When software needs to leverage cryptography, developers usually use libraries or APIs that abstract the details away from them. However, sometimes the proper way to accomplish a cryptographic task is unclear, and developers may make mistakes.

At this year’s Black Hat Europe conference in London, Duo Labs researchers present Chain of Fools: An Exploration of Certificate Chain Validation Mishaps. 

They will investigate what can go wrong in the implementation of certificate chain validation, the circumstances that lead to these incorrect implementations, the impact of these issues, and the patterns of bad advice on the internet that sustain the problem.

If you’re not able to attend Black Hat Europe 2020, you can read the Chain of Fools whitepaper here.

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer, Account Executive etc. at Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo?

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Engineering Manager (SRE), Blake Ellingham to learn about what he does and his experience at Duo.

Blake Ellingham

Employee Name: Blake Ellingham

Title / Department / Office Location

Engineering Manager / SRE (Site Reliability Engineering) / Austin, TX

How long have you been at Duo, and what do you do here?

I have been at Duo for two years on two different teams at Duo. The current team I'm on makes sure the machines that run Duo are healthy and have plenty of capacity to continue serving our customers.

What's your day-to-day like at Duo?

My day-to-day varies quite a lot. Some days I focus more internally to make sure my team has all the necessary context to make good business decisions. In other days, I am very intentionally focused on developing my IC’s careers. Other days are more focused on recruiting or meeting with external stakeholders. I really enjoy the pace and interconnectedness of my role!

What tools do you use to help you do your job?

The most important tools I have at my disposal are the core people management rhythms. Regular 1:1’s, regular career development conversations and plans, and regular feedback form the core of a healthy relationship.

How do you and your team collaborate with other teams within Duo?

Our team has a very interdependent relationship with the other teams at Duo. We can only be successful if all the other teams (be it QA, support, feature engineering teams or the other SRE’s) are walking in lockstep and collaborating. Our tightly aligned missions allow us to be open and share with one another in planning or development.

How did you get your job at Duo?

After winding down a startup, I was looking at a few different options of companies that I would be interested in joining. What set Duo out from the rest were the people. I felt like I could trust the two managers I was interviewing with, and that trust has moved me through my career at Duo.

What is the first thing you do when you come into the office?

The first thing that I do when I get in the office is to organize my day and understand what the most important things to do for the day are, what my time commitments are and how I can schedule the time I have to do focus work.

Any big projects or goals you're currently working on?

Our team is working on making sure that our service can scale internationally. Reaching new customers allows us to go farther on our mission to democratize security.

What’s an important lesson you’ve learned while working at Duo?

I have learned directly the value of diverse teams. Demographics, background, skills and seniority diversity blend to form higher performing teams as long as individuals are empathetic and kind to one another. Diversity allows for healthy conflict and understanding which push teams forward.

How is Duo different than other places you've worked?

Prior to Duo, I was a founder of a startup and was frankly really nervous that my growth would be capped while at Duo. I was most afraid that I would get bored and not like my working arrangement. I’ve found the opposite. While at Duo I have the freedom to pave my own path and push myself hard. At the same time I feel supported and can fall back on my team to lift and sustain me.

How is your role at Duo different than roles you've had with other companies?

Managing at Duo is a super interesting blend of structure and freedom. We have the structure behind us to fall back on and learn from and yet the freedom to structure teams our own way.

What would you tell someone considering a role at Duo?

Duo is a great place to work, but it’s also a great place to have worked. Whether you are here for one year or 10 years, Duo will be an excellent stepping stone for your career.

####

Ready to join our team? We're hiring! Check out our open positions!

Figuring out how to prioritize security projects can be difficult and time-consuming. There are many cybersecurity levers to pull or buttons to push in the quest to reduce the risk surface for an organization. The breadth of the proverbial “attack surface” coupled with myriad paths to “reduce” it can combine to leave security professionals with a sense of dread. While there is no silver bullet or miracle cure for said complication, there are relevant and helpful resources that distill the problem of security overload down into manageable chunks. 

The Essential Eight — While no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems. Furthermore, implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident.

One example is the Australian Government’s collaboration with the Australian Cyber Security Centre. Their recently revised and incredibly lengthy Information Security Model probably falls into the “overwhelming” category. However, the Australian Cyber Security Centre has done an excellent job of distilling the eight most important cyber security recommendations into two documents:

• The Essential Eight Explained
• The Essential Eight Maturity Model

The Essential Eight, aside from being a fun catchphrase, is a group of eight “must-do” recommendations from the Australian Cybersecurity Centre. The eight efforts represent the highest impact low-hanging fruit for any IT or security professional. To be concrete, here are the eight broken down by theme:

1. Prevent Malware Delivery and Execution
1. Application Whitelisting: prevent the execution of non-approved applications especially those known to be problematic (ex. executables, scripts, and installers).
2. Patch Applications: Applications that include potentially malicious avenues like Flash and Java should be updated and patched in a timely matter.
3. Configure Microsoft Office Macro Settings: Macros should be blocked from internet access and make sure any macros in use are vetted and reconciled to trusted areas.
4. User Application Hardening: Configure web browsers to block Flash, ads and Java on the internet.

1. Limit Extent of Cybersecurity Incidents
1. Restrict Administrative Privileges: Restrict privileges based on a least privilege model. Administrators should only have access and authorization based on their responsibilities.
2. Multi-Factor Authentication: MFA for VPN, RDP, SSH and any user accessing privileged information is business critical. 
3. Patch Operating Systems: Patch computers with “extreme risk” vulnerabilities within 48 hours. Whenever possible only allow the latest operating system.
2. Mitigation Strategies for Data Loss & Availability:
1. Daily Backups: On a daily basis, do a delta sync of data that is new or changed and back it up. Keep the data for 3 months. Test the backup.

For any IT or security professional, these eight items provide a great jumping-off point when starting in a new role or beginning a new project. It may seem simple, but that’s the point. 

