Duo has a strong technical partnership with Microsoft and we work closely to provide security solutions to solve challenges that our customers may be facing. As you may be aware, there was recently a critical vulnerability disclosed by Microsoft which affects cryptographic functions. 

Zero-Trust for Zero-Days

Zero-day vulnerabilities have long unnerved defenders. After all, we suddenly have a hole in our security, a gap in our defenses, and a new path attackers may already be taking. Exploitable software without a patch can be a challenge to quickly mitigate, even after security patches are finally released. Much like “assume breach” has influenced incident response strategies, assuming zero-days exist in the environment should be the starting point for defense strategies. Wait for patches, but in the meantime, rely upon compensating controls, and a bit of luck.

Zero-trust approach to compartmentalizing access offers an advantage in dealing with unexpected security holes. By defining the perimeter as any place we make an access decision, we can stack controls to allow or block access based on the trustworthiness of the user, application, or device. Something goes wrong, we can contain the potential attacker from going any further. And when remediation comes available, we can keep unpatched devices off applications and prompt for updates. 

Duo’s approach to providing zero-trust for the workforce illustrates this approach in action.

Microsoft Vulnerability

Now Microsoft has released a patch for CVE-2020-0601 and so it is not a zero-day vulnerability.  The critical vulnerability affects cryptographic functions in Windows, including code signing and HTTPS. Certificates are one of the fundamental ways we assert trust, so the spoofing which this vulnerability enables is especially concerning. One potential use is phishing users into providing credentials. Street smarts would tell you to use HTTPS and check the TLS certificate before authenticating. But with CVE-2020-0601, an attacker can spoof the certificate to appear the browser is actually on MyBank.com over a secure connection. Or consider environments where applications are whitelisted by source. An attacker can use CVE-2020-0601 to make malicious executables appear legitimate by spoofing the code signing. Given the importance of cryptography for so many security decisions, it is imperative that the vulnerability be patched.

Microsoft’s released this week fixes the code in Windows 10, Windows Server 2016, Windows Server 2019. The as-of-now unsupported Windows 7 is not affected. In addition to preventing the cryptographic spoofing, the patch went a step further in improving detection. Attempt to use forged certificates on a patched system and Windows will log it to the event logs. So patch, and consider adding a SIEM rule to trigger investigations should this pop up in event logs.

How Duo Helps

Duo as multi-factor authentication offers a strong protection should website spoofing, email spoofing, or code signing should trick someone into handing over their username and password. MFA devalues credentials by ensuring the stolen credentials cannot be reused alone. This protection provides user trust after the fact, after the vulnerability has been exploited.

Another method is to restrict vulnerable devices from accessing the organization’s resources. Maintaining trust in the devices used to access your applications is equally important as verifying your users. You can check out some of the additional tools we provide with our Device Health, Trusted Endpoints, Endpoint Remediation, and Unified Endpoint Visibility. Duo provides a solution in which, you can you quickly can apply both global and application-specific access policies that prompt users update their machines before they can access protected applications. Duo’s Device Health can provide additional visibility into the patch version of OS so you can become very granular in setting access policies to only block devices which have not yet been patched.

It is a simple policy configuration detailed below. With a few simple clicks this can be applied to corporate-managed machines and any personal systems that access your sensitive resources. 

Step 1: Edit Global Policy 

Step 2: Ensure Users Have Duo’s Device Health Application Enabled 

Step 3: Set Windows Operating System Policy To Block Users If Not On The Latest Version

Step 4: Monitor Windows Devices As They Are Brought Into Compliance With Policy

If you are existing Duo customer you can check out the related docs page here on setting the policy: https://duo.com/docs/device-health#operating-system-granular-policy.

And to learn more about getting visibility to the endpoints in the endpoints view you can access information here: https://duo.com/docs/device-health#endpoints-list-and-details.

If you are new to Duo you can start a trial today to level-up your security giving you peace of mind. 

Learn more about protecting your MIcrosoft applications with our new ebook, An Essential Guide to Zero Trust for Microsoft Applications.

The public’s use and awareness of two-factor authentication (2FA) is on the upswing, according to the latest State of the Auth report released by Duo Labs.

The survey revealed that 53% of respondents have used 2FA, representing a 25% jump in just two years. Meanwhile, 77% of survey respondents said they’ve heard of 2FA, which is up from 44% in 2017’s survey, a 33% swing.

Click the image below to see the full infographic for a by-the-numbers look at the State of the Auth report:

Be sure to check out the full State of the Auth 2019 report to learn even more about people’s perceptions of 2FA.

It’s January, and the unwanted chore of removing all the decorations and taking down the tree is lingering, while the thought of joining hundreds of others in the lines to return the unwanted gifts is actually making you excited to return to work!

The clock struck midnight on January 1, and we promised ourselves, "This year I am going to go to the gym and avoid all things unhealthy." We may have something to help that would require not going to the gym or calorie counting! Introducing Duo Device Health, the simple way to secure your online accounts and avoid access from unhealthy devices! 

Duo Device Health 

The Duo Device Health application gives Duo Beyond and Duo Access customers more control over which laptop and desktop devices can access corporate applications based on the security posture, also often referred to as health, of the device.

Device Health = Device Trust = Zero Trust

Device Health is a cornerstone of device trust which is a key tenet to achieving zero-trust security.

Zero-trust security is like guaranteeing the flu never enters the working environment – if it's unhealthy, it doesn't get in! Zero-trust security ensures the health of all of your BYOD devices.

The Duo Device Health application analyzes a device to assess the status of its security posture and reports the results of this scan to Duo. During authentication, Duo applies and enforces access policies using the device security posture information. When access is denied by Duo due to the state of security posture on the device, the Duo Device Health application receives the results of the policy check and presents guidance for the user to remediate the issue and successfully login the next time.

See the video at the blog post.

Lots of Device Trust and Little Work

There are three simple key components:

1. New Duo access policies that enforce application access based on device health.
2. A native client application for Windows 10 or macOS 10.13 or later that checks the security posture of the device when a user authenticates to an application protected by Duo with the device health access policy.
3. Additional endpoint information provided in the Duo Admin Panel.

The first time users log in to an application protected by the web-based Duo Prompt with the Device Health application policy enabled, they are prompted to download and install the Duo Device Health application. Once installed, Duo blocks access if the device is unhealthy based on the Duo policy definition (has it been updated or is it vulnerable to risk?) and informs the user of the reason the authentication was denied.

When a user's device doesn't meet the security requirements of the device health policy, the Duo Device Health application provides the user with steps they can take to remediate their security posture to align with the device health policy on the application.

Make sure your 2020 starts off right, even if it's not actually making it to the gym. Let Duo be one healthy resolution that helps you stay secure. Start a free trial today, and find out for yourself why Duo customers love us.

Something big is happening in February 2020, and Duo has been hard at work getting ready!

We’re not talking about Valentine’s Day, or Presidents’ Day, or even Groundhog Day (though all of those are great, too). No, we’re getting pumped for…

RSA Conference 2020, happening Monday, Feb. 24 through Friday, Feb. 28, along with all the other incredible events occurring in San Francisco that week. 

This year’s RSA Conference theme is something near and dear to Duo’s heart: the Human Element, which focuses on the value of people in the infosec community. Like RSAC, Duo believes that your best security resource is people – not just practitioners and admins, but all the end users in our organizations impacted by our security decisions. 

See Wendy Nather’s Keynote

Wendy Nather, Duo Head of Advisory CISOs, will speak to the Human Element in a keynote focused on democratizing security. Catch her talk on the West Stage at 8:55 a.m. on Tuesday, Feb. 25, where she’ll advocate for radical change; discuss how democratizing security means thinking differently about the people we serve; and explain that users are powerful industry drivers, not “the weakest link.”

