On 25th July 2019, the New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, making it a state law. This act amends and broadens the coverage of the existing data breach notification law by expanding the definition of:

1. Covered Entities to include any individual or entity that holds the private information of a New York State resident, regardless of whether that individual or entity does business in the state of New York.
2. Private Information to include - username or email address in combination with a password or security question; biometric information such as fingerprints, voice print, retina or iris image; account number, credit or debit card number that can be used to access an individual's financial account without additional identifying information.
3. Data Breach to include unauthorized access to private information regardless of whether that data has been acquired by unauthorized personnel. The data breach notification law would be triggered indications if private information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.

The New York Law Journal reports:

"The SHIELD Act does two things, primarily: It amends New York’s data breach notification statute, General Business Law §899-aa to update its definitions, and also creates a new §899-bb requiring substantive data security controls of any person or business that owns or licenses computerized data including the defined “private information” of a New York resident. In doing this, New York has brought itself into line with a number of states concerning how they define a data breach, and, where applicable, what substantive security controls they require. The SHIELD Act also adopts the approach of several states, including Massachusetts, Florida, and Nevada, which purport to extend their jurisdictional reach to any person or business, anywhere in the world, that owns or licenses data concerning a resident of that state. In this regard, New York has converted §899-aa into, and created a new §899-bb that functions as, a possession statute: 

If you process computerized private information concerning a New Yorker, you now fall under the statute’s requirements. This change in territorial scope, of course, vastly increases the pool of persons and entities that are subject to possible enforcement under §899-aa, and creates an entirely new ground for enforcement against this increased pool under §899-bb. The statute’s expanded definition of “private information” also increases the likelihood of enforcement."

The SHIELD Act also amends the general business law by adding a new data security protections section 899-bb. This section outlines the compliance requirements for a data security program with “reasonable safeguards” to protect private information. The reasonable safeguards extends to the service providers of the covered entities and the safeguards must be required by contract.

The SHIELD Act’s amendments to the breach notification law take effect on October 23, 2019. And the data security amendments to the general business law take effect on March 21, 2020.

Who Does the Shield Act Apply To?

The SHIELD Act applies to any person or entity, regardless of their location, that owns or licenses computerized data which includes private information of New York State residents.

What Should Businesses Do to Comply?

Organizations that comply with HIPAA, GBLA, NYDFS and other federal or New York State data security regulations are considered compliant with the reasonable safeguards requirements section of the SHIELD Act. The reasonable safeguards include:

1. Administrative Safeguards
1. Designate one or more employees to coordinate the security program
2. Identify internal and external risks
3. Training employees on security program practices
4. Select service providers capable of maintaining appropriate safeguards and require those by contract
2. Technical Safeguards
1. Assess risks in network and software design and in information processing, transmission and storage
2. Detect, prevent and respond to attacks or system failures
3. Regularly test and monitor the effectiveness of key features of the security program
3. Physical Safeguards
1. Assess risks associated with information storage and disposal.
2. Detect, prevent and respond to intrusions.
3. Protect against unauthorized access to or use of private information during or after collection, transportation or destruction of information.
4. Dispose of private information within a reasonable amount of time

According to the SHIELD Act:

“Small businesses are also subject to the reasonable safeguards requirement; however, safeguards may be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” A small business is any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets”.

What Is the Consequence?

The SHIELD Act does not authorize a private right of action and a class action litigation. But, the Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are not reckless or knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For reckless and knowing violations courts may impose penalties of the greater of $5000 dollars or up to $20 per instance but no greater than $250,000. For reasonable safeguard requirement violations, the court may impose penalties of not more than $5,000 per violation.

How Can Duo Help?

A strong data security program must include an adaptive multi-factor authentication mechanism to safeguard against unauthorized access. Your organization can easily comply with the SHIELD Act and strengthen security posture using Duo. Duo enforces strong access security policies to prevent unauthorized users and devices from gaining access to private information, even when the users’ credentials are compromised.

Multi-Factor Authentication - Duo verifies users’ identities with strong two-factor authentication before granting access to applications that may contain personal information. This protects user identities and ensures that only authorized users are able to access PI/sensitive data.

Device Visibility - Duo provides IT teams with visibility into which corporate-managed and unmanaged devices are accessing company applications and data. This provides organizations with the ability to set security policies to protect their sensitive resources

Trusted Endpoints- Duo checks the security hygiene of devices before granting access, giving complete control over what and who has access to systems storing PI/sensitive data. By leveraging Trusted Endpoints organizations can augment their security posture to ensure that only healthy, trusted devices gain access to sensitive resources and can block unauthorized devices.

Access Policies - Enforcement of strong policies ensures only trusted and authorized users and healthy devices can access critical business applications and the data they store while blocking unauthorized access. By enabling enforcement of access policies at an app level organizations can differentiate critical corporate apps (ex: ERP) from generic work apps (say cafe menu).

Reporting/Audit - Duo’s dashboard and reports enables administrators to monitor authentication attempts and identify suspicious login events in case of compromised credentials. Duo also records comprehensive logs that help businesses demonstrate compliance during audits.

Conclusion

Complying with regulatory requirements helps prevent penalties and fines due to willful violations. More importantly, compliance minimizes risk of a breach. Many organizations choose Duo because of the ease with which they can achieve compliance and improve security posture.

Read the following blogs to learn more on how Duo can help achieve compliance for HIPAA, CCPA and NYDFS regulations.

Download this Duo for Compliance datasheet to get an overview on how Duo’s solutions satisfies specific controls.

See how some customers have leveraged Duo to satisfy compliance requirements: HIPAA, GBLA, NYDFS

Sign-up for a free trial to experience the product and see how Duo can satisfy some of the requirements outlined by various data privacy regulations

Amazon Web Services (AWS) stores a history of API calls to the data storage service S3 via a service named CloudTrail. These logs are important for auditing what has happened in an AWS account. They can be used to understand errors that have occurred, review historical usage so that tighter IAM policies can be implemented (such as with CloudTracker), test ideas for new detection rules, investigate incidents and more. To search these logs, you can download them and use grep or jq to search through them, but that can be slow. You could ingest them into a log analytics platform—but that can be expensive, difficult to maintain and require consideration of resource consumption. 

To solve these problems, we’re excited to announce cloudtrail-partitioner which automatically organizes your CloudTrail logs in a format suitable for quick, cheap and simple querying with Athena. 

How it works

The cloudtrail-partitioner is based on work by Alex Smolen in his blog post Partitioning CloudTrail Logs in Athena. Our contribution is to make that work easier to run by incorporating it into a CDK (Cloud Development Kit) app and adding functionality to incorporate new regions and logs from new accounts automatically. Athena is a serverless AWS service that allows you to use a SQL interface to query data stored in S3 buckets.

When using Athena one needs to define a table to describe where your data is located and its format. You can additionally define “partitions”, which are based on the folder path structure to limit the amount of data read. This is useful because the Athena pricing model is based on the amount of data read, so by defining which files should be looked at you can reduce your costs. In my experience, querying less data also results in the queries running faster.

The file path used by CloudTrail logs includes the year, month, and day. As these values change every day, you’ll need to regularly create new partitions daily. AWS also periodically adds new regions, which are also part of the file path, so again, you’ll need to ensure you create new partitions to account for the new regions. Finally, your company may add new AWS accounts, which you’ll have to create new Athena tables for. It is due to all this work that we built the cloudtrail-partitioner to perform all those tasks automatically.

To use the cloudtrail-partitioner, you’ll need to first edit a configuration file to define the S3 bucket that contains the logs and an SNS to send any errors to. Then we recommend you run the  cloudtrail-partitioner manually, which not only helps ensure things are setup correctly and allows you to use Athena tables immediately, but also creates partitions for the past 90 days by default. After you then deploy the CDK app, a Lambda will be created that runs on a nightly schedule to create the new partitions. This will figure out what CloudTrail logs you have, whether they are configured by the account or via AWS Organizations.

Using the Athena tables

Tables are created for each AWS account, which will look like cloudtrail_000000000000. You can query those directly, or if you want to run a query across all account logs, a view is created named “cloudtrail”. An example query that makes use of the different partitions is:

A more advanced query can be used to find counts errors by user across all accounts.  This can be useful for finding applications that aren’t working correctly, or could identify compromised applications that are attempting API calls they aren’t allowed to make:

Conclusion

Using Athena can be a cost effective and low maintenance solution to provide your teams with an easy way to query their CloudTrail logs using SQL. This solution makes setting up the required tables and maintaining the partitions easy and with best practices of infrastructure as code, least privilege, and monitoring for errors. 

Try it out for yourself at https://github.com/duo-labs/cloudtrail-partitioner

The financial services industry is broad and roomy as it covers everything from stocks and investment portfolios, to banking and insurance, to technology that caters to the FinServ industry. There is that old saying “follow the money” and when it comes to breaches with high impact, they typically involve bad actors trying to get to the money. The impact of a breach for financial services is significant, with one study reporting an average cost of $1.3 million to restore services after every DNS attack and an average of 10 attacks per year, and that is not including downtime or resources required to address the breach. The good news is essential financial services breach protection begins with with an affordable solution, two-factor authentication (2FA). 

As financial institutions move into the hybrid cloud and incorporate more mobile technology, new data shows that 45% of access requests to protected applications come from outside the firewalls. To stay compliant with the new federal, state and local laws financial firms are putting 2FA in place as a preventative measure and to stay compliant. 

The perimeter has shifted, and to reduce the risk of a breach amid this shift, financial organizations of all sizes are enforcing 2FA as a cost-effective security control that can establish user and device trust before granting access to applications (this process is known as a zero-trust security approach where no device or user is trusted until authenticated and authorized by multiple factors vs. just a password). 

These security controls include strengthening user authentication, requiring screenlocks and disc encryption, disallowing devices with out-of-date browsers and operating systems, or blocking anonymous IP addresses, designating safe regions, among other steps. Organizations are able to use zero-trust tactics by implementing 2FA to quickly mitigate threats posed by zero-day vulnerabilities.

