The Cybersecurity and Infrastructure Security Agency (CISA) recently (Oct 31, 2022) released fact sheets urging all organizations to implement phishing-resistant multi-factor authentication (MFA). In this episode, George Gerchow, Chief Security Officer and Senior Vice President of IT, Sumo Logic, and I have an in-depth discussion on this very important security subject matter. The scope of coverage ranges from providing an overview of MFA and its benefits to discussing the challenges and hurdles of implementing phishing-resistant MFA, recommended implementation approaches, and the future of MFA.

Time Stamps

01:53 -- Please share with listeners some highlights of your professional journey.

02:51 -- Please provide listeners with an overview of what multifactor authentication is.

03:52 -- A recently published article on Dark Reading reports that a massive phishing campaign targeting GitHub users convinced at least one developer at Dropbox to enter in their credentials and the two-factor authentication code, leading to the theft of at least 130 software code repositories. Essentially, the perpetrators exploited the multi-factor authentication fatigue. George, your reactions.

06:51 -- You said that many organizations don't even have multifactor authentication. That begs the question, why is that the case? Is there a technology aspect to it, a technological complexity of having multifactor authentication integrated into existing legacy systems? Is there a cost aspect to it, is it very expensive? What does your experience tell you?

08:30 -- From personal experience, I haven't felt the fatigue. Even if I had to review several times or take that extra step to authenticate, I would because I am paranoid about ensuring that access is very secure. So I have brought about a change in my own mindset. I'm just curious to know if organizations are striving to bring about a change in the multifactor authentication mindset. What are your thoughts?

12:23 -- As humans, it is our natural tendency to assume, Oh, it's not going to happen to me. And if it does, we'll deal with it then. And I know that organizations also often have that mindset, some organizations know they will get bailed out. George, what are your thoughts?

22:21 -- Would you like to expand on how organizations go about implementing phishing-resistant MFA? What solutions are available out there?

25:09 -- George, I read about this FIDO authentication, the FIDO Alliance, where they have developed this protocol to enable phishing-resistant authentication. Can you expand on that?

26:50 -- During our planning meeting, you made a couple of very poignant statements, one of which is, "leaders should create a culture where employees feel they can slow down for the sake of security." Help tie this to our discussion on multifactor authentication.

30:44 -- Going back to this multi-factor authentication fatigue, is there really a fatigue? Or is it being hyped up? What's the real story?

35:33 -- George, I'd like to give you the opportunity to share some final words, some key messages for the listeners.

Memorable George Gerchow Quotes/Statements

"Absolute laziness is really what it comes down to in the beginning; I don't want to disrupt my organization by having them go through this extra step."

"Development organizations that are heavy with startups, the developers do not want to take that extra step. Sometimes executives are also unwilling to follow through with that extra authentication step -- Do I really have to do this? I know it's a policy, but can't I get around this? And the answer should be flat-out No, under any circumstances."

"Whenever you can help your employees, the people that work for your company, do something that not only benefits the company but also benefits them personally, the better off the organization is going to be."

"The two things that most hackers go after are health and wealth."

"Like, how cool would it be if you got into a car and went to start the engine, and the engine wouldn't even start unless you had the seatbelt on?"

"One-time code (OTC) is the way to go when implementing phishing-resistant multi-factor authentication. And let's ensure we implement MFA around critical applications, users, and data."

"I'm sorry, sometimes you (developers) need to be slowed down. What if we drove on the road with absolutely no speed limits whatsoever? We create all kinds of damage. So I just think that there's this perception, this emotional transition Dr. Dave that people have to make, and we have to help them get there."

"You need technology to back up the policy because people are people, and people will try to circumvent things a lot of times if they know there's no accountability."

