Presentation is loading. Please wait.

Presentation is loading. Please wait.

Oh no! They hacked my password!!!

Published byPierce Hudson Modified over 5 years ago

Similar presentations

Presentation on theme: "Oh no! They hacked my password!!!"— Presentation transcript:

1 Oh no! They hacked my password!!!
Jerry Wynne, CISA, CISSP, CIRSC Vice President of Security, CISO

2 Disclaimer This document and any oral presentation accompanying it are not intended/should not be taken as necessarily representing the policies, opinions, and/or views of Noridian Mutual Insurance Company, Blue Cross Blue Shield of North Dakota, Noridian Healthcare Solutions, any of their component services, or any other affiliated companies. This document and any oral presentation accompanying it has been prepared in good faith. However, no express or implied warranty is given as to the accuracy or completeness of the information in this document or the accompanying presentation

3 Agenda Who am I? Breach after Breach after Breach It’s a numbers game
Cracking a password What is the value? Creatures of Habit Collision of Facts So, If my password is not enough….

4 Who am I? Currently employed by Noridian Mutual Insurance Company
DBA: Blue Cross Blue Shield of North Dakota an independent licensee of the Blue Cross Blue Shield Association DBA: Noridian Healthcare Solutions Assisting: Three other Healthcare plans with Security Vice President of Security, Chief Information Security Officer (CISO) Responsible for both Electronic and Physical Security 3200 employees, 15+ locations coast to coast Staff of 70+, physical and electronic security professionals Certifications include: Certified Information Systems Auditor (CISA) Certified Information System Security Professional (CISSP) Certified in Risk and Information System Control (CRISC) Over twenty years experience in Electronic Security, with over fifteen years of leadership in Electronic Security

5 Breach after Breach after Breach
The Password Breaches keep coming and coming 2013 Yahoo data breach Over I Billion Passwords breached 2015 LinkedIn password 115 Million passwords breached 2017 CloudFire Breach Includes: Uber, Fitbit, OKCupid among 3,400 websites; Unknown number of passwords Users are urged to update all passwords

6 It’s a numbers game Total Population of USA: 323 Million
Total Population of World: 7.5 Billion

7 It’s a numbers game Approximate total number of passwords stolen in 2016 alone: 4.2 Billion

8 It’s a numbers game 13 Passwords in 2016
So, if passwords were just stolen from Americans, every American would have lost: 13 Passwords in 2016 If passwords were stolen from everyone in the world Every other person in the world has had a password stolen in 2016!

9 Cracking a password From the UK Daily Mail, 2013:
A team of hackers has managed to crack more than 14,800 supposedly random passwords - from a list of 16,449  - as part of a hacking experiment for a technology website. The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster. The hackers also managed to crack 16-character passwords including 'qeadzcwrsfxv1331'. Rather than repeatedly entering passwords into a website, the hackers used a list of hashed passwords they managed to get online In several cases they identified the user, and used plain text passwords and created a hash from the plain text password

10 Cracking a password From the 2016 Verizon report:
Verizon found that “63% of confirmed data breaches involved leveraging weak, stolen or default passwords.” Further, the 2018 Verizon reported: that 93% of data breaches occurred within minutes, while 63% weren’t discovered for months.

11 What is the value of these passwords?
So many passwords have been stolen and resold/published that: It is estimated that enough passwords have been “stolen” that at least the equivalent of two passwords for every computer user have been stolen Billions of Passwords and user codes are available for free on the dark web Passwords and user codes are only worth money when they have just recently been stolen and news of the theft have not been made public

12 Creatures of Habit Grace Boyle (an online blogger) summed up creatures of habit in a guest article where she wrote: We are creatures of habit. We find comfort in regularity. When something out of the ordinary comes along, forces us to dig deep and make a U-Turn instead of keep going straight, it’s jarring. All of a sudden the comfort and familiarity are gone and we’re alone-not quite sure what to do next. People reuse passwords Most software does not stop this from happening Reused passwords typically only vary slightly No software can stop password reuse on different systems

13 Creatures of Habit More Reasons users reuse passwords:
Typical Password policies that state things like: You must have at least characters with letters (upper and lower case), Numbers Special characters Time restrictions like forced resets every 30 days. Some websites won’t let you paste your password in, you have to type it.

