Implementing Phishing Resistant Multifactor Authentication
Episode 40 • 7th December 2022 • The Cybersecurity Readiness Podcast Series • Dr. Dave Chatterjee


Shownotes

The Cybersecurity and Infrastructure Security Agency (CISA) recently (Oct 31, 2022) released fact sheets urging all organizations to implement phishing-resistant multi-factor authentication (MFA). In this episode, George Gerchow, Chief Security Officer and Senior Vice President of IT, Sumo Logic, and I have an in-depth discussion on this very important security subject matter. The scope of coverage ranges from providing an overview of MFA and its benefits to discussing the challenges and hurdles of implementing phishing-resistant MFA, recommended implementation approaches, and the future of MFA.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-40-implementing-phishing-resistant-multifactor-authentication/

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Transcripts

Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Our discussion today will focus on phishing resistant multifactor authentication. Recently, CISA, the Cybersecurity and Infrastructure Security Agency, released two factsheets highlighting threats against accounts and systems. CISA strongly urges all organizations to implement phishing resistant MFA. MFA stands for multifactor authentication, to protect against phishing and other known cyber threats. I'm delighted to welcome George Gerchow, Chief Security Officer and Senior Vice President of Information Technology at Sumo Logic, to share his thoughts and perspectives on this very important security subject matter. Welcome, George.

George Gerchow:

Thanks for having me, Dr. Dave. It's a pleasure to be here.

Dr. Dave Chatterjee:

So George, before we get into the details of multifactor authentication, its strengths, weaknesses, let's talk about you a little bit. Please share with listeners some highlights of your professional journey.

George Gerchow:

You're gonna make me blush. I've been lucky, Dr. Dave, to have had two different roles. A role to a CISO or CSO is a little different for everyone. I started off in the private sector, mainly in government contracting, and then financial companies. And then I transitioned over to software where I held many roles from sales engineer to PMs. And then I settled into VMware twice, which was a really good role there. And I co-founded the Center for Policy and Compliance and then eventually ended up at Sumo Logic, where now I am lucky enough to serve and support a team called RISC, which is real estate, IT, security and compliance. And I think that that's probably the biggest feather in my cap is working with a really good group of people at a really good company.

Dr. Dave Chatterjee:

Fantastic. And you have excellent credentials, I can't think of a better subject matter expert to talk about this topic. So George, to get the discussion going, I think it's only right to provide listeners with an overview of what is multifactor authentication.

George Gerchow:

Yeah, so multi factor authentication is almost exactly how it sounds. Whenever you log into a system, you know, so for the layman out there, think about like when you log into your online banking account, or even your cellular provider, it'll come back and say is this really you, either identify it through a CAPTCHA, which is show me how many pictures there are of a tractor, which is a very popular one, or punch in a code going out to either your cell phone, or an email that verifies that that's really you. It's a very important second step to authentication and to logging into critical systems.

Dr. Dave Chatterjee:

Exactly right. So if I could recap what George just said, multifactor authentication is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity. The reason one uses the word multifactor is because one can get the credentials from different factors, such as what the user knows, example, a password; what the user has, example, a security token; and what the user is, example would be different types of biometric verifications, such as a retina scan. It's a very important part of the security protocol. It's part of a defense-in-depth strategy. So that's the good news, that we have the technologies to enable multifactor authentication. But unfortunately, like every other defense, even this defense is being breached by the hackers. A recently published article on Dark Reading reports that a massive phishing campaign targeting GitHub users convinced at least one developer at Dropbox to enter in their credentials and the two factor authentication code, leading to the theft of at least 130 software code repositories. Essentially, the perpetrators exploited the multi factor authentication fatigue. George, your reactions?