"A lot of times, security used to be looked at as a business inhibitor, mow it's a business enabler. People will want to do business with you when you have really good security hygiene in place, especially as we're looking at supply chain attacks that we've seen over and over again over the last few years."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Welcome to the Cybersecurity Readiness Podcast

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

the book Cybersecurity Readiness: A Holistic and

High-Performance Approach, a SAGE publication. He has been

studying cybersecurity for over a decade, authored and edited

scholarly papers, delivered talks, conducted webinars and

workshops, consulted with companies and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia. As a Duke University

Visiting Scholar Dr. Chatterjee has taught in the Master of

Engineering in Cybersecurity program at the Pratt School of

Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast Series. Our discussion today will focus on phishing

resistant multifactor authentication. Recently, CISA,

the Cybersecurity and Infrastructure Security Agency,

released two factsheets highlighting threats against

accounts and systems. CISA strongly urges all organizations

to implement phishing resistant MFA. MFA stands for multifactor

authentication to protect against phishing, and other

known cyber threats. I'm delighted to welcome George

Gerchow, Chief Security Officer and Senior Vice President of

Information Technology at Sumo Logic to share his thoughts and

perspectives on this very important security subject

matter. Welcome, George.

Thanks for having me. Dr. Dave. It's a

pleasure to be here.

So George, before we get into the details

of multifactor authentication, its strengths,weaknesses, let's

talk about you a litte bit. Please share with listeners some

highlights of your professional journey.

You're gonna make me blush. I've been lucky

Dr. Dave to have had two different roles. A role to a

CISO or CSO is a little different for everyone. I

started off in the private sector, mainly in government

contracting, and then financial companies. And then I

transitioned over to software where I held many roles from

sales engineer to PMs. And then I settled into VMware twice,

which was a really good role there. And I co founded the

Center for Policy and compliance and then eventually ended up at

Sumo Logic, where now I am lucky enough to serve and support a

team called RISC, which is real estate, IT security and

compliance. And I think that that's probably the biggest

feather in my cap is working with a really good group of

people at a really good company.

Fantastic. And you have excellent

credentials, I can't think of a better subject matter expert to

talk about this topic. So George, to get the discussion

going, I think it's only right to provide listeners with an

overview of what is multifactor authentication.

Yeah, so multi factor authentication is almost

exactly how it sounds. Whenever you log into a system, you know,

so for the layman out there, think about like when you log

into your online banking account, or even your cellular

provider, it'll come back and say is this really you, either

identify it through a CAPTCHA, which is show me how many

pictures there are of a tractor, which is a very popular one, or

punch in a code going out to either your cell phone, or an

email that verifies that that's really you. It's a very

important second step to authentication and to logging

into critical systems.

Exactly right. So if I could recap what

George just said, multifactor authentication is a security

technology that requires multiple methods of

authentication from independent categories of credentials to

verify a user's identity. The reason one uses the word

multifactor, because one can get the credentials from different

factors such as what the user knows, examples password, what

the user has, example, a security token, and what the

user is, example would be different types of biometric

verifications, such as a retina scan. It's a very important part

of the security protocol. It's part of a defense-in-depth

strategy. So that's the good news that we have the

technologies to enable multifactor authentication. But

unfortunately, like every other defense, even this defense is

being breached by the hackers. A recently published article on

Dark Reading reports that a massive phishing campaign

targeting GitHub users convinced at least one developer at

Dropbox to enter in their credentials, and the two factor

authentication code, leading to the theft of at least 130

software code repositories. Essentially, the perpetrators

exploited the multi factor authentication fatigue. George,

your reactions.

Yeah, I mean, it's there's also examples with

GitHub and Uber as well, too, recently. And, you know, as you

mentioned, which is right on point, we have the technology to

do it. But is it being implemented correctly, and in a

lot of places is not even being implemented? I think what I want

to start off with saying is that this shouldn't discourage anyone

from doing multi factor authentication, it's really

important to do that as part of defense in depth, as you

mentioned, that how you roll it out matters, it's people can

just become numb to anything. And so what happened in all of

those cases is the same thing. Someone just got a push to their

phone most likely or to their watch that said, Hey, do you

approve of this login? And the natural reaction when you have

to do that so many times and especially because of regulatory

compliance needs, is to go yes, I accept, without really

understanding were you trying to log into something like, it

seems like such an easy thing, but it's not. Because you can

sometimes have to authenticate many times in one day. And so

just like alert fatigue, when it comes to Sims, it's the same

thing. You sort of start ignoring these things when they

get pushed over and over again. So the implementation really

matters, as well as executive buy in which you have to

constantly get not only to roll it out, but then how you roll it

out as well to.

