“Passwords are No Longer Sufficient”
Brian Rivers
§ For systems that provide access to sensitive and restricted information systems
§ Requires something you have (hardware token) in addition to something you know (username + password)
§ Over 1700 employees currently using ArchPass to access these systems
Session Outcomes
§ Understand how ordinary user credentials are no longer sufficient and how multi-factor authentication adds an additional layer of protection that would have prevented recent incidents
§ Understand how multi-factor authentication can integrate into complex, decentralized technical architectures in a timely and cost-effective manner.
§ Understand the human dimension, placing the implementation in the context of business functions, user requirements, and involving critical stakeholders across the institution.
Session Outcomes
§ This could save your bacon.
§ “So easy a caveman can do it.”
June 17th, 2013 20:53 GMT By Eduard Kovacs
Victims by Location (data breaches, 2012; pie chart)
• 73% (largest slice; label not recovered from the chart)
• Australia 7%
• Canada 3%
• UK 2%
• Brazil 1.2%
• Other 20.8%
Attackers by Location (pie chart)
• Originated in US 29%
• Romania 33.4%
• Ukraine 4.4%
• China 3.9%
• Unknown 14.8%
Phishing / Malicious Spam
• 14 billion malicious spam daily
• 9.8 billion messages contain links to websites that will infect your computer
• 10% of spam emails sent daily are malicious
Phishing Attacks

                     Phishing    Spear Phishing           Whaling
Target(s)            Anyone      Group or organization    Specific person or team
Research required    Minimal     Moderate                 Substantial
Believability        Medium      High                     Very High
Sophistication       Minimal     Moderate                 Substantial
Goal                 Identities / access to system or network (all three)
Changing the Culture
§ Creating awareness – “Information security is non-negotiable, and it’s everybody’s business”
§ Accept Change – “Institutions need to adopt common sense measures that move the pendulum back so that a balance is struck between user convenience and security”
§ Invest in Technology – “Tools such as anti-virus, digital loss prevention (DLP) software, and multi-factor authentication reduce attack surfaces dramatically”
ArchPass - Business Functionality and User Impacts
§ UGA Culture and Background
§ UGA has a strong culture of compliance and a willingness to improve information security; however,
§ ArchPass would need to overcome:
§ UGA’s decentralized administrative structures
§ Institutional skepticism and reluctance to add
Business Functionality and Impacts
§ Role of the Administrative Systems Advisory Council (ASAC)
§ Involve UGA business units and stakeholders with shared responsibility in the delivery and support of information technology, application, and data needs of the University community.
§ Represent the entire University when making administrative system recommendations. Thus ASAC has broad representation from each of the Vice Presidents and major units and extends itself to gather feedback from special interest groups.
Business Functionality and Impacts
§ ASAC Approach to ArchPass
§ Review initial proposal from the VP for IT for phase one of a multi-factor authentication program.
§ Recommend criteria for systems required to use ArchPass, policy and procedure, and an exception process.
Business Functionality and Impacts
§ ASAC Approach to ArchPass (continued)
§ Gather input and feedback on the recommendations from University-wide user groups.
§ Provide this feedback to IT.
This feedback was key to implementing a program with University-wide acceptance. The user community was part of the decision-making and the overall process.
Business Functionality and Impacts
§ Key Concerns Expressed by Users and ASAC
§ Creating an exception process (both opt-in and opt-out) with appropriate vetting, risk assessment, and functional and technical management approval.
§ Access to systems from off-site locations, especially during emergencies.
§ University recognition that this was ‘Phase I’ and not ‘end state’.
ArchPass - Business Functionality and User Impacts
§ Post Implementation Feedback
§ “It is easy to use.”
§ “Has become a way of life, just like using my UGA ID card for building access.”
§ Status Symbol of sorts – “My co-worker has an
Multifactor Authentication Strategy
The University of Georgia elected to deploy a network (VPN) based 2-Factor authentication using hardware tokens.
Decision Factors were:
§ Timeliness of Deployment
§ Diversity and age of platforms being protected
Secure Zone Architecture (diagram; components as labelled)
§ Internet, External Firewall, Internal Firewall, UGA Network, BDC Secure Zone
§ 2 Factor Authenticated VPN Group: dedicated IP range; specific DC firewall permissions
§ F5 BigIP: load balancer; SSL termination
§ Network Monitoring: SSNCap, NetFlow, SNORT, ASSETs, pcap
§ Security Event Monitoring, Data Loss Prevention, Vulnerability Assessment, Virtual Desktop
The Technology
Network Level Multifactor
§ Pros:
§ No application modifications needed for integration (good option for legacy applications)
§ Central logging of network behaviors
§ Protects against application & OS authentication vulnerabilities
§ Leverages tried & true VPN security technology
§ Cons:
§ VPN client required for access
Hardware Token Solution
§ Pros:
§ Tried & true solution
§ Lower complexity in support model
§ Avoids BYOD support & function issues
§ Avoids multi-platform support issues
§ Cons:
§ Deployment overhead
§ Per Unit hardware/software cost is higher
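As an added illustration (not from the slides), the mechanism behind the “something you have” factor: an RFC 4226 HOTP verifier with a look-ahead window and replay protection, combined with the password factor. It assumes OATH-style event-based tokens, which the slides do not specify; the user store, salt and names are constructed.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class TokenRecord:
    """Server-side state for one issued hardware token (hypothetical structure)."""
    def __init__(self, secret: bytes, counter: int = 0, window: int = 10):
        self.secret = secret
        self.counter = counter  # next counter value the server expects
        self.window = window    # look-ahead tolerance for unused button presses

def verify_hotp(token: TokenRecord, submitted: str) -> bool:
    """Accept a code only if it matches a counter in [counter, counter + window).
    On success the counter moves past the matched value, so the same code is never
    accepted twice: a code captured by phishing cannot be replayed later."""
    for i in range(token.window):
        candidate = token.counter + i
        if hmac.compare_digest(hotp(token.secret, candidate), submitted):
            token.counter = candidate + 1
            return True
    return False

def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: one account using the RFC 4226 test-vector secret.
SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw": password_hash("correct horse battery staple", SALT),
        "token": TokenRecord(b"12345678901234567890"),
    }
}

def authenticate(username: str, password: str, code: str) -> bool:
    """Both factors must pass; the token counter only advances after the password is right."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(password_hash(password, SALT), user["pw"]):
        return False
    return verify_hotp(user["token"], code)
```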
Data Containment Strategy
The University of Georgia deployed a Secure Virtual Desktop Infrastructure along with Data Loss Prevention technology within the Secure Network zone.
§ Glove box for user data processing
§ Controlled desktop with application safe-listing
§ Highly restricted browser access
Cost Estimates
Below are possible cost estimates for a 500 user implementation.

Estimates         Initial Costs   Annual Maint.   3 year TCO   5 year TCO
500 Tokens        $20,000         $3,000
Incidentals       $5,000
Cisco ASA 5555    $16,437         $2,250
Total             $41,437         $5,250          $51,937      $62,437