Episode 40
Implementing Phishing Resistant Multifactor Authentication
The Cybersecurity and Infrastructure Security Agency (CISA) recently (Oct 31, 2022) released fact sheets urging all organizations to implement phishing-resistant multi-factor authentication (MFA). In this episode, George Gerchow, Chief Security Officer and Senior Vice President of IT, Sumo Logic, and I have an in-depth discussion on this very important security subject matter. The scope of coverage ranges from providing an overview of MFA and its benefits to discussing the challenges and hurdles of implementing phishing-resistant MFA, recommended implementation approaches, and the future of MFA.
Time Stamps
01:53 -- Please share with listeners some highlights of your professional journey.
02:51 -- Please provide listeners with an overview of what multifactor authentication is.
03:52 -- A recently published article on Dark Reading reports that a massive phishing campaign targeting GitHub users convinced at least one developer at Dropbox to enter in their credentials and the two-factor authentication code, leading to the theft of at least 130 software code repositories. Essentially, the perpetrators exploited the multi-factor authentication fatigue. George, your reactions.
06:51 -- You said that many organizations don't even have multifactor authentication. That begs the question, why is that the case? Is there a technology aspect to it, a technological complexity of having multifactor authentication integrated into existing legacy systems? Is there a cost aspect to it, is it very expensive? What does your experience tell you?
08:30 -- From personal experience, I haven't felt the fatigue. Even if I had to review several times or take that extra step to authenticate, I would because I am paranoid about ensuring that access is very secure. So I have brought about a change in my own mindset. I'm just curious to know if organizations are striving to bring about a change in the multifactor authentication mindset. What are your thoughts?
12:23 -- As humans, it is our natural tendency to assume, Oh, it's not going to happen to me. And if it does, we'll deal with it then. And I know that organizations also often have that mindset, some organizations know they will get bailed out. George, what are your thoughts?
22:21 -- Would you like to expand on how organizations go about implementing phishing-resistant MFA? What solutions are available out there?
25:09 -- George, I read about this FIDO authentication, the FIDO Alliance, where they have developed this protocol to enable phishing-resistant authentication. Can you expand on that?
26:50 -- During our planning meeting, you made a couple of very poignant statements, one of which is, "leaders should create a culture where employees feel they can slow down for the sake of security." Help tie this to our discussion on multifactor authentication.
30:44 -- Going back to this multi-factor authentication fatigue, is there really a fatigue? Or is it being hyped up? What's the real story?
35:33 -- George, I'd like to give you the opportunity to share some final words, some key messages for the listeners.
Memorable George Gerchow Quotes/Statements
"Absolute laziness is really what it comes down to in the beginning; I don't want to disrupt my organization by having them go through this extra step."
"Development organizations that are heavy with startups, the developers do not want to take that extra step. Sometimes executives are also unwilling to follow through with that extra authentication step -- Do I really have to do this? I know it's a policy, but can't I get around this? And the answer should be flat-out No, under any circumstances."
"Whenever you can help your employees, the people that work for your company, do something that not only benefits the company but also benefits them personally, the better off the organization is going to be."
"The two things that most hackers go after are health and wealth."
"Like, how cool would it be if you got into a car and went to start the engine, and the engine wouldn't even start unless you had the seatbelt on?"
"One-time code (OTC) is the way to go when implementing phishing-resistant multi-factor authentication. And let's ensure we implement MFA around critical applications, users, and data."
"I'm sorry, sometimes you (developers) need to be slowed down. What if we drove on the road with absolutely no speed limits whatsoever? We create all kinds of damage. So I just think that there's this perception, this emotional transition Dr. Dave that people have to make, and we have to help them get there."
"You need technology to back up the policy because people are people, and people will try to circumvent things a lot of times if they know there's no accountability."
"A lot of times, security used to be looked at as a business inhibitor, mow it's a business enabler. People will want to do business with you when you have really good security hygiene in place, especially as we're looking at supply chain attacks that we've seen over and over again over the last few years."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712
Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/
Transcript
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Introducer:the book Cybersecurity Readiness: A Holistic and
Introducer:High-Performance Approach, a SAGE publication. He has been
Introducer:studying cybersecurity for over a decade, authored and edited
Introducer:scholarly papers, delivered talks, conducted webinars and
Introducer:workshops, consulted with companies and served on a
Introducer:cybersecurity SWAT team with Chief Information Security
Introducer:officers. Dr. Chatterjee is Associate Professor of
Introducer:Management Information Systems at the Terry College of
Introducer:Business, the University of Georgia. As a Duke University
Introducer:Visiting Scholar Dr. Chatterjee has taught in the Master of
Introducer:Engineering in Cybersecurity program at the Pratt School of
Introducer:Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. Our discussion today will focus on phishing
Dr. Dave Chatterjee:resistant multifactor authentication. Recently, CISA,
Dr. Dave Chatterjee:the Cybersecurity and Infrastructure Security Agency,
Dr. Dave Chatterjee:released two factsheets highlighting threats against
Dr. Dave Chatterjee:accounts and systems. CISA strongly urges all organizations
Dr. Dave Chatterjee:to implement phishing resistant MFA. MFA stands for multifactor
Dr. Dave Chatterjee:authentication to protect against phishing, and other
Dr. Dave Chatterjee:known cyber threats. I'm delighted to welcome George
Dr. Dave Chatterjee:Gerchow, Chief Security Officer and Senior Vice President of
Dr. Dave Chatterjee:Information Technology at Sumo Logic to share his thoughts and
Dr. Dave Chatterjee:perspectives on this very important security subject
Dr. Dave Chatterjee:matter. Welcome, George.
George Gerchow:Thanks for having me. Dr. Dave. It's a
George Gerchow:pleasure to be here.
Dr. Dave Chatterjee:So George, before we get into the details
Dr. Dave Chatterjee:of multifactor authentication, its strengths,weaknesses, let's
Dr. Dave Chatterjee:talk about you a litte bit. Please share with listeners some
Dr. Dave Chatterjee:highlights of your professional journey.