Other Hot Happenings

Other things we’re particularly excited about during RSAC week include:

• Keynote speaker, Mary T. Barra, Chair and Chief Executive Officer, General Motors Company – with Duo’s roots in Michigan, we’re always excited to see a Michigan native on the San Francisco stage, so we’re looking forward to her West Stage keynote!
• The RSAC Women’s Networking Reception on Tuesday evening (Feb. 25), which celebrates the contributions of women in science and technology
• Brian Roddy, VP of Engineering at Cisco Umbrella’s talk “Brokering Peace Between Security and Networking: How to Secure SD-WAN” on Tuesday, Feb. 25
• Cisco’s Michele Guel, Distinguished Engineer and Security and Privacy Strategist, and Deepika Gupta, Security Architect/Technical Leader, Information Security, are leading the lab session “Privacy Engineering Demystified – You Too Can Be a Privacy Engineer” on Thursday, Feb. 27 at 2:00 p.m.
• Jonathan Fox, Director of Privacy Engineering at Cisco, will host a Threat Modeling Privacy session at 9:20 a.m. Wednesday, Feb. 26 in Moscone West

The Expo

Between sessions, don’t forget to head over to South Expo to find Duo at booth #1835 to chat with friendly Duo team members eager to talk about the security topics we all hold near and dear, including:

• Product leaders who directly establish our roadmap 
• Engineers, researchers, and designers who shape and develop our products 
• Implementation and support folks familiar with varied use cases 
• Cybersecurity experts who are driving the future of security practices 
• Sales and marketing pros who can brainstorm solutions that fit your needs

With our diversity of expertise and knowledge, we’ll walk you through an interactive demo of our security solutions, or show off our easy-to-use admin panel (the friendliest admin panel in security!), which provides admins from newbies to experts with an intuitive configuration of applications, users, MFA devices, and more. We’re also happy to discuss how Duo’s zero trust for the workforce solution factors into the greater Cisco Zero Trust framework. 

But Wait, There’s More...

Additionally, we’ll have some fun new things to show you, like our new Device Health application, which checks the security hygiene of laptops and desktops. You can also get a free mobile security checkup, or pick up one of our great give-aways, like a t-shirt or a signed copy of Andy Greenberg’s new book, Sandworm. 

Cisco Awesomeness Abound

While you're in our neighborhood, make sure to swing by the Cisco Umbrella booth #1027 to say hello and learn more about flexible, integrated security for how your business accesses the internet.

The fun doesn’t stop in South Expo, though! Between South and North Expos, you’ll find the Cisco Threat Wall, where you can play the DevNet game. In this role-playing adventure, you’ll find out how unsecured Internet of Things (IoT) networks can be exploited by hacking into one yourself! 

After you’ve finished your takeover, join a group for a free tour through the RSA Conference Security Operations Center (SOC), where you’ll get a view of real-time traffic on the Moscone Center wireless network. If you’re interested in a tour, please reach out to your sales representative for more information. 

Finally, stop by Cisco’s booth #6045 in North Expo, where you can watch brief presentations throughout the week on various security topics, such as our practical approach to zero trust with Duo for the workforce, Tetration for workloads, and SD-Access for the workplace. There will also be several product demos, including some from our friends at Meraki, on the Meraki Systems Manager, Cisco’s MDM solution. 

The Cisco booth is also the place to pick up your Cisco Party wristband – but you’ll want to be sure to register first (registration link coming soon). This Customer Appreciation Event is on Wednesday, Feb. 26 at August Hall. Join Cisco and Duo for a night of music, food, drinks, and plenty of dancing! If you’re interested in attending, please reach out to your Duo sales rep, or request a formal invite from adr@duo.com!

BSidesSF

Of course, if you’re in town the weekend before RSAC, you won’t want to miss the 10-year anniversary of BSidesSF, held Saturday, Feb. 22 through Monday, Feb. 24. There will be plenty of great talks here, including some interesting presentations on how security teams are handling DevOps and containers, as well as another one of our favorite topics: zero trust. 

CSA Summit at RSA

Cloud Security Alliance is bringing back the CSA Summit for its 11th year on Monday, Feb. 24 to share best practices in cloud privacy and security. This full-day event will be followed by the CSA Member Appreciation Night at Galvanize, sponsored by Duo and Umbrella. Stop by to network, grab a drink, and catch up with your fellow infosec peers. (Register here!)  

Yes, there really are so many things to get excited about in February. And how fitting that the last day of RSAC is Feb. 28, which is National Sleeping Day – after all the networking, learning, and celebrating, a much needed rest.

Until then, we’re ramping up our efforts and energy to make this year’s RSAC a blast. We look forward to seeing you there!

We barely remember who or what came before this precious moment
We are choosing to be here...right now.
- Tool ("Parabola")

Several years ago, I remember sitting in the office of a security director at a large government agency. We were discussing the Washington Redskins. A topic near and dear to my heart, and the cause of much of my anxiety over the last decade (it’s not easy being a Redskins fan). I was already pretty bummed when one member of his staff rushed in, out of breath, to bring him some really bad news: they had purchased a security scan tool and had discovered that there were Xboxes on their network. How and why were these devices being allowed access to the critical network of this government agency? My friend said he had to go “put out this fire,” so he waved me off.

This, at the time, really got me thinking. I wasn’t yet introduced to a zero-trust security approach but I intrinsically understood that the way we compute was under a radical transformation. Xboxes were a little extreme, but to me it didn’t seem that different from having everyone carry a personal computer in their pocket (smartphone) anywhere and everywhere they go. These devices could get on the network, and even if they couldn’t, they could get on someone’s network and do things, such as compute and access data. And no matter how many times you said the word “container” or drew a bubble around some things on a Vizio diagram, it never did change the fact that data was gonna flow. Bits were gonna move. And you had about as much of a chance of controlling the weather as you did in controlling the pipe. I mean true control.

This is hard for human beings to grapple with. There are things that are part of our jobs, that we used to be able to control, that we no longer can. It’s a major source of stress and fatigue. Change is happening, and I’ve never seen change thwarted. You may slow it down, but you’re not gonna stop it. 

I think we tend to have subconscious tendencies to try to control uncontrollable things because we are losing control of things that we used to be able to control. This is certainly the way it feels to me. I’m not saying zero trust is going to help us regain control over everything, but if you look at it as a design philosophy, one in which we are able to focus control on the things that really matter, then yeah, zero trust could save the world... or at least your security sanity while helping to protect what really matters: the data.

If you think about it, this is almost an inevitability. It started when we moved workloads to the cloud. Then users started using mobile devices to get work done. Now we’re on the cusp of 5G and – say what you want about it – it’s going to fundamentally change the way networks are wired. In my view, these are the three legs of the modernization stool.

So we’re left with this conundrum: how do we offer protection for apps we don’t own, on computers we don’t own, over networks we don’t own, from devices we don’t own, requested by, in some cases, users we don’t own (not that we “own” users but more and more of these might be contractors, partners, customers or citizens)? So at the end of the day we have to ask: what DO we own and what can we protect and what should we care about? It’s all about the data, and the applications as a gateway to this data. It’s a lot less (as in, not at all) about the infrastructure.

NIST Weighs In On Zero Trust

This is why it is so refreshing (even if it took some time and, frankly, it’s taken us all a little time to wrap our heads around the “new normal” and concede that there had to be a different approach to data security) that the National Institute of Standards and Technology (NIST) has finally put together some guidance. NIST has delivered some thoughtful structuring about how organizations – enterprises and agencies alike – might achieve zero trust, or at least how to start the journey, and how to think about it.

Recently, NIST put out the draft for comment for SP-800-207. This document really is a great start. They correctly point out that “zero trust” is a design philosophy or a lifestyle, not a product. NIST points out the important tenets of a zero-trust journey and they point out – again right on the money – that certain design considerations that may already be deployed could themselves be a little “zero trusty.” 

What all of this means is: first, let’s start focusing on the things that matter: the users, devices, and the applications. This is what it’s all about. Second, we don’t have to reinvent the wheel. There are things in your environment that will have a role to play in the new world order, and they might even get a new paint job and some new flexibility. Case in point, the document calls out updates to identity guidance from NIST, which has been aligned to new identity policy from OMB. This combination turbocharges things your agency can do to bring a better user experience to Identity, Credential and Access Management (ICAM) now and in the future. Third, this is a journey. It’s not a product, it’s not a bumper sticker slogan -- it really is a lifestyle choice. It’s a new way of thinking about what things you and I, as security practitioners, are going to need to focus on protecting. It’s totally aligned with industry thinking on a zero-trust journey.

Is it perfect? No. Does it need to be? Hardly. It’s a good starting point. It’s a good catalyst to get the creative juices flowing and force us to have these discussions while allowing us to start building out some reference examples that can be iterated on and fleshed out. Every journey begins with a first step. This is a good one.

It’s also worth pointing out the alignment to the new TIC 3.0 draft, Continuous Diagnostics and Mitigation (CDM), and a host of others constructs that we have to adhere to in the public sector. And after the National Cybersecurity Center of Excellence (NCCOE) held its zero-trust workshop last month, I was encouraged that folks from the Office of Management and Budget (OMB) showed up to offer support for this new model and to let people know that they are paying attention. They want agencies to feel like they can move forward and that the policy will come to them, not the other way around (which is the world we’ve mostly been living in until now).