Passwords Just Aren’t Enough Protection

The main reason why two-factor authentication matters is that a password is no longer strong protection for financial services data. Here are a few statistics as to why: 

• 81% of data breaches have been the result of weak or stolen passwords
• 92% of organizations have credentials for sale on the Dark Web
• 61% of people reuse the same or similar password everywhere
• “123456” and “password” were still the top two password choices in 2018

How Duo’s 2FA Can Be a Preemptive Barrier to a Financial Services Breach

The overwhelming majority of financial services breaches begin with stolen credentials. Credentials are stolen in a multitude of ways but the most common is by phishing or spear phishing, new technology like persistent keyword stuffing or weak passwords. The adoption of business on-the-go via mobile can make it less apparent that an email or link is fake due to shortened information displayed. Breaches happen, but to those who take a defense stance and adopt 2FA have a huge advantage to thwarting breaches because 2FA has been proven to prevent stolen credentials and is sanctioned by the White House as an important measure to prevent security breaches. 

Why Financial Organizations Choose Duo’s 2FA Solution 

Cisco recently released the 2019 CISO Benchmark Study that confirms gaining clear visibility into network threats and getting to zero trust is a top priority for Financial Services CISOs. Duo Beyond is a zero-trust security platform that addresses user and device risk for every application so that CISOs can relax and rest easy, saving their energy for real problems. D0u helps financial companies:

• Stay compliant. Duo provides end-to-end visibility, reporting and logs of assets. Duo's endpoint visibility gives a detailed overview of users' devices (managed or unmanaged, mobile and laptops/desktops) with compliance-friendly reporting and logs
• Reduce time to security: Duo's native integrations protect on-premises, cloud, remote access, VPNs, etc. to enable business agility, allowing admins to roll out security in a matter of hours and days
• Compromised credential prevention. Eliminate the threat of attacks that stem from compromised credentials with Duo's easy and effective. When a user logs into an application, they verify their identity with Duo’s two-factor authentication (2FA), preventing the risk of unauthorized access due to stolen or weak passwords
• Duo’s platform detects and tracks every device accessing protected applications, including desktop, laptop, mobile, corporate and personally-owned devices – without using an agent like MDM. Identify mobile devices with certain security features enabled or disabled, as well as their security posture. BYOD, no problem
• Secure cloud infrastructure access: DevOps and engineering teams can SSH to servers remotely and securely with Duo to access development environments and deploy code, as required by compliance regulations
• Duo does the work of many different security tools, all in one platform: strong/adaptive authentication, endpoint visibility and control, remote access and single sign-on – increasing the value of your security investment
• Duo's technology and security partnership ecosystem makes it easy for you to eliminate complexity while protecting your existing IT investments
• Notify users to update. Duo alerts users to install required updates to prevent risk
• Have more policy control. Start adopting zero-trust security. Manage contextual policies, role-based policies, app-specific policies, location-specific policies and more with Duo. 

Duo Helps Align Security Operations with IT Operations

The Chinese symbol for danger doubles as the same symbol meaning opportunity. This paradox is similar to the competing priorities between CSOs and CISOs. On one hand, the CISO manages the security operations team with the goal of enforcing and controlling trust to keep data safe; while on the other hand the CIO manages the IT operations team and is tasked with completing projects and increasing revenue with a focus on expanding business with new technology. They often have similar but competing goals to modernize the way business is done and to be secure while maximizing efficiency and business objectives. 

Duo 2FA helps to align security operations with IT operations by streamlining multiple security tools in one agnostic platform.

Sign-up for a free trial to experience the product and see how Duo can preemptively help protect your financial organization from a cyber security breach and stay complaint.

Blog Recommendations:

#Winning: Securing FinServ Hybrid Clouds with MFA

How Duo Enables Compliance and Improves Security for the NYDFS Finance Regulation 23 NYCRR 500

What is Criminal Justice Information Services (CJIS) Security Policy?

Law enforcement officers, first responders, district attorneys and officials from other justice agencies need timely access to criminal justice information (CJI). The Federal Bureau of Investigation (FBI) in collaboration with other government agencies have put together the Criminal Justice Information Services (CJIS) Security Policy. The policy provides a minimum set of security requirements to access the CJI data.

How Duo Can Help:

The CJIS security policy lists control requirements across 13 policy areas. Duo can specifically help criminal and justice agencies meet the advanced authentication requirements under policy area 6.

Policy Area 6: Identification and Authentication

5.6.2.2 Advanced Authentication: 

“Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based digital certificates… or “Risk-based Authentication” that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification…”

Duo provides easy to use multi-factor authentication products to help meet CJIS authentication requirements. Duo’s granular access control policies and supports secure authentication methods such as Universal 2nd Factor (U2F), biometrics, push notification, passcodes, smart cards and hardware tokens. 

In addition, admins can use Duo’s policy engine to implement risk-based authentication based on factors such as user location, network address ranges, device security status and more. For example: If an access is attempted from outside the country, Duo can block  access based on policy controls that deem access outside the country is not permitted.

Further, Duo uses Federal Information Processing Standards (FIPS) 140-2 validated cryptographic modules to achieve FIPS 140-2 compliance. Duo Push and Duo Mobile passcode authentication methods are FIPS 140-2 compliant by default with no configuration required by administrators. Duo Push and Passcode authentication methods are built in-alignment with NIST 800-63-3 AAL2 requirements.

A Typical Use Case For Law Enforcement Officers:

Field police officers are always on the move in their squad cars. These field officers need to access the criminal justice information systems in order to verify an individual’s identity or a driver’s record. Duo’s MFA solution with support for multiple authentication methods and easy integration NetMotion VPN helps police departments satisfy the CJIS requirement. With Duo, law enforcement officers are prompted for a second factor authentication when logging into VPN on their mobile data terminals (MDTs). The officer uses his smart card or a hardware token to fulfill the 2FA and is allowed to access the CJI database.

A Typical Use Case For Justice Department Officials:

A prosecutor from the office of District Attorney visits a correctional facility and needs to access his email, which contains CJIS information. When the prosecutor uses a secure terminal to access his email. Duo detects that the user is logging in from a new device prompts for a second factor authentication. Duo also captures the device information and maintains a comprehensive audit trail. Duo’s solution integrates with complementary CJI data sharing solutions to provide advanced authentication capabilities for secure access.

Duo Is FedRAMP In Process

Duo is FedRAMP in process and works with federal, government, local and state organization to meet compliance regulations and stay secure. 

Sign-up for a free trial to experience the product and see how Duo empowers Public Safety and Justice Agencies with secure and compliant access to criminal inform.

As we get ready for the Gartner IT Symposium/Xpo in Orlando, we’ve been thinking more about every element and imperative in their CARTA model: Continuous Adaptive Risk and Trust Assessment. Since ‘C’ also stands for Cisco, let’s start there.

Gartner uses the word “continuous” in a lot of places, including in their seven imperatives. It’s a reaction to the former practice of using what they call “one-time security gates”: you made a decision based on a static set of information (such as a source IP address or a username and password combination), and then you never revisited it. We know that this practice isn’t sufficient to maintain the proper level of trust. Trust is neither binary nor permanent: you don’t trust something or someone to do everything, and you don’t trust forever. Based on the changing nature of risk and the environment, you have to check more than once.

....Read more at Cisco

Duo has recently partnered with two of the leading providers of physical access security: Tyco Software House and BioConnect. The partnership tells a complementary story. Duo was born in the cloud. Since our inception, we’ve focused on providing a simple, secure authentication workflow into any business application. Tyco and BioConnect live in the concrete world of building and office access.

Duo offers a broad integration portfolio that includes hundreds of cloud and on-premises applications. Thousands of customers leverage Duo to protect a diverse set of applications, from Office 365 to the AnyConnect VPN or even custom on-premises applications. Our technical integrations and partnerships have primarily focused on protecting the workforce from compromised digital credentials and data breaches. 

However, we’ve come together with Tyco Software House and BioConnect to to answer the question: how can we also protect physical workplaces and physical credentials? 

Physical credentials can take many forms but often come as key cards or badges that are used to enter business critical facilities. Many of us are familiar with physical credentials and access control from their supporting roles in heist movies. In most cases, a ragtag group of would-be thieves includes a pickpocket whose responsibilities involve lifting a key card from an unsuspecting VIP. While this fictionalized version of credential theft is not the most common case for losing physical credentials, at its heart it still reveals a potential hole in physical access control. When the crown jewels are at stake, these partnerships and integrations can help you verify that the holder of a physical credential is the person who belongs to the card.

Tyco Software House

Tyco Software House is committed to providing a robust security and event management solution for buildings across the globe with its C•CURE 9000 platform to protect any company’s people, buildings, and assets. This solution scales to protect buildings of any age, layout, or location, whether a company is protecting one door or hundreds. 

And now, C•CURE 9000 seamlessly integrates with Duo’s multi-factor authentication (MFA) solution to provide an additional layer of security at points of access. The integration is simple to set up and provides an easy and effective end-user experience at a company’s most critical locations. C•CURE 9000 customers will not have to change any infrastructure or card readers, and employees can self-enroll in Duo. When deployed, an employee simply taps their access card as they would normally, but instead of gaining direct access they are challenged with a second form of authentication on their preferred device. For more information about the integration and the Tyco Software House’s product portfolio, check out this informational video and this integration announcement.

BioConnect

BioConnect is spearheading the unification of the digital and physical access management sectors. Their previous solutions are known for leveraging biometric credentials (face, voice, fingerprint and eyeprint) to secure access to both physical assets, like data centers, and digital assets, like corporate portals. The outcome is higher identity assurance of who is accessing what and provides in-depth reporting and analysis regarding a company’s physical and digital access points.

BioConnect has realized a gap in the physical access market where certain customers’ physical access points are not equipped with biometric readers. In these cases, a BioConnect customer may need to use a badge on a door that currently does not provide a second factor of authentication. In order to address this use case, BioConnect has integrated with Duo’s MFA, adding it to BioConnect’s authentication flow. With Duo and a retro-fit solution that is integrated into 80% of the top access control system providers, it becomes easy and cost-effective for BioConnect customers to provide step-up authentication on all doors or access points. 

To learn more about how this integration ensures security in every case, check out BioConnect’s documentation or their video guide to using Duo at the door.

Security Back-To-Basics

Social media accounts can be prone to hackers. Whether you are a social media influencer, journalist, student or the President — you definitely want your Twitter account to be protected. Good news! Duo Mobile's 2FA can help. 

Chances are you or someone you know has had their social media accounts stolen. This is a big bummer on many levels from trying to get your accounts back, to someone messaging your networks without your knowledge or permission. 

Want to up your security game and prevent hackers from getting access to your accounts?