For experienced professionals, the essential eight will probably be second nature - but can still be a nice checklist or assessment on a daily basis. The items force IT administrators to ask themselves questions regarding software and resources being accessed, their current patch and who’s accessing them.

If anyone is reading the Essential Eight and starting to break a little bit of a sweat, never fear - Duo actually helps address four out of the eight. If you look at the current attack surface, you will see an increase in credential-based attacks. Being able to solve for MFA AND achieve these other goals with Essential Eight is highly valuable. A pretty nice ratio for one solution. 

1. Multi-Factor Authentication: Duo provides MFA that is is easy to use for employees and easy to manage for IT professionals. Duo’s solution integrates simply with hundreds of different resources in an IT environment, and the flexibility in choice of authentication method make it as intuitive as possible for employees to verify their identity.
2. Patch Applications: Duo can easily identify when users are looking to access corporate resources from an out-of-date web browser. Policy can be set to remind the user to self-remediate and update their browser, and in critical situations, Duo can block resource access until a user has updated their browser.
3. Patch Operating Systems: Duo can also detect when an end user is accessing resources on a device that is running an out-of-date operating system. Whether a laptop or mobile device, corporately-owned or BYOD, Duo can prompt the employee to update their operating system. In the case of access to business critical resources, Duo can block employees if they have not yet updated to the current version of an operating system.
4. User Application Hardening: Duo can also set application policy based on the presence of Java or Flash. Duo can block access when it detects all versions of Java or Flash, which is recommended, but it can also limit access to the recent or most updated versions. If employees attempt to access resources and older versions of Flash or Java are detected - Duo can prompt users to update the plugin before they are granted access.

In conclusion, the Essential Eight provides a great framework for addressing security basics in any corporate environment. Whether beginning a new project or adopting a daily assessment routine, the eight concepts provide a useful checklist when thinking about security. 

If this post sparked interest in how Duo might be able to help you place some checkmarks on that checklist - you can learn more about our product here or start a free trial of Duo here. 

When we think of security, we think of needing to protect our systems from people ‘breaking in’ to our accounts and systems. The unfortunate truth these days is that hackers no longer need to ‘break in,’ they can simply log in using stolen credentials.

Passwords Alone Aren't Secure

Traditional password security is becoming less and less effective as hackers use attack vectors such as phishing, brute force attacks, spraying attacks, and various other means of password compromise to gain access to a user’s systems and accounts.

Tougher password security can combat weaknesses in access points, and also offer small business a competitive edge by showing that they take their security (and, therefore, their customers' security) seriously. It also facilitates interaction with enterprise companies as part of a supply chain.

The U.K. Government Recommends Multi-Factor Authentication (MFA)

The National Cyber Security Centre (NCSC) notes that “it doesn't matter how ‘good’ your password is, it’s not enough to secure access to valuable online services on its own.” As such, the centre published guidelines in June 2018 urging organisations to utilise multi-factor authentication (MFA), an authentication process that requires users to present at least two pieces of identifiable information to gain access to an account.

For example, MFA can prompt users to present both a password and a PIN. Users can also be asked to offer a thumb print along with a PIN and/or password as a means of MFA.

Why Use MFA?

The security MFA (also known as 2FA) offers can be a significant advantage to small business, as it allows an extra layer of protection without requiring processes that employees may find cumbersome. Much more importantly, it puts hackers at a distinct disadvantage as it hinders attacks such as phishing attacks and brute force attacks considerably by preventing hackers from gaining passwords for a single point of entry.

And as the NCSC points out, stealing a password is relatively easy these days. Even stealing a second identifiable factor may be simple to do the NCSC notes, but stealing a matching pair is not so simple, which is why MFA is so effective.

How Small Businesses Can Upgrade to MFA

Switching from traditional login security to MFA may seem like a daunting task for small businesses, but it’s a simple process that can be managed easily with a cloud-based service, such as the one offered by Duo MFA, for example, has a variety of MFA processes that small business can take advantage of.

For example, Duo Push allows users to authenticate themselves using push notification sent via the Duo Mobile app. It also supports Universal 2nd factor (U2F) security tokens, hardware tokens, mobile passcodes, SMS, callback, and biometric authentication.

For small businesses, a service like Duo MFA can be the solution. It requires zero IT resources to run and can offer cost cuts in areas like internal help desks by offering fast deployment at scale.  Duo can be the answer to password security concerns.

Sign up your small business up for Duo Free MFA now.

**Learn more about securing your small business with two-factor authentification.** This guide walks through some of the key areas of differentiation between two-factor authentication solutions and provides some concrete criteria for evaluating technologies and vendors.

Download the Free Guide

When companies make investments into multiple security solutions and still get breached, it begs the question: How much should be spent on security? How many products does an organization need? How much security is enough? CIsco's new report answers these questions through a double-blind survey of approximately 80 security professionals, along with expert commentary from Duo's CISO advisor Wendy Nather in the recently released report, "The Security Bottom Line."

The Top 4 Security Problem Areas For Business

In the report Duo’s Head of Advisory CISOs, Wendy Nather, calls out the following four factors that can affect security success:

• Budget
• Expertise
• Capability
• Influence

Budgets Sizes: Among mid-market organizations (250-999 employees), 46% spend under $250,000 on security each year and 43% spend $250,000 to $999,999. Among enterprise organizations (1,000-9,999 employees), 57% spend between $250,000 and $999,999, 23% spend less than $250,000, and 20% spend at least $1 million. Half of large enterprises (more than 10,000 employees) spend $1 million or more on security each year and 43% spend between $250,000 and $999,999.

Shortage of Expertise: Money isn't the only issue. When 80% of companies identify which systems and data need the most security and protection, it is expertise, capability and influence that can be blockers in spite of budgets and spending power. 

Mid-Size Businesses Are Struggling With Security: The report shows organizations with 1,000-9,999 employees, only 23% rely most heavily on internal staff for security expertise, compared with 37% of respondents overall. This could lead to more risk. 