George Gerchow:

Yeah, I mean, there's also examples with GitHub and Uber as well, too, recently. And, you know, as you mentioned, which is right on point, we have the technology to do it. But is it being implemented correctly, and in a lot of places is it not even being implemented? I think what I want to start off with saying is that this shouldn't discourage anyone from doing multi factor authentication, it's really important to do that as part of defense in depth, as you mentioned, but how you roll it out matters; people can just become numb to anything. And so what happened in all of those cases is the same thing. Someone just got a push to their phone most likely, or to their watch, that said, Hey, do you approve of this login? And the natural reaction when you have to do that so many times, and especially because of regulatory compliance needs, is to go yes, I accept, without really understanding were you trying to log into something. Like, it seems like such an easy thing, but it's not. Because you can sometimes have to authenticate many times in one day. And so just like alert fatigue, when it comes to SIEMs, it's the same thing. You sort of start ignoring these things when they get pushed over and over again. So the implementation really matters, as well as executive buy-in, which you have to constantly get, not only to roll it out, but then how you roll it out as well, too.

Dr. Dave Chatterjee:

Absolutely, in fact, you mentioned something, you said that many organizations don't even have multifactor authentication. That begs the question, why is that the case? Is there a technology aspect to it, a technological complexity of having multifactor authentication integrated into existing legacy systems? Is there a cost aspect to it, is it very expensive? What does your experience tell you?

George Gerchow:

Well, the first one is absolute laziness is really what it comes down to in the beginning, is I don't want to disrupt my organization by having them go through this extra step. And it might seem crazy to you, Dr. Dave, and crazy to me, but especially like think about development organizations that are heavy with startups, like these developers do not want to take that extra step. So then sometimes executives as well, too, do I really have to do this? I know it's a policy, but can't I get around this? And the answer should be flat out No, under any circumstances. But you said something interesting too, which is costs. The way you roll it out matters. Just to give you an example. So we use a traditional vendor, which is Okta. Okta is a really good company. They're well known in this space. However, to get a push code, instead of just the push, you have to have a different enterprise type license. And so to be able to really roll it out correctly, it sometimes is going to cost you more when you're dealing with one of the IAM vendors, and they're not alone. So Duo, SailPoint, Ping, the list goes on and on. They do the same thing, they will upsell when it comes to maybe doing the right thing, which is a little bit crazy, but it is what it is.

Dr. Dave Chatterjee:

Yeah, I mean, just using common sense. If I'm leading an organization, or if I'm part of the leadership that provides oversight to cybersecurity, I do want to have the best possible defense in place that will protect the organization from phishing attacks, which is the most dominant form of attack. And talking about authentication methods, I myself, I was used to the traditional authentication, then I just sat up one day and I said, You know what, I need to go and visit every account that I have. And I need to enable multifactor authentication, unless the vendor has already enabled it. So I took that step. And I went through each and every account. And I did that at a personal level, because I felt strongly about having that additional layer of defense. Now, do I suffer from any kind of an MFA fatigue? Not yet, not really. But again, to be fair and realistic, I can't relate to some of the examples that are being shared about people being bombarded by requests for authentication, and then they are falling for it. So I can't relate to that. But from my own personal experience, I haven't felt the fatigue, and even if I had to several times review that or go to that extra step, I would, because I am even more paranoid about ensuring that access is very secure. So I want to take the extra step. And if that requires a little bit of an inconvenience, it is worth it. So I have brought about a change in my own mindset. And I'm just curious to know from you, George, how are organizations, do they think very differently? What are your thoughts?

George Gerchow:

