MULTI-FACTOR AUTHENTICATION PROJECT
James Perry, CISO
Jeremy Parrott, Deputy CISO
Why
What
How
Lessons Learned
Something you know… + Something you have… + Something you are…
THE PROBLEM
“81% of hacking-related breaches leveraged either stolen and/or weak passwords.”
—2016 VERIZON DBIR
HACKING
MALWARE
SOCIAL
UISO Threat Mitigation Strategy
Data from 1/1/17 to 2/28/17

Attack Area: URLS, ATTACHMENTS, & SOCIAL ENGINEERING
Challenges:
• >5,500 Phishing Emails Reported
• 67 Confirmed Security Incidents
• Targeted Executive Phishing
• Blocking of *.ZIP files

Attack Area: KNOWN MALICIOUS DOMAINS & URLS
Challenges:
• 19.4M Blocked Requests
• 901K Malwares Prevented

Attack Area: DOWNLOADS & OTHER NETWORK TRAFFIC
Challenges:
• ~60% of network traffic now encrypted – limits effectiveness of security monitoring
• Existing tools largely alert only

Attack Area: STOLEN USERNAMES & PASSWORDS
Challenges:
• >1,000 accounts compromised last year
• Unauthorized payroll direct deposit changes and IRS tax fraud at peer institutions

Attack Area: FILE SHARES, PORTABLE MEDIA, & PERSONAL EMAIL
Challenges:
• Traditional signature based Anti-Malware ineffective due to polymorphism
• Only ~30% of University systems have needed security tools deployed

WEB APPLICATION ATTACKS: #1 Incident Pattern for the Education Industry (2016 Verizon DBIR)
A SOLUTION
RETIRE COMPLEX PASSWORDS
MFA
TRAINING
A PERFECT SOLUTION?
IMPLEMENTATION
Pre-project (2014)
• Procurement
• Ad-hoc adoption

Phase I (2016)
• April project launch
• July Implementation

Phase II (2017)
• June 5th deadline
• 72,000 users
May 3, 2016, Slide 14
Multifactor Authentication INITIATION Review

Phase I Work Plan
• Integrate servers
  – Scan network for SSH / RDP direct connections
  – Identify UTS owned
  – Onboard to UTS VPN or add MFA and test
• Execute Public Relations plan
  – Build awareness within the university system users
  – Call to action to enroll in the service in preparation
  – Notify vendors with local accounts to migrate to AD accounts
• Move all users from an old UTS VPN to the existing UTS VPN
• Identify applications in scope for MFA by June 30, 2017
Phase II Work Plan
• Develop a communication plan to include
  – Notification process of applications that require multifactor authentication
  – Continued call to action to enroll in the service in preparation of multifactor authentication being added to applications
• Integration of multifactor authentication
  – Based on the authentication method. Some of those identified include
    • CAS
    • Shibboleth
    • LDAP
    • Direct connect via SQL.NET 1521 Oracle
LESSONS LEARNED
Communication
Communication Plan
3,200
June 5th: 17,259
42 MESSAGES
June 5th: 17,259
Aug 24th: 69,291
24%
LESSONS LEARNED
SUCCESS FACTORS
1. STRONG PROJECT DRIVERS
2. COMPREHENSIVE COMM. PLAN (+consequences)
3. PHASED THE DEPLOYMENT
Fill in these questions with a name.
• Whose reputation is actually at risk? ____
• Who is asking about the status of tasks most often? ____
• Who is driving the project—and has the influence to make changes happen? ____
• Who is making the technical decisions even if they are unpopular? ____
*If the PM is the answer to the majority of these questions, then there is a problem.
MFA PROJECT LEADERSHIP
• DECISIVE
• ACTIVE
• SENSE OF URGENCY
• REPUTATIONAL RISK
• OWNERSHIP
ADOPTION RATE
1. HAVE GATES
2. USE REAL, CONCRETE CONSEQUENCES
3. DEPT IT STAFF
June 5th: 17,259
Aug 24th: 69,291
AREAS FOR IMPROVEMENT
1. USER TESTING (Comm & Site design)
2. REAL-WORLD TRAINING
3. SCALE THE SERVICE DESK
INTERESTING TAKEAWAYS
1. PROJECT NAME
2. SR LEADERSHIP DEMO
3. COMM WITH PARENTS
?