Absolutely, in fact, you mentioned

something, you said that many organizations don't even have

multifactor authentication. That begs the question, why is that

the case? Is there a technology aspect to it, a technological

complexity of having multifactor authentication integrated into

existing legacy systems? Is there a cost aspect to it, is

very expensive? What does your experience tell you?

Well, the first one is absolute laziness is

really what it comes down to in the beginning is I don't want to

disrupt my organization by having them go through this

extra step. And it might seem crazy to you, Dr. Dave, and

crazy to me, but especially like think about development

organizations that are heavy with startups, like these

developers do not want to take that extra step. So then

sometimes executives as well, too, do I really have to do

this. I know it's a policy, but can't I get around this? And the

answer should be flat out No, under any circumstances. But you

said something interesting too, which is costs. The way you roll

it out matters. Just to give you a an example. So we use a

traditional vendor, which is Okta, Okta is a really good

company. They're well known in this space. However, to get a

push code, instead of just the push, you have to have a

different enterprise type license. And so to be able to

really roll it out correctly, it sometimes is going to cost you

more when you're dealing with one of the IAM vendors and

they're not alone. So Duo SailPoint, Ping, the list goes

on and on. They do the same thing, they will upsell, when it

comes to maybe doing the right thing, which is a little bit

crazy, but it is what it is.

Yeah, I mean, just using common sense.

If I'm leading an organization, or if I'm part of the leadership

that provides oversight to cybersecurity, I do want to have

the best possible defense in place that will protect the

organization from phishing attacks, which is the most

dominant form of attack. And talking about authentication

methods. I myself, I was used to the traditional authentication,

then I just sat up one day and I said, You know what, I need to

go and visit every account that I have. And I need to enable

multifactor authentication, unless the vendor has already

enabled it. So I took that step. And I went through each and

every account. And I did that at a personal level, because I felt

strongly about having that additional layer of defense.

Now, do I suffer from any kind of an MFA fatigue? Not yet, not

really. But again, to be fair and realistic, I cant relate to

some of the examples that are being shared about people being

bombarded by requests for authentication, and then they

are falling for it. So I can't relate to that. But from my own

personal experience, I haven't felt the fatigue and even if I

had to several times review that or go to that extra step, I

would, because I am even more paranoid about ensuring that

access is very secure. So I want to take the extra step. And if

that requires a little bit of an inconvenience, it is worth it.

So I have brought about a change in my own mindset. And I'm just

curious to know from you, George, how are organizations,

do they think very differently? What are what are your thoughts?

Yeah, that's right. So you bring up a great

point, which I think is whenever you can help your employees, the

people that work for your company, do something that only

benefits the company, but benefits them personally, the

better off you're going to be. And this is a great example. So

very simple things like do not use the same password over and

over and over again, that's hard for people to do, but they do

it. But if they're going to do it in their personal life,

they're going to do it at work, too. So you have to like give

them examples as to why that is such a horrible idea. Because if

you compromise one password, and you compromise it all over the

place, well you've seen examples of that for years. So basically,

a password hygiene. The second piece of that when it comes to

rolling it out, like you said, a lot of people are like, if I

have the option to not do it, should i The answer should

always be Yes, take that extra step. Because until you felt the

pain of having your identity compromised, it's a horrible

thing, because now you have like bank accounts and medical

records. And those are the two things that most hackers go

after is health and wealth. And it's going to really be

disruptive to your life. So take a look at what's going on out

there with that one extra step that 30 seconds can benefit

people so much. Now you brought up something that I want to tap

into as well too, which is vendors, do vendors force you to

do it. So banking environments do without a doubt, cellular

providers do as well, too. But here's the very interesting

thing like for us, well, we're a security vendor, right? So we

provide a cloud sim, but we provide observability and

everything else, but we don't force our customers to leverage

multi factor authentication. Why? Because a lot of them would

get mad. It's a simple fact, I'd love to I'd love to say before

you log into Sumo Logic, as a customer, you have to use

multifactor authentication and SSO But reality is, is that we

would get tremendous pushback and doing so. But I feel like

sometimes it's worth it as a vendor to do that. Because then

it shows that the vendor is starting to change your behavior

for you to do the right thing. Like how cool would it be if you

got into a car and you went to start the engine and the engine

wouldn't even start unless a seatbelt came on? I look at it

the same exact way.