George Gerchow:You're gonna make me blush. I've been lucky
George Gerchow:Dr. Dave to have had two different roles. A role to a
George Gerchow:CISO or CSO is a little different for everyone. I
George Gerchow:started off in the private sector, mainly in government
George Gerchow:contracting, and then financial companies. And then I
George Gerchow:transitioned over to software where I held many roles from
George Gerchow:sales engineer to PMs. And then I settled into VMware twice,
George Gerchow:which was a really good role there. And I co founded the
George Gerchow:Center for Policy and compliance and then eventually ended up at
George Gerchow:Sumo Logic, where now I am lucky enough to serve and support a
George Gerchow:team called RISC, which is real estate, IT security and
George Gerchow:compliance. And I think that that's probably the biggest
George Gerchow:feather in my cap is working with a really good group of
George Gerchow:people at a really good company.
Dr. Dave Chatterjee:Fantastic. And you have excellent
Dr. Dave Chatterjee:credentials, I can't think of a better subject matter expert to
Dr. Dave Chatterjee:talk about this topic. So George, to get the discussion
Dr. Dave Chatterjee:going, I think it's only right to provide listeners with an
Dr. Dave Chatterjee:overview of what is multifactor authentication.
George Gerchow:Yeah, so multi factor authentication is almost
George Gerchow:exactly how it sounds. Whenever you log into a system, you know,
George Gerchow:so for the layman out there, think about like when you log
George Gerchow:into your online banking account, or even your cellular
George Gerchow:provider, it'll come back and say is this really you, either
George Gerchow:identify it through a CAPTCHA, which is show me how many
George Gerchow:pictures there are of a tractor, which is a very popular one, or
George Gerchow:punch in a code going out to either your cell phone, or an
George Gerchow:email that verifies that that's really you. It's a very
George Gerchow:important second step to authentication and to logging
George Gerchow:into critical systems.
Dr. Dave Chatterjee:Exactly right. So if I could recap what
Dr. Dave Chatterjee:George just said, multifactor authentication is a security
Dr. Dave Chatterjee:technology that requires multiple methods of
Dr. Dave Chatterjee:authentication from independent categories of credentials to
Dr. Dave Chatterjee:verify a user's identity. The reason one uses the word
Dr. Dave Chatterjee:multifactor, because one can get the credentials from different
Dr. Dave Chatterjee:factors such as what the user knows, examples password, what
Dr. Dave Chatterjee:the user has, example, a security token, and what the
Dr. Dave Chatterjee:user is, example would be different types of biometric
Dr. Dave Chatterjee:verifications, such as a retina scan. It's a very important part
Dr. Dave Chatterjee:of the security protocol. It's part of a defense-in-depth
Dr. Dave Chatterjee:strategy. So that's the good news that we have the
Dr. Dave Chatterjee:technologies to enable multifactor authentication. But
Dr. Dave Chatterjee:unfortunately, like every other defense, even this defense is
Dr. Dave Chatterjee:being breached by the hackers. A recently published article on
Dr. Dave Chatterjee:Dark Reading reports that a massive phishing campaign
Dr. Dave Chatterjee:targeting GitHub users convinced at least one developer at
Dr. Dave Chatterjee:Dropbox to enter in their credentials, and the two factor
Dr. Dave Chatterjee:authentication code, leading to the theft of at least 130
Dr. Dave Chatterjee:software code repositories. Essentially, the perpetrators
Dr. Dave Chatterjee:exploited the multi factor authentication fatigue. George,
Dr. Dave Chatterjee:your reactions.
George Gerchow:Yeah, I mean, it's there's also examples with
George Gerchow:GitHub and Uber as well, too, recently. And, you know, as you
George Gerchow:mentioned, which is right on point, we have the technology to
George Gerchow:do it. But is it being implemented correctly, and in a
George Gerchow:lot of places is not even being implemented? I think what I want
George Gerchow:to start off with saying is that this shouldn't discourage anyone
George Gerchow:from doing multi factor authentication, it's really
George Gerchow:important to do that as part of defense in depth, as you
George Gerchow:mentioned, that how you roll it out matters, it's people can
George Gerchow:just become numb to anything. And so what happened in all of
George Gerchow:those cases is the same thing. Someone just got a push to their
George Gerchow:phone most likely or to their watch that said, Hey, do you
George Gerchow:approve of this login? And the natural reaction when you have
George Gerchow:to do that so many times and especially because of regulatory
George Gerchow:compliance needs, is to go yes, I accept, without really
George Gerchow:understanding were you trying to log into something like, it
George Gerchow:seems like such an easy thing, but it's not. Because you can
George Gerchow:sometimes have to authenticate many times in one day. And so
George Gerchow:just like alert fatigue, when it comes to Sims, it's the same
George Gerchow:thing. You sort of start ignoring these things when they
George Gerchow:get pushed over and over again. So the implementation really
George Gerchow:matters, as well as executive buy in which you have to
George Gerchow:constantly get not only to roll it out, but then how you roll it
George Gerchow:out as well to.
Dr. Dave Chatterjee:Absolutely, in fact, you mentioned
Dr. Dave Chatterjee:something, you said that many organizations don't even have
Dr. Dave Chatterjee:multifactor authentication. That begs the question, why is that
Dr. Dave Chatterjee:the case? Is there a technology aspect to it, a technological
Dr. Dave Chatterjee:complexity of having multifactor authentication integrated into
Dr. Dave Chatterjee:existing legacy systems? Is there a cost aspect to it, is
Dr. Dave Chatterjee:very expensive? What does your experience tell you?