Influence and Outside Vendors: Major concern for CISOs today. With services, hardware, and software coming from dozens or hundreds of different sources, organizations don’t stand a chance when it comes to exerting complete control over their security.

To learn more, download the free report below. 

**Get The Security Bottom Line Report** How much security is enough? Find out in our latest report.

Download Free Report

We are excited to announce a brand new integration between Duo and Cisco’s Advanced Malware Protection (AMP) for Endpoints now in Public Beta

Why is this Exciting?

With an estimated 70% of breaches starting on endpoints - laptops, workstations, servers, and mobile devices - organizations need visibility into these devices connecting to applications both on the network and in the cloud

With Duo and AMP, organizations have the tools in place to effectively establish trust in users’ endpoints connecting to protected applications. The ability to prevent, detect and respond are key elements when considering device trust in a zero-trust security approach for the workforce.

This integration leverages AMP’s ever-evolving knowledge of threats and compromises to enable Duo to automatically block access to any Duo protected application from an endpoint that has an active compromise.

How Duo Helps Establish Trust in Endpoints

To establish trust in the endpoints being used to connect to applications Duo helps organizations implement policies that will do the following:

• Provide visibility into all workstations, mobile devices, and laptops being used to access protected applications - including OS versions, browser version and more
• Check devices have the most up to date software and patches in place and offer remediation - this is particularly crucial for devices not under corporate management
• Assess the management status of the device and block access from devices that aren’t trusted endpoints
• Determine if the endpoint meets security controls - for example, the device isn’t jailbroken and has encryption in place

All the device state and management status checks Duo performs on devices have been designed with the end-user in mind, and to alleviate some of the burden on helpdesk and IT administrators. Duo policies check for things that should either already be set up for the device (such as management status) or could be remediated by the end-user themselves (update an older OS version for instance). With policies in place, checks are performed automatically during the login process to ensure that there is a balance between security and usability without an impact to productivity.

AMPing up Device Trust for the Workforce- Prevent, Detect and Respond

In order to gain access to sensitive data or applications bad actors with malicious intent are always trying to come up with new compromises that manifest as malware, viruses, ransomware, etc.. Cisco AMP, however, is never static and is always receiving a constant stream of up to date malware intelligence from the Cisco Talos team, a group of experts who analyze millions of malware samples and terabytes of data per day. AMP then correlates files, telemetry data, and file behavior against this context-rich knowledge base to proactively defend against known and emerging threats.

Now thanks to this integration, we are able to bring all of that real time intelligence from Cisco Talos and AMP to every access decision that Duo is making.

How Does It Work?

• The connection to the AMP for Endpoints tenant is set up in the ‘Trusted Endpoints Configuration’ section of the Duo Admin Panel.
• Duo’s web service is integrated via custom APIs with the AMP for Endpoints cloud service
• Duo will act as an enforcement point: When AMP knows a device is compromised, Duo will prevent that endpoint from being used to access any application it protects

All it takes is a few minutes to get the integration setup and running so organizations can quickly and easily:

Interested? Here’s what to do next..

This integration requires Duo Beyond and AMP for Endpoints and is scoped initially to desktop devices running Windows and macOS.

We are eager to have interested customers try it out and provide us with feedback on how it is helping them further improve their security processes and controls.

If you are interested in this integration please contact your Duo and/or Cisco representative.

I’ll say it now, and I’ll say it again: achieving FedRAMP Authorization as a Cloud Service Provider (CSP) requires nothing short of an organizational transformation.

At Duo, we’re proud to state we’ve done just that — achieving a FedRAMP Moderate Authorization to Operate (ATO) sponsored by the Department of Energy (DOE). 

With Duo’s FedRAMP Authorization now formalized, we’re proud to officially launch two NEW editions to Duo’s product line, tailored specifically to the security needs and requirements of federal customers.

Duo Federal MFA and Duo Federal Access

Today we introduce Duo’s Federal MFA and Federal Access Editions. Duo’s new Federal Editions are built to make authentication and access controls an “easy button” for federal agencies, federal contractors and other CSPs. The two new editions align with FedRAMP/FISMA security controls, NIST’s Digital Identity Guidelines (NIST SP 800-63-3), and are FIPS 140-2 compliant from end-to-end.

Getting Behind NIST, FedRAMP, and OMB Direction for Federal ICAM

In 2017, Duo was excited to see the hard work that the NIST team accomplished with NIST’s Digital Identity Guidelines (NIST SP 800-63-3). This simplified identity, authentication and federation requirements and made them more flexible for federal government use. And it didn’t stop there. In February 2018, we saw the FedRAMP PMO get behind this NIST guidance with formal guidance of their own. And in May 2019, the Office of Management and Budget launched its Identity and Credential Access Management (ICAM) policy, further supporting NIST’s guidance into the federal community.

At Duo, we enthusiastically applaud NIST, OMB and the FedRAMP PMO for their hard work to “level-up” our US federal government ICAM direction. With Duo’s FedRAMP Authorized Federal Editions, we hope to be a part of the solution the OMB ICAM policy set forth, and make authentication and access control easy-to-use while federally compliant for end users and administrators alike.

Try Duo’s Federal Editions

If you want to get started with a free trial of Duo’s Federal MFA and Federal Access editions, signup through our federal editions page and we’ll reach out to get you started!

**Relieving the Pain Points of Federal IT Modernization** In this ebook, Relieving the Pain Points of Federal IT Modernization, we discuss four key pain points federal agencies encounter part of their IT modernization initiatives and how they can find relief from them.

Get the Free Guide

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer, Account Executive etc. at Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo? 

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Senior Customer Success Manager, Lisa Rinek to learn about what she does and her experience at Duo. 

Lisa Rinek

Employee Name: Lisa Rinek

Title / Department / Office Location: 

Senior Customer Success Manager / Customer Success / Austin, TX

 How long have you been at Duo, and what do you do here?

I've been at Duo for two years. I work closely with our enterprise customers to ensure they have successful Duo deployments and find value in our partnership regardless of their tenure.