I would be remiss if I didn’t point you to Duo’s Product Marketing Manager Thu Pham’s pragmatic synopsis on the draft and what it means to the greater security community. When Thu speaks, I tend to listen, and you should too. Her assessment is very thorough and thoughtful (I expect nothing less).

Game on friends.

Learn more about how zero-trust security can help federal agencies with their IT modernization initiatives in our ebook Achieving Zero-Trust Security in Federal Agencies.

This blog post is the third in a three-part series on how "Duo Integrates with Cisco Technology." Catch up on part two on Duo + Cisco's Firepower Threat Defense, and part one on Duo + Cisco's VPN and Cloud Applications.

Many organizations begin the journey to improve their security by protecting remote access to their environment with multi-factor authentication (MFA). By leveraging the integration between Duo and AnyConnect, organizations are able to verify the identity of their users and reduce their risk surface. As cyber threats evolve, approaches to security evolve as well. While establishing trust in users is critical, it is imperative to establish a level of trust in the devices connecting to applications.

There is a shift in security practices to adopt a zero-trust security model to protect access to all applications, whether on-premises or in the cloud. A critical step in realizing the zero-trust vision is adding device trust into the access equation.

When customers think about sensitive applications, the application that typically gets the most attention is the VPN. This is because an attacker who has access into the corporate network using the VPN can try to gain higher privileges and move to other systems, applications and servers. In more advanced cases, an attacker might install malware on internal systems to gain persistent backdoor access into the network.

We are excited to announce that customers using AnyConnect and Duo can now use Duo's Trusted Endpoints feature to layer on the added protection of checking for device trust to all VPN access requests. Combined with access policies, organizations can ensure only healthy, managed user devices are able to gain access to sensitive applications. By leveraging this integration, it is possible to ensure that every VPN access request is originating from an endpoint that is managed by corporate IT, with or without an MDM/EMM solution in place, and hence can be deemed trusted to gain access. This adds to the existing guarantees from the Duo MFA prompt to ensure that the request is also coming from a trusted and authorized user.

Learn more about the benefits of protecting your Cisco AnyConnect with Duo’s MFA, and sign up for a 30 day free trial.

2020 Predictions

The present caught up to the future in November 2019. The film "Blade Runner" takes place in 2019 Los Angeles, and watching the film says a lot about people predicting the future. Sure, they get some things right. AI assistants and smart homes? Hello, Alexa and Google. Video conference calls? WebEx all day long. But where’s our flying cars and human-like robots? (Do autonomous vehicles count?) And why wasn't Atari neon everywhere in 2019? Turns out, people aren’t all that good at predictions.

Let’s look back to look forward.

Breached-by-Mistake Happens

In this article, we’ll consider trends seen in 2019 and forecast where these may take corporate security in 2020. Some are very predictable. For example, VeraCode’s State of Security report’s retrospective on the past decade shows that we are surprisingly predictable in introducing vulnerabilities into software. Similarly, breached-by-mistake has been a common theme the last few years. Some trends are not as predictable. For example, with DevOps, we can now consistently make those mistakes faster. And with the growing IoT (Internet of Things) market, we can now make those same mistakes in new places on new smart devices. We can count on IT to continue to be vulnerable.

Money Still Top Motivating Factor for Cyber Crime

The primary adversary for corporate cybersecurity continues to be crime. And no wonder. It’s a lucrative market. Take business email compromises (BEC), which some studies show nets on average $130,000. Compare that to the poor bank robbers who only bring in around $3,000 per heist, and we can see why criminals are turning to technology attacks. The size of the problem is anyone’s guess, due to underreporting, international differences and more. The most recent information put out by the FBI reported $2.7 billion in annual losses as one data point we can look to. With those kind of stakes, we can count on criminals to continue exploiting vulnerable IT.

With those two trends as our guiding lights, let’s peer ahead into 2020.

Future Cyber Crime in 2020

Blending of Techniques

The past was about single tactic crimes. Attackers phished for passwords. Disgruntled insider threats damaged equipment. Support scammers called for credit card information. But people began to get street smart. For example, the 2019 Trusted Access Report found that fewer people are opening phishing emails, and fewer still are providing credentials. Microsoft has reported seeing a similar drop in the success of tech support scams. Which means criminals have to get better.

Expect to see more crimes that blend techniques. For example, criminals obtaining legitimate support information from companies using insider threats, then crafting more accurate pretexts, and leveraging a combination of email and telephone communication. The current level of security awareness is sufficient to thwart a basic support scam. But if the scammers call with your actual support contract number and support dates, would you be able to distinguish them from a legitimate support request? Likely not. And inside employees have been known to resell this information to the scammers. Thus greater security awareness will drive criminals to greater sophistication in 2020.

Blending of Technologies

The past was about single purpose malware. Take Magecart, which is inserted into shopping websites as a JavaScript. The malware has been around since 2010 but it saw a significant rise in use this past year. Why? Because as point-of-sale systems are hardened, it’s become more difficult for criminals to get in and stay in. Meanwhile, the websites are outside of these hardened and monitored environments. So attackers deploy to the weaker areas where they can stay in for weeks.

Another example is Emotet. It first appeared in 2014 as a banking trojan. This year saw Emotet developed into a modular platform which other criminals can build upon. So attackers repurpose and specialize in order to maximize their existing technology. Similar to the principles of open source software. Expect malware to follow a similar trajectory that software has, towards microservices and software-as-a-service.

Shifting Targets

Criminals began with larger organizations for the obvious reason: the larger score. In recent years, with ransomware and targets of opportunity, small organizations became prime targets. But, both the very small and the very large have been shoring up defenses the past couple years. The Security Bottom Line report found that “organizations in the middle with 1,000 to 9,999 employees are struggling the most to adequately secure their environments.”

While the Verizon DBIR 2019 data does not indicate medium-sized organizations are breached more than others, there are clear differences in tactics. These medium-sized organizations see higher rates of hacking than other sized organizations (73% versus 49%) and phishing (58% versus 17%) suggesting lower IT security and overall security awareness. Expect more criminal activity as the attackers route around the stronger defended organizations.

Future Defenses in 2020

The digital transformation of most organizations is well underway. Recent surveys show over 90% of organizations using public cloud infrastructure, over 50% using containerization technology. And while previous years allowed security leadership to avoid placing DevOps and cloud teams in scope, this will all but come to an end in 2020 as sensitive workloads move to these platforms. Expect increased use of the configuration automation found in DevOps such as Ansible for prevention. For detection and response, expect more organizations to implement SOAR (security orchestration automation and response) to improve reaction times with limited staff.

Another aspect of cloud computing has been the adoption of cloud apps and software-as-a-service. The primary control security teams have over these apps is identity and access control. Duo’s 2019 Trusted Access Report found that, “cloud integrations are up 56 percent year over year based on the number of customers authenticating to cloud apps, and up a whopping 189 percent year over year in terms of the number of customers using each cloud app.” Expect this trend to continue as organizations turn to IAM (identity and access management) as a front-line defense for the cloud apps they rely upon.

Changing Technologies

There are two technologies which will have a significant impact on defense in 2020: passwordless authentication and UEBA.

Passwordless authentication. This year saw the standardization of WebAuthn protocol and the tipping point for adoption of operating systems supporting passwordless; from desktop computer to phone to tablet. Considering the threat posed by stolen credentials, and the win-win of increased security with increased ease-of-use, passwordless will be a big theme in many organization’s security roadmap in 2020.

UEBA (user and entity behavior analytics). The UEBA product market has existed for some time. But challenges remain in trying to apply analytical models to an unpredictable workforce. 2020 will see UEBA shift from being a dedicated product to being a product feature. This move enables the analytics to be placed around specific activities rather than the generalized approach taken today. For example, placing UEBA on application workloads or on authentication workflows. With such a tight scope, there will be fewer false positives. Expect purpose-built UEBA to be more common and become a cornerstone of a zero-trust architecture.

Bonus

Hacktivism has been on the decline since its peak in 2015. There are a number of factors behind this decline, including the hacktivist tactics like DDoS (distributed denial-of-service) becoming less effective, hacktivist groups like Anonymous becoming less cohesive, and increases in law enforcement against hacktivists. 2019 saw the lowest number of hacktivist activities in the past five years.

Yet in 2019, the world witnessed a number of protests across the globe. Many are ongoing at the time of this article. We are in a period of worldwide unrest that is likely to continue for the first half of 2020. This creates fertile soil for a variety of new tactics, both on the ground and over the internet. We can expect hacktivism to return with a new set of tools and targets reflective of these groups.