Yeah, that's right. So you bring up a great point, which I think is whenever you can help your employees, the people that work for your company, do something that not only benefits the company, but benefits them personally, the better off you're going to be. And this is a great example. So very simple things like do not use the same password over and over and over again, that's hard for people to do, but they do it. But if they're going to do it in their personal life, they're going to do it at work, too. So you have to like give them examples as to why that is such a horrible idea. Because if you compromise one password, and you compromise it all over the place, well you've seen examples of that for years. So basically, password hygiene. The second piece of that when it comes to rolling it out, like you said, a lot of people are like, if I have the option to not do it, should I? The answer should always be Yes, take that extra step. Because until you felt the pain of having your identity compromised, it's a horrible thing, because now you have like bank accounts and medical records. And those are the two things that most hackers go after is health and wealth. And it's going to really be disruptive to your life. So take a look at what's going on out there with that one extra step; that 30 seconds can benefit people so much. Now you brought up something that I want to tap into as well too, which is vendors, do vendors force you to do it. So banking environments do without a doubt, cellular providers do as well, too. But here's the very interesting thing, like for us, well, we're a security vendor, right? So we provide a cloud SIEM, but we provide observability and everything else, but we don't force our customers to leverage multi factor authentication. Why? Because a lot of them would get mad. It's a simple fact. I'd love to say before you log into Sumo Logic, as a customer, you have to use multifactor authentication and SSO. But reality is, is that we would get tremendous pushback in doing so. But I feel like sometimes it's worth it as a vendor to do that. Because then it shows that the vendor is starting to change your behavior for you to do the right thing. Like how cool would it be if you got into a car and you went to start the engine and the engine wouldn't even start unless a seatbelt came on? I look at it the same exact way.

Dr. Dave Chatterjee:

I'm absolutely bewildered to hear this. You mentioned something about organizations being lazy. You mentioned something about organizations might get mad when the vendor is trying to push on to them multifactor. Once again, if I was running the show, or if I'm part of the team that's running the show, I would take the trouble of reading up on the expert guidance that is being provided by organizations such as CISA and trying to understand from where they are coming, and then looking at my own organization and making that call that is it worth the extra step. And I totally understand that balance between convenience and security. I get it. But having said that, I would strongly urge all listeners, their organizations, that if you have not enabled multifactor authentication, please do so to the extent possible, feasible. But definitely move in that direction. It serves as a no-brainer. And we will get into the discussion of password-less authentication. Because that will hopefully be a more convenient approach. But we got to take the step first. And then other things can follow. I want to share a personal example that happened the other day. I woke up at around 1:30 in the morning. And as is my habit, I was checking my iPhone for messages. And I saw an alert from my financial institution saying that my password had been compromised, and I should change my password. So I came downstairs to my office, I alerted my wife, we both came down and we realized that password we had used for several accounts. So I went through each and every account to change that password. And as I was doing it, I was wondering, oh my God, now what kind of inconvenience am I gonna deal with? What's going to be the consequence of this? And like George, you said, I know people who have been victims of ID theft, and it's terrible what they have to go through. And I was just really worried that that's going to be my situation. So anyhow, I did the due diligence. I did change out the passwords, went back to bed. Next morning, I called their support and I asked him that I received this email. So what's the story? Fortunately, they told me it was a technical snafu, and that email had gone out to millions, but my password wasn't compromised. Anyhow, that's a different story about their process and how they manage their process. They could have done it better. But however, that experience does bring to light what we are all vulnerable and susceptible to. But as humans, it is our natural tendency to assume, Oh, it's not going to happen to me. Yep. And if it does, we'll deal with it then. And I know that organizations also often have that mindset, some organizations who know they will get bailed out, and I don't think that's an acceptable practice. George, your thoughts?

George Gerchow:

Yeah. Dr. David, you're exactly right. It all starts at that executive level, you have to have board executive buy-in to make sure that not only you have the right policies in place to leverage complex passwords, continued password changes, SSO, and an MFA in place as well too, like, it's gotta be buy-in from the absolute top. No exceptions whatsoever. Like for us at Sumo Logic, if a developer creates like an AWS account, for example, and doesn't turn on MFA within 24 hours, that account is disabled. And that's the reality of what you have to do. I do think that once people do have it put in place, you've got to now take it to the next level, you know, so let's go back to where you were digging in a little bit, talking about MFA fatigue, it's a real thing. And I think that password-less security, as you mentioned before, is going to be the future. Like my Mac right now, I can put my thumbprint, my fingerprints, do biometrics, that's a very easy way to get around that, would solve a lot of these issues. Another way is one time passwords. So OTP, which folks like off l made that very, very popular. But I'm gonna bring up an interesting point, because I'd like to get your thoughts around this as well, too. One of the things that we've struggled with as an industry forever has been these questionnaires that people send out before they go do business with a company like Sumo Logic. And one of the questions is always do you use MFA? And think about the Okta compromise, which was so interesting, because they are a single sign on MFA company. When they got compromised, it was by a third party vendor that checked the box and said they use MFA, working for an MFA company, and didn't use it. And so like now, as an industry, we're starting to really try to figure out what's the best way to trust a vendor, trust the partner, and ensure that they're actually doing these things, because it's so easy to check that box because they want your business, even though it's not the right thing to do. So penalties have to start coming into place with a lot of these things.