What's your day-to-day like at Duo?

I always say I have a typical week, not a typical day. My work weeks are consumed by customer interactions (emails, working sessions, status calls and onsite business reviews), internal knowledge-sharing meetings and laughing with coworkers. However, each day is different and is shaped by customer needs.   

What tools do you use to help you do your job? 

We have numerous tools that help us do our job efficiently and effectively, and our documentation is amazing!  Our customers rave about our externally-facing resources, including our Knowledge Base, configuration docs and end user guides.  I find myself referencing them on a daily basis. Another popular tool is Slack. Being a global company, Slack makes it easy for us to share success stories, ask questions and collaborate with other teams at Duo.  

How do you and your team collaborate with other teams within Duo?

Cross-functional collaboration is critical in Customer Success. At Duo, Customer Success Managers work in tandem with Customer Solution Engineers, so each customer engagement is a team effort. We build strong relationships with Sales, Product, Engineering, Support and Ops so we can deliver the best service possible to our customers. We regularly communicate with those teams via email, Slack, Webex and in-person meetings - we’re all in this together!

How did you get your job at Duo?

I came across the job posting on LinkedIn and was instantly intrigued. Through some research, I learned a former coworker was at Duo so I reached out to him to learn more. He raved about the product and company culture and quickly convinced me it’s where I wanted to be. After a few rounds of interviews, I was lucky enough to be chosen to join the team!

What is the first thing you do when you come into the office?

After grabbing a cup of coffee (obviously), I spend the first few minutes of my day reviewing my inbox and to-do list. I prioritize my work by identifying the critical items that need immediate attention, items that require help from other team members and items that can be addressed later in the day. I rely on this routine to stay organized and focused. 

Any big projects or goals you're currently working on?

We recently closed United Airlines, Duo’s second largest deal ever. Myself and the rest of United's dedicated Duo Care team have been working with them on deployment planning, technical configurations, and enrollment and communication strategies. We’re confident they’re going to have a successful Duo deployment!

What’s an important lesson you’ve learned while working at Duo?

Embrace the unknown! The security industry is not only expanding, but it’s evolving at a rapid pace. I enjoy being part of an agile company that doesn’t shy away from necessary change.

How is Duo different than other places you've worked?

The culture at Duo is hard to beat. It’s a supportive environment that fosters innovation, collaboration and personal growth. It’s refreshing being surrounded by people that offer guidance and support when you ask for help and go out of their way to make sure you’re set up for success. Additionally, I have full trust in our management team to make the best decisions for the business and our people.

How is your role at Duo different than roles you've had with other companies?

While I am given clear goals and the necessary tools to do my job, I have the freedom and trust to execute in my own way. I have the ability to stay nimble with customers and customize my approach based on their needs. A huge benefit of this is learning different strategies and approaches from my peers.  

What would you tell someone considering a role at Duo?

Go for it - you won’t regret it!

####

We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

The interactions between Amazon Web Services (AWS) users, services and resources are governed by policies implemented in AWS Identity and Access Management (IAM). These policies are free-form segments of text that provide enormous flexibility for administrators. Accordingly, they must take care to ensure that this text does not include errors that could cause their policies not to function as intended. This has traditionally been a manual process, as there haven’t been any tools available to provide automatic error.

Duo Labs is releasing a first-of-its-kind open-source tool which automates the evaluation of IAM policies: Parliament. 

Parliament is designed to work with other tools and can be used to validate policies as small as a single S3 bucket policy or as complex as the 500+ AWS-managed policies that are available to all users. We are happy to share that if you use AWS managed policies, then you are already benefiting from the insights that Parliament provides! During development, we discovered a number of errors in those published policies, and we communicated with the AWS security team to share our findings.

What Makes Policy-Writing Challenging?

To start with an example, one class of simple mistake is conflating the name of an IAM action with the name of the API operation that is controlled via that IAM action. While the two components do often share a name, they also frequently do not.

AWS goes into further detail in the IAM policy reference documentation. The mapping of S3 actions to API operations is one such “mismatch.” The name of the IAM action to list S3 buckets in an account is s3:ListAllMyBuckets, but the API operation to use this privilege is called s3:ListBuckets. This can result in authors writing IAM policies referencing the operation name s3:ListBuckets, but policies can only refer to IAM actions, so this is simply not a valid permission to assign. If an IAM principal (a person or application that can make an AWS request) is granted permission via such a policy, it would be unable to list the S3 buckets as intended. Indeed, it would have no effect at all.

IAM Policy Language Features

“Globbing” is the term used to describe the ability to use a wildcard character (often *, as is the case with IAM policies) to act as a substitute for one or more characters. IAM policies support globbing, for example, Describe* lets an author write a policy where they want to allow describing all the things without having to reference each and every action that starts with Describe. So, if the service they are referencing is Cloudfront, cloudfront:Describe* would be the action string.

There’s one problem with that, though: there aren’t any CloudFront actions that begin with Describe. There are actions that begin with List and Get, but not Describe. As such, this attempt to allow “describing” would actually have no effect, and would provide no feedback to the author as to why their policy isn’t doing what they intended.

Some privileges allow the author to provide additional information, such as the name of a resource to apply it to or a conditional statement to be used by the action. Not all actions are as flexible and either require the presence of additional components or disallow them entirely. For example, some EC2 actions work with tags in their conditions—but not all. 

A policy that contained the action ec2:ModifyInstanceAttributeand used the condition ec2:ResourceTagwould be invalid, since that action’s definition doesn’t allow for the use of tags to select EC2 instances.

Policies have to be expressed in JSON format. Within that format, there is a high degree of flexibility, which has the benefit of allowing for arbitrary names and logical expressions, as well as being easily able to support the addition of new AWS services, resources and actions. The freedom provided by the IAM policy language also introduces the opportunity for errors to occur. 

Writing complex IAM policies today is similar to composing an essay with only Notepad. Errors that occur such as simple typos or mixing up the privilege name with the API action, as seen above, are analogous to the errors a word processor’s spell-check would catch. Other errors might violate more complex rules, similar to what grammar-check can understand.