Conclusion

My two favorite things in Blade Runner are the payphone and the Polaroid camera. Here we have futuristic video conferencing. But the hero places the call from a payphone. These are so rare these days that people photograph them and share telephone booths on social media. This gets me to the photos, a key plot-point in Blade Runner, which are physical media from what appears to be a high-tech Polaroid camera. They have space travel but no Instagram. It’s fantastic. And it is a reminder that predictions are a tricky business.

In this article, we’ve reviewed trend lines and forecasted where security challenges may take us. 2020 will sift the video conferences from the payphones.

It's safe to say when we look back at our university days, the last thing we were thinking about was protecting our campus credentials. Am I right?

There are currently 32,113 schools and 142 universities in the U.K., and according the BESA (The British Education Supplier Association) we have 10,320,811 full and part-time pupils at school. Not to  mention in 2017–18, there were 2.34 million students studying at U.K. higher education institutions. That is a lot of student credentials to give access to. 

In July, Lancaster University reported a phishing attack that affected 12,500 potential students who had applied to the National Crime Agency (NCA) and the Information Commissioner’s Office (ICO). Some undergraduate students received fake tuition invoices. 

Furthermore ComputerWeekly carried out an article that stated, “UK universities are continually under cyber attack, with a quarter reporting daily attacks." 

"Poorly defended U.K. university research that is mainly commissioned by government is a top target for hackers, putting national security at risk, a study reveals, underlining the need for better cyber security" — ComputerWeekly.com

How Can Duo Security Help?

Think of us like the Dumbledore of education security. No we don't have a magical wand or a book of zero trust spells, but we do have the tools to implement a simple, yet effective data security solution that will protect both you and your students:

• Verify Identity at Every Login - Duo verifies user identities with two-factor authentication (2FA) and checks the security health of their devices before granting access to Institution’s applications and intranet. This ensures only users and devices that are trusted can access protected data
  
• Easy To Use Authentication Options - Give students and staff frictionless secure access with various options for two-factor authentication (2FA) methods based on their preference – from push notifications to phone callbacks. This ensures all logins are seamless and intuitive.
• Reduce the BYOD Risk - Get insight into risky devices accessing your network. Duo checks every device, including user-owned, as it logs in to ensure it’s running the latest software and security features are enabled. Block risky devices or notify users to update.
• Protect Every App - Duo’s trusted access solution supports all popular cloud and on-premises applications, including Oracle PeopleSoft, which institutions use in portals. Duo’s single sign-on (SSO) gives users access to all apps from a single web interface for easy access.
• Curtail Compromised Accounts - Institutions showed a 96% reduction in compromised accounts after deploying Duo across their student populations. And Duo offers phishing campaigns to raise awareness and ensure students, faculty and staff don’t fall victim to phishing attacks.
• Cost-Efficient Security - Along with reducing the risk of data loss and protecting applications and data, Duo also helps educational institutions realize cost savings by reducing help desk call volume and support hours.

Compliance Is Our Friend 

With a track record of educational success with the University of Sunderland and York University to name a few, compliance is a top use-case for our customers.  Duo helps meet compliance and security policy frameworks. 

GDPR

The GDPR places emphasis on the access of data and resources, ensuring the right people have access to the right data.  Organisations are required to process personal data securely by means of appropriate technical and organisational measures.  

PCI-DSS

The PCI-DSS standard has always required MFA for remote access, including providing MFA for administrative personnel with access to computers and systems handling cardholder data.

The Information Commissioner’s Office (ICO)

The ICO provides guidance on choosing the right authentication scheme for your organisations

National Cyber Security Centre (NCSC)

The NCSC has published advice for organisations on implementing multi-factor authentication (or two-factor authentication) to protect against password guessing and theft on online services.

Customers Come First

We are proud to serve the UK education system and have already had successfully deployments with many Universities. 

But don’t just take our word for it, take the free trial today and find out why Duo is the most loved company in security - https://signup.duo.com/trial

**Phishing: A Modern Guide to an Age-Old Problem** This guide gives you a look into: How phishing works, how it has evolved, and the new tactics used to appear legitimate to users.

Download Free Guide

I slumped back into my favorite chair and stared at the carry-on suitcase over by the door. Thankful that it is now empty and will remain that way until 2020. This gives me time to reflect on the past year and decade as I linger over a cup of coffee. This year I managed to travel to many destinations to meet and speak with people about zero trust and what it means for organizations. 

The concept is a simple one. The idea being to reduce risk overall and improve organizational security posture through layers of granted access and verification via multi-factor authentication (MFA) that is so easy to use and protects so well that it has leveled the playing field and helped to democratize security.

So, what does that even mean? Well, any security tool that is meant to be adopted by a wider audience will prove its worth by demonstrating that my elderly parents could use it. My mother is in her 70s and somewhat tech savvy and she took to Duo MFA like a duck to water. I tried other security products which will remain nameless and they were met with far less fanfare. 

How have we progressed? Well, if we look at the State of the Auth report that was just published we see that between 2017 and 2019 the adoption of two-factor authentication (2FA) has taken off! Just two years ago the number of survey respondents who said they've used 2FA clocked in at 28%, whereas in 2019 that number swelled to 53%. A healthy 25% bounce. 

Another statistic that resonated with me was the change in the percentage of respondents who have heard of 2FA, which grew from 44% in 2017 to 77% in 2019. This really hit home for me when I was at a conference in Asia speaking about zero trust. After my talk I had several attendees approach me to learn more. I was surprised that they had not heard of zero trust before that point. I took this as the opportunity that it was: to help better explain the concept. Just because something may be top of mind in one part of the world is no guarantee that it will be global in nature.

When the Edward Snowden related stories were splashed across the headlines I found myself speaking at conferences in other parts of the world. No one seemed to know or care about the Snowden case. There was the occasional head nod, but by and large little interest. Their concerns were focused on how to better secure their own environments. This is why the zero trust conversations really took root, as it helps to provide a clear path forward to help organizations improve security.

What about saving users time? Well, we have all read studies about the cost involved in resetting passwords. When we look at the cavalcade of data breach stories that seem to grace the news cycles on an almost daily basis one can only imagine the cost of resetting all those passwords, let alone recovery costs in general. From the State of the Auth report we saw that the use of Push saves users on average 13 minutes per year. Users that utilized U2F had average time savings of 18.2 minutes per year. That might not sound like much until you add up all the employees for a 100,000-plus staff organization. 

Over the last year I’ve had countless moments where random people would show me the Duo app on their phones in places such as Hong Kong, India, Thailand, Greece, UK, USA and Canada. It’s a point of pride to see someone calling out to me in an airport when they see my Duo t-shirt so they can tell me how much they love our product.

This past year has been an adventure and I’m pleased to see the rise in the numbers of people that not only have heard of 2FA and zero trust, but a rise in the number of users. Data breaches continue to abound and anything that we can do to reduce that number is a positive step forward into the next decade. 

Free download of the 

2019 State of the Auth Report 

Once upon a time, you went to work and you used information technology. You entered the office, you used the computing device (endpoint) on your desk that was assigned to you by your employer, and you used the software they provided to conduct the company’s business. 

Today, of course, that’s all different. You might use a device provided by your employer, but you might also use your own personal device that you purchased. And you might get annoyed when you have to switch back and forth between one and the other as you try to keep them separate. Not only that, but you’re increasingly using the same software for personal reasons that you use for work — email, file sharing, social media, and more. The only difference is what you’re doing with it and why: the context.

These blurred lines between personal IT and business IT have a couple of implications. One is that sometimes the only difference between work and home is the login name you use for that SaaS application. In some ways, this means that the new security perimeter for an enterprise is the identity, which is part of what we talk about with zero trust. The other implication is that when you’re using the same software as a consumer and as a worker, you get used to the ease of consumer-grade experiences and you don’t want to give them up.

The new reality is that we are all consumers — all day, every day. It doesn’t stop when we get to the office. We switch back and forth constantly between a business context and a personal one. What we see on the screen in front of us, and what we pull out of our pockets or purses, are increasingly the same. 

For creators of security software, it’s time to stop treating these two contexts as if they belonged to different people. “Engineering-grade” user interfaces have to evolve to meet the same design standards as highly competitive consumer applications. It’s not that we have to “dumb them down” — that’s an outmoded attitude of them versus us, insiders versus outsiders — but rather that we have to acknowledge consumerization as a trend that affects us all. 

If you logged into an online shopping site and it looked like an ERP application, wouldn’t you run away and look for something better?

We still need design personas, such as administrators, developers, operators and end users; but we can’t assume that they are different people from an experience perspective. At smaller organizations, staff often take on multiple roles anyway, and with user-facing applications (such as MFA), everyone is an end user. 

