My next question actually comes in two parts so the first part is how can we match authentication methods to the security profiles of different groups of employees and third-party suppliers?
So that's the first part and then
How secure is 2fa and is it worth deploying what biometric devices are on the market or coming to market for remote for remote security?
So that's um quite a big sort of question which we've compiled together so we'll start with you simon on this one
Yeah this is a very wide range of subjects here so um almost time back to my first answer about a a strategy um document so how we off match authentication around different groups of employees again if you went back to having a strategy of this is our corporate solution that would help match those against the the existing strategy um and look at the question there says how secure is 2fa 2fa is a an older term we don't tend to use that anymore we tend to use mfa which 2fa is a subset of multifactor authentication so that goes back to the um something we know have and are two faces only two mfa is more it can can be more than two three four five factor authentication um on that market there there was lots and lots of different devices coming in um i would say it's definitely worth deploying putting in um i would say you'd be you'd be very susceptible to just basic email forward and everything else if you didn't have mfa or at least 2fa in place um that's how a number of the um all the compromises are being exploited via um people just exporting their username and password literally today i've seen another post from um here i've been pawned another big breach of millions of accounts and passwords being exposed um even if you're using them and passwords would expose if you had mfa in plates you would still have a level of protection in place they wouldn't be able to exploit it um but yeah the types of technologies in place there's a huge market out there there's face scanners hand scanners fingerprints retinas there's huge markets which again has other security concerns as how secure are these actual devices themselves yeah as a lot of us will be familiar with iot devices not having them built security and being able to hack the devices having a fake scanner or a fingerprint scanner is not very good if it itself can be scanned so there's a concerns around that but there's a huge market around that
Um i'll pass on to someone else to talk now
All right sure absolutely i mean one of the things i when i take an approach to authentication mechanisms i really like to step back and i write like i typically classified into two different categorizations you know the human side of things where there's a human human interactive side and then there's the non-human which tends to be machines or iot or service accounts or applications so i tend to kind of separate them into two categories because the security controls you apply to those are very different and you can apply much more aggressive security controls to things let's a machine identities or service accounts you can actually apply rotation so that no one in the organization ever knows the password and that is it's used on demand just in time it's basically elevated on you know in real time the human side of things you want to be making sure it's as effective as possible for the human to be able to use it you don't want to create any type of negative experience when it comes to security otherwise humans will find a way around it so for that side of things i like to categorize and classify the human side of interactive into different risk categories so then it comes into making sure you've got a very solid risk understanding about what types of applications those users are using is it a system administrator who's managing servers is a security analyst who's running vulnerability scans across the organization or is operation team deploying patches is it a business user who's accessing hr information or doctor accessing patient records so really getting into doing from a data classification and data risk assessment to understand about what is the satisfactory type of security controls i'm actually getting the point where almost all users in your organization are now privileged they're privileged because of the type of data they have access to but it doesn't mean that all privileged users are equal it doesn't mean that all theirs should be all classified the same so it means that you have to take a risk assessment and apply the right security controls based on that risk and this moves into the next portion of the question which is around 2fa again it comes into what are you protecting what is the what is the account what is the type of application or system that you're protecting um if it's something that isn't very high level very high sensitive very high risk to the organization and something that maybe just something basic like a twitter account or something that is something you know that is you know not very essential to the business then 2fa might be enough gfa might be satisfactory to the business in that regards um it's better than nothing it's better than just leaving a password as the only security control because we know time and time again the passwords basically will be correct it will be compromised so therefore yes 2fa is is enough for some accounts but it might not be enough for other accounts and therefore you know it really comes down to really deciding whether it's worth deploying an organization the second part of that question we're on the biometric side of things uh you have to step back and and the way i look at biometrics sometimes we get confused in biometrics some people tend to think that biometrics replace passwords or as a security control in fact biometrics is not biometrics replaces the identifier portion of authentication it's an identifier it's actually replaces usernames or replaces the email address that using the login because it's an identification and therefore it does have better security controls applied to it than a traditional email or username so it is a much better secure identifier but it should not be the only security control of the only thing that you're relying to a lot of authentication to fully access systems so it should always be complemented with other types of security controls whether it being push notification pins you know multi-factor authentication whatever it might be should always enhance biometrics with additional security controls and when the risk changes it really comes into how often you trigger it how often you require that user to verify themselves on top of that and it really comes down to that's the type of efficiency that you you can apply so biometrics and devices absolutely use them um they're great but you should not be looking at it as a password replacement it's a username replacement
Very good okay Ricky