George Gerchow:Well, the first one is absolute laziness is
George Gerchow:really what it comes down to in the beginning is I don't want to
George Gerchow:disrupt my organization by having them go through this
George Gerchow:extra step. And it might seem crazy to you, Dr. Dave, and
George Gerchow:crazy to me, but especially like think about development
George Gerchow:organizations that are heavy with startups, like these
George Gerchow:developers do not want to take that extra step. So then
George Gerchow:sometimes executives as well, too, do I really have to do
George Gerchow:this. I know it's a policy, but can't I get around this? And the
George Gerchow:answer should be flat out No, under any circumstances. But you
George Gerchow:said something interesting too, which is costs. The way you roll
George Gerchow:it out matters. Just to give you a an example. So we use a
George Gerchow:traditional vendor, which is Okta, Okta is a really good
George Gerchow:company. They're well known in this space. However, to get a
George Gerchow:push code, instead of just the push, you have to have a
George Gerchow:different enterprise type license. And so to be able to
George Gerchow:really roll it out correctly, it sometimes is going to cost you
George Gerchow:more when you're dealing with one of the IAM vendors and
George Gerchow:they're not alone. So Duo SailPoint, Ping, the list goes
George Gerchow:on and on. They do the same thing, they will upsell, when it
George Gerchow:comes to maybe doing the right thing, which is a little bit
George Gerchow:crazy, but it is what it is.
Dr. Dave Chatterjee:Yeah, I mean, just using common sense.
Dr. Dave Chatterjee:If I'm leading an organization, or if I'm part of the leadership
Dr. Dave Chatterjee:that provides oversight to cybersecurity, I do want to have
Dr. Dave Chatterjee:the best possible defense in place that will protect the
Dr. Dave Chatterjee:organization from phishing attacks, which is the most
Dr. Dave Chatterjee:dominant form of attack. And talking about authentication
Dr. Dave Chatterjee:methods. I myself, I was used to the traditional authentication,
Dr. Dave Chatterjee:then I just sat up one day and I said, You know what, I need to
Dr. Dave Chatterjee:go and visit every account that I have. And I need to enable
Dr. Dave Chatterjee:multifactor authentication, unless the vendor has already
Dr. Dave Chatterjee:enabled it. So I took that step. And I went through each and
Dr. Dave Chatterjee:every account. And I did that at a personal level, because I felt
Dr. Dave Chatterjee:strongly about having that additional layer of defense.
Dr. Dave Chatterjee:Now, do I suffer from any kind of an MFA fatigue? Not yet, not
Dr. Dave Chatterjee:really. But again, to be fair and realistic, I cant relate to
Dr. Dave Chatterjee:some of the examples that are being shared about people being
Dr. Dave Chatterjee:bombarded by requests for authentication, and then they
Dr. Dave Chatterjee:are falling for it. So I can't relate to that. But from my own
Dr. Dave Chatterjee:personal experience, I haven't felt the fatigue and even if I
Dr. Dave Chatterjee:had to several times review that or go to that extra step, I
Dr. Dave Chatterjee:would, because I am even more paranoid about ensuring that
Dr. Dave Chatterjee:access is very secure. So I want to take the extra step. And if
Dr. Dave Chatterjee:that requires a little bit of an inconvenience, it is worth it.
Dr. Dave Chatterjee:So I have brought about a change in my own mindset. And I'm just
Dr. Dave Chatterjee:curious to know from you, George, how are organizations,
Dr. Dave Chatterjee:do they think very differently? What are what are your thoughts?
George Gerchow:Yeah, that's right. So you bring up a great
George Gerchow:point, which I think is whenever you can help your employees, the
George Gerchow:people that work for your company, do something that only
George Gerchow:benefits the company, but benefits them personally, the
George Gerchow:better off you're going to be. And this is a great example. So
George Gerchow:very simple things like do not use the same password over and
George Gerchow:over and over again, that's hard for people to do, but they do
George Gerchow:it. But if they're going to do it in their personal life,
George Gerchow:they're going to do it at work, too. So you have to like give
George Gerchow:them examples as to why that is such a horrible idea. Because if
George Gerchow:you compromise one password, and you compromise it all over the
George Gerchow:place, well you've seen examples of that for years. So basically,
George Gerchow:a password hygiene. The second piece of that when it comes to
George Gerchow:rolling it out, like you said, a lot of people are like, if I
George Gerchow:have the option to not do it, should i The answer should
George Gerchow:always be Yes, take that extra step. Because until you felt the
George Gerchow:pain of having your identity compromised, it's a horrible
George Gerchow:thing, because now you have like bank accounts and medical
George Gerchow:records. And those are the two things that most hackers go
George Gerchow:after is health and wealth. And it's going to really be
George Gerchow:disruptive to your life. So take a look at what's going on out
George Gerchow:there with that one extra step that 30 seconds can benefit
George Gerchow:people so much. Now you brought up something that I want to tap
George Gerchow:into as well too, which is vendors, do vendors force you to
George Gerchow:do it. So banking environments do without a doubt, cellular
George Gerchow:providers do as well, too. But here's the very interesting
George Gerchow:thing like for us, well, we're a security vendor, right? So we
George Gerchow:provide a cloud sim, but we provide observability and
George Gerchow:everything else, but we don't force our customers to leverage
George Gerchow:multi factor authentication. Why? Because a lot of them would
George Gerchow:get mad. It's a simple fact, I'd love to I'd love to say before
George Gerchow:you log into Sumo Logic, as a customer, you have to use
George Gerchow:multifactor authentication and SSO But reality is, is that we
George Gerchow:would get tremendous pushback and doing so. But I feel like
George Gerchow:sometimes it's worth it as a vendor to do that. Because then
George Gerchow:it shows that the vendor is starting to change your behavior
George Gerchow:for you to do the right thing. Like how cool would it be if you
George Gerchow:got into a car and you went to start the engine and the engine
George Gerchow:wouldn't even start unless a seatbelt came on? I look at it
George Gerchow:the same exact way.
Dr. Dave Chatterjee:I'm absolutely bewildered to hear
Dr. Dave Chatterjee:this. You mentioned something about organizations being lazy.