We can no longer afford to assume that even a technical user of our products will tolerate a complex, clunky, strictly utilitarian interface on a software application these days. Company staff can’t be expected to put up with bad design just because their employer tells them to. They’re starting to revolt, starting with the department heads who launch shadow IT projects and the executives who insist on doing company work on their own devices. 

In other words, users are no longer “captive” to what their enterprise organizations choose in security software. They have options and opinions, and those opinions are getting louder. Let’s treat security products as if they were being launched in the worldwide marketplace, on a stage under bright lights, by a CEO in a black turtleneck. 

Security software doesn’t have to be painful and can be user-friendly and easy. In order to secure our workplace, we have to compete every day with the design of beautiful and simple software that is on our phones and in our pockets. 

Find out how easy security can be for your organization or business, start a free trial of Duo here

Sometimes the lights all shining on me
Other times I can barely see
Lately it occurs to me
What a long strange trip it's been

— Grateful Dead ("Truckin")

We are proud to announce the Duo has achieved FedRAMP Authorization – another milestone in our endeavor to help secure our democracy. What an amazing journey to get to this point! 

Cue the parade! It is official, Duo Security achieved FedRAMP Authorization with sponsorship from the U.S. Department of Energy (DOE). Our cloud-based Duo Access 2FA solution, which enables federal agencies to replace or augment traditional security card authentication methods with Duo’s push-based two-factor authentication (2FA) technology is available at the FedRAMP Marketplace.

Getting here, as you know, is no easy feat. As I had discussed previously HERE, FedRAMP is not a destination but a lifestyle choice. It’s something that you build into your daily operating environment and into your security DNA. It has a long storied life from its humble beginnings of SP-800-53, through directly applied FISMA metrics to cloud and now, in its current form, an enabler for cloud service providers (CSP) to deliver commercial off the shelf (COTS) cloud services to government agencies. We will live in this – it will become part of our DNA here at Duo and the greater Cisco.

How Duo’s MFA Helps Federal and Government Agencies

Duo’s Access and MFA product editions are perfectly suited to help government agencies protect their most precious assets — their users. We help those users by protecting their most utilized resources — their devices and their access to critical agency applications. 

Duo was born on the cloud, which gives us a unique perspective in our belief that the way to deliver cloud security is through cloud-based security. This is what the government’s IT modernization and “Cloud Smart” initiatives are all about – using cloud computing to deliver better, more secure services to all of our various constituencies. 

Duo has also endeavored to align it’s FedRAMP offering with the latest and most “cloud friendly” and “Zero Trust Ready” standards. Standards such as NIST’s SP-800-63-3 where certain authenticators such as SMS based 2FA and “call back” based 2FA, have been deprecated due to their susceptibility to compromise. We’ve also built in FIPS validated crypto all the way through the stack. This is harder than it sounds but we believe that providing the strongest level of encryption available was important. This is not always done and your mileage may vary with some providers. Pays to ask.

I firmly believe that Duo’s vision of a user-focused security model aligned to zero trust is the best security hope for this IT modernization journey. This journey is bound to include all of a government or military agencies’ computer systems, whether they are in the  cloud or a datacenter. Our goal is to consistently provide the same security “connective tissue” regardless of where your applications live and breathe or from where your users access these things. 

It’s also worth mentioning that being part of Cisco, the world’s largest cybersecurity company, helps Duo accelerate this mission of securing democracy. The public sector is one of Cisco’s biggest and most important markets. Cisco has proven that it gets IT modernization. It gets federal and government agencies where they want to go, and it secures them along that journey.

Duo is proud to be part of Cisco and proud to be helping federal and government agencies of all shapes and sizes realize their IT modernization goals while building in the security that is required to protect the things we hold dear.

Check out this article on CyberScoop that reports both the Republican National Committee (RNC) and the Democratic National Committee (DNC) are using Duo's 2FA solution ahead of elections to thwart potential threats. 

Duo is now FedRAMP Authorized! Achievement unlocked! FIPS baked in! Now, let’s get to work and secure some stuff (like our democracy)!

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer, Account Executive etc. at Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo? 

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Director of Sales (West), Anthony Igwe to learn about what he does and his experience at Duo. 

Anthony Igwe

Employee Name: Anthony Igwe

Title / Department / Office Location

Director of Sales, West/ Sales/ San Francisco, CA

 How long have you been at Duo, and what do you do here?

I’ve been at Duo for two years and I manage a group of West Coast Regional Sellers. 

 What's your day-to-day like at Duo?

My day is centered around supporting my team. Whether I am sitting in on a customer call, doing deal, strategy reviews in 1:1s, or unlocking new cross-functional relationships that will help better empower my team  — there is never a dull moment. Which is what I love about my role here at Duo. I manage a team largely made up of early career sales professionals, so I find a lot of joy in being a player coach. Coaching, training, and helping my team develop critical skills to enable them to move up to the next level of sales.

What tools do you use to help you do your job? 

No sales team would be complete without the use of a customer relation management (CRM) tool to manage all of our customers interactions. We leverage Salesforce to help our reps organize their books of business, to provide front-line leadership with visibility into things like forecasts and pipeline, and senior leadership with a view into important top-level metrics. 

Outside of the general day-to-day duties I use a combination of CRM, spreadsheets, and decks to help me be more effective for my team. I use the CRM to find key reports that will help my team surface new opportunities and spreadsheets to create more real time interactions with my team whether that be creating a Big Deal Board that we are all looking at quarter over quarter or to keep specific 1:1 cadences with members of my team. I use decks for things like team meetings and strategic customer engagements. 

How do you and your team collaborate with other teams within Duo?

Duo’s secret sauce is our ability to be there for one another and take others with us. This isn’t a place where “ego” exists so it makes it easy for every member of my team to create cross-functional relationships. It’s because of this that I encourage my team to reach out to their other regional counterparts to collaborate on sales plays, visit each of the other offices and just sit with other teams. I also encourage them to join Slack channels like Coffee Roulette where every Monday the bot matches you with a random person at Duo with the objective to schedule time and just learn about what that person does at Duo. To this day I’m still a member of the this channel and get a TON out of my interactions.  

One unique thing I do as a manager is when every new hire joins our team they receive an on boarding checklist from me (outside the more formal onboarding and training process) that consists of a list of 20-30 names. From peers, to leaders, to important cross-functional team members. I ask them to reach out and schedule 30 mins and take notes. We usually review in our next 1:1 and I always ask what one thing did you learn from your interaction? Those takeaways tend stick with each person and help them hit the ground running faster than expected. 

How did you get your job at Duo?

I knew about Duo for some time but was always more interested in the earlier stage start up because I felt those companies offered more of an ability to impact the business, wear many hats, and be a part of a fast growing machine. Had it not been for an amazing Duo recruiter reaching out to me on LinkedIn I would have never known that I could get everything I loved about startups at Duo. One thing that meant everything to me during the process was how well everyone listened and cared about what I was looking for, not just what they needed. From the recruiter to hiring manager, to senior leaders, everyone was on the same page during my process and that made me feel very confident that Duo was a company that I wanted to be a part of. 

What is the first thing you do when you come into the office?

I make it a point to talk to each member of my team with a simple goal of just seeing how they are doing. Did they have a great weekend? Are they having a bad day? Are they stressed/exhausted/locked in? It’s important as a leader that you understand the pulse of your team, to understand this they need to trust you. My goal is to always have my team look at me as a person they can confide in, a person that they can talk to. So I try to bring a positive force to the office each and every day to make their experience a good one.

Any big projects or goals you're currently working on?

A personal goal of mine is to have every member of my team promoted during their regular promotion cycle. One project I am working on is with our Marketing Operations group to aid in the process of completely revamping our nurture cadences for dormant leads that are lacking more targeted messaging. 

What’s an important lesson you’ve learned while working at Duo?

You will get a lot more accomplished when everyone is working towards the greater good of the company. Putting the company first. Egos kill progress, they stifle innovation. By eliminating them from the equation you open the door for more possibilities and help people and companies realize their potential. In the land of sales, consistency pipeline creation is king. Setting rep and manager-level pipeline targets and measuring our success not only on revenue but how much pipeline we have generated quarter over quarter makes all the difference.

How is Duo different than other places you've worked?

The culture is phenomenal. In sales, we have created a culture of winning where no one person is greater than themselves and where every person is working hard for something bigger than themselves.  So much has gone into developing an amazing culture, product and airtight sales process with the right message to our customers. I have never worked for a place where the NPS score is north of 70. Just outstanding. 

How is your role at Duo different than roles you've had with other companies?