Today, almost all major social media platforms allow you to add an additional layer of protection to your accounts. Two-factor authentication settings can usually be enabled under your account’s security and login settings. You may find settings with names like “Additional Verification” or “Login Verification” or “2FA” (two-factor authentication) but know that these are all talking about the same thing: Two-factor!

Today we will walk you through step-by-step on how to keep your Twitter account on lock, and secure from hackers.

How To Set-Up Duo 2FA With Your Twitter Account

Let’s first take a look at how to protect your Instagram account using Duo Mobile. First, download Duo Mobile from the app store. 

Step 1

Visit Twitter.com and on the left side, click “More”

Step 2
Select “Settings and privacy”

Step 3
Under the Account settings, select “Security”

Step 4
Click “Login verification”

Step 5
Click the box to enable Login verification

You’ll be sent an SMS verifying your phone number. Once you verify, you’ll see this screen. Click the “Mobile security app” box.

Step 7
Click “Start”

You’ll be presented a QR code. You will use Duo Mobile to scan this code.

Step 8
Open Duo Mobile, and tap the “+” button in the top right of the app and scan the QR code.

Put the passcode Duo Mobile provides into Twitter in your browser.

Step 10
Add the code and verify

Done! You are all set

Duo Mobile makes it easy to restore your third-party personal accounts with Duo Restore. But...you should save recovery codes. It’s important to save these recovery codes if you have not enabled Duo Restore. 

They’ll help you regain access to your Twitter account in the event your phone is sold, lost, stolen or broken if you have not enabled Duo Restore.

And now your Twitter is hackerproof! Check out Duo 2FA today!

Here at Duo, we think about authentication a lot. We’re constantly on the lookout for new techniques and technologies that will make it easier for users to authenticate, more difficult for attackers to impersonate a user, or both at once. WebAuthn is a great example of this. What really grinds our gears is when we see bad auth decisions, such as mandatory password rotations, security images, or the use of social security numbers as passwords. But in this article, we’d like to avoid focusing on bad auth, and instead focus on uncertain auth.

There are a multitude of different techniques used to authenticate someone or something, and it can sometimes be difficult to reason about a given technique’s security properties, which makes trusting it difficult. Without clarity of how an authentication technique actually works, it can be difficult if not impossible for users to make a reasoned decision about its security. In this article, we aim to surface uncertainty as a qualitative metric by which authentication techniques can be judged, as well as illuminate some pitfalls this uncertainty can lead to in practice.

Authentication Basics

Authentication is the act of identifying a user or other entity. A given authentication technique, such as verifying a user’s password, is considered strong if it is difficult for an adversary to impersonate the user. However, performing strong authentication can be cumbersome, depending on the technique, and so many applications perform a stronger, less convenient, authentication only at certain high-consequence points in time. For instance, when logging in to a website. For convenience, these applications often then rely on a temporary proxy of that authentication, such as a session token bundled in a user’s browser cookies, for continued authentication with every page request. Not every authentication mechanism must be strong. Often, we can use multiple mechanisms to compensate for weaknesses in one or another.

Over time, more convenient authentication mechanisms have been developed, such as using biometrics. These authentication mechanisms aim to reduce user friction and make the process of manually authenticating as simple and easy as possible. Perhaps someday we humans will develop a strong, automatic, continuous authentication mechanism, but today increasing authentication usability usually comes with a tradeoff. And unfortunately, It can often be difficult to reason about the security properties of the authentication mechanisms that are easiest to use.

Dependable Authentication Techniques

Let’s start by considering a few authentication techniques that are simpler and easier to reason about. The first of these is password authentication, still likely the most common authentication mechanism in use today. Passwords are something you know and are therefore difficult to steal in the physical world unless the human does something like write the password down on a post-it (these are things that grind our gears). Humans can be tricked into disclosing their passwords, database breaches can lead to passwords being cracked and stolen, and poor password choices can lead to major headaches for both users and administrators. Because of these problems, we hope passwords die and are replaced with something better. However, passwords are conceptually very simple. If you possess a user’s password, you can authenticate as that user. This makes passwords very dependable (if not always convenient) and users can choose to take straightforward precautions such as using complex passwords and different passwords for each site to help protect their accounts.

A security key, such as the Yubikey, is also a simple and dependable mechanism for authentication. Security keys store a secret link to an identity, similar to a long complex password. Like passwords, if you know a user’s secret, you can authenticate as that user. However, the secret can never leave the security key, and security keys aren’t susceptible to phishing or credential reuse attacks like passwords are. While the math that proves these security properties aren’t simple, they are verifiable and standardized, and so we can reason about the overall security of security keys in a straightforward manner. The two most promising attacks against security keys are 1) physical theft of the key itself and 2) tricking a user into tapping (i.e. activating) a security key for an authentication attempt they didn’t initiate, which can be mitigated in some cases.

Another authentication mechanism that is simple to reason about is authentication delegation. That is, delegating the authentication to a trusted third-party, and then accepting the result. We see this commonly with email and SMS verification codes, email password reset links and sign-in with (Google, Facebook, Apple). If the user can prove access to another account that is known to be linked to the same identity, they can be authenticated. Of course, if an adversary is able to compromise that other account, then they can compromise all linked accounts. This is why email provider accounts are often the most critical accounts to keep protected, even more so than your bank accounts, since with access to your email account an adversary can reset any other linked account credentials they want. Whether it is desirable or not, authentication delegation is certainly dependable and easy to reason over. Users know that to protect their Spotify playlists, they must also protect their linked email account.

Uncertain Authentication Techniques

However, things get trickier with other kinds of authentication. One mechanism that seems simple at first glance is proximity. Proximity is often used to automatically lock a computer screen when the user walks away, or to automatically unlock car doors when a key fob comes within range. However, even understanding how the technology works, it’s unclear whether we can rely upon this proximity detection in important contexts. Using the car unlocking situation as an example, how far can the user’s key fob be located from the car? It depends on the strength of the wireless signal and whether objects or walls obstruct the signal. If it’s too short, it may not work properly, but if it’s too long, it may allow a car thief to steal the car. Further, proximity authentication is vulnerable to relay attacks in which an adversary effectively extends the range of the proximity detector without the user’s consent. Tight timing constraints can be placed on proximity methods to attempt to defend against relay attacks, but this potentially comes at the cost of reliability. 

Biometrics are another area rife with uncertainty. Perhaps the most common biometric authentication mechanism is the fingerprint scanner. It scans a user’s fingerprint, compares it to a previously-recorded image, and if the two images are similar enough, authenticates the user. And in only that cursory description, we have a number of ambiguities that make fingerprint authentication difficult to reason about. Let’s discuss how the fingerprint itself is scanned. Depending on whether the scanner is optical, capacitive, or ultrasonic, it may be possible to fool with a 2D or 3D printed image of a victim’s fingerprint. Then, beyond the hardware imaging of the fingerprint itself, can we trust the image comparison algorithm to be both sound and correct? Fingerprint scanning software tends to be an opaque black box, even on somewhat open platforms such as Android. Because of this, it becomes more a matter of trusting the vendor (Apple, Google, Samsung, Microsoft, Lenovo, Dell, etc.) to have a secure fingerprint scanning implementation, rather than confidence in the entire technology. Fingerprint authentication may be enough to deter the average phone thief, but it is uncertain whether a given implementation will protect against a targeted attack.

Next, we have facial recognition, which has been used in traditional and mobile OSes for logins, as well as by law enforcement and world governments for tracking purposes. Despite the ease of use, it is difficult to reason about the security properties of any given facial recognition solution when used for authentication. Focusing on the most-advanced such as Apple’s FaceID, we are still left with many questions. Apple claims the false positive rate of FaceID is 1 in 1,000,000, using depth perception via an infrared camera to build a 3D facial model before unlocking the device. This is to protect against 2D printed face attacks. However, this number is apparently based on the probability that a random face will unlock your device, indicating that there are perhaps 7500 other people on Earth whose faces can natively unlock your phone. And there are very few details provided by Apple about how this number was reached.

To avoid false negatives when users change their facial attributes (facial hair, sunglasses, etc.), FaceID must be somewhat permissive. Because of this, researchers periodically demonstrate new attack methods against even its most-recent versions. And this author is actually a fan of Apple’s implementation in practice. Looking at other vendors that may use only a single camera for face unlock, the results are far, far worse. The confusion about which vendor’s technology is secure and which one is not surely leads to a false sense of security in some cases. Facial recognition is another biometric technology that may be incredibly convenient, but it is difficult to quantify its security properties.

Voice authentication is an interesting mechanism, simply because it is often used for telephony and call-center applications where other, stronger, authentication techniques like security keys are infeasible. Voice authentication may attempt to serve as an alternative to the operator’s confirmation of personal data to authenticate, such as asking for a user’s account number and/or security questions. In voice authentication, a user records an assigned verbal phrase to build a profile then repeats the phrase at a later date to authenticate themselves to the provider. The provider will use the tone and inflections in the user’s voice to differentiate a legitimate user from an imposter. 

Intuitively, this technique appears to be trivially exploitable by an adversary taking a voice recording and then playing it back. This is akin to using a 2D image for face unlock, or an optical scan of a fingerprint; both techniques that are still used, but really shouldn’t be. Commercial solutions claim they can detect anomalies and repeated recordings, and perhaps some can. However, all criticisms of the above biometric techniques apply here. How does the classifier work? Whose implementation is being used by the commercial entity the user is calling? While voice authentication may seem to make the account more secure by requiring an adversary to capture a voice recording, in practice, human voices often change due to temperature, stress, sickness and other physiological reasons. How permissive is the classifier that must handle these continual changes? Voice deepfakes are a thing. It is entirely unclear how resistant to attack this technology is. Additionally, when voice authentication fails, the alternative is typically to fall back to another authentication mechanism anyway, such as verifying personal data. Consequently, attackers may gain more options to attack accounts when providers use voice authentication.

On the far end of the biometric space lie Implicit Authentication (IA) or continuous authentication techniques, such as measuring the accelerometer data as a user taps the virtual keyboard or monitoring a user’s gait. To date, IA is not something we’ve seen outside of early research, but finger vein scanning technology appears poised to bring it to a wider audience. However, while vein patterns look pretty unique, it is difficult to find quantifiable data about how unique they really are. Most IA studies seem to test for false positives and false negatives within a very small population (less than 1000 participants) and without large population testing, it is unclear whether these biometric features are even unique to each user, let alone resistant to adversarial spoofing. It is very difficult to reason about the security properties of such techniques without much more information than we currently have.