14 Collision of facts Facts: People reuse passwords
Everyone leaves some type of digital fingerprint (social media) Billions of Passwords are available for free on the dark web

15 So if my password is not enough…
Definition: Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi- factor authentication.

16 So if my password is not enough…
Understanding slang versus fact: What is Multifactor authentication? Is Usercode / password Multifactor authentication? Why or Why Not? However, how is Multifactor authentication typically defined? Typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

17 So if my password is not enough…
Some options for multifactor authentication include but are not limited to: Hard Tokens Soft Tokens Biometrics PINs Passwords User IDs Smart Cards

18 So if my password is not enough…
Hard Tokens Hard tokens (also known as hardware tokens, security tokens, authentication tokens) are a common method of deploying two-factor authentication (2FA), popularized by RSA in the late 80s / early 90s Soft Tokens A software token (a.k.a. soft token) is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated.

19 So if my password is not enough…
Biometrics Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who is says he is. Biometric authentication systems compare a biometric data capture to stored, confirmed authentic data in a database. If both samples of the biometric data match, authentication is confirmed. PINs Passwords A secret word or phrase that must be used to gain admission to something, a string of characters that allows access to a computer, interface, or system.

20 So if my password is not enough…
User IDs User identification (user ID) is a logical entity used to identify a user on a software, system, website or within any generic IT environment. It is used within any IT enabled system to identify and distinguish between the users who access or use it. A user ID may also be termed as username or user identifier. Smart Cards A plastic card with a built-in microprocessor, used typically for electronic processes such as financial transactions and personal identification.

21 So if my password is not enough…
How many factors should you use? The number of factors should be appropriate to risk Three factors is now a default minimum Factors should be from different categories Remote Access: User ID, Password, PIN, and Token generated security number

22 So if my password is not enough…
How many factors should you use? High Risk accounts: Admin Accounts with Remote Access 6 factors? User ID Password PIN Token generated security number Different ID Different Password

23 So if my password is not enough…
Security is a factor of Risk Companies should base factors of authentication based on determined risk of access Companies should have Data tied to risk

24 Top Breaches

25 Resources Checking to see if your account or domain has been compromised in a data breach

26 Questions?

27 References Slide 7, Lastpass for Enterprise, Marking Materials, 2017
Slide 9, strong-password-Hackers-crack-16-character-passwords-hour.html Slide 12, we-are-creatures-of-habit-grace-boyle/ Slide 16, Slide 19, authentication Slide 24, biggest-data-breaches-of-the-21st-century.html

Download ppt "Oh no! They hacked my password!!!"

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.

Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
Biometrics: Voice Recognition

Biometrics: Voice Recognition
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.

Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.
Federal Student Aid Identification username and password – this is how students and parents will sign the FAFSA application. The FSA ID process replaced.

Federal Student Aid Identification username and password – this is how students and parents will sign the FAFSA application. The FSA ID process replaced.
© 2005-07 NeoAccel, Inc. TWO FACTOR AUTHENTICATION Corporate Presentation.

© NeoAccel, Inc. TWO FACTOR AUTHENTICATION Corporate Presentation.
IT Security Essentials Lesley A. Bidwell, IT Security Administrator.

IT Security Essentials Lesley A. Bidwell, IT Security Administrator.
Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.

Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.
Password Security Everything (well… a lot, anyway) you didn’t know, or want to, but really actually need to.

Password Security Everything (well… a lot, anyway) you didn’t know, or want to, but really actually need to.
G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.

G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.
McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved INFORMATION SECURITY SECTION 4.2.

McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved INFORMATION SECURITY SECTION 4.2.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.

Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Password Security Review Your password is the last line of defense. Keep your data safe with good password practices. Mikio Olin Kevin Matteson.

Password Security Review Your password is the last line of defense. Keep your data safe with good password practices. Mikio Olin Kevin Matteson.

Similar presentations

Ads by Google