Dr. Dave Chatterjee:You mentioned something about organizations might get mad when
Dr. Dave Chatterjee:the vendor is trying to push on to them multifactor. Once again,
Dr. Dave Chatterjee:if I was running the show, or if I'm part of the team that's
Dr. Dave Chatterjee:running the show, I would take the trouble of reading up on the
Dr. Dave Chatterjee:expert guidance that is being provided by organizations such
Dr. Dave Chatterjee:as CISA and trying to understand from where they are coming, and
Dr. Dave Chatterjee:then looking at my own organization and making that
Dr. Dave Chatterjee:call that is it worth the extra step. And I totally understand
Dr. Dave Chatterjee:that balance between convenience and security. I get it. But
Dr. Dave Chatterjee:having said that, I would strongly urge all listeners,
Dr. Dave Chatterjee:there organizations, that if you have not enabled multifactor
Dr. Dave Chatterjee:authentication, please do so to the extent possible feasible.
Dr. Dave Chatterjee:But definitely move in that direction. It serves as a
Dr. Dave Chatterjee:no-brainer. And we will get into the discussion of password-less
Dr. Dave Chatterjee:authentication. Because that's that will hopefully be a more
Dr. Dave Chatterjee:convenient approach. But we got to take the step first. And then
Dr. Dave Chatterjee:other things can follow. I want to share a personal example that
Dr. Dave Chatterjee:happened the other day. I woke up at around 1:30 in the
Dr. Dave Chatterjee:morning. And as is my habit, I was checking my iPhone for
Dr. Dave Chatterjee:messages. And I saw an alert from my financial institution
Dr. Dave Chatterjee:saying that my password had been compromised, and I should change
Dr. Dave Chatterjee:my password. So I came downstairs to my office, I
Dr. Dave Chatterjee:alerted my wife, we both came down and we realized that
Dr. Dave Chatterjee:password we had used for several accounts. So I went through each
Dr. Dave Chatterjee:and every account to change that password. And as I was doing it,
Dr. Dave Chatterjee:I was wondering, oh my God, now what kind of inconvenience am I
Dr. Dave Chatterjee:gonna deal with? What's going to be the consequence of this? And
Dr. Dave Chatterjee:like George, you said, I know people who have been victims of
Dr. Dave Chatterjee:ID theft, and it's terrible what they have to go through. And I
Dr. Dave Chatterjee:was just really worried that that's going to be my situation.
Dr. Dave Chatterjee:So anyhow, I did the due diligence. I did change out the
Dr. Dave Chatterjee:passwords, went back to bed. Next morning. I called their
Dr. Dave Chatterjee:support and I asked him that I received this email. So what's
Dr. Dave Chatterjee:the story? Fortunately, they told me it was a technical
Dr. Dave Chatterjee:snafu, and that email had gone gone out to millions, but my
Dr. Dave Chatterjee:password wasn't compromised. Anyhow, that's a different story
Dr. Dave Chatterjee:about their process and how they manage their process. They could
Dr. Dave Chatterjee:have done it better. But however, that experience does
Dr. Dave Chatterjee:bring to light what we are all vulnerable and susceptible to.
Dr. Dave Chatterjee:But as humans, it is our natural tendency to assume, Oh, it's not
Dr. Dave Chatterjee:going to happen to me. Yep. And if it does, we'll deal with it
Dr. Dave Chatterjee:then. And I know that organizations also often have
Dr. Dave Chatterjee:that mindset, some organizations who know they will get bailed
Dr. Dave Chatterjee:out, and I don't think that's an acceptable practice. George,
Dr. Dave Chatterjee:your thoughts?
George Gerchow:Yeah. Dr. David, you're exactly right. It all
George Gerchow:starts at that executive level, you have to have board executive
George Gerchow:buy-in to make sure that not only you have the right policies
George Gerchow:in place to leverage complex password, continued password
George Gerchow:changes, SSO, and an MFA in place as well to like, it's
George Gerchow:gotta be buy-in from the absolute top. No exceptions
George Gerchow:whatsoever. Like for us at Sumo Logic, if a developer creates
George Gerchow:like an AWS account, for example, and doesn't turn on MFA
George Gerchow:within 24 hours, that account is disabled. And that's the reality
George Gerchow:of what you have to do. I do think that once people do have
George Gerchow:it put in place, you've got to now take it to the next level,
George Gerchow:you know, so let's go back to where you were digging in a
George Gerchow:little bit, talking about MFA fatigue, it's a real thing. And
George Gerchow:I think that password-less security, as you mentioned
George Gerchow:before, is going to be the future like my Mac right now I
George Gerchow:can put my thumbprint, my fingerprints, do biometrics,
George Gerchow:that's a very easy way to get around that would solve a lot of
George Gerchow:these issues. Another way is one time passwords. So OTP, which
George Gerchow:folks like off l made that very, very popular. But I'm gonna
George Gerchow:bring up an interesting point, because I'd like to get your
George Gerchow:thoughts around this as well, too. One of the things that
George Gerchow:we've struggled with as an industry forever has been these
George Gerchow:questionnaires that people send out before they go do business
George Gerchow:with a company like Sumo Logic. And one of the questions is
George Gerchow:always do you use MFA? And think about the Okta compromise, which
George Gerchow:was so interesting, because they are a single sign on MFA
George Gerchow:company. When they got compromised, it was by a third
George Gerchow:party vendor that checked the box and said they use MFA
George Gerchow:working for an MFA company and didn't use it. And so like now,
George Gerchow:as an industry, we're starting to really try to figure out
George Gerchow:what's the best way to trust a vendor, trust the partner, and
George Gerchow:ensure that they're actually doing these things, because it's
George Gerchow:so easy to check that box because they want your business,
George Gerchow:even though it's not the right thing to do. So penalties have
George Gerchow:to start coming into place with a lot of these things.