Can This Help With Security?

Parliament doesn’t stop at helping authors ensure they’re writing functional policies. We have identified certain types of security issues that can be detected through this same approach of static analysis of the text of the policy, in conjunction with knowledge about the IAM policy rules and the available IAM actions.

One such class of security problem is resource policy privilege escalation. Imagine an IAM user is granted privileges to do anything with a specific S3 bucket except delete objects from it. A security risk is introduced if one of the actions the user is granted on that bucket is S3:PutBucketPolicy. Using that action, they can put a resource policy on the S3 bucket that grants everyone, including anonymous users and themselves, the ability to delete objects from the S3 bucket. Therefore, this allows them to perform the action (deleting objects) that their policy is not intended to grant, and should be considered a form of privilege escalation.

How Does Parliament Work?

To create Parliament, we first needed a source for definitions of which IAM actions actually exist and all of their constraints. Prior tools have gathered this information either by extracting out the data from the JavaScript files in the AWS Policy Generator or the AWS console itself.   

Unfortunately, neither of those sources gets as detailed as we need to implement the linter capabilities we want. For example, those resources might specify conditions that a service can use, but do not describe what specific actions within that service are allowed with a condition. 

The only complete source for these definitions are the online docs. Consequently, we built a web scraper to extract the knowledge of the policies from AWS’s HTML and to export it into JSON data that Parliament can use.

Upon loading a new policy to process, the linter iterates through all of the Statements, unglobbing the Action and NotAction elements. For example, it will convert s3:Get*into every possible action that matches that globbing string. It ensures that the Resources and Conditions are valid for each of the actions under consideration and that the Condition values are the correct types. Another example is that a Bool should only match against the values "true" or "false". Many other similar checks are performed along the way.

One challenge introduced by globbing is matching the required resource type from the documentation against the value given in a policy. For example, s3:GetObject must have a resource that matches arn:*:s3:::*/*,and an IAM policy might use the string arn:aws:s3:::mybucket*. We thus have to ask the question, “can both of these match on one or more S3 ARNs?” 

Humans can readily look at the two expressions, hypothesize an answer of “yes”, and intuitively construct a proof by example such as arn:aws:s3:::mybucket/foo. Of course, computers need a little more explicit instructions than “just look at them and find an example.” This problem is more generally described as “finding the intersection of regular expressions,” and it is computationally expensive in many scenarios. Fortunately, since IAM only offers string globbing and not the full set of regular expression features, the problem becomes dramatically simpler.

Is It Worth Using?

We used the entirety of AWS’s managed IAM policies during development of Parliament as a corpus of real-world test cases. As we implemented increasingly advanced capabilities, Parliament actually identified discrepancies such as those described above with about 100 of those managed policies, with an average of three errors per affected policy. The typical impact of any one of these items would have been that the policy didn’t quite do what the user expected in some circumstances. We’re glad to report that the AWS Security, IAM and engineering teams engaged with these reports to triage and organize resolutions to each.

These results during our testing show that Parliament fills a real need in our community. This library could (and should!) be used by any project that ships IAM policies, either as a manual check or via integration into a CI/CD pipeline. 

The first such integration has already been deployed, in the CI/CD pipeline of CloudMapper, one of our other projects. Going forward, we plan to expand both the detections Parliament has and its ability to interact with IAM policies programmatically. This library helps policy authors work with stronger confidence that their IAM policies will work as intended and are free from those suspicious constructs that we can identify currently.

Try out Parliament for yourself. Parliament is available on Github.

See the video at the blog post.

We are happy to announce the availability of the new Duo Device Health application. It gives organizations more control over which laptop and desktop computers can access corporate applications based on device security, enforcing compliance each time a user attempts to authenticate. It provides a seamless end user experience when the device is healthy, and guides end users to take specific steps to remediate their device if it isn’t.

Duo’s existing device access policies provide access control and insight of laptop and desktop devices based on OS and browser version as well as plugin. 

Duo Device Health application gives you the option to extend endpoint control and visibility beyond what is possible today. 

For more product details, see previous blog post here. 

Why it is Different

There are several approaches for checking device health, so let’s take a closer look at why the Device Health application is different from other capabilities currently available in the market. 

It works at the application layer. Duo Device Health application is integrated into the Duo authentication path and protects applications that end users access via the Duo web prompt for two-factor authentication. It works for both cloud/SaaS and on-premise applications. 

It does this by:

• Checking device health every time the user authenticates to an application
• Providing granular, application-level access control
• Enforcing compliance at the time of authentication 
• Working with corporate cloud/SaaS and on-premise applications

It respects end user privacy. Many of our customers told us they had challenges getting end users to enroll their BYO (bring your own) devices in traditional device management systems because they did not want to give the organization administrative control. They didn’t want to enroll their device in a system that could change the configuration of their device without their consent. 

As a result, we designed the Device Health application to provide end users with autonomy and sense of ownership of their devices (especially non-employees, temporary workers, contractors and other users with BYOD) by:

• Ensuring that there would be no forced configuration changes or data destruction on the device
• Collecting a limited amount of data from the device client application 
• Allowing the end user to easily uninstall the client application
• Providing clearly stated information within the client application describing what the application can and cannot do

It isn’t limited to specific device and identity management solutions. We recognize that you have many choices for managing devices and user identities. So Device Health application works for any mix of BYO and corporate-owned devices by:

• Not requiring enrollment in a specific device management solution
• Providing insight to both BYO and corporate-owned devices
• Enabling broad application coverage regardless of identity provider

Our customers were closely involved throughout the product development journey.  From the earliest discovery conversations and user research sessions, our customers played a critical role in bringing this product to market. Our customers partnering with us early in the process to help us build a deep understanding of the problems they faced and provide essential feedback on potential solutions long before we started developing software. 