Consequences of Uncertainty

Despite the criticisms listed above, we believe having biometric and other authentication techniques available is a great thing, especially when threat models are considered and the technique’s strengths and weaknesses are well suited to the use case. Biometrics tend to be extremely convenient, and the best implementations can raise the bar high enough to provide a very secure authentication mechanism. The purpose of identifying uncertainty as a qualitative metric by which to evaluate authentication methods is to highlight its potential negative effect when these are not considered properly, which is often the case.

Uncertainty brings about the potential for misuse, leading to an actual reduction in security. For instance, FaceID is pretty secure and Apple spends a lot of effort to make it so. It also advertises to users that FaceID is a secure solution. But will users recognize that face unlock on Android devices is often trivially bypassable? Should we expect users to know how each vendor’s product works? Is it even possible to do so, with each biometric authentication system being essentially a black box? We’ve reached a point where in many cases, we must place our trust in the vendor instead of the technology because, unlike well-published best-practices for password storage or the design documentation for security keys, no major vendor seems to publish their fingerprint or facial recognition algorithms, or even statistics on their efficacies.

Build for the Future

As security professionals, we can do better. We can turn to standards bodies like the IEEE and W3C to help foster secure biometrics standards in a way that is visible and transparent and reduces the uncertainty around these authentication mechanisms. We can encourage third-party testing and analysis of these authentication mechanisms, with published data that can be used to verify the efficacy of these techniques. With the help of standards and certification organizations, we can ensure that snake oil techniques can no longer masquerade as legitimate security measures. By reducing the uncertainty surrounding these authentication techniques we can make them more secure.

In honor of National Cyber Security Awareness Month (NCSAM) we’re taking the conversation back to security basics. Throughout the month of October, Duo will be posting helpful security tips to ensure you stay secure and safe online during your day-to-day digital activities.

Plus Engaging Security Activities

We made a bunch of free tools and activities to foster security education and awareness.

To learn more, please visit: http://duo.com/security-123

Without further ado, here is today’s security tip:

Tip No. 7: Protect Your Apps With 2FA

2FA or two-factor authentication is an excellent way to drastically improve the security of your accounts. Two-factor authentication strengthens your account security by requiring two factors to verify your identity. These factors can include something you know - like a username and password – plus something you have - like a smartphone app to approve authentication requests.

2FA protects against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials.

This video helps explain how 2FA works

See the video at the blog post.

These videos explain the multiple options for second-factor authentication.

Tip No. 6: Use A Password Manager

If our previous tips sound tough, harness the power of a password manager to help!  A password manager will do all of the remembering, creating, and sharing of a strong password for you. 

What is a Password Manager?

CNET says, “Simply, a password manager ... is an encrypted digital vault that stores the login information you use to access websites, apps and other services. Besides keeping your credentials, identity and sensitive data safe, a password manager can generate unique, strong passwords to ensure you aren't reusing them across your services.

You can even share a password like a login for coworkers or family members to a shared application or account without necessarily revealing the password to your share recipient. 

Tip No. 5: When to Change Your Password

I know, I know, you just figured out a snazzy password you can access, you didn’t share it and now we are asking you to change your password.

There are times you should consider changing your password right away. Here are few:

• After a website or company you use discloses a security breach
• There is evidence of unauthorized access to your account - many popular sites allow you to look at your access history
• There is evidence of malware or another compromise of your device
• Someone with shared access to an account has left the business, relationship, or role required for the access provided
• You logged in to the account on a shared or public computer (such as at a library or hotel)
  
• Your roommate moved out.
• You suspect your password has been shared without your consent
• You have proof your account was compromised as a service you use was breached, or your security monitoring service has alerted you

2FA security helps protect against password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials.

See the video at the blog post.

Tip No. 4: Safely Share Your Passwords

It used to be that sharing your password for any reason was frowned upon. And while it’s not necessarily recommended that you share your passwords, our digital lives make it a necessity in some instances. For example, there may be accounts that you share with a family member that require you to use the same password. There may also be times when passwords must be shared among colleagues.

Some instances in which you might share a password include:

• Paying household and family bills
• Managing joint credit card or bank accounts
• Using a shared wi-fi network
• Using a shared online storage service for photos, documents
• Using a shared online shopping account

If you have to share a password, it’s recommended that you do so safely. How? 

A password manager (see tip No. 6) gives you the option to safely and securely share a password – passwords stored in a password manager are encrypted and can be shared in an encrypted format with others. Certain password managers allow you to share passwords without revealing the characters if you'd like to keep the true password confidential and revoke-able. Sharing encrypted passwords through a password manager is much more secure, and much safer than writing them down, emailing them, or texting them.

Tip No. 3: Avoid Reusing Passwords

I know what you are thinking, your brain hurts at the idea of a unique password for every digital login in your life, because that is a lot of logins. But trust us, you should make unique passwords, starting with your most important accounts.

Password reuse could allow an attacker to use a password they compromised on one account to attack the rest of your accounts. If you used the same credentials on a music site as your bank account, if the music site gets compromised, so does your bank password. You can't always prevent a website getting breached, but you can make sure the concern stops with that singular account.

Tip No. 2: What Makes A Good Password?

It is easy to say, make a good password, but what makes a good password? Here are some helpful password strategies.

What TO Do: Random Word Approach

● BananaStapleZoroCanada2016forElPresident

● CatBoat2000UtilizePandaBacon

What TO Do: Passphrase Approach

● The74dingoscarriedawaymyoatmealsalad.Sadday.

To Be Even More Secure

● Think beyond the password with two-factor authentication (2FA)

● Use a password manager

● Use the max number of characters allowed with as much complexity as allowed (including upper and lowercase letters, numbers and symbols.

Avoid

●  Singular words or common phrases, such as the term “password”

● Personal information as a password (name, birthdate, etc.)

● A single type of character, such as only uppercase letters or only numbers

● Repeating characters or consecutive characters, like “1234567” or “abcdefgh”

If you have made poor passwords because it is easier to remember in the past, you are not alone – it can happen to anyone. Creating a stronger, more secure password doesn’t have to be complicated. This is actually much easier than the alternative.

Tip No. 1: Use A Strong Password

Making a strong password is important because, let’s face it, humans are a bit predictable — and that makes it easier for hackers to guess passwords.

A GOOD Passwords must:

1. Be unique and never before used
2. Have a minimum of 16 characters
3. Get creative. Use “ph” instead of “f” or “1” instead of “i”
4. Include two of the three: upper/lowercase letters, special characters, numbers

To Be Even More Secure

1. Think beyond the password with two-factor authentication (2FA)
2. Use a password manager

If you have to remember your password by writing it down (which isn’t recommended, but, again, we’re human), never list any identifying information as to who it belongs to or what account it is tied to. Treat it as you would your social security card or passport. Always maintain physical control!

Enjoy our "Compromised Credentials" video.

See the video at the blog post.

Do you know someone who could have better passwords? Maybe someone who has been “meaning to set up a password manager” for a year or two? What about someone who just needs a helping hand? Could your co-workers, your family, or your friends use a quick password tutorial? You can help them make an immediate and impactful difference to their security posture online by hosting a Password Party, an event that lets everyone take on the password problem together. 

What’s a Password Party?

People love a party! A Password Party helps educate and establish best practice for passwords. The party dedicates time to improve account security by moving passwords into a password manager and strengthening weak passwords. The event is set up like a party — think balloons, cake, and prizes — to make an otherwise tedious task more engaging. 

At Duo’s Password Parties we have given out rubber duckies for strong password management, raffled off gift cards and had everything from cookies to pizza to get the party going! 

The Goal

To ensure everyone’s passwords are up-to-snuff by moving them into a password manager and regenerating weak passwords, can sound stressful and monotonous, especially if the individual does not see themselves as technical or security-focused. Tackling the need in a group helps everyone stay on task and allows everyone to learn from each other. 

At the end of a Password Party, the attendees should have a password manager set up, and have added their most important accounts. The attendees should have learned what makes a good password and understand the basics of two-factor authentication to add even greater security to their accounts. The attendees should know how to generate a random password using the password manager, and become confident in how to secure their online accounts.

What is Expected of the Host?

The Password Party host will act as a coach and guide the group through the set-up of the password manager of their choice, explaining how a password manager works to generate and store passwords. The host will explain and emphasize the importance of two-factor authentication, and help participants add it to their accounts.

At Duo, our hosts were members of the Cloud Security team, allowing us to introduce ourselves to new coworkers, and strengthen relationships between teams.

What is Expected of Attendees?

Password Party participants should be asked to bring their laptop and their mobile device. They should be ready to install a password manager — if they don’t have one already — and have an awareness of what websites they use, with an ability to access those accounts or recover the passwords (i.e. access to the email recovery). 

The Password Party is targeting the folks who know their passwords aren’t quite there yet and who have been looking for time to sit down and just do it. The Password Party provides the perfect excuse, the plan, the time and assistance to help attendees take charge of their online security and protect their accounts.

Where Should We Party?

Host the event somewhere comfortable and open. A cafeteria, living room, or lounge area is perfect! The Password Party attendees are going to need to be able to work with their laptop and mobile device easily, while remaining comfortable and in tune with the group. If this is a work setting, attendees may need to come and go, and that’s okay! 

At Duo, we used the kitchen eating area which provided a friendly low key atmosphere.

When?

The event doesn’t need to be that long. Encouraging folks to work on passwords for even an hour is a win! At Duo Security, our goal was to have attendees stay for an hour. We held the event for three hours, with the intention of allowing attendees to come and go as needed for their schedules. 

Pick a time of day folks are ready to do something a little different with their brain power. At work? Maybe a Thursday afternoon. With family or friends? Try a weekend brunch.

Giving your invitees advance notice helps eliminate the “I don’t have time” excuse. If this is a work event, having set time in the calendar lets employees know that this is work-sanctioned. If possible, get a note of endorsement from management to let potential attendees know it’s okay to spend work hours on security maintenance.

Rewards and Atmosphere

Consider a small prize for working diligently on passwords. At Duo, we gave all attendees a rubber duckie for participating (Choosing a duck was popular! There were all kinds of different ducks available). If participants finished inputting their passwords into a manager, or stayed at least an hour doing their best, they were added to a drawing for one of two gift cards.

We also provided lunch, or treats, depending on the time of day the event was held. Cookies were devoured almost immediately. If this is a work setting, food is a great way to signal to folks who missed the invite that something special is going on.