Dr. Dave Chatterjee:Unfortunately, that is true. Like I have
Dr. Dave Chatterjee:discussed several times in my talks. And also during these
Dr. Dave Chatterjee:podcasts, that history tells us that organizations respond best
Dr. Dave Chatterjee:to laws, laws with strong penalties, SOX is an example. So
Dr. Dave Chatterjee:unfortunate, unfortunately, I, I do see a day not far from today,
Dr. Dave Chatterjee:when a major legislation will come down the pipeline,
Dr. Dave Chatterjee:requiring organizations to follow through with the
Dr. Dave Chatterjee:recommended best practices, because that's the only way you
Dr. Dave Chatterjee:will get real compliance. What's happening today, as you you
Dr. Dave Chatterjee:shared with just an example of checking-the-box kind of
Dr. Dave Chatterjee:compliance, trying to find a way of to get the contract, get the
Dr. Dave Chatterjee:business. And I know this might sound idealistic, and people
Dr. Dave Chatterjee:will say, Oh, you're a professor, that's what you do
Dr. Dave Chatterjee:you preach the ideal. I don't, I don't, but I will say this, that
Dr. Dave Chatterjee:you have to be as security conscious as practical. Even
Dr. Dave Chatterjee:when I'm was reading the CISA guideline, they are not being
Dr. Dave Chatterjee:very idealistic, they are saying, we understand that it
Dr. Dave Chatterjee:may not be possible to protect all the resources at once. Pick
Dr. Dave Chatterjee:the ones that are most important to either users that are high
Dr. Dave Chatterjee:value targets. So they are they're basically suggesting an
Dr. Dave Chatterjee:incremental approach to implementing phishing resistant
Dr. Dave Chatterjee:MFAs. So it's not like it has to be a big bang implementation and
Dr. Dave Chatterjee:overnight, we will achieve 100% compliance, but at least there
Dr. Dave Chatterjee:has to be a recognition and then follow through steps. And as you
Dr. Dave Chatterjee:rightly said, George, unless you get the buy-in from the
Dr. Dave Chatterjee:leadership, from the top management, that is a very
Dr. Dave Chatterjee:important security defense. And it's not just one of those add
Dr. Dave Chatterjee:ons. That is more headache than it is worth it. Unless that
Dr. Dave Chatterjee:buy-in is there, real buy-in, where you really want to be
Dr. Dave Chatterjee:secure and safe. Not because you are being forced to not because
Dr. Dave Chatterjee:you want to project to the world, how security conscious
Dr. Dave Chatterjee:you are, you really believe it, and you follow through with it.
Dr. Dave Chatterjee:So I have emphasized this genuineness in literally each of
Dr. Dave Chatterjee:my podcasts, even in my book, that at the end of the day, if
Dr. Dave Chatterjee:you if an organization as well as an individual, if they take
Dr. Dave Chatterjee:genuine steps that comes under the category of due diligence
Dr. Dave Chatterjee:and due care, and they do everything, even after that, if
Dr. Dave Chatterjee:they get breached, which is absolutely possible, they have a
Dr. Dave Chatterjee:fair shot before the jury. I'm not a lawyer. But I've had the
Dr. Dave Chatterjee:pleasure of talking with several legal experts. And I've been
Dr. Dave Chatterjee:told that that's where the judge reviews what you've done, have
Dr. Dave Chatterjee:you done everything possible? Have you taken into
Dr. Dave Chatterjee:consideration all the expert guidelines? Have you taken the
Dr. Dave Chatterjee:best possible approach that is feasible given your resources,
Dr. Dave Chatterjee:so there is a reasonable reasonableness associated with
Dr. Dave Chatterjee:that review of the judge. So nobody is expecting that you do
Dr. Dave Chatterjee:something extraordinary or go out of your way, go way beyond
Dr. Dave Chatterjee:way beyond your means. But there is an expectation to be
Dr. Dave Chatterjee:responsible. And that's what I want to emphasize in this
Dr. Dave Chatterjee:podcast, in this episode,
George Gerchow:The fact I mean, it there is I mean, that's the
George Gerchow:cost of doing business, really, but we need to make it part of
George Gerchow:everyone's everyday behavior. When you leave your house, you
George Gerchow:close your garage door, you lock your front door, it is just
George Gerchow:things that come naturally to you. Like I mentioned before you
George Gerchow:get in the car, you put on a seatbelt. It's those types of
George Gerchow:things that we have to make it muscle memory for people,
George Gerchow:period. And there just shouldn't even be a question as to why
George Gerchow:it's being done. Now back to what you mentioned about a
George Gerchow:staged rollout. I believe with rolling out MFA, you just do it
George Gerchow:like there is no stage to that for me. Now, when it comes to
George Gerchow:accessing sensitive data or critical users, you may when you
George Gerchow:start using like OTP, one time passwords and things like that.
George Gerchow:Maybe you do focus on that first, and then start working
George Gerchow:your way through the rest of the organization. But MFA to me now
George Gerchow:is just a must. I mean, especially as we move more into
George Gerchow:SAS based apps, working with large cloud providers like
George Gerchow:Azure, GCP, it's just a must you have to have it turned on day
George Gerchow:one. And then that way that muscle memory starts kicking
George Gerchow:into place.
Dr. Dave Chatterjee:Yeah, absolutely. In fact, CISA is
Dr. Dave Chatterjee:also recommending that even if an organization doesn't have in
Dr. Dave Chatterjee:place a phishing resistant MFA, they should employ additional
Dr. Dave Chatterjee:prevention and detection controls such as number
Dr. Dave Chatterjee:matching. Yep. So that's, that's the point, that, make the
Dr. Dave Chatterjee:effort, this is a three page guideline, it's very easily very
Dr. Dave Chatterjee:clearly written. It's literally you can create a checklist out
Dr. Dave Chatterjee:of this, use the checklist to evaluate what what you have in
Dr. Dave Chatterjee:place. And if you see any gaps, any deficiencies, address them.
Dr. Dave Chatterjee:That's that's what I would call due diligence. And do that. And
Dr. Dave Chatterjee:I think we are all better for it -- organizations, their
Dr. Dave Chatterjee:customers. So that seems like a no-brainer to me. But maybe it's
Dr. Dave Chatterjee:not because otherwise they wouldn't have come out with this
Dr. Dave Chatterjee:directive, or with this guideline. Moving along to this
Dr. Dave Chatterjee:topic of implementing phishing resistant MFA, so would you like
Dr. Dave Chatterjee:to expand on how does an organization go about
Dr. Dave Chatterjee:implementing that type of an MFA, that is phishing resistant?
