WEBVTT

00:00.000 --> 00:02.580
>> One of the more effective
security controls that we

00:02.580 --> 00:05.925
can implement into networks
is strong authentication.

00:05.925 --> 00:08.460
The job of authentication
is to force

00:08.460 --> 00:10.890
a user to prove their
claimed identity.

00:10.890 --> 00:12.795
I claim to be administrator.

00:12.795 --> 00:14.655
You can claim to be
anything you want.

00:14.655 --> 00:16.590
Now, I need you to prove it.

00:16.590 --> 00:18.650
Traditionally, we've
had three ways we

00:18.650 --> 00:20.790
proved our claim:
something I know,

00:20.790 --> 00:22.980
something I have, and
something you are.

00:22.980 --> 00:25.200
There's also something
you do and somewhere you

00:25.200 --> 00:27.330
are with GPS positioning
and tracking.

00:27.330 --> 00:30.030
We're even extending
the ways to prove it.

00:30.030 --> 00:32.760
The problem with that
is any single form

00:32.760 --> 00:34.605
of authentication
can be spoofed.

00:34.605 --> 00:37.230
We always want to combine
more than one factor.

00:37.230 --> 00:39.270
When we talk about
more than one factor,

00:39.270 --> 00:40.620
I don't mean two somethings you

00:40.620 --> 00:43.215
have like a driver's
license and a passport.

00:43.215 --> 00:45.055
That's not multi-factor.

00:45.055 --> 00:47.150
We want to combine
at least two types

00:47.150 --> 00:48.560
of authentication so that way,

00:48.560 --> 00:50.630
we can have a better
standard of proof.

00:50.630 --> 00:53.420
Multi-factor
authentication is best.

00:53.420 --> 00:55.325
Bullet point here at the bottom.

00:55.325 --> 00:58.670
Mutual authentication,
that's also desirable.

00:58.670 --> 01:00.920
Not only do I
authenticate to you,

01:00.920 --> 01:03.200
you authenticate back to me.

01:03.200 --> 01:05.675
For instance, you connect
to a banking server.

01:05.675 --> 01:07.340
We're used to that
banking server

01:07.340 --> 01:09.335
requesting our
username and password.

01:09.335 --> 01:12.200
We have to prove our identity
to the banking server.

01:12.200 --> 01:13.820
We also want that
banking server to

01:13.820 --> 01:14.720
prove its identity to

01:14.720 --> 01:17.449
us so that we know
it's not a rogue device,

01:17.449 --> 01:20.450
which is where digital
certificates come in.

01:21.220 --> 01:24.410
Most common is definitely
something you know.

01:24.410 --> 01:25.945
We use passwords.

01:25.945 --> 01:28.735
Traditionally, we've had
password best practices,

01:28.735 --> 01:30.200
including ideas like change

01:30.200 --> 01:32.015
your password on
a regular basis,

01:32.015 --> 01:33.875
use uppercase and lowercase,

01:33.875 --> 01:36.820
have alphanumeric,
non-alphanumeric.

01:36.820 --> 01:38.600
Not only do you change
your password every so

01:38.600 --> 01:41.480
often, but you also enforce
a password history.

01:41.480 --> 01:43.550
What's very interesting
about this is

01:43.550 --> 01:45.410
NIST and the gentlemen that

01:45.410 --> 01:47.750
specifically wrote
the NIST standards

01:47.750 --> 01:50.540
for passwords have essentially
come out and said,

01:50.540 --> 01:52.070
"All those ideas we've had in

01:52.070 --> 01:55.085
the past really are
not accurate today."

01:55.085 --> 01:57.770
What used to be very good
preventative controls for

01:57.770 --> 01:59.120
your passwords was based on

01:59.120 --> 02:00.890
the knowledge and
tools at the time.

02:00.890 --> 02:02.840
Right now, with the types of attacks

02:02.840 --> 02:04.520
that attackers are doing, upper,

02:04.520 --> 02:06.080
lowercase, alphanumeric,

02:06.080 --> 02:09.530
non-alphanumeric, these
don't matter anymore because

02:09.530 --> 02:11.150
their password
scanning programs are

02:11.150 --> 02:14.170
going to try all
those combinations.

02:14.170 --> 02:17.355
What makes passwords
harder today is length.

02:17.355 --> 02:19.775
As you add additional
length to your password,

02:19.775 --> 02:21.545
you add more entropy.