Music helps to liven up the atmosphere and balloons are a toy to bat around in between password generation. Keep the party atmosphere in mind while planning for the event as it will elevate the mood of your attendees and create excitement. 

Ready to Host?

Step 1: Create the Event

Invite your coworkers, friends or family to the event and make sure to block off the time in the calendar. If you’re in an office, don’t be afraid to put up some posters or send out announcements. Consider making real invitations — it is a party after all!

Step 2: Prepare Your Attendees for Success

Know What Password Manager You’ll Support

Choose a friendly password manager or utilize the recommended manager from your organization. A good password manager choice will have step-by-step documentation easily available, will be able to generate random passwords and will be designed with security newbies in mind. If possible, choose something you’re familiar with as you’ll become the default “expert” for the people attending the event. 

Print Out Documentation  

This may seem counterintuitive for an event focused on using online resources, but participants often find paper solid and comforting. Provide links to the password manager’s online documentation, but also print out the basics: 

• How to generate a password
• How to save a password
• How to link a personal password manager account to a corporate one (if offered)

At Duo we had two documentation packets for each 6 person table, and that seemed to be enough.

Create Account/Website Prompts

Participants won’t always know where to start. Help out by providing lists of commonly used websites or accounts you’d like them to prioritize. 

Looking for a shortcut? Wikipedia has a good list to begin with: https://en.wikipedia.org/wiki/List_of_most_popular_websites#List_of_websites. 

Don’t be afraid to tailor your account lists and search regionally with something like “most popular websites in [location].” Participants should update their most critical accounts first (like their primary email address and financial institutions.) The host should assist the attendees in prioritizing their accounts.

Make a Summary Sheet

Some folks like a checklist. Print out a document that summarizes what they’re doing at the Password Party. It should give just the basics, something like:

Welcome to the Password Party!! 

Today we will learn how to:

1. Place passwords into a password manager & re-generate any that need strengthening. 
2. Find out if 2-Factor Authentication is available for those sites. Set that up too!
3. Add as many accounts to the password manager as you can, and receive a prize!

• Want to learn more? [Link to the Password Manager’s documentation]
• Check if 2FA is available for an account you want to secure: https://twofactorauth.org 
• Always remember, we’re here to help each other! Ask questions. 

Do a Short Presentation 

Take 10 minutes at the beginning of the event to explore password managers and two-factor authentication. 

Your attendees have RSVP'd to attend the Password Party because they want to have greater account security. Your goal is to make password managers accessible and two-factor authentication attainable. 

Describe how to generate passwords, walk through the first pieces of the step-by-step documentation and invite participants to examine the password manager’s website. Explain the importance of two-factor authentication and how it works to protect accounts.

Encourage participants to add two-factor authentication to the password manager’s account, and remind them that the email they link their online accounts to is very important to protect as it holds the “keys to the kingdom” and access to reset passwords to other accounts.

Try to empower your attendees to be self-service as much as possible. Let them know you’re available for questions and reassure participants there are no bad questions. Get participants talking with each other by asking them to turn to their neighbor and share 3 accounts they plan to protect today! It’s amazing what collective experience can accomplish.

Common Questions

Be prepared to answer common questions and concerns about password managers and two-factor authentication. For people new to the idea of protecting their passwords behind a single password it can be a little scary. 

For example, some of the common questions I’ve encountered at Duo are:

1. How do I share passwords safely?
2. How do I recover my password manager’s password?
3. What do I do if I lose or no longer have the device I use to set up two-factor authentication? 

Think about the questions you’ve already heard prior to hosting your Password Party, and be ready to answer.

At Duo, we quickly noticed coworkers helping coworkers. This event is a great way to encourage attendees to meet people from other teams as well!

End the Party with Empowerment

Empower your party people to create a culture of security. The Password Party isn’t meant to completely alleviate the attendees password concerns. It is supposed to give them the impetus to start protecting themselves and provide the first set of tools they’ll need to become more secure online. 

Remind all of the participants that it’s okay not to finish today. The work the attendees did do is meaningful, and they’re better protected now than even a few hours ago. As long as they move a few passwords every day, or even once a week, they’ll be fully invested in their new password manager in no time. 

Password Parties are designed to help your team make time for implementing secure practices while learning and working in a relaxed environment. Getting passwords into a security manager often feels daunting due to the number of accounts we all have, but this party makes it manageable. Every time we make a password stronger or we add 2FA to an account we become a little bit more secure. These little steps add up. Let’s celebrate those iterative successes! Let’s have a Password Party!

Security Education Freebies 

We made a bunch of free tools and activities to foster security education and awareness. To learn more, please visit: http://duo.com/security-123 

Learn more about Duo's two-factor authentication by signing up for a free trial.

Security Back-To-Basics

Your social media game has been strong, but chances are you or someone you know has had their social media accounts stolen. This is a big bummer on many levels from trying to get your accounts back, to someone messaging your networks without your knowledge or permission.

Want to up your security game and prevent hackers from getting access to your accounts?

Today, almost all major social media platforms allow you to add an additional layer of protection to your accounts. Two-factor authentication settings can usually be enabled under your account’s security and login settings. You may find settings with names like “Additional Verification” or “Login Verification” or “2FA” (two-factor authentication) but know that these are all talking about the same thing: Two-factor!

In this post I’ll walk you through step-by-step and show you how easy it is to set up Duo Mobile and enable 2FA for Instagram, Twitter, Facebook and all of your social media accounts.

How To Set-Up Duo 2FA With Your Instagram Account

Let’s first take a look at how to protect your Instagram account using Duo Mobile. First, download Duo Mobile from the app store. 

Step 1
Launch the Instagram app on your phone and go to your profile.

Step 2
Open the Menu at the top right.

Step 3
Tap “Settings” (at the bottom of the menu)

Step 4
Tap “Security”

Step 5
Tap “Two-Factor Authentication”

Step 6
Tap “Get Started”

Step 7
Toggle on the “Authentication App” setting

Step 8
You’ll be prompted to use Duo Mobile - Tap Next.
If you don’t have Duo Mobile installed, it’s important to download it from the app store before this step!

Step 9
After tapping the button, you’ll be redirected into Duo Mobile where you’ll see a new account has been added!

Step 10
We need to verify things were set up correctly. First, tap the passcode to copy the 6 digits. Then, switch back to Instagram.

Step 11
Back in the Instagram App, tap “Next”

Paste the 6 digit code into the 6 boxes.
iPhone Tip: Tap over the first empty line for the “Paste” prompt.

Tap “Next”

Step 12
Two-Factor is now set up! But we have one more step. Hit “Next”

Step 13
Duo Mobile makes it easy to restore your third-party personal accounts with Duo Restore. Or on the next screen you’ll see recovery codes. It’s important to save these recovery codes.

They’ll help you regain access to your Instagram account in the event your phone is sold, lost, stolen or broken if you have not enabled Duo Restore.

And now your Insta is on lock! Check out Duo 2FA today!

See the video at the blog post.

(Members of The EMEA Team at Duo)

What happens when you gather your best strategic partners and MSP, a microphone and a laptop into a room? Awesomeness!

 Last week was the return of our most anticipated EMEA Partner Kick-off 2019, and this year we  hosted it within the grounds of Sopwell House, the prestigious venue that once called itself home to the royal family of the Mountbattens.

Over the course of two days we welcomed some of our key strategic partners and top Managed Service Providers (MSPs) to come together and recap on the successes of the past twelve months and discover what the future holds.

 But aside from the beautiful venue and enthusiastic guest speakers (don’t worry David Meade you can thank me later for that) there was an underlying theme, togetherness. Together as one Duo, one Cisco and most importantly one partnership. The theme “together” was a message that carried itself through all sessions and it really showed how important the partnership of working together to achieve joint success was.

Most importantly I would like to say a huge congratulations to all of our award winners, they truly are an example of dedication.At Duo, we pride ourselves on having the best partners and managed service providers in the industry. Out of the best, there were a few outstanding that have really gone above and beyond for Duo and our joint customers. 

The Winners of 2019 

Strategic Partner of The Year - Saepio Technology

Saepio has been a Duo partner for over two years now,and has continually demonstrated a strong determination to be a great partner. They drive a strong revenue stream and work diligently with the Duo team. We applaud their commitment to Duo, and look forward to a long and mutually successful relationship.

(From left to right. Fiona Doak, EMEA Partner Manager at Duo. Sean Wright, sales at Saepio. Matt Smith, VP of Channel at Duo)

MSP of The Year - Options Technology

Over the years Options Technology has shown great effectiveness in guiding customer conversations within the finance industry to demonstrate the value that Duo can provide at all stages of a customer's 2FA journey, be it starting from scratch or replacing an incumbent 2FA solution. 

Best Partner Newcomer - Natilik

It’s a pleasure to see a new partner have such an impact as Natilik have demonstrated. From day one, they have proactively positioned Duo within their go-to-market strategy, and embraced our sales team, driving active engagement and opportunity. We are delighted to partner with them, and we are excited to see what the future holds for us both.

(From left to right. Stella Maricic, Cyber Security Partner Account Manager UK at Cisco. Robert Eldridge, Experienced Pre Sales Consultant at Natilik. Fiona Doak, EMEA Partner Manager at Duo. Josh Simpson, Enterprise Business Development at Natilik. Yves Mertens, Director, Cyber Security Partner Organization EMEAR at Cisco.)

Best MSP Newcomer - Netstar

(From left to right. Malcolm Diack,Senior Strategist at Netstar. Esther Kho, MSP AE at Duo. Matt Smith, VP of Channel at Duo)

Netstar joined the Duo MSP Partner Program in February 2018, and spent much of last year building out their Duo offering emphasising the intrinsic value of 2FA, the value of Duo while ensuring that their various sales and account management teams could lead these conversations confidently with customers. It goes to show that putting the effort and energy into laying a solid foundation reaps great rewards.

To summarize, I will leave you with a final remark by Darren Lewis, RVP Sales EMEA:  

“At Duo, our success is your success. We are making a strategic commitment to support our partners across EMEA.”

More information on our partners can be found at https://duo.com/partners. Find out what Duo can do for you too. Take advantage of the free 30-day trial and experience Duo for yourself at https://signup.duo.com/.

We look forward to welcoming you to our next EMEA partner event 2020!

In early 2018, Duo open-sourced CloudMapper for visualizing AWS network environments. The tool collected a large amount of metadata from accounts to accomplish this, and made it easy to both collect additional metadata and work with the data that had been collected. Having that local copy of metadata turned out to be very useful, because multiple use cases could benefit from it without having to worry about each one being rate-limited or experiencing other problems in collection.