Dr. Dave Chatterjee:What solutions are available out there?
George Gerchow:So the best one, I mean, look, there's one time
George Gerchow:passwords, there's biometrics. And then there's also having to
George Gerchow:put in a passcode. And punching that in which by the way, Dr.
George Gerchow:Dave takes about 15 seconds, you know, and I think that the last
George Gerchow:one is the most viable one because we live in this virtual
George Gerchow:world. So I'd love to say that it's biometrics. But what if I'm
George Gerchow:a developer, and I'm trying to access servers that are all the
George Gerchow:way across the globe, right, I can authenticate into my system.
George Gerchow:But that's not going to work as I found the key authenticate
George Gerchow:into more complex virtual systems. So although that's very
George Gerchow:effective with something that's physical, and right in front of
George Gerchow:you, it doesn't solve all the problems. And so I think for me,
George Gerchow:it's and what we do is pushing that code, Hey, wake up, you're
George Gerchow:not going to just press Accept, you're actually going to have to
George Gerchow:look and see what this code is, and then what it is that you
George Gerchow:were trying to authenticate into. And I think that that's
George Gerchow:the one that covers the most because part of this is
George Gerchow:emotional, like we mentioned before, a lot of physical things
George Gerchow:like seatbelts, locking doors, garages, we live in such a
George Gerchow:virtual world now. And putting the this kind of hygiene in
George Gerchow:place is more important than ever. I mean, just look at
George Gerchow:things like meta universe and everything else that's going on.
George Gerchow:I mean, even for like my kids, like when they log into video
George Gerchow:games, I've always had them do multi factor authentication.
George Gerchow:It's a quick one time code that you punch in, and I think that's
George Gerchow:the best way to go. Now again, there's going to be some cost
George Gerchow:probably associated with that, but I think we need to get
George Gerchow:better as as a society saying, why are we paying these costs?
George Gerchow:And let's make sure we implement these around these critical
George Gerchow:applications, critical users and critical data.
Dr. Dave Chatterjee:Absolutely. I couldn't agree with you more.
Dr. Dave Chatterjee:So George, I read about this FIDO authentication, the FIDO
Dr. Dave Chatterjee:Alliance, where they have developed this protocol to
Dr. Dave Chatterjee:enable phishing resistant authentication. Can you expand
Dr. Dave Chatterjee:on that?
George Gerchow:Yeah, so they've been around for a while. So
George Gerchow:FIDO, Fido, whatever you want to call them, for a long time, they
George Gerchow:started off in the beginning, mainly with YubiKey was a big
George Gerchow:one, which was something that you would just plug into your
George Gerchow:system that would verify you going on and which it can be
George Gerchow:very effective. But at the same time to look, man, the
George Gerchow:technology changes, I'm on a Mac, and whatever I plug into my
George Gerchow:system is always different. What kind of USB is it going to be,
George Gerchow:in fact, a lot of organizations you got to do business with,
George Gerchow:especially in a FinTech market, will not allow you to plug
George Gerchow:anything in to your system at all. So I think that they're on
George Gerchow:to the right idea and right concepts. And again, YubiKey can
George Gerchow:be effective. But you know, it's also goes back in time like Like
George Gerchow:think about like when multi factor authentication, two
George Gerchow:factor authentication got started it was RSA and RSA you
George Gerchow:would carry around on your keychain, like this passcode
George Gerchow:that would revolve and change like, every 30 seconds or every
George Gerchow:minute, and you had to punch that in? Was it effective? Yes.
George Gerchow:Where was it disruptive? Well, when users forgot, or didn't
George Gerchow:have that, that piece of hardware, so I'm not a hardware
George Gerchow:person at all. And I think that they've sort of leaned into that
George Gerchow:a little bit more. But if you are a company that that works
George Gerchow:for you do it FIDO FIDO. Look at them, they definitely got some
George Gerchow:good guidance. But it doesn't work for a lot of us that live
George Gerchow:completely in a virtual world. And we don't necessarily
George Gerchow:leverage hardware for a lot of different things.
Dr. Dave Chatterjee:Good to know, good to know. And just for
Dr. Dave Chatterjee:the benefit of the listeners, FIDO or Fido stands for Fast ID
Dr. Dave Chatterjee:Online, you can visit their website, review what they have
Dr. Dave Chatterjee:to offer, I was referencing a recommendation from the CISA
Dr. Dave Chatterjee:guide here. So it might be worth your time to just take a look.
Dr. Dave Chatterjee:So moving along, George, I'm again, looking at our notes from
Dr. Dave Chatterjee:our planning meeting that we had, you made a couple of very
Dr. Dave Chatterjee:poignant statements, one of which is leaders should create a
Dr. Dave Chatterjee:culture where employees feel they can slow down, for the sake
Dr. Dave Chatterjee:of security. Help, kind of tie this to our discussion on
Dr. Dave Chatterjee:multifactor authentication.
George Gerchow:Yeah, and again, I don't mean to pick on
George Gerchow:developers, or I'm sorry, I'm gonna pick on developers,
George Gerchow:because that's usually where most of the resistance comes
George Gerchow:into play. You can have developers sometimes accessing.