We’ve had very strong interest from customers during the beta period leading up to the release with over 40 customers participating. We recently hosted a heavily-attended customer webinar recorded here where we provided a more in-depth overview of the product. 

We’re very grateful to those of you who joined us on this product discovery journey so I want to thank you.

How to Get Access 

Now for even better news. We are including the new product in Duo Access and Duo Beyond editions for no additional cost.  

Duo Access Edition now includes the base set of native operating system (OS) level health checks in the Duo Access Edition including native Windows/macOS disk encryption, firewall, password enabled and patch-level enforcement. Additional 3rd party health checks, such as endpoint agent verification are included in Duo Beyond Edition.

If you are an Access or Beyond Edition customer, you can now access the product. Simply log into the Duo Admin UI, scroll to the Policies section, and select and enable the new Duo Health application policy.

For more details please see our admin guide here. 

What’s Next

The product is available and that’s a huge milestone, but we’re just getting started and excited about what’s coming next. For starters, we will soon be adding support for endpoint security agent verification, which  requires a device to have an anti-malware/antivirus product installed prior to gaining access. To learn more please contact your account representative.  

State and local government agencies are targets for cyber criminals recently. To aid state and local governments, the federal government has introduced a new bill in June: State and Local Cybersecurity Act of 2019. The bill aims to improve coordination between the Department of Homeland Security (DHS) and state and local governments by creating channels for sharing threat intelligence and providing resources for threat prevention and recovery.

State and local government agencies collect and store valuable citizen data such as social security numbers, birth certificates, driver’s licenses, voter registration, immunization history, medical records, bank account and credit card numbers of millions of people and businesses. However, these agencies often lack the resources to protect this data. 

Further, threats have evolved and are more sophisticated. Recent attacks such as ransomware and targeted phishing attacks aimed at compromising credentials bypass outdated traditional security solutions. Many agencies, wish to avoid big headlines for the wrong reasons and want to reduce the risk of a breach by taking a layered approach to cybersecurity. 

State and Local Government IT Security Challenges

In addition to dealing with sophisticated threats, the state and local government agencies have their own unique challenges that further add complexity for IT security teams.

1. Slow pace of change:

The IT environment is burdened with legacy applications and infrastructure. While the IT department is taking up modernization and cloud migration projects, the pace at which teams can operate is bogged down by interoperability with existing infrastructure. Finding a solution that is agnostic and works with existing systems is an important factor that determines the success of these projects. 

2. Siloed solutions:

As applications and data move to the cloud, IT teams deploy new dedicated cloud-based solutions that operate in silos. These solutions provide similar features as their on-prem counterparts, but may not offer sufficient integrations or satisfy the unique use cases for traditional applications. There is a need to consolidate solutions to deliver a  better user experience and lower the total cost of operation (TCO).

3. Cost and overhead:

Lack of budget and resources severely limit the capability of the IT security teams to safeguard data. Understaffed teams and competing IT projects make it difficult for security managers to build a business case for security. The best option is a security solution that is simple to deploy and manage and easy for users because it helps security professionals build a business justification and get the buy-in from their business decision makers. 

How Duo Helps State and Local Governments :

• Duo’s strong multi-factor authentication (MFA) (also referred to as 2FA) minimizes the attack surface by preventing unauthorized users or bad actors using compromised credentials from accessing sensitive data stored by government agencies. Blocking unauthorized access helps reduce the risk of data breaches and credential phishing attacks. 

• Duo empowers the IT team to take on digital transformation / IT modernization projects such as moving to the cloud in a secure and compliant manner by: 
• Providing same authentication workflows and intuitive user experience across all applications for users from all departments, even when applications and technologies change

• Delivering a consistent user experience that makes it easier for network administrators to onboard new tools and applications securely without creating any roadblocks or bottlenecks

• Adhering to the NIST cybersecurity framework and providing the necessary requirements for the NIST SP 800-63 Digital Identity Guidelines

• Enabling different departments at the state and local level to easily comply with multiple cybersecurity regulations such as:
• CJIS for public safety and justice departments working with criminal information
• HIPAA and EPCS for departments dealing with patient health information (PHI)
• PCI-DSS for departments that store and process any payment related information

• Duo reduces TCO by lowering IT overhead and consolidating multiple point solutions to a single, access security solution that works with legacy solutions and all the applications and systems that SLG uses. With Duo, government agencies benefit with:
• A single vendor approach for all your secure access needs - MFA, Single Sign-On (SSO), remote network access, device inventory and device management -  reducing security spend and efforts involved in administration and management
• Protect access to any application from popular SaaS (Office 365, Workday) to custom cloud apps (AWS, MS Azure) or on-prem (Unix, MS Exchange) and remote access (RDP, VPN). Duo can secure access to anything that requires a login.  
• Easy deployment with self-service for enrollment and device management allows IT departments to roll-out Duo either in a phased approach or across the organization
• Ease of use for end users helps improve productivity and reduce costs associated with training and support calls.

Sign-up for a Free Trial to experience the product and see how Duo helps State and Local Governments reduce security risks.

Learn More

Attend the GovTech + Duo sponsored live webinar to learn how a modern security approach can simplify access to all applications across entire government agencies.

WEBINAR: Protecting Critical Data is Never a Bad Investment”

WHEN: December 5 at 11am PST/2pm EST

**Download Duo’s MFA/2FA Evaluation Guide to understand some of the key areas of differentiation between two-factor authentication solutions and provides some concrete criteria for evaluating technologies and vendors.**

Free Guide

Dear Governors, Mayors, Legislators and County Officials,

Each day there are more and more stories about ransomware and threats to forthcoming elections. I'm sure it's already on your mind.. Congress frequently bemoans the inaction at the state and local level and warns about the dire consequences of further inaction. Yet, it’s not that simple. Yours is not a single enterprise of which any one entity has dominion over. To the contrary, it’s a loose federation of state and local agencies with divergent requirements, needs.  

From the needs of a legislator, to a citizen, to a government employee accessing retirement information or a even first responder, there are various levels of access that need to happen quickly and securely without disrupting the business at hand. Multi-factor authentication (MFA) is a recommended solution by the federal government because it does exactly that. 