I feel empowered to run my business the way I want to. I feel trusted to make critical decisions without the fear of getting my hand slapped. I feel like my opinion matters. And most importantly, I love the people that I work for and that work for me. Though we have multiple levels of leadership, we very much run a flat organization where any employee at any level can feel comfortable talking to anyone. This starts with Duo’s co-founder and general manager, Dug Song. 

Dug makes it a point to travel to all the various Duo locations and talk to people. If there is a new hire he hasn’t met before, he will stop by and say hi. He has this innate ability to make you feel so comfortable in a conversation even though he is the co-founder and I think the rest of our leaders take a similar “servant leadership” approach that makes our culture one where our employees can be themselves and focus on bringing the best “them” to the table every day without fear. 

What would you tell someone considering a role at Duo?

If you are looking for a place where you can truly express who you are, focus on bringing the best you to the table every day without worrying about looking over your shoulder, this is the place for you. Come join our highly collaborative sales team and our fun sales culture. Come join the most loved company in security! 

We’re hiring! If your mission is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want you! Learn more at duo.com/careers

Duo Labs just released its second State of the Auth report to take the pulse of people’s understanding of security and 2FA in America and the U.K.

Stealing user credentials remains one of the easiest and most vulnerable areas for hackers to gain access into secure systems. Luckily, two-factor authentication or 2FA (also known as MFA or multi-factor authentication) is one of the easiest security methods available to protect user credentials from being stolen. Instead of a single login gaining automatic trust into a network, 2FA requires multiple methods of verification prior to granting access. Methods can include push notifications from an app like Duo Mobile, SMS texts, email and biometrics. In addition, admins can set policies that control access and establish device trust. But has 2FA hit the mainstream yet?

What A Difference Two Years Makes

The Study Results Show That 2FA Is Catching On

Awareness in 2FA shot up from 44% of respondents in 2017 to 77% in 2019. That’s a 33% gain over a two year period.

More Users Are Adopting 2FA Security for Protection

In 2017, a mere 28% of respondents were using 2FA compared to 53% in 2019. That is a solid 25% gain in user security.

SMS Text Message Is the Most Used Authentication Method

In both 2017 and 2019 SMS authentication for 2FA dominated, likely because it is the most offered option or adoption is required by organizations (although it is not the most secure).

The Fastest and Most Secure 2FA Authentication Method Is U2F

A 2FA user that uses SMS as their second factor could save time by switching to other, more secure, auth methods.

• Push saves a user 13 minutes annually over SMS
• U2F saves a user 18.2 minutes annually over SMS

Of All Accounts, Securing Banking Accounts Is The Most Important

The participants have their money on their mind, and consider financial accounts the most important to secure by 85%.

How Concerned Are Users of Account Security?

We asked respondents whether they agree with the statement: “I worry about malicious actors gaining access to my accounts.”

• 39% of US respondents strongly agree
• 25% of UK respondents strongly agree

We also asked respondents whether they agree with the statement “I believe that my accounts are generally secure.”

• 74% of US respondents somewhat agree, agree or strongly agree
• 78% of UK respondents somewhat agree, agree or strongly agree

Key Takeaways

Adoption of 2FA security is on the rise, which is very good news. This is largely driven by organizations deploying 2FA technology within their networks, but it's also due to 2FA being seen “in the wild” in folks’ personal lives through apps such as email, social media, shopping and financial services accounts, like banks and brokerage firms.

This also means that since most folks now know what 2FA is, we’ve also seen a marked gain in the actual adoption of 2FA. Usage for 2FA swelled from 28% in 2017 to 53% in 2019. There are a few big reasons for this. Along with 2FA showing up more in our personal applications, organizations are putting 2FA into their user workflows for access to corporate data. Corporations are constantly improving the user interaction and design for security with “end user experience” in mind to make these barriers to access easier. The user interface bar has been raised by Apple, Google and others incorporating 2FA technology into their platforms, which incentivizes other enterprises to keep up the security pace. User’s have high expectations of simplicity when security creates a new barrier to access and this will continue to be “more” and not “less.”

It’s Also Not Surprising That 2FA Usage Tends to Skew to Younger Folks.

2FA Users Skew Younger

According to our survey results, the younger the respondent, the more likely they are to use 2FA, with the 18 to 24 age group leading the charge.

2FA Use by Age

Younger users are tech savvy and more in tune with the knowledge that “credential exposure” or “credential hijacking” is a real threat. They’ve been exposed to hacks and have been warned of credential stealing since university. By contrast, older users have likely been using the username/password combo with a false sense of security for years – using just a username and password has been proven to be insecure.

Turns Out Email Is the Most Important Account to Protect

There is a lot to love about these usage and awareness stats, but there is one misconception here that I would like to highlight. Most users believe that they only need to protect “important” applications or accounts like bank accounts, brokerage accounts — basically financial accounts. Now, this makes sense on the surface to most of us since hey, that’s our money and we’re led to believe that that’s what attackers are after in most cases. But this belies the sophistication of these attackers.

In many cases these bad folk can monetize your data from other accounts — and your data can sometimes be just as valuable as your actual money. Attackers are sneaky, and where there’s a will there’s a way.

Why Email Is the Most Important Account to Protect

A good example, let’s say you have 2FA on your bank account and it’s using, say, an SMS-based authentication, since SMS is the most common method of authentication (SMS is not the most secure. Don’t believe me? Ask NIST. But it is better than nothing). Most of these systems have a mechanism for when/if you lose your 2FA device or just want to enroll a second device, and most of the time that is tied to your email address. So if your email address password is compromised, that could be further reaching. Think of 2FA like a flu shot. It’s only truly effective if everyone (or nearly everyone) gets it. This is why it’s so important to use 2FA on all of your accounts.

It’s also important to use a 2FA solution that’s easy to use, because there is a little 2FA fatigue as well. 2FA requires you to do “one more thing” before you log in and this can turn users off if it is too hard to use.

Frictionless vs. Secure

Users just want to get access to their “stuff” in a frictionless way, and we have to face it, 2FA adds a little friction. SMS-based 2FA seems easy, but requires the user to remember or copy-paste that six-digit code. This forces the user way outside of their access flow. The Duo “green ✓ check, red X” is a familiar paradigm and while it’s still technically in the flow, one push or biometric is way easier than “go to texts > copy-paste > go back to app.”

America vs. United Kingdom, 2FA Awareness is the Same

It’s also worth mentioning that 2FA awareness is universal. We didn’t find a marked difference in awareness and/or implementation between different countries, in our case the US and the UK. This is a very positive statistic as it shows that operating a multinational organization is consistent (think GDPR awareness in Europe as well as the US).

The survey shows folks are embracing 2FA as part of their daily lives with help from their technology partners (Apple, Microsoft, Duo/Cisco) and their favorite partners (folks like Ebay, Facebook and others who have enabled or required 2FA). I certainly see this continuing to get better.

2FA Hasn’t Reached the Tipping Point Just Yet

It’s taken us quite a while to get here and it will continue to be a journey. We’ve been using passwords since the 60’s and using them to protect online accounts since the 90’s — it’s been a slog. Imagine how the world would be if Microsoft had built 2FA into Windows 95, or Windows 98 or heck, even Windows 7. We probably wouldn’t be talking about this. But they didn’t, and I can't really blame them. Few saw this coming back then, so today we’re left working with the tools we have… now.

Is the Future Passwordless?

It’s also worth mentioning that there is a vigorous, focused effort on killing the password for good. I for one cannot wait for this to hit the mainstream. This would be a complete overhaul of the user experience for logins and accessing apps.

To get a by-the-numbers look at the State of the Auth data, check out our infographic. And for the full research paper, download the 2019 State of the Auth report.

Building any product is a journey, but building a cloud-based product that aligns to federal compliance objectives and NIST guidance is like enabling someone to take a long journey on the Oregon Trail: all you have is your trail equipment to get you across the country (and the will to not die from dysentery): 

• Your wooden wagon is your MFA, your primary vehicle to move you across the country.
• Your rifle to ward off predators is your access controls, your source of food and protection.
• Your raft to float your wagon across the Mississippi River is your authentication logs, that are there when you need them. 

But what if your tools don’t solve your problems in an effective way and you’re left stranded with a broken wagon wheel? Taking it a step further, what if your MFA solution locked your end users out from productivity for four to eight hours at a time, with no flexibility to get them back online until they can get in-person to the IT support desk? 

Why We Built Duo’s Federal Editions the Way We Did

At Duo, we talk a lot about simplifying product design and reducing user friction - if this isn’t thoughtfully done, feisty end-users will naturally work towards circumventing security controls or will burn out in frustration getting their critical jobs done. “If nobody is going to help me get my wagon wheel fixed, PUSH THE DANG WAGON!”