Dr. Dave Chatterjee:

Unfortunately, that is true. Like I have discussed several times in my talks, and also during these podcasts, that history tells us that organizations respond best to laws, laws with strong penalties; SOX is an example. So unfortunately, I do see a day not far from today, when a major legislation will come down the pipeline, requiring organizations to follow through with the recommended best practices, because that's the only way you will get real compliance. What's happening today, as you shared with just an example of checking-the-box kind of compliance, trying to find a way to get the contract, get the business. And I know this might sound idealistic, and people will say, Oh, you're a professor, that's what you do, you preach the ideal. I don't, I don't, but I will say this, that you have to be as security conscious as practical. Even when I was reading the CISA guideline, they are not being very idealistic, they are saying, we understand that it may not be possible to protect all the resources at once. Pick the ones that are most important, or users that are high value targets. So they're basically suggesting an incremental approach to implementing phishing resistant MFAs. So it's not like it has to be a big bang implementation and overnight, we will achieve 100% compliance, but at least there has to be a recognition and then follow-through steps. And as you rightly said, George, unless you get the buy-in from the leadership, from the top management, that is a very important security defense. And it's not just one of those add-ons that is more headache than it is worth. Unless that buy-in is there, real buy-in, where you really want to be secure and safe. Not because you are being forced to, not because you want to project to the world how security conscious you are; you really believe it, and you follow through with it. So I have emphasized this genuineness in literally each of my podcasts, even in my book, that at the end of the day, if an organization as well as an individual, if they take genuine steps that come under the category of due diligence and due care, and they do everything, even after that, if they get breached, which is absolutely possible, they have a fair shot before the jury. I'm not a lawyer. But I've had the pleasure of talking with several legal experts. And I've been told that that's where the judge reviews what you've done: have you done everything possible? Have you taken into consideration all the expert guidelines? Have you taken the best possible approach that is feasible given your resources? So there is a reasonableness associated with that review of the judge. So nobody is expecting that you do something extraordinary or go out of your way, go way beyond your means. But there is an expectation to be responsible. And that's what I want to emphasize in this podcast, in this episode.

George Gerchow:

The fact, I mean, there is, I mean, that's the cost of doing business, really, but we need to make it part of everyone's everyday behavior. When you leave your house, you close your garage door, you lock your front door, it is just things that come naturally to you. Like I mentioned before, you get in the car, you put on a seatbelt. It's those types of things that we have to make muscle memory for people, period. And there just shouldn't even be a question as to why it's being done. Now back to what you mentioned about a staged rollout. I believe with rolling out MFA, you just do it, like there is no stage to that for me. Now, when it comes to accessing sensitive data or critical users, you may, when you start using like OTP, one time passwords and things like that, maybe you do focus on that first, and then start working your way through the rest of the organization. But MFA to me now is just a must. I mean, especially as we move more into SaaS-based apps, working with large cloud providers like Azure, GCP, it's just a must, you have to have it turned on day one. And then that way that muscle memory starts kicking into place.

Dr. Dave Chatterjee:

Yeah, absolutely. In fact, CISA is also recommending that even if an organization doesn't have in place a phishing resistant MFA, they should employ additional prevention and detection controls such as number matching. Yep. So that's the point, that, make the effort, this is a three page guideline, it's very easily, very clearly written. It's literally, you can create a checklist out of this, use the checklist to evaluate what you have in place. And if you see any gaps, any deficiencies, address them. That's what I would call due diligence. And do that. And I think we are all better for it -- organizations, their customers. So that seems like a no-brainer to me. But maybe it's not, because otherwise they wouldn't have come out with this directive, or with this guideline. Moving along to this topic of implementing phishing resistant MFA, so would you like to expand on how does an organization go about implementing that type of an MFA, that is phishing resistant? What solutions are available out there?

