with adaptive authentication.
How to Stop Cyber Attacks Using Adaptive AuthenticationSecureAuth
Attacks on organizations are in the news every day. How can your organization keep from becoming tomorrow’s headline?
Join SecureAuth as we take a deeper look at how adaptive authentication techniques can enable your organization to stop attackers in their tracks. With live intelligence data as a part of your authentication workflows, you can easily identify suspicious actors before they enter your network, not after they violate a policy.
Balancing User Experience with Secure Access Control in HealthcareSecureAuth
Managing remote and cloud user access via passwords has always presented challenges. Remote access to EHR/EMR applications through VPNs such as Citrix, by clinical and non-clinical staff must be secured beyond the vulnerable password. But doctors and other users often resist added security measures because they reduce usability. Emerging technologies that help achieve a balance, such as device fingerprinting, will be covered and shown to actually improve the end user experience while still providing Strong, Adaptive Authentication.
Protecting the Keys to the Kingdom - The Case for Adaptive Authentication for...SecureAuth
Two-factor authentication is a great first step in securing your VPN, but we have seen that it is not always infallible. With advances in authentication technology we now have techniques to analyze the context of a user before and during authentication and step up your security when needed, without burdening your users. SecureAuth IdP is the industry’s first access control solution to provide adaptive authentication and leverage live attack intelligence to identify suspicious actors and drop a net around them, stopping them in their tracks.
Advanced Authentication: Past, Present, and FutureSecureAuth
Channel Systems and SecureAuth have teamed up to discuss and educate you about how the advent of cloud and mobile applications has changed the way we should think about authentication.
Advanced Authentication topics include:
Pre-authentication Risk Analysis
Geo-fencing
Attribute Exchange
www.secureauth.com
The Future of Mobile Application SecuritySecureAuth
The rapid adoption of mobile technology in recent years has created an opportunity for enterprises to increase the productivity and flexibility of their organizations. This demand for greater mobility has forced enterprises to deliver sensitive applications and data across a wide array of devices and networks.
SecureAuth and Sencha have created an integrated approach to application, data, and user mobility that elegantly addresses these challenges.
-Secure enterprise application deployment
-End-to-end data security with strong encryption
-Managed application container that works on any device
-Developer SDK for creating rich application user experiences
Learn what a modern architecture looks like. It accepts any identity, authenticates users, and asserts those identities to any cloud, mobile, web, or network resource without requiring directory migration or duplication.
Learn from security experts at Deloitte how you can rethink your architecture with a fresh outlook that meets the needs of your agile enterprise.
Why Two-Factor Isn't Enough
1. SecureAuth
Why Two-Factor Authentication Isn’t Enough
Ryan Rowcliffe, Director, Solution Engineers, rrowcliffe@secureauth.com
Damon Tepe, Director, Product Marketing, dtepe@secureauth.com
November 16, 2016
2. Webinar Housekeeping
+ All attendee audio lines are muted
+ Submit questions via Q&A panel at any time
+ Questions will be answered during Q&A at the end of the presentation
+ Slides and recording will be sent later this week
+ Contact us at webinars@secureauth.com
Copyright SecureAuth Corporation 2016
3. Single Factor….NOT Enough
+ 63% of reported 2015 breaches involve the use of compromised credentials (Verizon DBIR 2016)
+ Attackers will find weakest link & move laterally
+ Frequent PW changes/complex PWs = poor security practices & rising costs
+ PW re-use is common and creates vulnerabilities
+ Poor user experience
44% of assets are protected by username/password or nothing at all
1 - Wakefield Survey, Sept, 2016
2 - http://www.darkreading.com/risk/average-cost-of-data-breaches-rises-past-$4-million-ponemon-says/d/d-id/1325921
4. POLLING QUESTION
+ What percentage of your assets/resources are protected with 2-factor authentication today?
A) More than 90%
B) 75% - 90%
C) 50% - 75%
D) 25% - 50%
E) Less than 25%
All answers are anonymous – we only see the accumulated results
5. The Next Step…2FA & SSO
+ Single Sign-On (SSO) reduces number of log-ins & increases user productivity but…
+ 99% of IT decision makers feel that 2-factor authentication is best way to protect
+ Then why only cover 56% of assets?
+ Anonymity networks (e.g. Tor) pose a threat [1]
Why not deploy 2FA more?
+ Resistance from company executives (42%)
+ Worry about disrupting users (42%)
+ Lack of resources to support (40%)
+ Steep user learning curve (30%)
+ Fear improvements wouldn’t work (26%)
[1] The Trouble with Tor – Matthew Prince - https://blog.cloudflare.com/the-trouble-with-tor
6. POLLING QUESTION
+ Do you feel 2-Factor Authentication is the best way to protect assets/resources?
A) Yes
B) No
All answers are anonymous – we only see the accumulated results
7. Calculating Business Value
Passwords Can Be Expensive
5000 User Organization
+ 7500 Password Reset Calls/year
+ $40/call
= $300,000 spent annually on PW Resets
www2.secureauth.com/Password_Calculator
Removing Disruptions Has Benefits
5000 User Organization
Save 3 minutes/day (240 x 3mins = 12hr/yr)
$40/hr x 12hr/yr = $480/yr
$480/yr x 5000 employees = $2,400,000 in saved labor costs/productivity gains
www2.secureauth.com/SSO_Calculator
8. Popular 2FA Methods Have Flaws
+ Knowledge based questions & answers
+ One-time passcodes (OTPs), delivered via SMS/Text or email
+ Push-to-accept
+ Hard Tokens
10. Quick Summary
+ Username & password doesn’t protect
+ Self-service tools save costs
+ SSO is great if properly protected
+ User experience is important
+ Some popular 2FA methods have flaws
There is a better way…..
11. SecureAuth Uniquely Positioned
Raise Confidence in Authenticating Identities & Provide a Good and Positive User Experience
13. Best Possible Security
Employees, Partners, Customers
(1) Adaptive Authentication: Risk checks without users knowing
(2) Multi-Factor Authentication: 25+ methods to choose from (SMS OTP, Telephony OTP, Email OTP, Fingerprint Biometric, Push-to-Accept)
(3) Continuous Authentication: Post-authentication continual monitoring
(4) Flexible Workflows: Admins MUST MFA every time; On campus logons don’t require MFA; Deny ANY user posing a serious threat/risk
(5) Data Visualization & Sharing: Dashboard; SIEM Integration; Faster Intrusion detection & remediation
14. Adaptive Authentication: Pre-Authentication Risk Analysis
+ Device Recognition: Do we recognize this device? Associated with a user we know?
+ Threat Service: Real-time Threat Intelligence; IP Address Interrogation
+ Directory Lookup: Group membership and attribute checking
+ Geo-Location: Request coming from a known location? Do we have employees, partners or customers here?
+ Geo-Velocity: Has an improbable travel event taken place?
+ Geo-Fencing: Access request coming from within or outside a geographic barrier
+ Phone Number Fraud Prevention: Reduce # of OTPs, Block device class, Identify “porting” status, Block by carrier
+ Behavioral Biometrics: Typing Sequences & Mouse Movements; Unique to each user on each device
+ Identity Governance: Who should/does have access rights? High Access Rights = greater risk/vulnerability
+ User & Entity Behavior Analytics: Track normal behavior; Looking for anomalies
15. Best Possible User Experience
+ Multi-Layered Risk Analysis: Only require a MFA Step if risk present. More pre-authentication risk checks than any other vendor – bullet proof vest
  MFA Step, Deny, Redirect, Allow
+ Single Sign-On: Convenience of removing log-in across multiple systems
  • Library of over 8000+ apps
  • All Federation protocols supported
  • Support custom branding
+ User Self-Service: Allow user to help themselves without a Help Desk call
  • Password Resets
  • Account Unlocking
  • Enrollment
  • User Personal Info
On-Prem Apps, Homegrown Apps, SaaS Apps, VPN, Data Stores
16. Matt Articulates HIS User’s Experience
“The end users love the new system. When they’re on premise, they don’t even have to be prompted for their credentials, however if they take that same device off network, they’re automatically prompted for credentials. It’s really a nice solution and a lot of time people don’t even realize they are using it”
- Matt Johnson, Manager, Server Engineering, Houston Methodist Hospital
www.secureauth.com/resources/case-study-houston-methodist
17. Adaptive Authentication
[Diagram: login scenarios Normal Day, Travel Day, Lost/New Laptop, Stolen Credentials and Stolen Laptop; risk levels Low, Medium and High; risk checks Device Recognition, Threat Service, Directory Lookup, Geo-Location, Geo-Velocity, Geo-Fencing, Phone Number Fraud Prevention, Behavioral Biometrics, Identity Governance, User & Entity Behavior Analytics; outcomes Allow, MFA Step, Redirect and Deny. Example logins shown: dtepe@secureauth.com and hack@cyberattack.com.]
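The pre-authentication checks and workflow rules on slides 13, 14 and 17 can be sketched as a small decision function. This is an added example, not SecureAuth's code: the campus network, the threat list, the 900 km/h speed limit, the sample logins and the exact mapping of signals to Allow / MFA Step / Deny are all assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumptions for this example only: networks, threat list, threshold and the
# sample logins further down are constructed, not SecureAuth data or policy.
CAMPUS_NETWORKS = [ip_network("10.20.0.0/16")]
THREAT_IPS = {ip_address("203.0.113.66")}
MAX_PLAUSIBLE_KMH = 900.0  # about airliner cruise speed


@dataclass(frozen=True)
class Login:
    user: str
    is_admin: bool
    device_id: str
    ip: str
    lat: float
    lon: float
    when: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0088 * math.asin(math.sqrt(a))


def travel_speed_kmh(prev, cur):
    """Speed implied by two consecutive logins; infinite if time did not advance."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:
        return math.inf if dist > 0 else 0.0
    return dist / hours


def evaluate(cur, prev, known_devices):
    """Return (decision, reasons) for a login, given the user's previous login."""
    addr = ip_address(cur.ip)
    on_campus = any(addr in net for net in CAMPUS_NETWORKS)
    threat = addr in THREAT_IPS
    new_device = cur.device_id not in known_devices.get(cur.user, set())
    fast = prev is not None and travel_speed_kmh(prev, cur) > MAX_PLAUSIBLE_KMH

    reasons = []
    if threat:
        reasons.append("threat service: source IP on threat list")
    if fast:
        reasons.append("geo-velocity: improbable travel")
    if new_device:
        reasons.append("device recognition: unrecognized device")

    # "Deny ANY user posing a serious threat/risk": here, a threat-list hit or
    # improbable travel combined with a device we have never seen.
    if threat or (fast and new_device):
        return "Deny", reasons
    # "Admins MUST MFA every time"
    if cur.is_admin:
        return "MFA Step", reasons + ["workflow: admin account"]
    # "On campus logons don't require MFA"
    if on_campus:
        return "Allow", reasons
    # "Only require a MFA Step if risk present". Improbable travel on a known
    # device is stepped up rather than denied, since VPN exits cause it too.
    return ("MFA Step", reasons) if reasons else ("Allow", reasons)


def run_scenarios():
    """Constructed logins loosely following the scenario names on slide 17."""
    t0 = datetime(2016, 11, 16, 9, 0, tzinfo=timezone.utc)
    houston, chicago, london = (29.76, -95.37), (41.8781, -87.6298), (51.5074, -0.1278)
    known = {"alice": {"laptop-1"}, "root-admin": {"ws-7"}}
    h = lambda n: t0 + timedelta(hours=n)
    normal = Login("alice", False, "laptop-1", "10.20.5.7", *houston, t0)
    travel = Login("alice", False, "laptop-1", "198.51.100.23", *chicago, h(5))
    vpn_hop = Login("alice", False, "laptop-1", "192.0.2.10", *london, h(5.5))
    new_laptop = Login("alice", False, "laptop-2", "198.51.100.23", *chicago, h(6))
    stolen = Login("alice", False, "unknown-9", "192.0.2.50", *london, h(7))
    listed = Login("alice", False, "laptop-1", "203.0.113.66", *chicago, h(8))
    admin = Login("root-admin", True, "ws-7", "10.20.1.2", *houston, t0)
    cases = [
        ("normal day", normal, None),
        ("travel day", travel, normal),
        ("known device, improbable travel", vpn_hop, travel),
        ("lost/new laptop", new_laptop, travel),
        ("stolen credentials", stolen, new_laptop),
        ("threat-listed source", listed, new_laptop),
        ("admin on campus", admin, None),
    ]
    return {name: evaluate(cur, prev, known)[0] for name, cur, prev in cases}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:34s} -> {decision}")
```

The Stolen Laptop scenario is not modeled: a recognized device in a plausible location passes these checks, which is the gap the behavioral biometrics and continuous authentication items on the slides are meant to cover.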
Hello everyone, thank you for attending and welcome to the “Why Two-Factor Authentication Isn’t Enough” webcast.
I’m Damon Tepe, Director of Product Marketing and I’ll be joined today by Ryan Rowcliffe, Director of Solution Engineers here at SecureAuth.
Our purpose today is to explain why 2-factor authentication may not be enough to properly secure and protect today’s organizations. And with cyber-attacks and the cost of breaches both on the rise, security mechanisms in place today don’t seem to have the desired effect.
Can we really ignore more secure access to resources?
But before we dig into the presentation, let’s get some housekeeping items out of the way….
All attendee audio lines are muted – this is for everyone’s listening pleasure
You can submit questions via the Q&A panel at any time throughout the session (it’s located on the right hand side of your console)
Those submitted Questions will be answered during Q&A at the end of the presentation (and if we run out of time, we will follow-up with you directly)…we have roughly 30 minutes of content and will follow up with 15 mins or more if needed for Q&A
We do have a couple polling questions, and you can answer those in roughly the same area you can pose questions (right hand side of console)
Slides and a recording of this session will be sent later this week
If you have questions related to this webinar or any others, you can always contact us at webinars@secureauth.com
Let’s first level set where organizations sit today. In a survey conducted last month by Wakefield Research, IT decision makers at various sized organizations proclaim that 56% of assets/resources are protected with 2 factor authentication….which means 44% of the remaining assets are protected by single factor authentication (username/password) or nothing at all.
The 2016 Verizon Data Breach Investigations Report tells us that 63% of reported 2015 breaches involve the use of compromised credentials….this has been on the rise too…two years ago it was less than 50%, last year it was slightly more than 50%.
Attackers will find and expose your weakest link - For example, in the 2014 JPMorgan breach — the largest breach in financial services history — attackers gained access to the network by using the stolen login credentials for a JPMorgan employee to gain access to a particular server where two-factor authentication had not been deployed. Attackers usually move laterally using those credentials, or even better, they create new credentials and give themselves the access they want.
Most of us try and combat the stolen credential issue with complex PW requirements and frequent PW changes, but unfortunately this leads to users writing them down in unsecure places, and typically leads to more frequent PW reset calls because users forget them. Those calls cost time and money and keep users from being productive while they wait for a password reset from the helpdesk.
PW reuse becomes problematic as well….using the same password or password structure across multiple logins (Facebook, Target, LinkedIn, Online banking) means a compromise on one site could lead to an infiltration with that re-used PW on your network.
Beyond not providing the protection needed in today’s business environment, UN/PW (or single factor auth) doesn’t provide a great user experience. Logging in with credentials multiple times every day is a burden and has a productivity hit to users.
In summary, single factor auth or UN/PW alone is NOT a great security solution….
Let’s move on to our first poll…
Please cast your vote on the right-hand side of your webinar console now…..we will display the results shortly.
The question is……”What percentage of your assets/resources are protected with 2-factor authentication today?”.
All answers are anonymous and we only see and display the accumulated results. You have five choices, please choose the percentage band that corresponds to your organization’s 2FA use across all assets/resources.
Thank you to all for your participation!
So we beat-up single factor authentication pretty good….and the typical next step for organizations is to deploy Single Sign On…reduce the number of logins/disruption, but with single sign-on using only single factor authentication, you make things easier on would-be attackers by giving more access if they can compromise credentials.
Because of that, organizations are deploying more and more 2-factor authentication….in fact that same Wakefield Research survey I referenced earlier….reports that 99% of IT decision makers feel 2-factor auth is the best way to protect assets!!!
BUT that begs the question…why only cover 56% of assets, right?
Those decision makers go on to tell us why….read chart….
Another thing to keep in mind related to single or 2-factor authentication….oftentimes attackers mask their identities via the use of anonymity networks like Tor. CloudFlare reports that 94% of the access requests they see from the Tor network are malicious…so being able to detect requests from these networks can significantly improve security whether attackers have valid credentials or can get around certain 2FA steps
Let’s go to our final poll…
Again…Please cast your vote on the right-hand side of your webinar console…..we will display the results shortly.
The question is……” Do you feel 2-Factor Authentication is the best way to protect assets/resources?”
Again, all answers are anonymous. You have 2 choices, “Yes” and “No”
Thank you again for your participation!
We’ve now come to the math portion of our program….but before you start checking emails or playing games on your phone….this is easy math and can help you understand a couple ways to think about business value.
Assuming passwords will remain an important component of your access control strategy, let’s see how expensive they can be and how we can reduce the expense…
It’s reported that 20%-50% of helpdesk calls are for PW resets at a cost of $15-$70/per call…let’s say each user at a 5,000-person organization has to make a PW reset call a year and another 50% have to make a 2nd call = 7,500 calls/yr at $40/per = $300,000/year…It’s important to use complex passwords and frequently change them for security purposes, but doing so often leads to more password reset calls to the helpdesk….a self-service password reset solution allows you to save the money shown on the slide and provides a better, faster user experience. You can calculate your savings using our online calculator at www2.secureauth.com/Password_Calculator
Minimizing User Disruptions throughout the day also can save costs or maybe better put….productivity savings.
Many variables here, but if each user could save time every day by not having to enter a PW into each resource by utilizing single sign-on, or by not waiting on a PW reset helpdesk call… the savings can be significant. Let’s assume we can save 3 mins a day per user x 240 working days = 720 minutes/year or 12 hours/year. Doesn’t sound like much, but at an average employee cost of $40/hour, that could save $480/year/user….keeping consistent with our 5,000 user example = $2,400,000 in labor costs or to look at it another way….improved productivity gains. Not only does SSO provide user convenience and fewer disruptions, it translates into more productivity.
BUT keep in mind…SSO without strong access control can actually make you more vulnerable…if attackers gain entry by cracking or stealing credentials….you’ve given them easier access to resources.
So let’s move on to talk about how some popular 2FA methods have flaws…
Many popular 2FA methods have flaws and those methods coupled with a username and password can provide a false sense of security.
As we showed before, 99% of IT decision makers think that 2FA is best way to protect access….but Cyber attackers continually evolve and have found ways around them:
Knowledge-based questions and answers (KBAs) can be socially engineered fairly easily with the wealth of personal information publicly available via social media. Think of popular security questions….mother’s maiden name, favorite color or favorite car, street you grew up on…much of this info can be mined from social media.
One-time passcodes (OTPs) delivered via SMS/Text and/or email can be intercepted. The National Institute of Standards and Technology (NIST) in their latest “Digital Authentication Guideline” no longer recommends SMS/Text based OTPs because of how easily they can be intercepted.
Both RSA and Gemalto hard tokens have been compromised by attackers in the past. And most users don’t want to carry around something else, preferring to use methods via things they already use daily (cell phone, email, voice over a call)
Common 2FA method - ‘Push-to-Accept’ – has been known to routinely be falsely accepted by users that are not authenticating. An attacker with valid yet compromised credentials will continue to request access until an impatient user finally hits “accept” on their phone ...often because they become conditioned every day to hit “accept”.
Security conscious organizations need to look beyond 2FA alone for access control and cyber-attack protection.
Let’s do a quick summary of what we’ve covered before we move on to talk about a better security solution.
We’re not going to show this video, but I encourage you to take a quick look when you get a chance. Might want to take a picture of the screen, to capture the link.
But in the 2.5 minute video, we see how easy it is for attackers to compromise credentials. This hacker was able to gain access to the mark’s cell phone and have the password changed to their choosing with just a phone call…..no coding, no super complicated or elaborate malware or tools were needed….just a phone.
Encourage you to take a look, it’s worth the 2.5 minutes. Ok….hopefully everyone who wanted to watch the video snapped a picture because we need to move on….
UN/PW Combo doesn’t protect
Self-service tools (like SSPR) can provide significant savings
SSO provides a good user experience and can increase productivity gains, but HAS TO BE properly protected
User experience is important - Whether SSO, Self-service tools, fast/convenient 2FA…are all aimed at fast access to resources…keep users productive
Some 2FA methods have flaws and can provide a false sense of security
Those are the problems….there is a better way….so let’s look at how SecureAuth can help!
SecureAuth is uniquely positioned to help organizations increase security and provide a clean seamless user experience because:
For Security….
We can layer multiple pre-authenticate risk checks together, making it infinitely more difficult for attackers to penetrate (we offer more risk checks than any other vendor)
We couple those risk checks with 25+ different authentication methods (we offer more choices/flexibility than any other vendor)
We visualize authentication data to make it easier to see anomalies and share that data with SIEMs to help customer Security Operations Centers more quickly remediate intrusions (I don’t know of any other vendor building integrations to other security products (not their own) to help better detect intrusions)
For a good user experience…
With the multiple pre-authenticate risk checks we do, if no risk is detected, users can log-in without taking a 2FA step.
We add to that.. the ability to provide SSO into a plethora of resources
Offer self-service tools (like password resets, account unlocking, enrollment, etc…)
If you add it all up…SecureAuth is uniquely positioned to provide the best security, with the best user convenience!
Let’s take a deeper look….
Adaptive authentication is to a doorman….. What user credentials are to a lock.
Anyone with key can open locked door….the lock doesn’t know who the key bearer is, just that if the right key is used, the lock is opened.
A doorman adapts, recognizes people coming in and going and can make it difficult or easy to pass though if recognized. The more familiar that doorman becomes with tenants, the easier it becomes to come and go freely without interruption.
So…how do we provide the best possible security….:
First – is our adaptive authentication capabilities….which evaluate multiple potential risks, but do so pre-authentication, without users knowing, and when layered together provide additional security nearly impossible for attackers to pass thru without either being denied outright or given a 2FA step to prove validity. But the flip side of that is good users with known devices, coming in from known locations, and exhibiting normal behavior can be given access without a 2FA disruption!
In addition to Adaptive Authentication, we offer 25+ multi-factor authentication methods – giving organizations choice and flexibility to use methods of their choosing.
Next we provide “Continuous Authentication” – This is via our Behavioral Biometric capabilities. Helps protect post-authentication, where most access control solutions do nothing. Helps with protecting from insider threats and continually monitors and measures typing sequences and mouse movements.
Next we offer flexible workflows…not all users are created equal, some have access to more sensitive resources than others and we can add or remove additional authentication steps depending on the potential vulnerability a particular user/group of users, or resources poses.
Lastly, we show data in a nice dashboard (failed log-ins, utilizations, types of requests) and maybe more importantly we share this data with various SIEMs via pre-built integrations with the goal of correlating our data with other security data for faster intrusion detection and ultimately accelerate remediation, if needed.
Very few competitors, including RSA, have these capabilities – we have more adaptive authentication risk checks than any other vendor, we provide more MFA choices than any other vendor, we offer Continuous Authentication (post-authentication) where only a couple other vendors offer it, we allow flexible workflows where most vendors offer two at best (we offer an infinite #) and while some vendors do display their authentication data, I’ve heard of none talking about SIEM integration and data correlation for better detection and remediation.
Some of you may have noticed that our adaptive stack has grown…..let’s take a look at that, considering it’s our biggest differentiator….
So Adaptive authentication is a doorman and learns and adapts over time
I often describe these pre-authentication risk checks like layers in a bullet proof vest. A bullet proof vest is made up of multiple layers of laminate fibers….each layer may not stop a bullet by itself, but when layered together they form an impenetrable barrier.
Device Recognition – Do we recognize this device and is it a device associated with a user we know? ….we can include web browser configuration, language, installed fonts, browser plugins, device IP address, screen resolution, cookie settings, time zone, and more and associate this relatively unique “device fingerprint” to a specific user
Threat Service – where we can compare the IP address of an authentication request to known white and black lists and can also compare to continually updated live threat intelligence service feeds to ensure analysis is current to the minute (this is where we identify if a request is, for example, coming from an anonymity network like Tor)
Directory Lookup – Check group membership and if user attributes are correct (where we can compare an identity to others, looking for abnormalities…oftentimes attackers, once they’ve infiltrated an organization, will create their own new identity and credentials to have free rein within your application landscape. But those attackers often don’t create the new identity with all the fields your organization requires, therefore by checking it, we can find inconsistencies and require multi-factor authentication before proceeding)
Geo-Location – we can compare an identity’s current geographic location against good and bad locations (e.g. You don’t have employees, business partners, or customers in China….therefore no one from China should be trying to access your resources)
Geo-Velocity – we also look at whether an improbable travel event has occurred (e.g. User logs in at 2pm PST from Los Angeles and attempts to log back in at 7pm EST in New York City….very unlikely that user was able to travel from California to New York in 2 hours)
Geo-Fencing – You can create a geographic barrier – where access requests within and outside that barrier are treated differently
Phone Number Fraud Prevention – this is the new functionality we are building for Anthem, and should also be available next month.
The Second Factor Throttling (or spam prevention) will provide protection against an attacker attempting to overwhelm the system by generating a large number of OTP's.
The phone number profiling service will provide the ability to take a phone number, and return real time intelligence from carrier networks on various aspects of the number to determine risk and fraudulent activity.
We can block numbers by class of phone (e.g. virtual phone, landline, mobile)
We can also block by carrier network (e.g. so calls from cell networks in North Korea, Iran, Afghanistan, or others can be blocked)
Behavioral Biometrics – where we analyze typing sequences, and mouse movements to create unique biometric profiles for each user on each device (if current request does match the profile, we can deny access or require a MFA step to confirm the identity)
These last two come by way of our Connect Security Alliance agreement:
Identity Governance – this comes from SailPoint, where they provide us a risk score based on entitlements – the more access a user has to sensitive resources the higher their score and we can use this score as yet another input to our overall adaptive risk scoring
Lastly we have User & Entity Behavior Analytics – This comes to us through Exabeam, where they track and baseline individual user behavior and look for anomalies (things out of the ordinary). Exabeam tells us if behavior is inside or outside the norm, and we can utilize that information in our overall adaptive risk scoring as well.
SecureAuth has more Pre-Authentication risk checks than any other vendor…they happen without users even knowing, and can improve both security and user experience
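The layered, silent checks walked through above end in one of three outcomes: allow, MFA step, or deny. The sketch below is an added example, not SecureAuth's code and not part of the original webcast; it layers a threat-list check, a geo-location check, device recognition and the geo-velocity check, using the Los Angeles to New York case from the talk. The `Login` record, the list names, the 900 km/h threshold and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumption: about airliner cruise speed; tune per policy

@dataclass
class Login:  # hypothetical record of one access request
    user: str
    device_id: str
    ip: str
    country: str
    lat: float
    lon: float
    when: datetime  # must be timezone-aware

def km_between(a, b):
    """Great-circle (haversine) distance between two logins, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))

def improbable_travel(prev, cur):
    """Geo-velocity: would the user have had to move faster than MAX_KMH?"""
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:  # same instant or out-of-order events: distance alone decides
        return km_between(prev, cur) > 50
    return km_between(prev, cur) / hours > MAX_KMH

def decide(cur, prev, known_devices, ip_denylist, blocked_countries):
    """Run the silent checks in layers; return (decision, reasons)."""
    if cur.ip in ip_denylist:
        return "deny", ["threat-service: ip on denylist"]
    if cur.country in blocked_countries:
        return "deny", ["geo-location: blocked country"]
    reasons = []
    if cur.device_id not in known_devices.get(cur.user, set()):
        reasons.append("device-recognition: unknown device")
    if prev is not None and improbable_travel(prev, cur):
        reasons.append("geo-velocity: improbable travel")
    return ("mfa" if reasons else "allow"), reasons

# Constructed sample data (documentation IP ranges, made-up device ids).
PST, EST = timezone(timedelta(hours=-8)), timezone(timedelta(hours=-5))
KNOWN = {"joe": {"laptop-01"}}
DENYLIST = {"192.0.2.66"}
BLOCKED = {"ZZ"}  # placeholder country code
la = Login("joe", "laptop-01", "203.0.113.7", "US", 34.05, -118.24,
           datetime(2016, 11, 1, 14, 0, tzinfo=PST))   # 2pm PST, Los Angeles
nyc = Login("joe", "laptop-01", "198.51.100.23", "US", 40.71, -74.01,
            datetime(2016, 11, 1, 19, 0, tzinfo=EST))  # 7pm EST, New York
next_day = Login("joe", "laptop-01", "203.0.113.7", "US", 34.05, -118.24,
                 datetime(2016, 11, 2, 14, 0, tzinfo=PST))
bad_ip = Login("joe", "laptop-01", "192.0.2.66", "US", 34.05, -118.24,
               datetime(2016, 11, 2, 15, 0, tzinfo=PST))

if __name__ == "__main__":
    for label, cur, prev in [("LA then NYC", nyc, la),
                             ("normal day", next_day, la),
                             ("listed IP", bad_ip, next_day)]:
        print(label, decide(cur, prev, KNOWN, DENYLIST, BLOCKED))
```

Timestamps are compared as timezone-aware values, so the 2pm PST and 7pm EST logins are correctly seen as two hours apart rather than five.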
Let’s move on to how we provide the best possible user experience….
Best Possible User Experience
Not all users are created equal, but everyone hates additional authentication steps
Getting beyond the old school, multi-step/multi-interruption process helps provide good user experience
Clean authentication experience enhances user adoption and reduces complaints to the security team…the multiple layered silent risk checks we just talked about allow organizations to identify and deny bad access requests, challenge risky ones, and allow good ones right thru without an MFA step
Organizations can now balance security needs with user preferences and don’t have to compromise security or user experience…best of both worlds!
We can reduce the number of daily interruptions when accessing organizational resources with SSO, improving productivity by enabling fast and seamless access to the things people need to do their jobs
We can also empower users to help themselves when and if the need arises via self-service tools like password resets, account unlocking, enrollment, updating personal info – all saving both user and IT time.
I’ve spent time talking about why SecureAuth and how we’re different, but it’s always better to hear what an actual customer is saying….
Normal Day
No MFA needed…even need a password?
I kept “Identity Governance” consistent because “access rights” didn’t change for user
“Behavior Analytics” is low because it’s just a regular day…start time, start app of da
Travel Day
Joe Director of Manufacturing
Travel from US to China to scope out a potentially new mfg facility….
Allow or MFA Challenge?....the prospect gets to choose/hence flexibility of the solution
Lost/New Laptop
While in China Joe’s laptop gets stolen…luckily he’s able to purchase a new laptop
Suggest a “self enrollment” step via mobile app and QR code…this might not work
We developed this check list to quickly highlight what we refer to as the “new adaptive”….
Read chart…
We could have titled this webinar single-factor and second-factor authentication are NOT ENOUGH….but hopefully you found the webinar informative and have a better understanding of how SecureAuth is uniquely positioned to offer both the best in security with the best in user experience!