I could have fun with that analogy for days, but in Duo, we’ve raised the bar with our federal product by making cloud-based authentication and access control easy while being federally compliant and in alignment with NIST’s Digital Identity Guidelines (NIST SP 800-63-3) / OMB ICAM policy guidance, as a defacto standard. 

Highlighting a few key federal product takeaways from Duo’s federal editions:

• We removed telephony-based (SMS/Voice) authenticators from Duo’s federal editions altogether; getting behind NIST’s SP 800-63-3b guidance, which calls telephony authenticators “RESTRICTED” and requires risk acceptance when used. 
• In March 2019, we aligned Duo Mobile authenticators (Push and Passcode) to be FIPS 140-2 compliant by default and mapped them directly to NIST 800-63-3b Authentication Assurance Level 2 (AAL2) requirements. 
• We’re solving FIPS 140-2 compliant implementations from end-to-end, when you use Duo’s federal editions. Not only have we made Duo authenticators FIPS by default, but we’ve implemented FIPS on the backend of our cloud service for FedRAMP, as well as provided FIPS-mode for Duo’s Authentication Proxy, ensuring your authentication traffic to-and-from Duo is FIPS 140-2 compliant. If you’re a graphical learner like me, please see below on how FIPS is being implemented by Duo’s federal editions: 

Don’t shame me if I influence a Duo developer to make me a Duo Federal Oregon Trail video game, of which I would take great delight in playing…

Try Duo’s Federal Editions

Learn more, read our tech specs Federal Guide. 

Check out this article on CyberScoop that reports both the Republican National Committee (RNC) and the Democratic National Committee (DNC) are using Duo's 2FA solution ahead of elections to thwart potential threats. 

If you want to get started with Duo’s Federal MFA and Federal Access editions, signup for a free trial through our federal editions page and we’ll reach out to get you started!

When software needs to leverage cryptography, developers usually use libraries or APIs that abstract the details away from them. However, sometimes the proper way to accomplish a cryptographic task is unclear, and developers may make mistakes.

At this year’s Black Hat Europe conference in London, Duo Labs researchers present Chain of Fools: An Exploration of Certificate Chain Validation Mishaps. 

They will investigate what can go wrong in the implementation of certificate chain validation, the circumstances that lead to these incorrect implementations, the impact of these issues, and the patterns of bad advice on the internet that sustain the problem.

If you’re not able to attend Black Hat Europe 2020, you can read the Chain of Fools whitepaper here.

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer, Account Executive etc. at Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo?

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Engineering Manager (SRE), Blake Ellingham to learn about what he does and his experience at Duo.

Blake Ellingham

Employee Name: Blake Ellingham

Title / Department / Office Location

Engineering Manager / SRE (Site Reliability Engineering) / Austin, TX

How long have you been at Duo, and what do you do here?

I have been at Duo for two years on two different teams at Duo. The current team I'm on makes sure the machines that run Duo are healthy and have plenty of capacity to continue serving our customers.

What's your day-to-day like at Duo?

My day-to-day varies quite a lot. Some days I focus more internally to make sure my team has all the necessary context to make good business decisions. In other days, I am very intentionally focused on developing my IC’s careers. Other days are more focused on recruiting or meeting with external stakeholders. I really enjoy the pace and interconnectedness of my role!

What tools do you use to help you do your job?

The most important tools I have at my disposal are the core people management rhythms. Regular 1:1’s, regular career development conversations and plans, and regular feedback form the core of a healthy relationship.

How do you and your team collaborate with other teams within Duo?

Our team has a very interdependent relationship with the other teams at Duo. We can only be successful if all the other teams (be it QA, support, feature engineering teams or the other SRE’s) are walking in lockstep and collaborating. Our tightly aligned missions allow us to be open and share with one another in planning or development.

How did you get your job at Duo?

After winding down a startup, I was looking at a few different options of companies that I would be interested in joining. What set Duo out from the rest were the people. I felt like I could trust the two managers I was interviewing with, and that trust has moved me through my career at Duo.

What is the first thing you do when you come into the office?

The first thing that I do when I get in the office is to organize my day and understand what the most important things to do for the day are, what my time commitments are and how I can schedule the time I have to do focus work.

Any big projects or goals you're currently working on?

Our team is working on making sure that our service can scale internationally. Reaching new customers allows us to go farther on our mission to democratize security.

What’s an important lesson you’ve learned while working at Duo?

I have learned directly the value of diverse teams. Demographics, background, skills and seniority diversity blend to form higher performing teams as long as individuals are empathetic and kind to one another. Diversity allows for healthy conflict and understanding which push teams forward.

How is Duo different than other places you've worked?

Prior to Duo, I was a founder of a startup and was frankly really nervous that my growth would be capped while at Duo. I was most afraid that I would get bored and not like my working arrangement. I’ve found the opposite. While at Duo I have the freedom to pave my own path and push myself hard. At the same time I feel supported and can fall back on my team to lift and sustain me.

How is your role at Duo different than roles you've had with other companies?

Managing at Duo is a super interesting blend of structure and freedom. We have the structure behind us to fall back on and learn from and yet the freedom to structure teams our own way.

What would you tell someone considering a role at Duo?

Duo is a great place to work, but it’s also a great place to have worked. Whether you are here for one year or 10 years, Duo will be an excellent stepping stone for your career.

####

Ready to join our team? We're hiring! Check out our open positions!

Figuring out how to prioritize security projects can be difficult and time-consuming. There are many cybersecurity levers to pull or buttons to push in the quest to reduce the risk surface for an organization. The breadth of the proverbial “attack surface” coupled with myriad paths to “reduce” it can combine to leave security professionals with a sense of dread. While there is no silver bullet or miracle cure for said complication, there are relevant and helpful resources that distill the problem of security overload down into manageable chunks. 

The Essential Eight — While no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems. Furthermore, implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident.

One example is the Australian Government’s collaboration with the Australian Cyber Security Centre. Their recently revised and incredibly lengthy Information Security Model probably falls into the “overwhelming” category. However, the Australian Cyber Security Centre has done an excellent job of distilling the eight most important cyber security recommendations into two documents:

• The Essential Eight Explained
• The Essential Eight Maturity Model

The Essential Eight, aside from being a fun catchphrase, is a group of eight “must-do” recommendations from the Australian Cybersecurity Centre. The eight efforts represent the highest impact low-hanging fruit for any IT or security professional. To be concrete, here are the eight broken down by theme:

1. Prevent Malware Delivery and Execution
1. Application Whitelisting: prevent the execution of non-approved applications especially those known to be problematic (ex. executables, scripts, and installers).
2. Patch Applications: Applications that include potentially malicious avenues like Flash and Java should be updated and patched in a timely matter.
3. Configure Microsoft Office Macro Settings: Macros should be blocked from internet access and make sure any macros in use are vetted and reconciled to trusted areas.
4. User Application Hardening: Configure web browsers to block Flash, ads and Java on the internet.

1. Limit Extent of Cybersecurity Incidents
1. Restrict Administrative Privileges: Restrict privileges based on a least privilege model. Administrators should only have access and authorization based on their responsibilities.
2. Multi-Factor Authentication: MFA for VPN, RDP, SSH and any user accessing privileged information is business critical. 
3. Patch Operating Systems: Patch computers with “extreme risk” vulnerabilities within 48 hours. Whenever possible only allow the latest operating system.
2. Mitigation Strategies for Data Loss & Availability:
1. Daily Backups: On a daily basis, do a delta sync of data that is new or changed and back it up. Keep the data for 3 months. Test the backup.

For any IT or security professional, these eight items provide a great jumping-off point when starting in a new role or beginning a new project. It may seem simple, but that’s the point. 

For experienced professionals, the essential eight will probably be second nature - but can still be a nice checklist or assessment on a daily basis. The items force IT administrators to ask themselves questions regarding software and resources being accessed, their current patch and who’s accessing them.

If anyone is reading the Essential Eight and starting to break a little bit of a sweat, never fear - Duo actually helps address four out of the eight. If you look at the current attack surface, you will see an increase in credential-based attacks. Being able to solve for MFA AND achieve these other goals with Essential Eight is highly valuable. A pretty nice ratio for one solution. 

