Business Contingency and Continuity Program (BCCP)

Oh no! They hacked my password!!!

Jerry Wynne, CISA, CISSP, CRISC
Vice President of Security, CISO

Disclaimer

This document and any oral presentation accompanying it are not intended/should not be taken as necessarily representing the policies, opinions, and/or views of Noridian Mutual Insurance Company, Blue Cross Blue Shield of North Dakota, Noridian Healthcare Solutions, any of their component services, or any other affiliated companies. This document and any oral presentation accompanying it has been prepared in good faith. However, no express or implied warranty is given as to the accuracy or completeness of the information in this document or the accompanying presentation.

Agenda

- Who am I?
- Breach after Breach after Breach
- It's a numbers game
- Cracking a password
- What is the value?
- Creatures of Habit
- Collision of Facts
- So, if my password is not enough...

Who am I?

- Currently employed by Noridian Mutual Insurance Company
  - DBA: Blue Cross Blue Shield of North Dakota, an independent licensee of the Blue Cross Blue Shield Association
  - DBA: Noridian Healthcare Solutions
  - Assisting three other healthcare plans with security
- Vice President of Security, Chief Information Security Officer (CISO)
- Responsible for both electronic and physical security
  - 3,200 employees, 15+ locations coast to coast
  - Staff of 70+ physical and electronic security professionals
- Certifications include:
  - Certified Information Systems Auditor (CISA)
  - Certified Information Systems Security Professional (CISSP)
  - Certified in Risk and Information Systems Control (CRISC)
- Over twenty years' experience in electronic security, with over fifteen years of leadership in electronic security

Breach after Breach after Breach

The password breaches keep coming and coming:

- 2013 Yahoo data breach: over 1 billion passwords breached
- 2015 LinkedIn breach: 115 million passwords breached
- 2017 Cloudflare breach: includes Uber, Fitbit, OKCupid among 3,400 websites; unknown number of passwords; users are urged to update all passwords

It's a numbers game

- Total population of USA: 323 million
- Total population of world: 7.5 billion
- Approximate total number of passwords stolen in 2016 alone: 4.2 billion

So, if passwords were just stolen from Americans, every American would have lost 13 passwords in 2016. If passwords were stolen from everyone in the world, every other person in the world has had a password stolen in 2016!

Cracking a password

From the UK Daily Mail, 2013:

"A team of hackers has managed to crack more than 14,800 supposedly random passwords - from a list of 16,449 - as part of a hacking experiment for a technology website. The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster. The hackers also managed to crack 16-character passwords including 'qeadzcwrsfxv1331'. Rather than repeatedly entering passwords into a website, the hackers used a list of hashed passwords they managed to get online. In several cases they identified the user, used plain text passwords and created a hash from the plain text password."

From the 2016 Verizon report:

Verizon found that 63% of confirmed data breaches involved leveraging weak, stolen or default passwords. Further, the 2018 Verizon report found that 93% of data breaches occurred within minutes, while 63% weren't discovered for months.

What is the value of these passwords?

So many passwords have been stolen and resold/published that:

- It is estimated that enough passwords have been stolen that at least the equivalent of two passwords for every computer user have been stolen
- Billions of passwords and user codes are available for free on the dark web
- Passwords and user codes are only worth money when they have just recently been stolen and news of the theft has not been made public

Creatures of Habit

Grace Boyle (an online blogger) summed up creatures of habit in a guest article where she wrote:

"We are creatures of habit. We find comfort in regularity. When something out of the ordinary comes along, forces us to dig deep and make a U-turn instead of keep going straight, it's jarring. All of a sudden the comfort and familiarity are gone and we're alone, not quite sure what to do next."

- People reuse passwords
- Most software does not stop this from happening
- Reused passwords typically only vary slightly
- No software can stop password reuse on different systems

Creatures of Habit

More reasons users reuse passwords:

- Typical password policies that state things like: you must have at least 10-12 characters with letters (upper and lower case), numbers and special characters
- Time restrictions like forced resets every 30 days
- Some websites won't let you paste your password in; you have to type it

Collision of Facts

Facts:

- People reuse passwords
- Everyone leaves some type of digital fingerprint (social media)

- Billions of passwords are available for free on the dark web

So if my password is not enough

Definition: Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism, typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.

So if my password is not enough

Understanding slang versus fact:

- What is multifactor authentication?
- Is user code / password multifactor authentication? Why or why not?
- However, how is multifactor authentication typically defined? Typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

So if my password is not enough

Some options for multifactor authentication include but are not limited to:

- Hard tokens
- Soft tokens
- Biometrics
- PINs
- Passwords
- User IDs
- Smart cards

So if my password is not enough

Hard tokens: Hard tokens (also known as hardware tokens, security tokens, authentication tokens) are a common method of deploying two-factor authentication (2FA), popularized by RSA in the late 80s / early 90s.

Soft tokens: A software token (a.k.a. soft token) is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated.

So if my password is not enough

Biometrics: Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who he says he is. Biometric authentication systems compare a biometric data capture to stored, confirmed authentic data in a database. If both samples of the biometric data match, authentication is confirmed.

PINs

Passwords: A secret word or phrase that must be used to gain admission to something; a string of characters that allows access to a computer, interface, or system.

So if my password is not enough

User IDs: User identification (user ID) is a logical entity used to identify a user on a software, system, website or within any generic IT environment. It is used within any IT-enabled system to identify and distinguish between the users who access or use it. A user ID may also be termed a username or user identifier.

Smart cards: A plastic card with a built-in microprocessor, used typically for electronic processes such as financial transactions and personal identification.

So if my password is not enough

How many factors should you use?

- The number of factors should be appropriate to risk
- Three factors is now a default minimum
- Factors should be from different categories
- Remote access: user ID, password, PIN, and token-generated security number

So if my password is not enough

How many factors should you use?

High-risk accounts: admin accounts with remote access. 6 factors?

- User ID
- Password
- PIN
- Token-generated security number
- Different ID
- Different password
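The "slang versus fact" question above (is user code plus password multifactor?) and the rule that factors should come from different categories can both be checked mechanically. The Python below is an added example, not code from the presentation or from Noridian: it maps the factor types listed on the slides to the three categories from the MFA definition, answers the user-code/password question by counting distinct categories rather than factors, and checks a login against risk tiers. The category mapping (user IDs and PINs treated as knowledge factors), the tier names, and the "standard" tier are assumptions; the remote-access and high-risk tiers use the factor counts the slides give.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three factor categories from the MFA definition on the slides."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed mapping of the slides' factor types to a category. A user ID and a
# PIN are things you know, so they add no category beyond a password.
FACTOR_CATEGORY = {
    "user_id": Category.KNOWLEDGE,
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "hard_token": Category.POSSESSION,
    "soft_token": Category.POSSESSION,
    "smart_card": Category.POSSESSION,
    "biometric": Category.INHERENCE,
}


@dataclass(frozen=True)
class Tier:
    """Minimum factor count and distinct categories required for a risk tier."""
    name: str
    min_factors: int
    min_categories: int


# Hypothetical risk tiers. "standard" uses the slides' three-factor default
# minimum; "remote_access" (4) and "admin_remote" (6) use the slides' lists.
TIERS = {
    "standard": Tier("standard", 3, 2),
    "remote_access": Tier("remote_access", 4, 2),
    "admin_remote": Tier("admin_remote", 6, 2),
}


def categories_of(factors):
    """Return the set of distinct categories covered by a list of factor types."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown factor type(s): {unknown}")
    return {FACTOR_CATEGORY[f] for f in factors}


def is_multifactor(factors):
    """True only if the factors span at least two categories.

    User ID + password + PIN is three factors but one category, so it is not MFA.
    """
    return len(categories_of(factors)) >= 2


def evaluate(tier_name, factors):
    """Check presented factors against a tier; return (ok, list of failure reasons)."""
    tier = TIERS[tier_name]
    reasons = []
    if len(factors) < tier.min_factors:
        reasons.append(f"{len(factors)} factor(s) presented, {tier.min_factors} required")
    cats = categories_of(factors)
    if len(cats) < tier.min_categories:
        reasons.append(f"{len(cats)} category(ies) covered, {tier.min_categories} required")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample logins, not real accounts.
    samples = [
        ("standard", ["user_id", "password"]),
        ("standard", ["user_id", "password", "pin"]),
        ("standard", ["user_id", "password", "soft_token"]),
        ("remote_access", ["user_id", "password", "pin", "hard_token"]),
        ("admin_remote", ["user_id", "password", "pin", "hard_token"]),
        ("admin_remote", ["user_id", "password", "pin", "hard_token", "user_id", "password"]),
    ]
    for tier_name, factors in samples:
        ok, reasons = evaluate(tier_name, factors)
        verdict = "PASS" if ok else "FAIL: " + "; ".join(reasons)
        print(f"{tier_name:14} {factors} -> {verdict}")
```

The second sample is the one worth noticing: three knowledge factors satisfy the count but not the category rule, which is exactly why user code plus password is not multifactor authentication by the definition quoted above.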

So if my password is not enough

Security is a factor of risk:

- Companies should base factors of authentication on the determined risk of access
- Companies should have data tied to risk

Top Breaches

Resources

Checking to see if your account or domain has been compromised in a data breach: https://haveibeenpwned.com/

Questions? [email protected]

References

- Slide 7: LastPass for Enterprise, Marketing Materials, 2017
- Slide 9: http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html
- Slide 12: http://www.lifewithoutpants.com/theinconvenience-of-change-we-are-creatures-of-habit-graceboyle/
- Slide 16: https://en.wikipedia.org/wiki/Multi-factor_authentication
- Slide 19: http://searchsecurity.techtarget.com/definition/biometric-authentication
- Slide 24: https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21stcentury.html