I'm absolutely bewildered to hear

this. You mentioned something about organizations being lazy.

You mentioned something about organizations might get mad when

the vendor is trying to push on to them multifactor. Once again,

if I was running the show, or if I'm part of the team that's

running the show, I would take the trouble of reading up on the

expert guidance that is being provided by organizations such

as CISA and trying to understand from where they are coming, and

then looking at my own organization and making that

call that is it worth the extra step. And I totally understand

that balance between convenience and security. I get it. But

having said that, I would strongly urge all listeners,

there organizations, that if you have not enabled multifactor

authentication, please do so to the extent possible feasible.

But definitely move in that direction. It serves as a

no-brainer. And we will get into the discussion of password-less

authentication. Because that's that will hopefully be a more

convenient approach. But we got to take the step first. And then

other things can follow. I want to share a personal example that

happened the other day. I woke up at around 1:30 in the

morning. And as is my habit, I was checking my iPhone for

messages. And I saw an alert from my financial institution

saying that my password had been compromised, and I should change

my password. So I came downstairs to my office, I

alerted my wife, we both came down and we realized that

password we had used for several accounts. So I went through each

and every account to change that password. And as I was doing it,

I was wondering, oh my God, now what kind of inconvenience am I

gonna deal with? What's going to be the consequence of this? And

like George, you said, I know people who have been victims of

ID theft, and it's terrible what they have to go through. And I

was just really worried that that's going to be my situation.

So anyhow, I did the due diligence. I did change out the

passwords, went back to bed. Next morning. I called their

support and I asked him that I received this email. So what's

the story? Fortunately, they told me it was a technical

snafu, and that email had gone gone out to millions, but my

password wasn't compromised. Anyhow, that's a different story

about their process and how they manage their process. They could

have done it better. But however, that experience does

bring to light what we are all vulnerable and susceptible to.

But as humans, it is our natural tendency to assume, Oh, it's not

going to happen to me. Yep. And if it does, we'll deal with it

then. And I know that organizations also often have

that mindset, some organizations who know they will get bailed

out, and I don't think that's an acceptable practice. George,

your thoughts?

Yeah. Dr. David, you're exactly right. It all

starts at that executive level, you have to have board executive

buy-in to make sure that not only you have the right policies

in place to leverage complex password, continued password

changes, SSO, and an MFA in place as well to like, it's

gotta be buy-in from the absolute top. No exceptions

whatsoever. Like for us at Sumo Logic, if a developer creates

like an AWS account, for example, and doesn't turn on MFA

within 24 hours, that account is disabled. And that's the reality

of what you have to do. I do think that once people do have

it put in place, you've got to now take it to the next level,

you know, so let's go back to where you were digging in a

little bit, talking about MFA fatigue, it's a real thing. And

I think that password-less security, as you mentioned

before, is going to be the future like my Mac right now I

can put my thumbprint, my fingerprints, do biometrics,

that's a very easy way to get around that would solve a lot of

these issues. Another way is one time passwords. So OTP, which

folks like off l made that very, very popular. But I'm gonna

bring up an interesting point, because I'd like to get your

thoughts around this as well, too. One of the things that

we've struggled with as an industry forever has been these

questionnaires that people send out before they go do business

with a company like Sumo Logic. And one of the questions is

always do you use MFA? And think about the Okta compromise, which

was so interesting, because they are a single sign on MFA

company. When they got compromised, it was by a third

party vendor that checked the box and said they use MFA

working for an MFA company and didn't use it. And so like now,

as an industry, we're starting to really try to figure out

what's the best way to trust a vendor, trust the partner, and

ensure that they're actually doing these things, because it's

so easy to check that box because they want your business,

even though it's not the right thing to do. So penalties have

to start coming into place with a lot of these things.