Within a few months, CloudMapper became more than a single purpose tool, and instead became a platform. It became a swiss-army knife for all sorts of needs security teams had when auditing or understanding AWS environments. New commands were added to it to give counts of the number of resources in an account; provide a listing of the publicly accessible EC2s and other network resources; generate a diagram of the trust relationships between accounts; identify the IAM users and roles with admin privileges in the account; and more.

One of the commands added to CloudMapper was the ability to perform a one-time audit for security concerns of multiple AWS accounts based on the data that had been collected. This included things like public S3 buckets, IAM roles with admin privileges that could be granted to EC2 instances, and more. There were existing tools like Prowler and ScoutSuite already available, but again, having this functionality built into CloudMapper meant it could leverage the local copy of the metadata that CloudMapper had already collected. This capability expanded over time, with over 50 types of checks currently performed, and the ability to generate an HTML report from this audit was eventually added. 

See a demo report here.

The Need for Making CloudMapper a Continuous Monitoring Solution

Duo monitors its AWS environment in real-time using CloudWatch Events and CloudTrail logs, but there was some additional detection capabilities in CloudMapper that we wanted to benefit from on a more regular basis than whenever someone took the time to manually run CloudMapper. We also wanted to ensure, through a defense-in-depth strategy, that if the real-time monitoring system experienced any issues, we could ensure another solution was alerting us to problems as well. There were already other open-source solutions, and a multitude of vendors, that focused on this problem, but after considering the options, it was decided that making CloudMapper run regularly would best fulfill our interests.

One primary consideration was the barrier to entry for many of these tools. Although Duo has a strong team of developers to setup any tool and the security budget to run them, one of our goals is to democratize security, and we knew we could convert CloudMapper to be a tool that is easy to install and extremely affordable to run, giving everyone the ability to regularly scan their environments and receive alerts.

We also needed a solution that was both being actively maintained with new detections (which CloudMapper has kept up with) and was using a different set of techniques than our real-time monitoring. There are reasons to avoid polling AWS environments like CloudMapper does (namely that in large environments it can be very slow), but for our use case, and for our need to have a separate defense-in-depth strategy, this was actually preferred.

How It Works

The deployment of CloudMapper as a continuous monitoring solution begins as a CDK (Cloud Development Kit) app. The CDK is an abstraction layer over AWS CloudFormation, allowing you to define your infrastructure through programming languages such as javascript or Python, instead of YAML or specialized languages.

You create an S3 bucket and then edit and copy some configuration files into it. When the CDK app is deployed, it will create a Docker container that will run CloudMapper nightly via Fargate. CloudMapper will collect data from all of the accounts you configured it for, then perform an audit over that data. Any issues found will be sent to a Slack channel. A report will then be generated and saved to the S3 bucket along with all of the metadata that was collected. You'll want to be careful in ensuring that you secure access to this S3 bucket, as it contains not only the report of security issues with the accounts, but also the metadata and config files.

A sample screenshot of the issues sent to a Slack channel is shown below.

By running nightly via Fargate for only as long as it takes to collect account data and audit it, the solution should cost less than $1 per month for most environments.

If any errors are encountered, whether in collection or elsewhere, a message is sent to an SNS, which can then email you.

All these features of the architecture are shown below.

Daily Usage

With any security auditing solution for AWS, you'll quickly find there are issues detected that you don't care about. The finding may only be informational, you may have decided on a different strategy than the tool, or some other reason that causes you to need to make exceptions for either an entire finding category, or for specific resources. This solution makes it possible to define these exceptions.

The ability to define exceptions is important because this solution has no memory of what issues it previously alerted on. This means that when problems are found, this will repeatedly generate alerts every night until the issue is either fixed or an exception is configured.

Conclusion

CloudMapper continues to be actively developed, with contributions from 45 people so far who aren't Duo employees. It has become one of the most popular open-source AWS security projects. We believe having CloudMapper as a continuous monitoring solution can play a role as the initial security auditing solution for individuals and small companies, or act as a second layer of defense for more mature enterprises. 

Try it out today at https://github.com/duo-labs/cloudmapper. 

Zero trust is a phrase that gets invoked a lot these days when talking about security. As companies move to cloud environments and their employees begin to use personal devices from all parts of the globe — the traditional approaches to securing an evolving perimeter are going to get more complicated — if they work at all. That being said, zero trust can still sound pretty opaque. How does zero trust apply to cloud applications? Can I implement a zero-trust strategy for accessing resources like AWS?

Secure Your Workforce and Their Devices 

At Duo, our speciality is providing zero-trust security for the workforce. Zero trust for the workforce means not assigning automatic trust through one password, rather securely connecting a user and their device to workplace applications based on multiple factors and then allowing trust and access. Our solutions verify the identity of users, enable visibility into the health (is it safe?) of their devices, and gives the right users the right authorized access to applications. Instead of simply allowing access to critical applications based on primary authentication, Duo challenges the user with a second factor. Whether or not primary credentials are compromised, this second authentication factor ensures that Duo provides an additional layer of security. Duo’s role in the authentication workflow enables us to evaluate the security of the authentication request based on factors like user role, geography or access network

AWS Management Console Use Case 

To illustrate the principles more fully, let’s look at a concrete use case: enabling zero-trust access to the AWS resources like the Management Console.

Given the flexibility and scalability of cloud infrastructure, many companies are moving portions of their environment to the cloud. AWS often hosts critical components of a company’s infrastructure or codebase. Developers use AWS Management Console to access, review, and build out their AWS environment. Another common resource is the AWS remote desktop service WorkSpaces.

However, providing a simple second factor for access on AWS is often a challenge. Customers recreating users in AWS IAM lose out on the value of consistent corporate credentials and a multi-factor authentication (MFA) solution with coverage beyond AWS resources. For customers porting their corporate credentials via AWS Directory Service, AWS does not currently offer an MFA solution. In both cases, Duo can provide a seamless integration, enabling a second factor of authentication.

Duo offers two options for AWS customers to secure access to their AWS resources: 

1. Duo’s single sign-on (SSO)

If a company is using a variety of other cloud applications alongside their AWS environment, utilizing the Duo SSO is an excellent option. 

If a company has an existing SAML IdP or SSO, integrating Duo with the current environment provides an additional access security layer. If a company doesn’t have an existing IdP, Duo can act as the SAML IdP! 

The Duo Access Gateway can provide secure access to both the AWS Management Console and the other applications that speak SAML in the company’s environment. It can also act as an SSO solution for employees by effectively federating access. Finally, administrators can enable granular access controls for users based on application sensitivity, corporate role, geography, and more.

1. Quick Start with AWS

On the other hand, if a company is already leveraging Amazon Directory Service to port data from an on-premises Active Directory to AWS for primary authentication, then Duo’s Quick Start can enable MFA for a variety of AWS resources like the Management Console, Workspaces, WorkDocs, and QuickSight in less than 10 minutes. Quick Start guides are built with a focus on reducing manual steps, which in turn decreases time to security.

In either case, Duo helps companies implement a zero-trust strategy for the workforce by ensuring that users accessing AWS resources are verified with a second authentication factor. Though zero trust may still seem a bit overwhelming, hopefully thinking about zero trust for the workforce specifically helps to dispel a little skepticism or confusion. If your company is transitioning resources or workloads to AWS, and would like to learn more about a zero-trust approach to accessing AWS resources, check out our AWS documentation or sign-up for a free trial of Duo to start protecting the Management Console today.

Administrators and users often have a lot of sensitive information stored in their Windows laptops and desktops or local machines. Even with the availability of cloud file sharing and storage services such as Office 365, Google Docs, Box and Dropbox, users tend to keep copies of a file on their local machine. Users may download these files to make edits/changes or keep backup copies on their local machine. Once on the local drive, they remain on the device until actively removed by the user. Depending on their roles and responsibilities, users can have information about the company product, customers, financial, legal, etc. 

While information on local machines is less prone to remote attacks, there are other risks to consider. A lost or stolen device could expose sensitive information to unauthorized users. In addition regulated industries such as healthcare, financial services, government require organizations protect login access to local machines. One of the ways to protect login access is to use multi-factor authentication (MFA) when users login to their devices. For example, government affiliated organizations such as military contractors are regulated by the Defense Federal Acquisition Regulation Supplement (DFARS). 

DFARS requires these organizations follow strict data protection standards outlined in NIST SP 800-171, which mandates “multi-factor authentication for local and network access to privileged accounts.” DFARS requires that local machine logins are secure regardless of whether the machine is online or offline. 

Compliance and Protection for Microsoft Windows Logins

To help protect against data exposure and easily meet industry compliance requirements, Duo provides administrators several easy options to protect Microsoft Windows machines. Duo protects the machines whether they are online or offline. 

To protect Windows logins, Duo provides a simpler installer which can be installed in a few minutes. After the installation, admins can automatically enroll users through one of the techniques outlined in this document. After enrollment, Duo prompts the users to authenticate when they log into their Windows machines. 

To learn more about how this integration works, click here.

If you are interested in using Duo with your Windows login, sign up for a 30-day free trial in less than 30 seconds. 

Learn more about protecting your MIcrosoft applications with our new ebook, An Essential Guide to Zero Trust for Microsoft Applications.

Editor’s Note: Our Hobbit theme is in honor of Hobbit Day

“You - shall not - pass!” This could easily be the refrain of any security team, but these words were uttered by one of Tolkien’s characters, Gandalf, deep in the Mines of Moria in the movie the "Fellowship of the Ring."

If you think about it, the entire sequence in the Mines of Moria is an intriguing allegory about cybersecurity practices. But my burning question is, should the Fellowship be viewed as a company of bad actors or are they a security team?

Barriers to Entry

The Fellowship finds themselves at the entrance of the mines, which is where our comparison begins. There is a hidden sign posted on the doors that reads “The Doors of Durin, Lord of Moria, Speak Friend and Enter.” Firstly, the door for entry is hidden and needs to be hacked to determine the parameters that need to be passed for entry. Secondly, we witness a team using brute force password attempts to get past the barrier. After using combinations of complex phrases they find that the simplest shared admin password, the word “friend,” is the key to get them past the security measure. 

