I m getting MFA, you re getting MFA, we re ALL getting MFA. Richard Biever (richard.biever@duke.edu) Chuck Kesler (chuck.kesler@duke.

Transcription

1 I m getting MFA, you re getting MFA, we re ALL getting MFA Richard Biever (richard.biever@duke.edu) Chuck Kesler (chuck.kesler@duke.edu)

2 Durham, we have a problem

3 Passwords are the most used way to secure data, but People shared passwords People use and re- use weak passwords People fall for phishing messages

4 Cracking passwords is child s play 25 GPUs = 350 billion guesses per second (in 2013)

5 Phishing employees is even easier

6 Malicious vs. legitimate Malicious Spam Delivered Aug- 14 Sep- 14 Oct- 14 Nov- 14 Dec- 14 Jan- 15 Feb- 15 Mar- 15 Apr- 15 May- 15 Jun- 15 Jul- 15 Monthly Averages Blocked Malicious: 54% Delivered (includes unfiltered or targeted phishing messages): 23% Blocked Spam: 18%

7 Options? Hire these guys to watch our network Change password policy to 20 characters, changeable every 90 days Introduce multifactor authentication By the way, regular password changes and complex passwords don t solve the phishing problem

8 A New Hope

9 What should we use for 2 nd factors? (Technology)

10 Where should we apply it? (Integration)

11 How should we apply it? (Policy) Mandatory or Opt- in What applications Failure mode (open or closed) Get out of Jail Free Trusted devices or browsers

12 Tying it all together Policy Mandatory for IT staff Mandatory for Protected Network Mandatory for certain websites Temporary passcodes via challenge- response Fail open for websites Fail closed for SSH/RDP/VPN Remember me - 12 hours Integration Shibboleth RDP SSH VPN No integration for thick clients such as mail clients, employee systems, or student information systems Technology Duo Yubikey Phones

13 Who gets it first? (Rollout/Testing) Iterative process to improve the service Start with small group of IT personnel Expand to central IT and departmental IT volunteers Require for central IT By January 2014, ~600 people enrolled, primarily IT staff or early adopters. Focused on Shibboleth and SSH/RDP integration

14 I love the smell of napalm in the morning

15 Direct Deposit Phishing Scam Attack Resulting Measures

16

17 By Fall of Executive Memo Users enrolled in month Total users enrolled Phishing Incidents But even the nearly 1400% increase since February is only about 17% of the Duke faculty & staff population; extrapolating the 250/month rate since May would mean it would be October 2025 before we reach entire population

18 The secret of our success Duke Medicine Case Study

19 Getting the Board s attention: Healthcare under attack BCBS Tennessee 1M Stolen Hard Drives NYC Health & Hospitals 1.7M Stolen Backup Tapes TRICARE 4.9M Lost Backups Utah Dept. of Health 780K Hacking Advocate Medical 4M Computer Theft Community Health 4.5M Hacking Premera BCBS 11M Hacking Excellus BCBA 10M Hacking AvMed 1.2M Stolen Laptops Health Net 1.9M Lost Hard Drives Emory 315K Lost Backups Horizon BCBS 840K Laptop Theft Anthem BCBS 80M Hacking Source: Privacy Rights Clearinghouse, Nemours 1.6M Lost Backups Montana Public Health 1.3M Hacking CareFirst BCBS 1.1M Hacking

20 Making our case: recognizing users as the weak link By targeting Anthem employees with phishing s and luring them to the fake sites, it may have been possible for the attackers to collect the logins and passwords and eventually access the insurer's real systems. ThreatConnect, an Arlington, Virginia- based security company, found that Premera appears to have been targeted by the same style of attack. - ComputerWorld

21 The turning point: Leadership buys in Today, Multi- Factor Authentication should be considered table stakes for information security you just have to do it. (paraphrasing one Board member s comments) January 2015 Board formally endorses MFA initiative after a presentation on information security risks and strategy February 2015 Medical leadership approves MFA strategy and asks for a detailed roll- out plan March 2015 Pilot begins with requiring MFA for Duke Medicine IT staff April 2015 MFA policy and roll- out plan approved through governance; 9/1 established as target date for requiring MFA for remote access to clinical systems

22 Key provisions of the MFA policy System Scope User Scope Awareness Enforcement Exceptions Remote access to applications that house sensitive information All Duke Medicine workforce members required to enroll in MFA Ensure broad, multi- modal communications and training Managers track and enforce enrollment for their teams Managed through the Information Security Office

23 Challenges Manage Cost Manage Complexity Manage Timeline Piggybacked on theuniversity s contract with Duo Encouraged BYOD for MFA tokens Addressed hardship cases and other one- offs by centrally funding fallback solutions (e.g. Yubikeys) Goal was to minimize disruptions to clinical workflows Leveraged work already done by the University with Duo and Shibboleth Provided flexible options for MFA tokens to meet many needs Limited initial scope to highest risk areas, and build from there Needed to enroll and train 20,000+ users in 5 months Put our bosses to work! Executive support was crucial Communications: newsletters, memos, in- person outreach, direct s Created natural consequences for failing to enroll: no remote access

24 Turning up the heat on MFA in All staff memo Direct to user notifications All staff memo All staff memo Users enrolled in the given month Total users enrolled by the end of the current month

25 Crunch time enrollment for Duke Medicine 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 39% 39% 41% 43% 45% 46% 49% 01- Jun 08- Jun 15- Jun 22- Jun 29- Jun Newsletter article 06- Jul All staff memo 13- Jul 56% 61% Enrollment reports to leadership 20- Jul 27- Jul 67% 72% 76% 83% 90% 94% 03- Aug Newsletter article 10- Aug 17- Aug Direct user notifications 24- Aug 31- Aug 07- Sep Enrollment %

26 Support impact on Service Desk calls Sep 14- Sep 07- Sep 31- Aug 24- Aug 17- Aug 10- Aug 03- Aug 27- Jul 20- Jul 13- Jul 06- Jul 29- Jun 22- Jun 15- Jun 08- Jun 01- Jun Based off 30,000 Duke Medicine employees (faculty, staff, doctors and nurses)

27 Support impact on Service Desk calls 800 Go- Live Sep 14- Sep 07- Sep 31- Aug 24- Aug 17- Aug 10- Aug 03- Aug 27- Jul 20- Jul 13- Jul 06- Jul 29- Jun 22- Jun 15- Jun 08- Jun 01- Jun

28 Coming of age

29 What did we learn? Have a good communication plan and ACTIVE executive support Consider and document your policy Decide on an enrollment strategy (hands on sessions, and don t force- enroll) Set a date to complete enrollment and enforce on a service used by most people Focus on critical groups/assets first Think about other areas to add MFA it s not just a gateway service Think about edge cases that don t log into campus services regularly