02:21.545 --> 02:23.120
You make it more difficult for

02:23.120 --> 02:24.594
an attacker to determine.

02:24.594 --> 02:26.360
We really have
made passwords very

02:26.360 --> 02:28.730
difficult for
ourselves to remember.

02:28.730 --> 02:30.690
How many times have you
gone to the same site,

02:30.690 --> 02:32.360
typed a password 3, 4,

02:32.360 --> 02:34.130
or 5 times, thought
you knew what it

02:34.130 --> 02:36.590
was and turns out it's a
password from another site?

02:36.590 --> 02:38.600
It can be very frustrating.

02:38.600 --> 02:40.160
What a lot of users do is they

02:40.160 --> 02:41.675
just write their passwords down,

02:41.675 --> 02:44.765
which, obviously, is
a security vulnerability.

02:44.765 --> 02:47.105
What we want is
longer passwords,

02:47.105 --> 02:50.070
not passwords that
are hard to remember.

02:50.150 --> 02:53.330
Something you have. If
you can't touch it,

02:53.330 --> 02:54.980
it's something you have.

02:54.980 --> 02:56.860
There are also other
non-tangible things

02:56.860 --> 02:58.790
that you would have
like a private key,

02:58.790 --> 03:01.990
digital certificates, or
cookies on your system.

03:01.990 --> 03:04.040
If you log on to a system and it

03:04.040 --> 03:05.945
says we don't recognize
your computer,

03:05.945 --> 03:08.390
that's because when you set
up your account initially,

03:08.390 --> 03:10.100
that web server put a cookie on

03:10.100 --> 03:13.250
your system that it looks
for each time you log in.

03:13.250 --> 03:14.990
That's one way of verifying

03:14.990 --> 03:16.940
your identity, with a cookie.

03:16.940 --> 03:17.990
A lot of times,

03:17.990 --> 03:20.510
we make this multi-factor
authentication as seamless

03:20.510 --> 03:22.160
as possible because
we don't want to

03:22.160 --> 03:24.200
annoy users and
pester them to death,

03:24.200 --> 03:27.245
but we do want that
multi-factor authentication.

03:27.245 --> 03:30.410
A lot of organizations are
using smartphones today.

03:30.410 --> 03:32.645
You go and log in
with the password.

03:32.645 --> 03:34.585
I'm going to send you
a code to your phone.

03:34.585 --> 03:35.880
The fact that you know

03:35.880 --> 03:37.875
the code proves to me
that you have a phone.

03:37.875 --> 03:39.625
It's fairly unobtrusive.

03:39.625 --> 03:43.630
If you have a password on
your phone, you get access.

03:44.270 --> 03:46.635
Other somethings you have.

03:46.635 --> 03:49.070
We used memory cards
for a long time.

03:49.070 --> 03:51.140
The memory card is
a magnetic strip on

03:51.140 --> 03:53.495
the back of our credit
cards without encryption.

03:53.495 --> 03:55.685
There's just stored
information on that strip

03:55.685 --> 03:59.135
and it's very easy to siphon
off those credit cards,

03:59.135 --> 04:00.965
very easy to clone
a credit card,

04:00.965 --> 04:03.110
and very easy to copy these.

04:03.110 --> 04:05.270
What you have in the
top illustration is

04:05.270 --> 04:06.650
a little shim that fits over

04:06.650 --> 04:08.390
the legitimate
credit card reader,

04:08.390 --> 04:10.520
and you can see it
can't even tell

04:10.520 --> 04:12.755
the difference. Then
you swipe your card.

04:12.755 --> 04:14.420
It's actually being
read by the shim,

04:14.420 --> 04:16.820
as well as being passed
along to the reader.

04:16.820 --> 04:19.940
Very easy to do credit card
theft, credit card fraud,

04:19.940 --> 04:21.260
billions of dollars a

04:21.260 --> 04:23.640
year are lost with
credit card theft.

04:23.640 --> 04:25.520
A deterrent for that or

04:25.520 --> 04:28.655
an alternative is to use
the PIN and chip system.

04:28.655 --> 04:30.320
These are smart cards.

04:30.320 --> 04:32.090
You can tell they're smart
cards because they have

04:32.090 --> 04:33.950
a processor on them.

04:33.950 --> 04:35.150
The idea is these could

04:35.150 --> 04:37.775
actually provide
three-factor authentication.

04:37.775 --> 04:40.010
You got the chip,
something you have;

04:40.010 --> 04:41.720
you know the PIN,
something you know.