Unfortunately, that is true. Like I have

discussed several times in my talks. And also during these

podcasts, that history tells us that organizations respond best

to laws, laws with strong penalties, SOX is an example. So

unfortunate, unfortunately, I, I do see a day not far from today,

when a major legislation will come down the pipeline,

requiring organizations to follow through with the

recommended best practices, because that's the only way you

will get real compliance. What's happening today, as you you

shared with just an example of checking-the-box kind of

compliance, trying to find a way of to get the contract, get the

business. And I know this might sound idealistic, and people

will say, Oh, you're a professor, that's what you do

you preach the ideal. I don't, I don't, but I will say this, that

you have to be as security conscious as practical. Even

when I'm was reading the CISA guideline, they are not being

very idealistic, they are saying, we understand that it

may not be possible to protect all the resources at once. Pick

the ones that are most important to either users that are high

value targets. So they are they're basically suggesting an

incremental approach to implementing phishing resistant

MFAs. So it's not like it has to be a big bang implementation and

overnight, we will achieve 100% compliance, but at least there

has to be a recognition and then follow through steps. And as you

rightly said, George, unless you get the buy-in from the

leadership, from the top management, that is a very

important security defense. And it's not just one of those add

ons. That is more headache than it is worth it. Unless that

buy-in is there, real buy-in, where you really want to be

secure and safe. Not because you are being forced to not because

you want to project to the world, how security conscious

you are, you really believe it, and you follow through with it.

So I have emphasized this genuineness in literally each of

my podcasts, even in my book, that at the end of the day, if

you if an organization as well as an individual, if they take

genuine steps that comes under the category of due diligence

and due care, and they do everything, even after that, if

they get breached, which is absolutely possible, they have a

fair shot before the jury. I'm not a lawyer. But I've had the

pleasure of talking with several legal experts. And I've been

told that that's where the judge reviews what you've done, have

you done everything possible? Have you taken into

consideration all the expert guidelines? Have you taken the

best possible approach that is feasible given your resources,

so there is a reasonable reasonableness associated with

that review of the judge. So nobody is expecting that you do

something extraordinary or go out of your way, go way beyond

way beyond your means. But there is an expectation to be

responsible. And that's what I want to emphasize in this

podcast, in this episode,

The fact I mean, it there is I mean, that's the

cost of doing business, really, but we need to make it part of

everyone's everyday behavior. When you leave your house, you

close your garage door, you lock your front door, it is just

things that come naturally to you. Like I mentioned before you

get in the car, you put on a seatbelt. It's those types of

things that we have to make it muscle memory for people,

period. And there just shouldn't even be a question as to why

it's being done. Now back to what you mentioned about a

staged rollout. I believe with rolling out MFA, you just do it

like there is no stage to that for me. Now, when it comes to

accessing sensitive data or critical users, you may when you

start using like OTP, one time passwords and things like that.

Maybe you do focus on that first, and then start working

your way through the rest of the organization. But MFA to me now

is just a must. I mean, especially as we move more into

SAS based apps, working with large cloud providers like

Azure, GCP, it's just a must you have to have it turned on day

one. And then that way that muscle memory starts kicking

into place.

Yeah, absolutely. In fact, CISA is

also recommending that even if an organization doesn't have in

place a phishing resistant MFA, they should employ additional

prevention and detection controls such as number

matching. Yep. So that's, that's the point, that, make the

effort, this is a three page guideline, it's very easily very

clearly written. It's literally you can create a checklist out

of this, use the checklist to evaluate what what you have in

place. And if you see any gaps, any deficiencies, address them.

That's that's what I would call due diligence. And do that. And

I think we are all better for it -- organizations, their

customers. So that seems like a no-brainer to me. But maybe it's

not because otherwise they wouldn't have come out with this

directive, or with this guideline. Moving along to this

topic of implementing phishing resistant MFA, so would you like

to expand on how does an organization go about

implementing that type of an MFA, that is phishing resistant?

What solutions are available out there?