George Gerchow:

So the best one, I mean, look, there's one time passwords, there's biometrics. And then there's also having to put in a passcode. And punching that in, which by the way, Dr. Dave, takes about 15 seconds, you know, and I think that the last one is the most viable one because we live in this virtual world. So I'd love to say that it's biometrics. But what if I'm a developer, and I'm trying to access servers that are all the way across the globe, right, I can authenticate into my system. But that's not going to work as I found the key authenticate into more complex virtual systems. So although that's very effective with something that's physical, and right in front of you, it doesn't solve all the problems. And so I think for me, it's, and what we do is pushing that code, Hey, wake up, you're not going to just press Accept, you're actually going to have to look and see what this code is, and then what it is that you were trying to authenticate into. And I think that that's the one that covers the most because part of this is emotional, like we mentioned before, a lot of physical things like seatbelts, locking doors, garages, we live in such a virtual world now. And putting this kind of hygiene in place is more important than ever. I mean, just look at things like meta universe and everything else that's going on. I mean, even for like my kids, like when they log into video games, I've always had them do multi factor authentication. It's a quick one time code that you punch in, and I think that's the best way to go. Now again, there's going to be some cost probably associated with that, but I think we need to get better as a society saying, why are we paying these costs? And let's make sure we implement these around these critical applications, critical users and critical data.

Dr. Dave Chatterjee:

Absolutely. I couldn't agree with you more. So George, I read about this FIDO authentication, the FIDO Alliance, where they have developed this protocol to enable phishing-resistant authentication. Can you expand on that?

George Gerchow:

Yeah, so they've been around for a while. So FIDO, Fido, whatever you want to call them, for a long time, they started off in the beginning mainly with YubiKey, which was a big one, which was something that you would just plug into your system that would verify you going on, and which can be very effective. But at the same time, look, man, the technology changes. I'm on a Mac, and whatever I plug into my system is always different. What kind of USB is it going to be? In fact, a lot of organizations you've got to do business with, especially in the FinTech market, will not allow you to plug anything into your system at all. So I think that they're on to the right idea and right concepts. And again, YubiKey can be effective. But you know, it also goes back in time. Like, think about when multi-factor authentication, two-factor authentication got started: it was RSA, and RSA you would carry around on your keychain, like this passcode that would revolve and change every 30 seconds or every minute, and you had to punch that in. Was it effective? Yes. Where was it disruptive? Well, when users forgot, or didn't have that piece of hardware. So I'm not a hardware person at all. And I think that they've sort of leaned into that a little bit more. But if you are a company that that works for, you do it, FIDO. Look at them, they definitely got some good guidance. But it doesn't work for a lot of us that live completely in a virtual world, and we don't necessarily leverage hardware for a lot of different things.

Dr. Dave Chatterjee:

Good to know, good to know. And just for the benefit of the listeners, FIDO or Fido stands for Fast ID Online. You can visit their website, review what they have to offer. I was referencing a recommendation from the CISA guide here, so it might be worth your time to just take a look. So moving along, George, I'm again looking at our notes from our planning meeting that we had. You made a couple of very poignant statements, one of which is leaders should create a culture where employees feel they can slow down for the sake of security. Help, kind of, tie this to our discussion on multifactor authentication.