Make no mistake about it, I am not suggesting that there is a single solution that can thwart all attempts. However, studies suggest that many of these attacks begin when user credentials are compromised.  This is referenced in NASCIO’s recent report. One can make the simple comparison between cybersecurity and home security. Hackers are like burglars, they case the joint, they look for the open and easy paths first. 

The first and most common things bad actors do is they go around the house wiggling doors and windows hoping they’ve been left ajar. That’s what phishing is. Consequently, start by locking the doors and windows. In cyber security, usernames and passwords are like windows and doors with insufficient locks — and the phish is the preferred lever of the attacker. Multi-Factor Authentication (MFA) provides a stronger lock. That's what we, here at Duo do.

A strong form of multi-factor authentication is as fundamental to "election security" and "enterprise security" as home locks are to your front door and windows. The stories of compromise from the last election and ransomware all started from the same open window — username and passwords were compromised and phished.  

Our tagline at Duo is "democratizing security" because Duo MFA is easy to use, and easy to deploy.  Through greater ease of deployment and simplicity, you get greater use  and you reduce risk by locking down all the easy points of entry — like locking ALL your windows and ALL your doors at night. 

Remember, much of the trouble during the last election was the distrust it created in our democratic institutions. Much of that distrust started because individual credentials were compromised. Consequently, it’s not so much inaction, but the inability to take holistic action. All the bad guy needs is one opening. 

We can help. 

Sincerely,

Duo

Imagine that you’re sitting around a campfire with your security team. It’s pitch dark, and you can swear that little eyes are glowing at you just past the edge of the firelight. All the marshmallows have been consumed (either by the people or by the flames), the chocolate is gone, and there are spare graham crackers left over (because there always are). 

What scary stories would you tell? And are any of them true? Or do we just tell them to one another to get a chill going? What’s the punchline that would make everyone jump and scream?

“The call was coming from INSIDE the SCIF!” is a common joke we’re hearing right now, but there are plenty of people who take it very seriously. Most of the true stories of espionage at that level are ones we’ll never hear, so we have to rely on stories of what could potentially happen. Some of the spooky stories I’ve heard have to do with fitness bands leaking location data near secured areas, or researchers who are able to track cleared employees based on the mobile apps they use in the parking lot during their breaks. Do these result in actual compromises? They make good tales, but those of us in the civilian world won’t know more than that.

Scary True Stories

I have a true story I tell from one of my jobs from many, many years ago. Once upon a time, one of my colleagues took it upon himself to read the instruction manual for the degausser that we used to erase old backup tapes (I told you this was a long time ago). After reading it, he came into my office and said, “I have bad news. The model of degausser that we have doesn’t actually work on tapes.”

Cue violins and screaming. How many tapes had we happily thrown away, sure that the data on them was gone? For how many years? Did that constitute a breach? Did it matter? We had no way of knowing. It’s the unknown that frightens the most.

Just about every CISO you meet has a scary tale to tell, just as everyone you meet probably has a tale to tell about a horrible accident that happened to them or someone they know. The security ghost stories are fun to tell at conferences. But telling them constantly, at length, doesn’t help us have a reasoned conversation with the business around risk. Yes, we see stories in the headlines all the time about the rising impact of security breaches, but they’re still so rare as to be newsworthy. And your management may agree that theoretically, if something like that happened, the impact would be significant — but they won’t agree on the likelihood of that worst-case scenario happening. The biggest disconnect I see between security professionals and their management is their different estimates of probability. 

As security professionals, we must always be aware of the dangers of availability bias. If you read about breaches all day, you’ll be convinced that they are more likely to happen than they probably are; if you’re a firefighter running around putting out fires all the time, you’ll think the whole world is on fire. So just because we have more than our fair share of security ghost stories, it doesn’t mean that we should be telling them all at the boardroom table.

Check the Facts

If you have to relay these tales, make sure you’re including facts and analysis, such as:

• Do we think this is likely to happen to us? 
• If so, how would it happen and what form would it take?
• Are we capable of detecting (or better yet, preventing) this scenario?
• What can we do to reduce the likelihood, or at least the impact? (And what will it cost?)

And if your story sounds too much like, “... Then they saw the TOTP hardware token hanging from the car’s door handle!” then rethink what you’re trying to communicate, and why.

Halloween’s over. Let’s use our stories to inform, not to frighten. 

Variety is the spice of life, or so I’m told. We see this in the world we live in now. There are thousands upon thousands of websites and services that provide us access to basically anything we can think of at the click of a button. From restaurant buffets with everything you can think of to; being able to order a Microsoft Surface and have it delivered to your house the next day, we have it all. 

As I look back over the course of my career I can’t help but wish I could speak to myself 25 years ago. Back then, when I wanted to spin up a project in a production environment there was a storm of paperwork. Then there were ordering cycles that, in one case, took 364 days for a product to be delivered to the company I was working for at the time. 

Today we suffer from a much different affliction. We have a veritable bounty of riches when it comes to building bridges and the ability to get work done. Microsoft Azure is an excellent example of these riches. If the me from a quarter century ago could know that now I could set up an entire infrastructure in hours rather than months — I’m sure I would have passed out. 

Even within Azure there is a plethora of options that are available to customers. Azure provides customers with options to have Infrastructure as a service (IaaS), Software as a Service (SaaS) and Platform as a service (PaaS). Everything from storage to server hosting, and all points in between, so that you can move to the cloud or simply to augment your on premise systems. 

Another great value add is that Microsoft partners with companies like Cisco Systems to provide their customers with a greater flexibility with their zero trust security initiatives.

Duo's Native MFA For Microsoft Azure

Cisco's Duo Security portfolio is available to Azure customers to help build out their solutions for teams to bring their projects into executive alignment to satisfy strategic security goals. Duo has native multi-factor authentication (MFA) for Azure’s Exchange environment as one example.