04:41.720 --> 04:43.350
If you sign it on
the back and if

04:43.350 --> 04:44.690
the cashier checks
your signature

04:44.690 --> 04:45.830
or whoever takes the card,

04:45.830 --> 04:47.870
then you actually have
something you know,

04:47.870 --> 04:50.195
something you have,
and something you do

04:50.195 --> 04:51.500
or something you are just

04:51.500 --> 04:52.790
depending on the classification,

04:52.790 --> 04:54.890
how you classify signatures.

04:54.890 --> 04:56.630
That's not really
the way it works

04:56.630 --> 04:58.300
today because many times,

04:58.300 --> 05:00.245
cashiers don't check
the signature.

05:00.245 --> 05:01.595
Even if they glance at it,

05:01.595 --> 05:03.950
they're not really looking
for any similarities.

05:03.950 --> 05:06.050
A lot of times,
the vendor systems

05:06.050 --> 05:07.730
don't have the chip
reader enabled.

05:07.730 --> 05:09.140
When it comes right down to it,

05:09.140 --> 05:11.640
if that chip reader is disabled,

05:11.920 --> 05:14.390
then we just swipe our cards in

05:14.390 --> 05:17.140
the magnetic reader with
a magnetic strip again.

05:17.140 --> 05:18.920
We don't really get
all the benefits

05:18.920 --> 05:20.270
of the chip and PIN system

05:20.270 --> 05:21.650
because we don't
really enforce them

05:21.650 --> 05:24.290
the way that they
should be enforced.

05:24.770 --> 05:28.445
Now the third category,
something you are.

05:28.445 --> 05:30.920
This used to be considered
something you are,

05:30.920 --> 05:32.300
and the biometrics included

05:32.300 --> 05:35.350
both physiological and
behavioral traits.

05:35.350 --> 05:38.490
Behavioral traits are how
I walk, talk, and type,

05:38.490 --> 05:41.435
but now they've moved that
to its own category,

05:41.435 --> 05:43.070
which is something you do.

05:43.070 --> 05:45.140
Now when we talk about
something you are,

05:45.140 --> 05:48.155
it's just your physiological
traits: palm scan,

05:48.155 --> 05:50.435
thumbprint, iris
scan, retina scan.

05:50.435 --> 05:51.770
Whatever those traits are,

05:51.770 --> 05:53.240
how well you match
to those traits

05:53.240 --> 05:56.125
determines whether or
not you gain access.

05:56.125 --> 05:58.275
Now somewhere you are.

05:58.275 --> 06:01.020
Because of GPS tracking
and positioning,

06:01.020 --> 06:03.540
the fact that I'm in
Kelly Handerhan's house

06:03.540 --> 06:05.385
proves that I'm Kelly Handerhan.

06:05.385 --> 06:08.615
Again, we still want to combine
that with multi-factor,

06:08.615 --> 06:11.440
other factors for
authentication.

06:11.440 --> 06:13.555
Then there's something you do.

06:13.555 --> 06:16.775
Like I said, how I perform
certain activities.

06:16.775 --> 06:18.140
Some cell phones don't have

06:18.140 --> 06:20.090
a PIN to open up
the lock screen;

06:20.090 --> 06:22.970
instead you have a swipe
pattern in a certain way.

06:22.970 --> 06:25.160
There are all sorts of little
quirks that are unique

06:25.160 --> 06:26.960
to us, and how we walk or sign

06:26.960 --> 06:29.000
a document or how
we type our names

06:29.000 --> 06:32.160
can be good identifiers
of an individual.

06:32.380 --> 06:34.700
The thing about biometrics

06:34.700 --> 06:37.325
specifically is we have
issues with false positives

06:37.325 --> 06:39.830
and false negatives or
what's really better

06:39.830 --> 06:43.055
referred to as false acceptance
and false rejections.

06:43.055 --> 06:44.930
Let's say that I've
decided to use

06:44.930 --> 06:47.420
my thumbprint for
access to my laptop.

06:47.420 --> 06:49.730
I've got sensitive
information on there,

06:49.730 --> 06:51.470
so I want to make
sure nobody that

06:51.470 --> 06:54.055
shouldn't get access
gets onto my system.

06:54.055 --> 06:56.975
I provide my thumbprint and
I require the match to be

06:56.975 --> 06:58.250
100 percent accurate before

06:58.250 --> 07:00.170
letting someone onto the system.