In this scenario, we can compare the door with the security perimeter organizations have traditionally used for protection . While this approach to security has stood the test of time, in today's digital world it lacks a certain luster and needs an upgrade. Protecting our businesses with a single gateway or entry point is no longer adequate, because we have more points of entry than we ever did before. Think of remote workers and contract workers who may not be inside of the network; or the adoption of applications hosted in the cloud.

With multiple entry points, we need strong security measures that rely on verifying the user attempting access. It is not viable to assume trust in those who have the password; we have to continuously verify the identity that is attempting access. One way businesses are doing this is by adopting a zero-trust security approach for the workforce, which starts with the implementation of multi-factor authentication (MFA).

But is MFA enough?  

As the Fellowship descends deeper into the Mines of Moria, they come under attack in Balin’s Tomb. One team member curiously touches a skeleton, exposing a vulnerability that sets off a chain of events. The group is set upon by a hoard of attackers, goblins and orcs and they are tested and tried in a harrowing battle where the main protagonist of the saga, the hobbit Frodo, is ultimately struck down. Thankfully a Mithril vest protects him. Could you imagine where the story would have gone if he had been compromised? It would have been game over. The same concept applies if your admin credentials were ever hijacked and you had no protection in place – you’d have goblins running amuck masquerading as a friendly hobbit.

Back to the vulnerability that was exposed by the actions of an unsuspecting user. Is the user to blame? Perhaps the skeleton should have been more secure. If we consider the elements that reside in our infrastructure, how can we be sure that there are no potential vulnerabilities that could be exposed? Think of the devices or endpoints that access sensitive resources in an environment; are they all up to date with the latest patches? Or is there perhaps one weak point that could set off an undesired chain of events?

By verifying the devices and endpoints that have access to sensitive applications in our environments we can mitigate the risk of an attack. If there had been a check in place in the Tomb of Balin before the skeleton was touched, the vulnerable component could have been isolated and there wouldn’t have been an entry opportunity exposed to the attackers.

The Team

I still can’t decide if the Fellowship is a security team or a group of bad actors though. I think I need to go deeper into the mines, perhaps to Durin’s Bridge, or the Bridge of Khazad-dum, where the famous phrase above was said to find my answer. 

It turns out the events in the tomb set off a cascade of catastrophic issues as the attackers start to move laterally through the mine, sound familiar? The Fellowship is forced to flee only to face an even more serious threat, a Balrog (a demon of the ancient world) which could be parallelled to a data breach. Gandalf claims this threat is beyond any of the team and he alone steps up to block the Balrog from further access to the environment. An epic battle of fire and lighting ensues and ultimately Gandalf sacrifices himself after successfully denying the Balrog passage. 

"Glorfindel and Balrog" by Moumou38 is licensed under CC BY-NC-ND 3.0

Here we see a fearless team leader who fights the fires and sacrifices themself, their sleep and sanity, to ensure that the organization is protected. That settles it: the Fellowship is a security red team. But as evidenced, this isn’t a sustainable model for security. While the access policies set by Gandalf result in mitigating the threat to the broader group, wouldn’t it have been more effective if the team had worked together? 

Just think, if everyone had followed appropriate security practices, they probably wouldn’t be in the dire situation and fighting for their lives (or to protect their data) in the first place. 

The fact that the Fellowship knew the password to get into the mines solidifies that they were, in fact, the security team from the very beginning. The goblins and orcs were the bad actors who gained access when they shouldn’t have been able to, and the entire sequence is the security team trying to save themselves from the attack. 

So what did we learn? 

If the Mines of Moria had multi-factor authentication in place from the start, the bad actors wouldn’t have been able to impersonate the administrator and gain access. If there were endpoint or device validation in place in the Tomb to prevent a vulnerability from being exposed, then the attackers wouldn’t have been able to move laterally through the environment. Lastly, access policies shouldn’t be reliant on just one person. Even though Gandalf was effective at thwarting the threat on Durin’s Bridge, if there had been a team approach to security and enforcing access policies no one would have needed to be sacrificed. 

If only the Dwarves of Moria and Fellowship had known about zero trust for the workforce and the tools that Duo Security provides. 

Don’t be like the Fellowship, learn more about how zero trust can help you protect the expanding perimeter. 

Sign up for a trial of Duo today to see how you can prevent the goblins and orcs from infiltrating your organization. Save your security team from needless sacrifice. 

The No. 1 driver for financial services organizations to update and maintain cyber security is compliance. 

Staying in compliance costs financial institutions $70 billion annually, a price tag fueled by the need for cyber security and data protection. With 65% more persistent threats than other industries, financial services organizations keep cyber security top of mind. International, federal, and many state and local governments are adopting compliance standards that require financial institutions to implement multi-factor authentication (MFA) security protection into their systems as quickly as possible. 

Financial Firms Slow to Adopt Cloud

The FinServ vertical has been slow to adopt to cloud compared to other industries, relying on traditional data centers more so than other industries. The Wall Street Journal reports that although European banks plan to make over $77 billion in aggregate technology investments to compete with America’s $105 billion investment in a tech overhaul, most of Europe’s spend will go to patching old legacy systems, with less than a quarter being spent on new tech. Five years ago the U.S. was in the same boat, but now at least half the budget goes in to innovation and modernization of legacy systems. 

The sales cycle to upgrade or introduce a new infrastructure for financial services is at least five years and extremely expensive. Legacy systems work with necessary applications but are too costly to stop using while also too costly to maintain – it’s a true catch 22. The challenges for financial institutions to update systems includes securing massive amounts of data, finding skilled hybrid cloud talent to help modernize legacy systems, finding companies that integrate with all of their apps and staying competitive with modern solutions customized for their customers. 

The Pros Outweigh the Cons for Cloud Adoption

There are six transformative cloud attributes for the financial services sector: cost flexibility, market adaptability, masked complexity, contextual variability and ecosystem connectivity. Cloud-first financial institutions have an advantage over their rivals. They can keep the customer experience personalized, develop and release more prolific tools and applications and incorporate new technologies, like artificial intelligence, to get smarter, while getting to market faster. There are many advantages for the financial services sector to move to a hybrid cloud.

Many FinServ companies skipped the first generation of public cloud services, but are opting into second generation with microservices and containers. The ability to access or delineate the massive amounts of stored data that is often inaccessible is one of the major advantages of the hybrid cloud. Companies can use the large public cloud resources for heavyweight tasks that use non-sensitive data. While keeping sensitive data stored in local environments, data analysis can be done with advanced application development in the cloud. The silos of information can become integrated. After maintaining compliance, security is a top concern of the industry. 

Securing the Cloud Can Be Broken Into Three Key Areas 

The Three Pillars to Cloud Security

1. Network & Infrastructure Security: This protects virtual infrastructure and network traffic, while hardening endpoints (API gateways) and protecting services.
2. Identity & Access Management: This protects various cloud requirements for authorization and authentication through multi-factor authentication, access and policy governance and accountability management. 
3. Data Protection: This controls for data, at rest, in transition and in use with encryption, key and certificate management. 

Getting to Perimeter-less Security Through Zero Trust 

As identity IP can change moment to moment—such as when someone accesses WiFi in a hotel first with a laptop and then with a smartphone—access can pivot and change. The attack surface has changed and more companies are moving into an offensive position versus a defensive one. 

The perimeter pushed toward “mobile first” and “bring your own device (BYOD)” and continues to expand to include cloud applications. This has changed the definition of what trusted users, trusted devices and safe traffic looks like. Organizations need to expand the perimeter across on-premises, cloud and hybrid environments.

One Solution for All Applications

According to Cisco’s top security trends, the first step is securing the perimeter and getting to perimeter-less. By incorporating a zero-trust approach with multi-factor authentication managing credential and application access regardless of location, companies can rapidly adopt perimeter-less security, without a rip and replace, making it extremely cost effective while expanding protection across surfaces. 

Know What Is Happening on Your Network Right Now

With identity and access management technologies, organizations can define policies based on specific users and applications, limiting worker access to only the information they need to do their jobs. Some device visibility solutions only give you limited insight into certain platforms and operating systems. Duo uses a single centralized dashboard that gives admins oversight across the network, hardware and software.

Duo empowers you to limited access and flag risks before they become problems

• Stay compliant. Duo provides end-to-end visibility, reporting and logs of assets. Duo's endpoint visibility gives a detailed overview of users' devices (managed or unmanaged, mobile and laptops/desktops) with compliance-friendly reporting and logs
• Get granular control with continuous reporting and monitoring of systems. Streamline data reporting and policies. Duo continuously monitors and reports on the health of your infrastructure. Identify mobile devices with certain security features enabled or disabled, as well as their security posture. BYOD, no problem
• Duo centralizes access policies across platforms with zero-trust security. Admins can consolidate dashboards and get a single view of overall security status. Duo's Admin Panel flags risky devices allowing policy controls that limit access based on device and user trust (adaptive authentication)
• Support several authentication methods based on user choice: Duo Push, phone calls, U2F, etc. for all applications and services
• Limit or restrict access based on location or IP ranges. Grant or deny access to applications based on where the user/device is coming from and what they are accessing with an easy to use interface
• Stop unauthorized authentications. Block authentication attempts from anonymous networks like Tor and proxies
• Duo is software agnostic, accessible and open to everyone — democratizing security. Duo supports all users, types of devices, and integrates with on-premises and cloud applications.

Customer case studies:

CFFBank, Citizens Union Bank and Clarient.

Want to learn more? Start a free trial today, and learn how Duo can help your organization.

**Zero Trust: Going Beyond the Perimeter** A zero-trust approach shifts the secure perimeter to any place where you make an access control decision and prompts you to question your assumptions of trust every time there’s an access event. In this guide, Zero Trust: Going Beyond the Perimeter, we examine the genesis of the zero-trust approach and introduce the three pillars of zero-trust security: Zero Trust for the Workforce, Zero Trust for the Workload, Zero Trust for the Workplace.

Get The Free Guide

Duo Security is the first customer of Duo Security. We eat our own dog food, so to speak; that is, we use Duo to protect Duo, because how can we expect customers to trust Duo without also exceeding the expectations of our own employees? Duo Beyond, which enables secure access to all applications, for any user, from any device, anywhere, is a central pillar of our information security program. 

It should come as no surprise that weak authentication is the number one cause of breaches today. Duo utilizes its own product to protect its business and customer data. 

Duo can be configured to be flexible enough to fit into any organization. Internally, we’ve made policy decisions to keep our company as secure as possible from the risk of credential compromise while still providing an accommodating and convenient end-user experience.