George Gerchow:I mean, an organization like ours, I mean, we have 300 plus
George Gerchow:applications. And so if you start thinking about what it
George Gerchow:takes to access those, well, we've made that pretty easy with
George Gerchow:single sign on meaning that I have one place where I
George Gerchow:authenticate, going through someone like an Okta, Ping
George Gerchow:Identity, Duo or whoever it may be, and then that allows me
George Gerchow:access to all those other applications. But again, if that
George Gerchow:password gets compromised, now I'm in serious trouble. Now MFA
George Gerchow:coming across the top of that will verify that I'm actually
George Gerchow:that user, even if the password got compromised. Now, what
George Gerchow:happens typically with a developer, and let's go back to
George Gerchow:regulations, so regulations like FedRAMP, for example, they say
George Gerchow:that if a person is 15 minutes idle into an application, they
George Gerchow:have to re-authenticate. That's a lot of disruption. When you
George Gerchow:think about I'm in 30 apps 40 apps a day, do I really got to
George Gerchow:re authenticate into each one of those apps every 15 minutes,
George Gerchow:probably not. The best way to do that, again, would be through
George Gerchow:something like VPN, or SSO and do that, that layer, if I'm idle
George Gerchow:there, reauthenticate once and get back into them. But what
George Gerchow:typically happens is, developers are moving at trying to move at
George Gerchow:lightning speed to offer more services to our internal and
George Gerchow:external customers. And that's important, but it's not as
George Gerchow:important as making sure that seamless security is built into
George Gerchow:it. And so I think development cultures for years now, I've
George Gerchow:been working out of Silicon Valley since 2009. In that
George Gerchow:environment, especially there's always this thing of security
George Gerchow:and compliance are gonna slow me down and I'm not going to be
George Gerchow:able to do to innovate as much and it's like, I'm sorry, but
George Gerchow:what would you rather do carry around a pager for when all of a
George Gerchow:sudden whenever you develop the code eventually gets hacked, and
George Gerchow:you have to get reback into it and then we'll help work with a
George Gerchow:company and lose your brand identity and everything else.
George Gerchow:Get regulation fines, like you mentioned before, go against
George Gerchow:CISA guidance, the new SEC cybersecurity guidelines or take
George Gerchow:the time to put guardrails in place while you're working on
George Gerchow:code. The second one to me is a no-brainer, but we have to get
George Gerchow:people there because it's still not. In fact, I'll give me give
George Gerchow:Microsoft a big plug. Microsoft was one of the first companies
George Gerchow:because of the GitHub attacks. And we're gonna force developers
George Gerchow:now to use multifactor authentication when they get
George Gerchow:into our public libraries, period. And I applaud, I'm like,
George Gerchow:yes, that extra step JFrog should do the same Docker Hub
George Gerchow:should do the same, like all these public repositories should
George Gerchow:do the same thing. But there's just this perception of, it's
George Gerchow:going to slow me down. And I'm sorry, sometimes you need to be
George Gerchow:slow down. But what if we drove on the roads with absolutely no
George Gerchow:speed limits whatsoever, right. We create all kinds of damage.
George Gerchow:So I just think that there's this perception, this emotional
George Gerchow:transition Dr. Dave that people have to make, and we have to
George Gerchow:help them get there.
Dr. Dave Chatterjee:Well said, very well said. When you say
Dr. Dave Chatterjee:slow me down, you know, what I was thinking of, I was thinking
Dr. Dave Chatterjee:of, a very deliberate approach to securit. You know, often,
Dr. Dave Chatterjee:taking a step back, looking at the whole picture, and coming up
Dr. Dave Chatterjee:with a very holistic cybersecurity strategy defense,
Dr. Dave Chatterjee:it might seem like you're slowing things down by taking a
Dr. Dave Chatterjee:step back, reflecting at everything, taking stock of
Dr. Dave Chatterjee:where you are, where you should be. But, in the long run, just
Dr. Dave Chatterjee:like you said, it can avert problems, which would really
Dr. Dave Chatterjee:slow you down, which would really send you back in
Dr. Dave Chatterjee:different ways, whether you have to fix a code, or whether you
Dr. Dave Chatterjee:have to address a reputational issue or in the most extreme
Dr. Dave Chatterjee:case, you may not have a business, you may not have a
Dr. Dave Chatterjee:job. So I'm so glad you you have highlighted this slowing down
Dr. Dave Chatterjee:business, because we are in a culture where it's, we're
Dr. Dave Chatterjee:working at warp speed, as fast as we can go. And we do not want
Dr. Dave Chatterjee:anything to come in the way of efficiency, but we have to be a
Dr. Dave Chatterjee:little more savvy about that. Speed is not necessarily
Dr. Dave Chatterjee:directly correlated with efficiency. So I think that's
Dr. Dave Chatterjee:where some wisdom needs to kick in. There has to be a
Dr. Dave Chatterjee:multi-functional perspective where leaders from different
Dr. Dave Chatterjee:organizational groups, both from the tech side and the business
Dr. Dave Chatterjee:side, needs to come together and make some calls, which makes
Dr. Dave Chatterjee:practical business sense, as opposed to going with this kind
Dr. Dave Chatterjee:of notion, oh, at least exempt me from multi-factor
Dr. Dave Chatterjee:authentication, because I'm having to constantly sign on to
Dr. Dave Chatterjee:different things. And it's slowing me down. And like you
Dr. Dave Chatterjee:said, well, you have the single sign-on option. But if that
Dr. Dave Chatterjee:wasn't there, even then I think it's worth the trouble. But
Dr. Dave Chatterjee:going back to this multi-factor authentication fatigue, is it
Dr. Dave Chatterjee:really a fatigue? Or is it being hyped up? What's what's the, I wonder?
George Gerchow:Oh, I think it's a fatigue. I really do. I, I
George Gerchow:just think that human nature, we see something over and over
George Gerchow:again, and then we stop getting it goes back to muscle memory
George Gerchow:the wrong way. We start just reacting to it. And again, like
George Gerchow:like, now it's time to pause and slow down. And one of my
George Gerchow:favorite stories ever. Dr. Dave, if you don't mind, please. And
George Gerchow:our users can go back and look this up. There was a company was
George Gerchow:a company called Code Spaces, and right around 2014 or so they
George Gerchow:had their AWS credentials are compromised. So when you have
George Gerchow:your AWS credentials compromised, like your master
George Gerchow:key, it's over for you. And so the hackers came back and said,
George Gerchow:Hey, like, give us like, I think it was like a million dollars in
George Gerchow:next 24 hours, or routable gonna bring down your company. And
George Gerchow:they kind of laughed it off and said, Yeah, we're good. We're
George Gerchow:not gonna give you a million dollars and the company was out
George Gerchow:of business within 48 hours. If they would have taken the simple
George Gerchow:step, simple step of having multi factor authentication,
George Gerchow:that would have never happened, it would have never happened
George Gerchow:with those credentials. Now, going back to MFA fatigue, what
George Gerchow:can we do? Again, I think you said something that was key that
George Gerchow:came out of the Sisa guidelines as well, which is stage it out.