07:00.170 --> 07:03.365
Well, I'm not going to
be 100 percent accurate,

07:03.365 --> 07:06.080
different pressure, different
way I roll my thumb,

07:06.080 --> 07:08.825
could be scratches or
dust on my fingerprints.

07:08.825 --> 07:11.450
If I require such a
high match before

07:11.450 --> 07:14.090
letting anyone into
the system,

07:14.090 --> 07:16.700
I'm going to be locked
out over and over.

07:16.700 --> 07:18.590
That's a lot of
administrative hassle

07:18.590 --> 07:20.585
and it's very frustrating.

07:20.585 --> 07:23.300
I'm tired of being locked
out of my own system.

07:23.300 --> 07:26.090
You know what, anybody
with a thumb can get in.

07:26.090 --> 07:27.410
Well, the problem
there is there'll be

07:27.410 --> 07:28.744
false acceptances.

07:28.744 --> 07:30.380
People that
shouldn't be allowed

07:30.380 --> 07:32.065
in are going to be allowed in.

07:32.065 --> 07:34.730
What you're going to find
is that false acceptances

07:34.730 --> 07:37.280
and false rejections
are inversely related.

07:37.280 --> 07:40.285
As one goes up, the other
goes down, and vice versa.

07:40.285 --> 07:42.440
There will be a point where
the two of them meet.

07:42.440 --> 07:45.170
That point is called the
crossover error rate.

07:45.170 --> 07:50.015
That's how the accuracy of
the system is assessed.

07:50.015 --> 07:53.870
Where the FRR meets
the FAR is the CER.

07:53.870 --> 07:56.375
That's just for those of
you that like letters.

07:56.375 --> 07:58.640
Otherwise, where your
false acceptances

07:58.640 --> 08:00.350
meets your false rejections,

08:00.350 --> 08:02.330
that's called the
crossover error rate,

08:02.330 --> 08:04.625
and that indicates
the sensitivity

08:04.625 --> 08:07.470
or the accuracy of the system.

08:07.990 --> 08:11.810
Other things to think about
with biometrics are cost.

08:11.810 --> 08:14.600
Does it warrant a high-end
biometrics solution?

08:14.600 --> 08:16.810
Also, user acceptance.

08:16.810 --> 08:18.650
Users are not 100 percent

08:18.650 --> 08:20.885
comfortable with all
forms of biometrics.

08:20.885 --> 08:22.400
Still to this day, if I say,

08:22.400 --> 08:24.875
"Hey, I got my thumbprint
taken yesterday."

08:24.875 --> 08:26.780
The first question is
did you have to go

08:26.780 --> 08:28.610
downtown? Were you speeding?

08:28.610 --> 08:30.950
What was going on?
We tend to still

08:30.950 --> 08:32.480
associate being thumbprinted

08:32.480 --> 08:34.550
or fingerprinted with crimes.

08:34.550 --> 08:36.170
We feel like they're
very intrusive

08:36.170 --> 08:37.340
into our personal space.

08:37.340 --> 08:40.130
If the biometrics
get compromised,

08:40.130 --> 08:41.465
you can't revoke them.

08:41.465 --> 08:44.060
If my password gets
lost or compromised,

08:44.060 --> 08:45.800
I can revoke that password,

08:45.800 --> 08:47.825
get issued a new one,
and I'm good to go.

08:47.825 --> 08:50.075
If my thumbprint is compromised,

08:50.075 --> 08:51.935
not much I can do about that.

08:51.935 --> 08:54.475
There are other issues
like enrollment time.

08:54.475 --> 08:55.950
Biometrics are the best

08:55.950 --> 08:57.740
of the single-factor
authentication,

08:57.740 --> 09:00.455
but there are definitely
drawbacks to them as well.

09:00.455 --> 09:03.515
Even if you decide the pros
outweigh the drawbacks,

09:03.515 --> 09:05.600
don't forget it should just be

09:05.600 --> 09:09.275
implemented as one part
of a multi-factor system.

09:09.275 --> 09:12.500
Of course, our multi-factor
systems are going to

09:12.500 --> 09:15.110
combine more than one
type: something you know,

09:15.110 --> 09:16.985
something you have,
something you are,

09:16.985 --> 09:19.150
something you do,
somewhere you are.

09:19.150 --> 09:20.750
You have to have that because

09:20.750 --> 09:24.450
any single means of
authentication can be spoofed.