So the best one, I mean, look, there's one time

passwords, there's biometrics. And then there's also having to

put in a passcode. And punching that in which by the way, Dr.

Dave takes about 15 seconds, you know, and I think that the last

one is the most viable one because we live in this virtual

world. So I'd love to say that it's biometrics. But what if I'm

a developer, and I'm trying to access servers that are all the

way across the globe, right, I can authenticate into my system.

But that's not going to work as I found the key authenticate

into more complex virtual systems. So although that's very

effective with something that's physical, and right in front of

you, it doesn't solve all the problems. And so I think for me,

it's and what we do is pushing that code, Hey, wake up, you're

not going to just press Accept, you're actually going to have to

look and see what this code is, and then what it is that you

were trying to authenticate into. And I think that that's

the one that covers the most because part of this is

emotional, like we mentioned before, a lot of physical things

like seatbelts, locking doors, garages, we live in such a

virtual world now. And putting the this kind of hygiene in

place is more important than ever. I mean, just look at

things like meta universe and everything else that's going on.

I mean, even for like my kids, like when they log into video

games, I've always had them do multi factor authentication.

It's a quick one time code that you punch in, and I think that's

the best way to go. Now again, there's going to be some cost

probably associated with that, but I think we need to get

better as as a society saying, why are we paying these costs?

And let's make sure we implement these around these critical

applications, critical users and critical data.

Absolutely. I couldn't agree with you more.

So George, I read about this FIDO authentication, the FIDO

Alliance, where they have developed this protocol to

enable phishing resistant authentication. Can you expand

on that?

Yeah, so they've been around for a while. So

FIDO, Fido, whatever you want to call them, for a long time, they

started off in the beginning, mainly with YubiKey was a big

one, which was something that you would just plug into your

system that would verify you going on and which it can be

very effective. But at the same time to look, man, the

technology changes, I'm on a Mac, and whatever I plug into my

system is always different. What kind of USB is it going to be,

in fact, a lot of organizations you got to do business with,

especially in a FinTech market, will not allow you to plug

anything in to your system at all. So I think that they're on

to the right idea and right concepts. And again, YubiKey can

be effective. But you know, it's also goes back in time like Like

think about like when multi factor authentication, two

factor authentication got started it was RSA and RSA you

would carry around on your keychain, like this passcode

that would revolve and change like, every 30 seconds or every

minute, and you had to punch that in? Was it effective? Yes.

Where was it disruptive? Well, when users forgot, or didn't

have that, that piece of hardware, so I'm not a hardware

person at all. And I think that they've sort of leaned into that

a little bit more. But if you are a company that that works

for you do it FIDO FIDO. Look at them, they definitely got some

good guidance. But it doesn't work for a lot of us that live

completely in a virtual world. And we don't necessarily

leverage hardware for a lot of different things.

Good to know, good to know. And just for

the benefit of the listeners, FIDO or Fido stands for Fast ID

Online, you can visit their website, review what they have

to offer, I was referencing a recommendation from the CISA

guide here. So it might be worth your time to just take a look.

So moving along, George, I'm again, looking at our notes from

our planning meeting that we had, you made a couple of very

poignant statements, one of which is leaders should create a

culture where employees feel they can slow down, for the sake

of security. Help, kind of tie this to our discussion on

multifactor authentication.

Yeah, and again, I don't mean to pick on

developers, or I'm sorry, I'm gonna pick on developers,

because that's usually where most of the resistance comes

into play. You can have developers sometimes accessing.