1. Multi-Factor Authentication: Duo provides MFA that is is easy to use for employees and easy to manage for IT professionals. Duo’s solution integrates simply with hundreds of different resources in an IT environment, and the flexibility in choice of authentication method make it as intuitive as possible for employees to verify their identity.
2. Patch Applications: Duo can easily identify when users are looking to access corporate resources from an out-of-date web browser. Policy can be set to remind the user to self-remediate and update their browser, and in critical situations, Duo can block resource access until a user has updated their browser.
3. Patch Operating Systems: Duo can also detect when an end user is accessing resources on a device that is running an out-of-date operating system. Whether a laptop or mobile device, corporately-owned or BYOD, Duo can prompt the employee to update their operating system. In the case of access to business critical resources, Duo can block employees if they have not yet updated to the current version of an operating system.
4. User Application Hardening: Duo can also set application policy based on the presence of Java or Flash. Duo can block access when it detects all versions of Java or Flash, which is recommended, but it can also limit access to the recent or most updated versions. If employees attempt to access resources and older versions of Flash or Java are detected - Duo can prompt users to update the plugin before they are granted access.

In conclusion, the Essential Eight provides a great framework for addressing security basics in any corporate environment. Whether beginning a new project or adopting a daily assessment routine, the eight concepts provide a useful checklist when thinking about security. 

Check out this article on CyberScoop that reports both the Republican National Committee (RNC) and the Democratic National Committee (DNC) are using Duo's 2FA solution ahead of elections to thwart potential threats. 

If this post sparked interest in how Duo might be able to help you place some checkmarks on that checklist - you can learn more about our product here or start a free trial of Duo here. 

When we think of security, we think of needing to protect our systems from people ‘breaking in’ to our accounts and systems. The unfortunate truth these days is that hackers no longer need to ‘break in,’ they can simply log in using stolen credentials.

Passwords Alone Aren't Secure

Traditional password security is becoming less and less effective as hackers use attack vectors such as phishing, brute force attacks, spraying attacks, and various other means of password compromise to gain access to a user’s systems and accounts.

Tougher password security can combat weaknesses in access points, and also offer small business a competitive edge by showing that they take their security (and, therefore, their customers' security) seriously. It also facilitates interaction with enterprise companies as part of a supply chain.

The U.K. Government Recommends Multi-Factor Authentication (MFA)

The National Cyber Security Centre (NCSC) notes that “it doesn't matter how ‘good’ your password is, it’s not enough to secure access to valuable online services on its own.” As such, the centre published guidelines in June 2018 urging organisations to utilise multi-factor authentication (MFA), an authentication process that requires users to present at least two pieces of identifiable information to gain access to an account.

For example, MFA can prompt users to present both a password and a PIN. Users can also be asked to offer a thumb print along with a PIN and/or password as a means of MFA.

Why Use MFA?

The security MFA (also known as 2FA) offers can be a significant advantage to small business, as it allows an extra layer of protection without requiring processes that employees may find cumbersome. Much more importantly, it puts hackers at a distinct disadvantage as it hinders attacks such as phishing attacks and brute force attacks considerably by preventing hackers from gaining passwords for a single point of entry.

And as the NCSC points out, stealing a password is relatively easy these days. Even stealing a second identifiable factor may be simple to do the NCSC notes, but stealing a matching pair is not so simple, which is why MFA is so effective.

How Small Businesses Can Upgrade to MFA

Switching from traditional login security to MFA may seem like a daunting task for small businesses, but it’s a simple process that can be managed easily with a cloud-based service, such as the one offered by Duo MFA, for example, has a variety of MFA processes that small business can take advantage of.

For example, Duo Push allows users to authenticate themselves using push notification sent via the Duo Mobile app. It also supports Universal 2nd factor (U2F) security tokens, hardware tokens, mobile passcodes, SMS, callback, and biometric authentication.

For small businesses, a service like Duo MFA can be the solution. It requires zero IT resources to run and can offer cost cuts in areas like internal help desks by offering fast deployment at scale.  Duo can be the answer to password security concerns.

Sign up your small business up for Duo Free MFA now.

**Learn more about securing your small business with two-factor authentification.** This guide walks through some of the key areas of differentiation between two-factor authentication solutions and provides some concrete criteria for evaluating technologies and vendors.

Download the Free Guide

When companies make investments into multiple security solutions and still get breached, it begs the question: How much should be spent on security? How many products does an organization need? How much security is enough? Cisco's new report answers these questions through a double-blind survey of approximately 80 security professionals, along with expert commentary from Duo's CISO advisor Wendy Nather in the recently released report, "The Security Bottom Line."

The Top 4 Security Problem Areas For Business

In the report Duo’s Head of Advisory CISOs, Wendy Nather, calls out the following four factors that can affect security success:

• Budget
• Expertise
• Capability
• Influence

Budgets Sizes: Among mid-market organizations (250-999 employees), 46% spend under $250,000 on security each year and 43% spend $250,000 to $999,999. Among enterprise organizations (1,000-9,999 employees), 57% spend between $250,000 and $999,999, 23% spend less than $250,000, and 20% spend at least $1 million. Half of large enterprises (more than 10,000 employees) spend $1 million or more on security each year and 43% spend between $250,000 and $999,999.

Shortage of Expertise: Money isn't the only issue. When 80% of companies identify which systems and data need the most security and protection, it is expertise, capability and influence that can be blockers in spite of budgets and spending power. 

Mid-Size Businesses Are Struggling With Security: The report shows organizations with 1,000-9,999 employees, only 23% rely most heavily on internal staff for security expertise, compared with 37% of respondents overall. This could lead to more risk. 

Influence and Outside Vendors: Major concern for CISOs today. With services, hardware, and software coming from dozens or hundreds of different sources, organizations don’t stand a chance when it comes to exerting complete control over their security.

To learn more, download the free report below. 

**Get The Security Bottom Line Report** How much security is enough? Find out in our latest report.

Download Free Report

We are excited to announce a brand new integration between Duo and Cisco’s Advanced Malware Protection (AMP) for Endpoints now in Public Beta

Why is this Exciting?

With an estimated 70% of breaches starting on endpoints - laptops, workstations, servers, and mobile devices - organizations need visibility into these devices connecting to applications both on the network and in the cloud

With Duo and AMP, organizations have the tools in place to effectively establish trust in users’ endpoints connecting to protected applications. The ability to prevent, detect and respond are key elements when considering device trust in a zero-trust security approach for the workforce.

This integration leverages AMP’s ever-evolving knowledge of threats and compromises to enable Duo to automatically block access to any Duo protected application from an endpoint that has an active compromise.

How Duo Helps Establish Trust in Endpoints

To establish trust in the endpoints being used to connect to applications Duo helps organizations implement policies that will do the following:

• Provide visibility into all workstations, mobile devices, and laptops being used to access protected applications - including OS versions, browser version and more
• Check devices have the most up to date software and patches in place and offer remediation - this is particularly crucial for devices not under corporate management
• Assess the management status of the device and block access from devices that aren’t trusted endpoints
• Determine if the endpoint meets security controls - for example, the device isn’t jailbroken and has encryption in place

All the device state and management status checks Duo performs on devices have been designed with the end-user in mind, and to alleviate some of the burden on helpdesk and IT administrators. Duo policies check for things that should either already be set up for the device (such as management status) or could be remediated by the end-user themselves (update an older OS version for instance). With policies in place, checks are performed automatically during the login process to ensure that there is a balance between security and usability without an impact to productivity.

AMPing up Device Trust for the Workforce- Prevent, Detect and Respond

In order to gain access to sensitive data or applications bad actors with malicious intent are always trying to come up with new compromises that manifest as malware, viruses, ransomware, etc.. Cisco AMP, however, is never static and is always receiving a constant stream of up to date malware intelligence from the Cisco Talos team, a group of experts who analyze millions of malware samples and terabytes of data per day. AMP then correlates files, telemetry data, and file behavior against this context-rich knowledge base to proactively defend against known and emerging threats.

Now thanks to this integration, we are able to bring all of that real time intelligence from Cisco Talos and AMP to every access decision that Duo is making.

How Does It Work?

• The connection to the AMP for Endpoints tenant is set up in the ‘Trusted Endpoints Configuration’ section of the Duo Admin Panel.
• Duo’s web service is integrated via custom APIs with the AMP for Endpoints cloud service
• Duo will act as an enforcement point: When AMP knows a device is compromised, Duo will prevent that endpoint from being used to access any application it protects

All it takes is a few minutes to get the integration setup and running so organizations can quickly and easily:

Interested? Here’s what to do next..

This integration requires Duo Beyond and AMP for Endpoints and is scoped initially to desktop devices running Windows and macOS.

We are eager to have interested customers try it out and provide us with feedback on how it is helping them further improve their security processes and controls.

If you are interested in this integration please contact your Duo and/or Cisco representative.