Factor Choices

We want security at Duo to be something that our users enjoy participating in rather than an unnecessary obstacle to getting their work done. So while we do only allow the strongest factors, these are also the ones that require the least amount of an end user’s time. On day one, every Duo employee receives a hardware U2F token and enrolls it along with their mobile device using the Duo Mobile application. U2F and WebAuthn are the strongest authentication methods available today, and they are also the most convenient from an end user’s perspective. U2F and WebAuthn, however, only work in the context of a web browser, so we also utilize Duo Push which is secure, convenient, and gives us insight into the security hygiene of our users’ phones so that we can ensure devices are healthy before they are allowed to access Duo systems.

Duo Mobile passcodes, phone callback, hardware tokens, and SMS-delivered passcodes are less convenient for the end user and introduce friction into the authentication process. In addition, these factor choices do not provide security properties that are as strong as Duo Push and U2F. 

Policy Decisions

In Duo Access and Beyond editions, administrators can make a number of policy configurations to improve the experience for their end users. For example, enabling the “Remembered Devices” policy will reduce the amount of friction users encounter by allowing them to reauthenticate less frequently from devices that recently accessed Duo-protected applications, without sacrificing security.

Because we encourage our users to use Duo Push, we can also ensure that their mobile devices are configured in a secure manner, and up-to-date with the latest security patches. When critical security updates to mobile devices become available, we are able to apply a more aggressive policy to ensure that devices are updated before accessing any Duo systems. We pair these more aggressive update requirements with internal communications so our end users are aware of the importance of upgrading as soon as possible.

Duo also utilizes the Trusted Endpoints feature, which requires the device to be managed with our security tooling in order for it to access our critical applications. This provides one final failsafe in the event of a multi-factor compromise.

Sometimes edge cases come up where we need to deviate from our normal policies. For example, there may be a legitimate need for a Duo-protected application to support an additional authentication method. Because we’re able to apply policy on a per-application and even per-group basis, it’s easy for us to create new policies that empower us to enable business without opening up the factor to the rest of our users or systems.

Detection and Alerting

Duo’s authentication logs provide us with a unified single point of visibility across all of our systems (and using the same timezone!), enabling one-stop shopping for critical authentication information during investigations. We pull our logs into our centralized SIEM to enable automated security response activity and to identify trends such as which factors are most popular with which users to identify policy improvements. For example, if we found that users never accessed a Duo-protected application, we could assume that it is safe to deprecate that application. These logs also give us the ability to raise alerts and respond when our end users report fraud or when their account becomes locked out (these could indicate a compromise of primary credentials).

Each organization that uses Duo will have different needs and risk tolerances, which is why Duo provides the flexibility to right-size security and convenience with application and group level precision. It is important for Duo administrators to regularly review factor choices, policies, and the authentication logs in order to make policy decisions that continue to reflect the organization’s risk appetite.

**Zero Trust: Going Beyond the Perimeter** A zero-trust approach shifts the secure perimeter to any place where you make an access control decision and prompts you to question your assumptions of trust every time there’s an access event. In this guide, Zero Trust: Going Beyond the Perimeter, we examine the genesis of the zero-trust approach and introduce the three pillars of zero-trust security.

Free Guide

The increasing costs of higher education mean that more students are taking on more debt than ever before. Tuition costs have spiked over the last 30 years, leaving parents and students coming up short when looking to pay for higher education. There is currently over $1.56 trillion dollars in outstanding student loan debt in the U.S. In order to provide scale, StudentLoanHero points out that this is “$521 billion more than the total U.S. credit card debt.” For the class of 2018 alone, 69% of students graduated with some sort of debt, with an average debt amount of $29,800. Unfortunately, the rise of student debt has attracted and emboldened a variety of bad actors looking to steal funds as they pass to the enrolled individuals. 

At the beginning of last school year, the Department of Education reported an increase in attempts to steal student loan disbursements. These attacks aim to redirect loan funds to a new direct deposit controlled by the bad actor. This shouldn’t come as a surprise, given the prevalence of identity theft within the credit card market; but many universities and students may be unequipped to recognize or thwart the potential attack.

Don’t worry, the first step in combating malicious activity is understanding how bad actors typically go about their dirty work. In order to illustrate how student loan disbursement is targeted, let’s review how the attack works logistically. Then, we can provide some insight into how the attack can be prevented.

Hack Phase 1: Phishing Students

The attack typically begins with a phishing email campaign targeted at the student body. Sophisticated attackers will have done their homework, so these emails usually reflect the communication aesthetic of the institution. The content of the emails will also often incorporate urgent or accusatory language. Late bills, missed payments, or incorrect banking information are all subjects used in phishing campaigns.  

If a student is coerced or intimidated, they may quickly enter their credentials, FSA ID, or other critical piece of personal information. Students using mobile devices may not have access to see information that would help them spot a phish or may be more susceptible to snap decisions when entering credentials. The attacker can now move quickly to phase two.

Hack Phase 2: Access & Edit Student Deposit Accounts

There is often an area for a student to designate a direct deposit account for any loan amount that won’t be applied to tuition - accounts like this are the target of this attack. Now that the attacker has the credentials or personal information required to access the university’s student portal, they can log in to the portal and edit the student’s banking profile. The attacker changes the deposit information to an account within their control and waits for the disbursement to come through.

Solution: Proactive Prevention Through MFA

There are a couple of key ways to address the threat of loan disbursement fraud. The first is a strong MFA workflow. By challenging student access attempts with a second factor authentication, administrators reduce the chance that the login is compromised. If the attacker has phished the student’s credentials, they’d still need access to the student’s phone or second factor to complete the fraud. 

Given the efficacy of MFA, the Department of Education specifically encourages institutions to “strengthen their cybersecurity posture through the use of two-factor or multi-factor authentication authentication practices.”

At Duo, we provide an MFA solution that is easy to implement for administrators and easy to use for students. It can protect any application, even customized on-premises applications, and students can use a variety of methods to provide a second factor. Don’t just take our word for it, institutions like Duke University, Bowling Green State University, and Eastern Michigan University have all seen reductions in compromised accounts by deploying Duo.

A second way to address the loan disbursement threat is through phishing awareness. If students are trained to spot the telltale signs of a phishing campaign and given proper channels to report suspicious email activity, then the probability that they will be tricked by a phishing campaign diminishes. Effective reporting channels also allow IT administrators to investigate and potentially block malicious email domains. 

Many institutions even set up a cybersecurity training day early in the school year. These dedicated days focus on best practice for individual security, how to avoid phishing attempts, and setting up tools like Duo or a password manager.

The challenge of dealing with loan fraud can seem daunting, but Duo can help prepare any university, and its students, to recognize and combat phishing. 

If you’d like to learn more about protecting your students with Duo, you can start a free MFA trial and protect applications today, or reach out to learn more.

**Phishing: A Modern Guide to an Age-Old Problem** This guide gives you a look into: -How phishing works, how it has evolved, and the new tactics used to appear legitimate to users.

Download Free Guide

Come forth for the cattle call
Confront the evil river you can't control
Wicked ways and venomous eyes
Just human nature in disguise
— Devil Driver "Clouds over California”

I’ve been a fan of cloud computing since its beginning. I always saw the value in standardization and the “buy by capacity” model. When Marc Andressen, Ben Horowitz, Insik Rhee and Tim Howes left Netscape to found hosting business Loudcloud, I was all in and joined the team. Marc used to talk about the “compute grid” that would work much like power grids work. The vision of the four founders was much like what Amazon Web Services (AWS) delivers today. We were just a little too early — but the vision was sound.

Someday people would put their applications on other people’s computers. By doing so they would benefit from the economy of scale, and the standardization of the platforms that would breed a better, more consistent security model. Loudcloud was an amazing ride with lots of challenges. Ben does a good job summing them up in his book “The Hard Thing About Hard Things.” It wasn’t easy making the transition from a software mindset to a services mindset, but the two were married, as they should have been. It’s all about the applications. It’s always been about the applications.

All of the things that Marc, Ben, Insik and Tim envisioned have come to pass...sorta. While we definitely got the “buy by capacity” consumption model (with all its warts), the security model can still be a challenge.

Don’t get me wrong, Amazon, Microsoft and Google do a great job of racking and stacking and patching. But they aren’t the only “clouds” in town. Everyone is in the cloud and the security models can vary. Variability is the antithesis of security.

Basically what we’ve discovered is that, as the application owner, you cannot abdicate your security responsibilities. You own it. All of it. Now, you might inherit some security goodness from, say, Amazon (I’m sure you will) — but that doesn’t make you any less of an owner for the security of the “entire system” — all the way up through your application to the end user access. Soup to nuts, as we like to say.

The government has taken a little longer to get “on board” with cloud. We’ve had pockets of it here and there, but the security skepticism runs deep. And the security policies have been a little, shall we say, lacking. This is starting to change. Finally. For the better.

The Office of Management and Budget (OMB) Is on a Roll

This week, the Office of Management and Budget (OMB) released its long awaited updated guidance for the Trusted Internet Connection — or TIC as it’s commonly referred to — updating it to version 3.0. I wrote about this when the draft came out HERE — and now we have it in its final and glorious form.

Working with (and against) guidance that is over 10 years old can be problematic. So much change has happened over 10 years and almost all of it, while awesome, has been counter to the way cloud services were made to stand up, be consumed and secured. This new guidance from OMB takes a modern approach that throws in some future flexibility and adds a dash of help with pilots — much like their new identity guidance that came out earlier this year.

This gives federal agencies flexibility to do agile risk-based cloud deployments (cloud is agile by design) and stops requiring federal agencies to drag “outside to outside” traffic back through a DMZ. Outside to outside is a practice commonly referred to as “hair pinning.” This practice made sense in 2007 when it was mostly “outside to inside” traffic, but that has changed and now, thank goodness, the directives and guidance have too.

FedRAMP’s Standardized Approach to Cloud to the Rescue

It also helps to have some forward-thinkers driving cloud service providers (CSP) to adopt stricter government standards. The FedRAMP program is doing a great job with this and is open minded enough to keep improving the process because they know how critical it is for government agencies to be able to make these decisions and deploy their applications quickly and securely.

While there are still some cloud naysayers and skeptics in government, and I get it…. I really, really do. Cloud isn't the answer for every use case, but there are more people looking to move things to the cloud (or birthing new things on the cloud) than ever before in the government and public sector.

This is a truly Cloud Smart approach to a better future.