I mean, an organization like ours, I mean, we have 300 plus

applications. And so if you start thinking about what it

takes to access those, well, we've made that pretty easy with

single sign on meaning that I have one place where I

authenticate, going through someone like an Okta, Ping

Identity, Duo or whoever it may be, and then that allows me

access to all those other applications. But again, if that

password gets compromised, now I'm in serious trouble. Now MFA

coming across the top of that will verify that I'm actually

that user, even if the password got compromised. Now, what

happens typically with a developer, and let's go back to

regulations, so regulations like FedRAMP, for example, they say

that if a person is 15 minutes idle into an application, they

have to re-authenticate. That's a lot of disruption. When you

think about I'm in 30 apps 40 apps a day, do I really got to

re authenticate into each one of those apps every 15 minutes,

probably not. The best way to do that, again, would be through

something like VPN, or SSO and do that, that layer, if I'm idle

there, reauthenticate once and get back into them. But what

typically happens is, developers are moving at trying to move at

lightning speed to offer more services to our internal and

external customers. And that's important, but it's not as

important as making sure that seamless security is built into

it. And so I think development cultures for years now, I've

been working out of Silicon Valley since 2009. In that

environment, especially there's always this thing of security

and compliance are gonna slow me down and I'm not going to be

able to do to innovate as much and it's like, I'm sorry, but

what would you rather do carry around a pager for when all of a

sudden whenever you develop the code eventually gets hacked, and

you have to get reback into it and then we'll help work with a

company and lose your brand identity and everything else.

Get regulation fines, like you mentioned before, go against

CISA guidance, the new SEC cybersecurity guidelines or take

the time to put guardrails in place while you're working on

code. The second one to me is a no-brainer, but we have to get

people there because it's still not. In fact, I'll give me give

Microsoft a big plug. Microsoft was one of the first companies

because of the GitHub attacks. And we're gonna force developers

now to use multifactor authentication when they get

into our public libraries, period. And I applaud, I'm like,

yes, that extra step JFrog should do the same Docker Hub

should do the same, like all these public repositories should

do the same thing. But there's just this perception of, it's

going to slow me down. And I'm sorry, sometimes you need to be

slow down. But what if we drove on the roads with absolutely no

speed limits whatsoever, right. We create all kinds of damage.

So I just think that there's this perception, this emotional

transition Dr. Dave that people have to make, and we have to

help them get there.

Well said, very well said. When you say

slow me down, you know, what I was thinking of, I was thinking

of, a very deliberate approach to securit. You know, often,

taking a step back, looking at the whole picture, and coming up

with a very holistic cybersecurity strategy defense,

it might seem like you're slowing things down by taking a

step back, reflecting at everything, taking stock of

where you are, where you should be. But, in the long run, just

like you said, it can avert problems, which would really

slow you down, which would really send you back in

different ways, whether you have to fix a code, or whether you

have to address a reputational issue or in the most extreme

case, you may not have a business, you may not have a

job. So I'm so glad you you have highlighted this slowing down

business, because we are in a culture where it's, we're

working at warp speed, as fast as we can go. And we do not want

anything to come in the way of efficiency, but we have to be a

little more savvy about that. Speed is not necessarily

directly correlated with efficiency. So I think that's

where some wisdom needs to kick in. There has to be a

multi-functional perspective where leaders from different

organizational groups, both from the tech side and the business

side, needs to come together and make some calls, which makes

practical business sense, as opposed to going with this kind

of notion, oh, at least exempt me from multi-factor

authentication, because I'm having to constantly sign on to

different things. And it's slowing me down. And like you

said, well, you have the single sign-on option. But if that

wasn't there, even then I think it's worth the trouble. But

going back to this multi-factor authentication fatigue, is it

really a fatigue? Or is it being hyped up? What's what's the, I wonder?

Oh, I think it's a fatigue. I really do. I, I

just think that human nature, we see something over and over

again, and then we stop getting it goes back to muscle memory

the wrong way. We start just reacting to it. And again, like

like, now it's time to pause and slow down. And one of my

favorite stories ever. Dr. Dave, if you don't mind, please. And

our users can go back and look this up. There was a company was

a company called Code Spaces, and right around 2014 or so they

had their AWS credentials are compromised. So when you have

your AWS credentials compromised, like your master

key, it's over for you. And so the hackers came back and said,

Hey, like, give us like, I think it was like a million dollars in

next 24 hours, or routable gonna bring down your company. And

they kind of laughed it off and said, Yeah, we're good. We're

not gonna give you a million dollars and the company was out

of business within 48 hours. If they would have taken the simple

step, simple step of having multi factor authentication,

that would have never happened, it would have never happened

with those credentials. Now, going back to MFA fatigue, what

can we do? Again, I think you said something that was key that

came out of the Sisa guidelines as well, which is stage it out.

