Business Contingency and Continuity Program (BCCP)


Oh no! They hacked my password!!!
Jerry Wynne, CISA, CISSP, CRISC
Vice President of Security, CISO

Disclaimer
This document and any oral presentation accompanying it are not intended and should not be taken as necessarily representing the policies, opinions, and/or views of Noridian Mutual Insurance Company, Blue Cross Blue Shield of North Dakota, Noridian Healthcare Solutions, any of their component services, or any other affiliated companies. This document and any oral presentation accompanying it have been prepared in good faith. However, no express or implied warranty is given as to the accuracy or completeness of the information in this document or the accompanying presentation.

Agenda
- Who am I?
- Breach after Breach after Breach
- It's a numbers game
- Cracking a password
- What is the value?
- Creatures of Habit
- Collision of Facts
- So, if my password is not enough...

Who am I?
- Currently employed by Noridian Mutual Insurance Company
  - DBA: Blue Cross Blue Shield of North Dakota, an independent licensee of the Blue Cross Blue Shield Association
  - DBA: Noridian Healthcare Solutions
- Assisting three other healthcare plans with security
- Vice President of Security, Chief Information Security Officer (CISO)
- Responsible for both electronic and physical security
- 3200 employees, 15+ locations coast to coast
- Staff of 70+ physical and electronic security professionals
- Certifications include:
  - Certified Information Systems Auditor (CISA)
  - Certified Information Systems Security Professional (CISSP)
  - Certified in Risk and Information Systems Control (CRISC)
- Over twenty years of experience in electronic security, with over fifteen years of leadership in electronic security

Breach after Breach after Breach
The password breaches keep coming and coming:
- 2013 Yahoo data breach: over 1 billion passwords breached
- 2015 LinkedIn: 115 million passwords breached
- 2017 Cloudflare breach: includes Uber, Fitbit, OKCupid among 3,400 websites; unknown number of passwords; users are urged to update all passwords

It's a numbers game
- Total population of USA: 323 million
- Total population of world: 7.5 billion
- Approximate total number of passwords stolen in 2016 alone: 4.2 billion
- So, if passwords had been stolen only from Americans, every American would have lost 13 passwords in 2016
- If passwords were stolen from everyone in the world, every other person in the world has had a password stolen in 2016!

Cracking a password
From the UK Daily Mail, 2013:
"A team of hackers has managed to crack more than 14,800 supposedly random passwords - from a list of 16,449 - as part of a hacking experiment for a technology website. The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster. The hackers also managed to crack 16-character passwords including 'qeadzcwrsfxv1331'."
- Rather than repeatedly entering passwords into a website, the hackers used a list of hashed passwords they managed to get online
- In several cases they identified the user, used plain-text passwords, and created a hash from the plain-text password

Cracking a password
From the 2016 Verizon report: Verizon found that 63% of confirmed data breaches involved leveraging weak, stolen or default passwords.
Further, the 2018 Verizon report found that 93% of data breaches occurred within minutes, while 63% weren't discovered for months.
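The cracking slide above turns on one detail: the attackers had a list of stored hashes and could hash a plain-text guess once, then compare it against every record. The following Python is an added example, not part of the presentation, that shows the storage-side reason this works and the defender's fix. With a fast, unsalted digest, every account using the same password stores the same value, so one computed hash confirms all of them; with a random per-user salt and a deliberately slow PBKDF2 digest, each record is unique and each guess costs hundreds of thousands of iterations. The sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the presentation): two users happen to
# share the same password, which is the situation the slide describes.
SAMPLE_USERS = {
    "alice": "Summer2016!",
    "bob": "Summer2016!",
    "carol": "correct horse battery staple",
}

# OWASP's current PBKDF2-HMAC-SHA256 recommendation; lowered only for quick runs.
DEFAULT_ITERATIONS = 600_000


def unsalted_store(users):
    """Legacy scheme: one fast, unsalted digest per account.

    The digest depends only on the password, so a hash computed once from a
    plain-text guess can be compared against every record in the export."""
    return {name: hashlib.sha1(pw.encode()).hexdigest() for name, pw in users.items()}


def matches_across_store(digests, guess):
    """Names of unsalted records that a single computed hash of `guess` confirms."""
    guess_digest = hashlib.sha1(guess.encode()).hexdigest()
    return [name for name, digest in digests.items() if digest == guess_digest]


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Store a random per-user salt alongside a deliberately slow PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def salted_store(users, iterations=DEFAULT_ITERATIONS):
    return {name: hash_password(pw, iterations) for name, pw in users.items()}


def users_sharing_a_digest(digests):
    """Count accounts whose stored digest also appears under another account.

    A non-zero result on a stored-hash export is a quick audit signal that the
    scheme is unsalted: one cracked value unlocks every account in the group."""
    counts = {}
    for digest in digests.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(1 for digest in digests.values() if counts[digest] > 1)


if __name__ == "__main__":
    legacy = unsalted_store(SAMPLE_USERS)
    print("unsalted: accounts sharing a digest =", users_sharing_a_digest(legacy))
    print("unsalted: one hash of 'Summer2016!' confirms", matches_across_store(legacy, "Summer2016!"))
    salted = salted_store(SAMPLE_USERS, iterations=100_000)
    print("salted: accounts sharing a digest =",
          users_sharing_a_digest({n: r["hash"] for n, r in salted.items()}))
    print("salted: alice verifies =", verify_password(salted["alice"], "Summer2016!"))
```

Running `users_sharing_a_digest` over a real credential export is a cheap way to confirm whether a legacy system is storing unsalted hashes before deciding how urgently to migrate it.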

What is the value of these passwords?
So many passwords have been stolen and resold or published that:
- It is estimated that enough passwords have been stolen that at least the equivalent of two passwords for every computer user have been stolen
- Billions of passwords and user codes are available for free on the dark web
- Passwords and user codes are only worth money when they have just recently been stolen and news of the theft has not been made public
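The free availability of leaked password lists described above, together with the point made on the following slides that reused passwords typically vary only slightly, gives a defender two checks to run when a user changes a password. The Python below is an added example, not from the presentation: it indexes a constructed stand-in for a breached-password corpus by SHA-1 prefix (the layout used by the Have I Been Pwned Pwned Passwords range API, kept local here so the candidate never leaves the host) and rejects a new password that is a small edit of the old one. The length and similarity thresholds are assumptions of this example.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (not real leak data).
LEAKED_PASSWORDS = ["Summer2016!", "password", "Winter2017!", "qwerty123", "letmein"]


def build_pwned_index(leaked):
    """Index leaked passwords as {sha1 prefix (5 hex chars): {suffix: count}}.

    This mirrors the range layout of the Pwned Passwords API so the same lookup
    code works against a locally held corpus or a fetched range response."""
    index = {}
    for pw in leaked:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        prefix, suffix = digest[:5], digest[5:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def times_seen_in_breaches(index, password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return index.get(digest[:5], {}).get(digest[5:], 0)


def levenshtein(a, b):
    """Edit distance; a small value means `b` is `a` with a tweak (Winter2017 -> Winter2018)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password_change(old, new, index, min_length=10, max_similarity=2):
    """Return (accepted, reason). Thresholds are assumptions of this example.

    The old password is available at change time because the user must present
    it, so the similarity check needs no stored plain text."""
    if len(new) < min_length:
        return False, f"shorter than {min_length} characters"
    if levenshtein(old.casefold(), new.casefold()) <= max_similarity:
        return False, "too similar to the previous password"
    seen = times_seen_in_breaches(index, new)
    if seen:
        return False, f"appears in breached-password data ({seen} time(s))"
    return True, "accepted"


if __name__ == "__main__":
    index = build_pwned_index(LEAKED_PASSWORDS)
    for candidate in ["Winter2018!", "Summer2016!", "Tr0ub4dor", "correct horse battery staple"]:
        print(candidate, "->", check_password_change("Winter2017!", candidate, index))
```

The order of the checks matters in practice: the similarity test catches the "bump the year" habit the slides describe before the breach lookup runs, and the breach lookup catches the case where the user switches to a different but already-leaked password.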

Creatures of Habit
Grace Boyle (an online blogger) summed up creatures of habit in a guest article where she wrote:
"We are creatures of habit. We find comfort in regularity. When something out of the ordinary comes along, forces us to dig deep and make a U-turn instead of keep going straight, it's jarring. All of a sudden the comfort and familiarity are gone and we're alone, not quite sure what to do next."
- People reuse passwords
- Most software does not stop this from happening
- Reused passwords typically only vary slightly
- No software can stop password reuse on different systems

Creatures of Habit
More reasons users reuse passwords:
- Typical password policies that state things like: you must have at least 10-12 characters with letters (upper and lower case), numbers, and special characters
- Time restrictions like forced resets every 30 days
- Some websites won't let you paste your password in; you have to type it

Collision of Facts
Facts:
- People reuse passwords
- Everyone leaves some type of digital fingerprint (social media)

- Billions of passwords are available for free on the dark web

So, if my password is not enough
Definition: Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism, typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.

So, if my password is not enough
Understanding slang versus fact:
- What is multifactor authentication?
- Is user code / password multifactor authentication? Why or why not?
- However, how is multifactor authentication typically defined? Typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

So, if my password is not enough
Some options for multifactor authentication include but are not limited to:
- Hard tokens
- Soft tokens

- Biometrics
- PINs
- Passwords
- User IDs
- Smart cards

So, if my password is not enough
Hard tokens: Hard tokens (also known as hardware tokens, security tokens, authentication tokens) are a common method of deploying two-factor authentication (2FA), popularized by RSA in the late 80s / early 90s.
Soft tokens: A software token (a.k.a. soft token) is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated.

So, if my password is not enough
Biometrics: Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who he says he is. Biometric authentication systems compare a biometric data capture to stored, confirmed authentic data in a database. If both samples of the biometric data match, authentication is confirmed.
PINs / Passwords: A secret word or phrase that must be used to gain admission to something; a string of characters that allows access to a computer, interface, or system.

So, if my password is not enough
User IDs: User identification (user ID) is a logical entity used to identify a user on a software, system, website or within any generic IT environment. It is used within any IT-enabled system to identify and distinguish between the users who access or use it. A user ID may also be termed a username or user identifier.
Smart cards: A plastic card with a built-in microprocessor, used typically for electronic processes such as financial transactions and personal identification.

So, if my password is not enough
How many factors should you use?
- The number of factors should be appropriate to risk
- Three factors are now a default minimum
- Factors should be from different categories
- Remote access: User ID, password, PIN, and token-generated security number

So, if my password is not enough
How many factors should you use?
High-risk accounts: admin accounts with remote access. 6 factors?
- User ID
- Password
- PIN
- Token-generated security number
- Different ID
- Different password
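The two slides above list authenticators for remote access and for high-risk admin accounts, and the deck's own rule is that factors should come from different categories (knowledge, possession, inherence). The Python below is an added example, not from the presentation, that applies that rule to those lists: it maps each listed item to its category, counts factors and distinct categories, and checks them against an assumed risk tier. Treating a user ID as an identifier that names the account rather than a secret factor, and the per-tier minimums, are assumptions of this example; the deck itself only states a three-factor default minimum.

```python
# Category of each authenticator named on the slides, using the presentation's
# MFA definition. "identifier" is this example's assumption for user IDs: they
# name the account but are not a secret, so they are not counted as a factor.
CATEGORY = {
    "user id": "identifier",
    "different id": "identifier",
    "password": "knowledge",
    "different password": "knowledge",
    "pin": "knowledge",
    "hard token": "possession",
    "soft token": "possession",
    "token generated security number": "possession",
    "smart card": "possession",
    "biometric": "inherence",
}

ALL_CATEGORIES = {"knowledge", "possession", "inherence"}

# Assumed risk tiers. The slide gives "three factors" as the default minimum and
# says factors should span categories; the category counts here are this example's choice.
RISK_POLICY = {
    "standard": {"min_factors": 3, "min_categories": 2},
    "high": {"min_factors": 3, "min_categories": 3},
}


def evaluate_factors(presented, tier="standard"):
    """Summarise a list of authenticators against the tier's policy.

    Returns factor count, the distinct categories covered, any items the table
    does not know, the categories still missing, and a pass/fail verdict."""
    policy = RISK_POLICY[tier]
    by_category = {}
    unknown = []
    for item in presented:
        cat = CATEGORY.get(" ".join(item.casefold().split()))
        if cat is None:
            unknown.append(item)
        elif cat != "identifier":
            by_category.setdefault(cat, []).append(item)
    n_factors = sum(len(items) for items in by_category.values())
    return {
        "factors": n_factors,
        "categories": sorted(by_category),
        "unknown": unknown,
        "missing": sorted(ALL_CATEGORIES - set(by_category)),
        "meets_policy": (
            n_factors >= policy["min_factors"]
            and len(by_category) >= policy["min_categories"]
        ),
    }


REMOTE_ACCESS = ["User ID", "Password", "PIN", "Token generated security number"]
ADMIN_REMOTE = REMOTE_ACCESS + ["Different ID", "Different Password"]

if __name__ == "__main__":
    print("remote access, standard tier:", evaluate_factors(REMOTE_ACCESS))
    print("admin remote, high tier:", evaluate_factors(ADMIN_REMOTE, "high"))
    print("admin remote + biometric, high tier:",
          evaluate_factors(ADMIN_REMOTE + ["Biometric"], "high"))
```

The useful output is the `missing` list: the six-item admin list counts four secret factors but only two categories, so under the high tier it fails until an inherence factor such as a biometric is added, which is exactly what "factors should be from different categories" means in practice.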

So, if my password is not enough
Security is a factor of risk:
- Companies should base factors of authentication on the determined risk of access
- Companies should have data tied to risk

Top Breaches

Resources
Checking to see if your account or domain has been compromised in a data breach: https://haveibeenpwned.com/

Questions?
[email protected]

References
- Slide 7: LastPass for Enterprise, Marketing Materials, 2017
- Slide 9: http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html
- Slide 12: http://www.lifewithoutpants.com/theinconvenience-of-change-we-are-creatures-of-habit-graceboyle/
- Slide 16: https://en.wikipedia.org/wiki/Multi-factor_authentication
- Slide 19: http://searchsecurity.techtarget.com/definition/biometric-authentication
- Slide 24: https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21stcentury.html