George Gerchow:

Yeah, and again, I don't mean to pick on developers, or, I'm sorry, I'm gonna pick on developers, because that's usually where most of the resistance comes into play. You can have developers sometimes accessing... I mean, an organization like ours, we have 300-plus applications. And so if you start thinking about what it takes to access those, well, we've made that pretty easy with single sign-on, meaning that I have one place where I authenticate, going through someone like an Okta, Ping Identity, Duo or whoever it may be, and then that allows me access to all those other applications. But again, if that password gets compromised, now I'm in serious trouble. Now MFA coming across the top of that will verify that I'm actually that user, even if the password got compromised. Now, what happens typically with a developer, and let's go back to regulations: regulations like FedRAMP, for example, say that if a person is 15 minutes idle in an application, they have to re-authenticate. That's a lot of disruption. When you think about it, I'm in 30 apps, 40 apps a day; do I really got to re-authenticate into each one of those apps every 15 minutes? Probably not. The best way to do that, again, would be through something like VPN, or SSO, and do that at that layer: if I'm idle there, re-authenticate once and get back into them. But what typically happens is, developers are trying to move at lightning speed to offer more services to our internal and external customers. And that's important, but it's not as important as making sure that seamless security is built into it. And so I think development cultures, for years now (I've been working out of Silicon Valley since 2009), in that environment especially, there's always this thing of security and compliance are gonna slow me down and I'm not going to be able to innovate as much. And it's like, I'm sorry, but what would you rather do: carry around a pager for when, all of a sudden, the code you developed eventually gets hacked, and you have to get back into it, and then have to work with a company, and lose your brand identity and everything else, get regulation fines, like you mentioned before, go against CISA guidance, the new SEC cybersecurity guidelines; or take the time to put guardrails in place while you're working on code? The second one to me is a no-brainer, but we have to get people there, because it's still not. In fact, I'll give Microsoft a big plug. Microsoft was one of the first companies, because of the GitHub attacks, to say: we're gonna force developers now to use multifactor authentication when they get into our public libraries, period. And I applaud it. I'm like, yes, that extra step. JFrog should do the same, Docker Hub should do the same, like all these public repositories should do the same thing. But there's just this perception of, it's going to slow me down. And I'm sorry, sometimes you need to be slowed down. What if we drove on the roads with absolutely no speed limits whatsoever, right? We'd create all kinds of damage. So I just think that there's this perception, this emotional transition, Dr. Dave, that people have to make, and we have to help them get there.

Dr. Dave Chatterjee:

Well said, very well said. When you say slow me down, you know what I was thinking of? I was thinking of a very deliberate approach to security. You know, often, taking a step back, looking at the whole picture, and coming up with a very holistic cybersecurity strategy, defense; it might seem like you're slowing things down by taking a step back, reflecting on everything, taking stock of where you are, where you should be. But in the long run, just like you said, it can avert problems which would really slow you down, which would really send you back in different ways, whether you have to fix code, or whether you have to address a reputational issue, or, in the most extreme case, you may not have a business, you may not have a job. So I'm so glad you have highlighted this slowing-down business, because we are in a culture where we're working at warp speed, as fast as we can go, and we do not want anything to come in the way of efficiency. But we have to be a little more savvy about that. Speed is not necessarily directly correlated with efficiency. So I think that's where some wisdom needs to kick in. There has to be a multi-functional perspective where leaders from different organizational groups, both from the tech side and the business side, need to come together and make some calls which make practical business sense, as opposed to going with this kind of notion: oh, at least exempt me from multi-factor authentication, because I'm having to constantly sign on to different things, and it's slowing me down. And like you said, well, you have the single sign-on option. But if that wasn't there, even then I think it's worth the trouble. But going back to this multi-factor authentication fatigue, is it really a fatigue? Or is it being hyped up? What's the... I wonder.

George Gerchow:

Oh, I think it's a fatigue. I really do. I just think that it's human nature: we see something over and over again, and then we stop getting it. It goes back to muscle memory the wrong way; we start just reacting to it. And again, now it's time to pause and slow down. And one of my favorite stories ever, Dr. Dave, if you don't mind, please, and our users can go back and look this up: there was a company called Code Spaces, and right around 2014 or so they had their AWS credentials compromised. So when you have your AWS credentials compromised, like your master key, it's over for you. And so the hackers came back and said, hey, give us, I think it was like a million dollars, in the next 24 hours, or we're gonna bring down your company. And they kind of laughed it off and said, yeah, we're good, we're not gonna give you a million dollars, and the company was out of business within 48 hours. If they would have taken the simple step, simple step of having multi-factor authentication, that would have never happened; it would have never happened with those credentials. Now, going back to MFA fatigue, what can we do? Again, I think you said something that was key that came out of the CISA guidelines as well, which is stage it out. Like, if you're using multi-factor authentication today, they're using a push mechanism, which is very easy. Again, it goes to your watch, goes to your phone, it can go anywhere. Take the time to understand the critical users, critical data within the environment, to be able to come back in and say, let's run a one-time passcode when you're trying to access these things. It's going to take you an extra 15 to 20 seconds; that is not too much out of your work life, to punch in that code and start getting the muscle memory, to get people to look at what they're actually authenticating. I'll tell you another thing people can do as well, too. When you're using logging systems like ours, what people always look at is, is Dr. Dave logging in from California and London at the same time? And that's good information. But great information is, okay, where's Dr. Dave logging in from? But where's the MFA push going? And is there an MFA push? So then that way you can start recognizing the gaps. And if you really want to take it to another level, brute-force attack: is there a VPN in between? So tech matters. And this is like one of the arguments all the time: people are like, we have a policy in place. And I'm like, well, that's cool, but you need technology to back up the policy, because people are people, and people are going to try to circumvent things a lot of times if they know there's no accountability.

Dr. Dave Chatterjee:

Absolutely. In fact, you highlighted something that I wanted to get to. And that is the latest technological approach to authentication, which is adaptive authentication, where machine learning is being used to understand user behavior, identify anomalies, and anomalous behavior then triggers a reaction, which could be you might be blocked from using your account, because it seems you're logging in from a location, at an hour, that is not normal to your normal login behavior. So we have some great technologies that are out there; it's just a matter of seeking them out, searching for it. And you would do that if you really cared about, I want to get to the bottom of it, I want to get the best possible, the best-in-class authentication in place for my organization. And it really doesn't take that much effort or time. It's just a matter of making a mental commitment. And then once you set the ball rolling, and I'm talking about the senior leadership, and I'm not suggesting that they become multi-factor authentication experts, but it's a matter of charging a team and saying, hey, I was just reading about adaptive authentication, passwordless authentication, please connect the dots for me and tell me where we are, where we need to be, and how do we get there. Simple. And then once I get the recommendation, at least I'm informed, and then I act on them. So that's kind of as simple or as complicated as it can be. But it is something that cannot be ignored. You gave a telling example of a significant loss incurred because the company didn't have something like multi-factor authentication. So this has been a great discussion. Enjoyed your stories. But before we go, George, I'd like to give you an opportunity to share some final words, some key messages for the listeners.

George Gerchow:

Yeah. So thanks for that, Dr. Dave. I think the way to look at it is, a lot of times security used to be looked at as a business inhibitor. Now it's a business enabler; people will want to do business with you when you have really good security hygiene in place, and especially as we're looking at supply chain attacks that we've seen over and over again over the last few years. So three major takeaways I get from our discussion. The first one is use SSO: don't use the same password for everything, and use SSO, please, to make life easier. The second one is don't stop using MFA. Even though Dr. Dave and I talked a lot about MFA fatigue, at least implement MFA. And then finally, the third one is, when it comes to critical users, critical data, critical systems, codes for MFA. So make people slow down a little bit, see what it is that they're approving, and take that extra step. It's only going to be 15 or 20 seconds, and then all of a sudden it becomes muscle memory. And you'll definitely be able to secure your critical systems much better that way.

Dr. Dave Chatterjee:

Thank you very much, George. And I want to re-emphasize what George just said. The intent here was not to suggest that multi-factor authentication is weak or doesn't work. Quite to the contrary, multi-factor authentication is extremely important. We're trying to encourage listeners, their organizations, to at least have the basic implementation, if not the more sophisticated ones; by that we mean the more resilient forms of multi-factor authentication. George, thanks again for your time. It's been a pleasure.

George Gerchow:

Thank you Dr. Dave. The pleasure was mine.

Dr. Dave Chatterjee:

A special thanks to George Gerchow for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.