George Gerchow:Like if you're using multi factor authentication. Today,
George Gerchow:they're using a push mechanism, which is very easy. Again, it
George Gerchow:goes to your watch goes to your phone, it can go anywhere, take
George Gerchow:the time to understand the critical users critical data
George Gerchow:within the environment to be able to come back in and say,
George Gerchow:let's run a one time passcode when you're trying to access
George Gerchow:these things, it's going to take you an extra 15 to 20 seconds,
George Gerchow:that is not too much out of your work life, to to punch in that
George Gerchow:code and start getting the muscle memory to get people to
George Gerchow:look at what they're actually authenticating. I'll tell you
George Gerchow:another thing people can do as well too. When you're using
George Gerchow:logging systems like ours, you want it people always look at is
George Gerchow:Dr. Dave logging in from California and London at the
George Gerchow:same time, and that's good information. But great
George Gerchow:information is okay. Where's Dr. Dave logging in from? But
George Gerchow:where's the MFA push going? And is there an MFA push? So then
George Gerchow:that way you can start recognizing the gaps? And if you
George Gerchow:really want to take it to another level brute force
George Gerchow:attack, is there a VPN in between? So tech matters. And
George Gerchow:this is like, one of the arguments all the time is people
George Gerchow:are like, we have a policy in place. And I'm like, well,
George Gerchow:that's cool. But you need technology to back up the
George Gerchow:policy, because people are people and people are going to
George Gerchow:try to circumvent things. A lot of times, if they know there's
George Gerchow:no accountability.
Dr. Dave Chatterjee:Absolutely. In fact, you highlighted
George Gerchow:Yeah, that's what so thanks for that. Dr.
George Gerchow:something that I wanted to get to. And that is the latest
George Gerchow:technological approach to authentication, which is
George Gerchow:Dave. I think the way to look at it is a lot of times security
George Gerchow:adaptive authentication, where machine learning is being used
George Gerchow:to understand user behavior, identify anomalies, and
George Gerchow:anomalous anomalous behavior, then triggers a reaction, which
George Gerchow:used to be looked at as a business inhibitor. Now it's a
George Gerchow:could be you might be blocked from using your account, because
George Gerchow:it seems you're logging in from a location at an hour, that is
George Gerchow:business enabler, people will want to do business with you
George Gerchow:not normal to your normal login behavior. So we have some great
George Gerchow:technologies that are out there, it's just a matter of seeking
George Gerchow:when you have really good security hygiene in place. And
George Gerchow:them out, searching for it. And you would do that, if you really
George Gerchow:cared about, I want to get to the bottom of it, I want to get
George Gerchow:especially as we're looking at supply chain attacks that we've
George Gerchow:the best possible the best-in-class authentication in
George Gerchow:place for my organization. And it really doesn't take that much
George Gerchow:effort or time, it just, it's a matter of making a mental
George Gerchow:seen over and over again over the last few years. So three
George Gerchow:commitment. And then once you set the ball rolling, and I'm
George Gerchow:talking about the senior leadership, and I'm not
George Gerchow:suggesting that they become multi-factor authentication
George Gerchow:major takeaways I get from our discussion. The first one is use
George Gerchow:experts, but it's a matter of charging a team and saying, hey,
George Gerchow:I was just reading about adaptive authentication,
George Gerchow:SSO, don't use the same password for everything and use SSO
George Gerchow:password-less authentication, please connect the dots for me
George Gerchow:and tell me where we are, where we need to be, and how do we get
George Gerchow:there, simple. And then once I get the recommendation, at least
George Gerchow:please to make life easier. The second one is don't stop using
George Gerchow:I'm informed, and then I act on them. So that's kind of as
George Gerchow:simple or as complicated as it can be. But it is something that
George Gerchow:MFA. even though Dr. Dave and I talked a lot about MFA fatigue,
George Gerchow:cannot be ignored. You gave a telling example, of a
George Gerchow:significant loss incurred, because the company didn't have
George Gerchow:something like multi-factor authentication. So this has been
George Gerchow:at least implement MFA. And then finally, the third one is when
George Gerchow:a great discussion. Enjoyed your stories. But before we go,
George Gerchow:George I'd like to give you an opportunity to share some final
George Gerchow:it comes to critical users, critical data critical systems
George Gerchow:words, some key messages for the listeners.
George Gerchow:codes for MFA. So make people slow down a little bit, see what
George Gerchow:it is that they're approving. And take that extra step, it's
George Gerchow:only going to be 15 or 20 seconds, and then all of a
George Gerchow:sudden it becomes muscle memory. And you'll definitely be able to
George Gerchow:secure your critical systems much better that way.
Dr. Dave Chatterjee:Thank you very much, George. And I want to
Dr. Dave Chatterjee:re emphasize what Georgia just said. The intent here was not to
Dr. Dave Chatterjee:suggest that multi factor-authentication is weak or
Dr. Dave Chatterjee:doesn't work. Quite to the contrary, multi-factor
Dr. Dave Chatterjee:authentication is extremely important. We're trying to
Dr. Dave Chatterjee:encourage listeners, their organizations, to at least have
Dr. Dave Chatterjee:the basic implementation, if not the more sophisticated ones, by
Dr. Dave Chatterjee:that we mean the more resilient forms of multi-factor
Dr. Dave Chatterjee:authentication. George, thanks again for your time. It's been a
Dr. Dave Chatterjee:pleasure.
George Gerchow:Thank you Dr. Dave. The pleasure was mine.
Dr. Dave Chatterjee:A special thanks to George Gerchow for his
Dr. Dave Chatterjee:time and insights. If you like what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.