Thanks john so um i've got quite a bit to say about multi-factor and biometric authentication i do quite a bit of work globally with investors and and people buying you know companies that do authentication first thing is passwords are have been said to be on their way out so i'm still yet to see the end of passwords but i do believe that one day we will get rid of them because they're easily compromisable and there's lots of them out there so when i turn on my last pass it says 97 of your past of your over a thousand passwords have been compromised and as joe mentioned you can go on to the dark web or go on to have i been pawned and troy's done a great job you can see all your accounts that have been compromised but that wasn't my fault there was someone else's systems are terrible and they've been compromised however i've got multi-factor on most of my accounts and the reason i have that is because i know that my passwords will get compromised because of lack security then the multi-factor will help me however i have something to say about the vendors that release accounts to the end user base without security by default just shocking so we've got cloud vendors today and i'm happy to name who they are previous you know organizations i've worked with in the past massive big monster companies and there's no multi-factor by default so they insecure by default that is absolutely unacceptable so when you get a username and password on any system it should be multi-factor by default otherwise their security will be relaxed those credentials will get out onto the dark web and there will be a breach and if you're in europe breaches are um something that the information commissioners now have teeth and they are biting at your ankles if you experience a breach and i hope they really knock them out you know so we've already seen this with the likes of ba and uh it's starting to happen so first thing i think that will happen is multi-factor will become de facto very very soon out of those thousands of accounts most of them you can turn multi-factor on now by default from a biometric perspective biometrics are just another way of saying any human measurement of your human being or your personal data being able to identify you your behaviors etc those are going to be used to identify you more and more and i'm working with several companies in silicon valley that have got some really cool stuff but what i see coming very soon is continuous authentication so you're sitting behind your your system it knows dynamically who you are google already do this by the way you can take an android out the box and before you've started browsing they already know who you are just by using by signature dynamics just by the way you use your phone and the accelerometers tilt in the device they already know you i can easily prove that so that's a form of biometric so that's going to start happening more and more and eventually the password will disappear and that will be your multi-factor contextualized authentication so the world is about to get a lot more interesting but one of the things i ask the audience and everyone else is why isn't it on by default we are insecure by default which is just against all cyber security uh best practice and i i don't agree with that i think that um you know the big cloud vendors that get us to put all our data in the cloud should have us secure by default and multi-factor is another barrier to stop uh the bad guys from getting in you know so we're dealing with breaches all the time in our organization for our customers doing the incident response and the first thing we see is that the credentials have been have been captured and it's very difficult to capture a dynamic credential it's possible but very difficult much more challenging to capture the multi-factor you know the unique code otp or whatever it is so i'm a big advocate of that and if you go to black cats and you sit with hackers and you talk to them and you say what's the biggest obstacle most of them go multifactor they go that's really a difficult thing to overcome they can do it there's sim swapping another i can teach you guys how to do it if you want that's not the point the point is it should be on by default so i'll pass on to my fellow panelists because i don't want to talk about this all day
All right Lorraine
Follow up that one yeah i would be interested to see how many personalities that that assessment comes up with for me that'd be interesting how many lorraines are there in that way um but for me it's about risk i'm looking at the perspective looking at the conditions of access so you know risk really determines the challenge the authentication i'm going to take my individuals through their journey they can be a an individual user corporate device on the corporate network looking to access a low-level application i'm really setting the conditions of you know what i'm going to challenge them with it might just be password or single sign-on etcetera but you know they start same people same environment start to elevate into a different classification of application you know a higher level sensitivity and yeah i'm going to give you two factors now i'm going to well i'm going to give you another um authentication challenge and push you up and elevate you up that process so for me it's about risk it's not just about the single identity itself and whether it's privileged or not about what is that individual doing where are they in what environment they're in and what challenge do i need to give them to make sure that the access that they're getting is challenged enough that i feel secure in that environment that i'm giving the right person the right access at the right time for the right length of time so it's ensuring that we've we've got a lot of time bound and critical aspects on that um you know and that's why i think the the profiles and user groups that the question asked for in the the beginning doesn't necessarily really come into play as much because it's about me as an individual i could be on a pboid a third party could be on a boise source is looking at the environment around them and the action they want to perform and then looking at what challenge you want to give them and you elevate those challenges through as they move through the cycle of your environment or the different levels of application so very much drawn it from a risk classification about what are they doing where are they how risky are they at this point in time um and then giving them the right challenges and making sure that you've got breadth of challenge and that you you can accept and the systems you have are able to accept that because you know what if you're getting right up and you think i think we've run out of digits and eyes and your feet to be able to authenticate what you know what am i actually going to ask this person to do next and make sure that in the business we've got the ability to recognize it and manage and maintain it because starting getting all these you know other authentications and it's just a whole raft of other data we have on people what are we going to be doing with that information how are we going to protect even that information so it just adds a layer of complexity but that's you know that's how we look at it from our perspective it's about risk based
Brilliant okay alright so that's the second question down