Like if you're using multi factor authentication. Today,

they're using a push mechanism, which is very easy. Again, it

goes to your watch goes to your phone, it can go anywhere, take

the time to understand the critical users critical data

within the environment to be able to come back in and say,

let's run a one time passcode when you're trying to access

these things, it's going to take you an extra 15 to 20 seconds,

that is not too much out of your work life, to to punch in that

code and start getting the muscle memory to get people to

look at what they're actually authenticating. I'll tell you

another thing people can do as well too. When you're using

logging systems like ours, you want it people always look at is

Dr. Dave logging in from California and London at the

same time, and that's good information. But great

information is okay. Where's Dr. Dave logging in from? But

where's the MFA push going? And is there an MFA push? So then

that way you can start recognizing the gaps? And if you

really want to take it to another level brute force

attack, is there a VPN in between? So tech matters. And

this is like, one of the arguments all the time is people

are like, we have a policy in place. And I'm like, well,

that's cool. But you need technology to back up the

policy, because people are people and people are going to

try to circumvent things. A lot of times, if they know there's

no accountability.

Absolutely. In fact, you highlighted

Yeah, that's what so thanks for that. Dr.

something that I wanted to get to. And that is the latest

technological approach to authentication, which is

Dave. I think the way to look at it is a lot of times security

adaptive authentication, where machine learning is being used

to understand user behavior, identify anomalies, and

anomalous anomalous behavior, then triggers a reaction, which

used to be looked at as a business inhibitor. Now it's a

could be you might be blocked from using your account, because

it seems you're logging in from a location at an hour, that is

business enabler, people will want to do business with you

not normal to your normal login behavior. So we have some great

technologies that are out there, it's just a matter of seeking

when you have really good security hygiene in place. And

them out, searching for it. And you would do that, if you really

cared about, I want to get to the bottom of it, I want to get

especially as we're looking at supply chain attacks that we've

the best possible the best-in-class authentication in

place for my organization. And it really doesn't take that much

effort or time, it just, it's a matter of making a mental

seen over and over again over the last few years. So three

commitment. And then once you set the ball rolling, and I'm

talking about the senior leadership, and I'm not

suggesting that they become multi-factor authentication

major takeaways I get from our discussion. The first one is use

experts, but it's a matter of charging a team and saying, hey,

I was just reading about adaptive authentication,

SSO, don't use the same password for everything and use SSO

password-less authentication, please connect the dots for me

and tell me where we are, where we need to be, and how do we get

there, simple. And then once I get the recommendation, at least

please to make life easier. The second one is don't stop using

I'm informed, and then I act on them. So that's kind of as

simple or as complicated as it can be. But it is something that

MFA. even though Dr. Dave and I talked a lot about MFA fatigue,

cannot be ignored. You gave a telling example, of a

significant loss incurred, because the company didn't have

something like multi-factor authentication. So this has been

at least implement MFA. And then finally, the third one is when

a great discussion. Enjoyed your stories. But before we go,

George I'd like to give you an opportunity to share some final

it comes to critical users, critical data critical systems

words, some key messages for the listeners.

codes for MFA. So make people slow down a little bit, see what

it is that they're approving. And take that extra step, it's

only going to be 15 or 20 seconds, and then all of a

sudden it becomes muscle memory. And you'll definitely be able to

secure your critical systems much better that way.

Thank you very much, George. And I want to

re emphasize what Georgia just said. The intent here was not to

suggest that multi factor-authentication is weak or

doesn't work. Quite to the contrary, multi-factor

authentication is extremely important. We're trying to

encourage listeners, their organizations, to at least have

the basic implementation, if not the more sophisticated ones, by

that we mean the more resilient forms of multi-factor

authentication. George, thanks again for your time. It's been a

pleasure.

Thank you Dr. Dave. The pleasure was mine.

A special thanks to George Gerchow for his

time and insights. If you like what you heard, please leave the

podcast a rating and share it with your network. Also

subscribe to the show, so you don't miss any new episodes.

Thank you for listening, and I'll see you in the next

episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness, or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.