Having this ability allows Azure customer to leverage Duo + MSFT together helps promote a multi-cloud, multi-application environment. This sort of flexibility allows companies to integrate with other platforms such as Salesforce, AWS, and solve for use cases for both on-prem applications and in the cloud.

Let’s face it, no one uses only one platform and it is great to have options available to address that. We all have third-party applications that we use and having the ability to leverage Azure AD with Duo allows for a much wider coverage area than might have been thought possible before. 

We like to have choices. Cisco’s Duo Security provides the ability to have exactly that. Coverage across the board, and not simply just MFA. 

Be better and grow bigger with Microsoft + Cisco + You = Better Together.

At Duo, we believe security doesn’t have to be complicated to work. This philosophy is at the core of what Duo does best: make security accessible to all by making it easy to use, affordable and effective. We choose to avoid FUD (fear, uncertainty and doubt) messaging, because we believe that it is unnecessary.

Gaps in security visibility and technology due to outside vendors, solutions that may or may not be compatible and manageable, conflicting priorities, limited budgets or a limited security team can lead to real vulnerabilities when security is also complex.

Duo and Cisco have joined forces to eliminate security complexity. We aim to execute and deliver transparent solutions that play nice with others while offering visibility into systems that offer world-class protection without more work. 

The New Zero Trust Defined

What is “zero trust” and why should you care? In the past, the security walls or the “perimeter” lived in and around the network. Mobility and globalization have changed that. Users are connecting to the network and applications in a variety of new ways  — which has expanded the perimeter to anywhere access happens.  

Zero trust uses a variety of factors for verification and authentication before granting access to work resources. In a nutshell, zero trust enforces that no trust or access is granted until users and devices are identified and verified. 

It's not about getting rid of the perimeter - but rather tightening security on the inside.The new perimeter is less about the edge of the network, and now more about any place you make an access control decision.

—Wendy Nather, Head of Advisory CISOs, Summarized from Zero Trust: Going Beyond the Perimeter

The Ways of Access of the Past

• The corporate network relied on a firewall as the main barrier to entry for users, devices and applications
• The enterprise managed all endpoints accessing resources
• Systems managed by enterprises could trust one another, and trust was often based on network location

The New Way of Zero-Trust Access

• Visibility is clear and definable by setting policies and enabling BYOD (bring your own device) or IoT (Internet of Things) devices for business agility
• User, device and application trust is continually reestablished
• Monitoring and threat containment is continuous

To learn more about Zero Trust watch this video:

See the video at the blog post.

Three Key Areas of Business Protection: Workforce, Workloads & Workplace

Security for the enterprise should cover IT ecosystems, with many different vendors, software and infrastructure spread across the multi-cloud, hybrid cloud and on-premises.

The enterprise has to grant access for different types of users — employees, contractors, customers — often with BYOD devices and on a global scale. Enterprise applications talk to each other via APIs, microservices and containers, as well as IoT devices that regularly access the network. 

Each area of your enterprise IT is equally important to protect using a zero-trust security approach.

1. Zero Trust for the Workforce - Securely grant access to employees, contractors, partners, etc. and their secure devices (BYOD). Allow secure application access (regardless of location).

1. Zero Trust for Workloads - Secure all connections within your applications (when an API, micro-service or container is accessing an application's database), across the multi-cloud (cloud, data centers and other virtualized environments).

1. Zero Trust for the Workplace - Secure all user and device connections across your enterprise network, including IoT (types of devices may include: servers, printers, cameras, HVAC systems, infusion pumps, industrial control systems, etc.).

For comprehensive zero-trust coverage, you need to secure access across all three areas in a consistent and automated way.

Cisco Zero Trust

Cisco’s three-step methodology implements zero trust across the workforce, workloads and workplace by:

1. Establishing trust of a user, device, application, etc. - before granting access or allowing connections or communications.
2. Continuously verifying trust by monitoring for risky devices, policy noncompliance, behavior deviations and software vulnerabilities
3. Enforcing trust-based policies with granular controls based on changing context - such as the security posture of devices and the behavior of applications

For the workforce, Duo Security protects against phishing, compromised credentials or other identity-based attacks with multi-factor authentication (MFA) to verify user identities and establish device trust before granting access to applications.

For workloads, Tetration secures hybrid, multi-cloud workloads and contains lateral movement with application segmentation. Identify vulnerabilities in software versions and block communication to reduce your overall attack surface.

For the workplace, Software-Defined Access (SD-Access) provides insight into users and devices, identify threats and provides control over all connections across the enterprise network, including IoT devices.

Duo’s Simplified Zero Trust for the Workforce

As the first step on your zero-trust journey, Duo provides simplified zero-trust security to protect the workforce by ensuring only trusted users and secure devices can access your applications, regardless of where they’re located.

1. Duo establishes trust - By verifying user identities using multi-factor authentication (MFA). And by inspecting end user devices to ensure they're running the latest software versions, and are not jailbroken or tampered.
2. Duo enforces trust-based access - Before granting access to applications or data, Duo enforces access policies based on contextual data, like user or user group roles, device security health and more.
3. Duo continuously verifies trust - By monitoring for any indicators of compromised or risky end user devices, such as out-of-date software or the lack of security, like passcodes or encryption.

With all of these capabilities, Duo reduces your overall attack surface and mitigates risks related to identity, such as phishing or stolen passwords. Duo also gives you increased visibility into the security of end user devices, so you can identify both managed and unmanaged devices and enforce contextual access policies.

Learn more about Cisco Zero Trust and sign up for a free trial of Duo today to quickly get started on your zero-trust journey.

Join the Cisco Security Virtual Summit

In the first ever Cisco Security Virtual Summit, you’ll have the opportunity to join live as we unveil our latest product innovations and share why integration is at the heart of what we do.

When: Tuesday, November 12, 2019 at 1:00 p.m. ET/10:00 a.m. PT

Where: Click this link

Discover the future of firewall, SD-WAN, and zero trust.

Cisco, which acquired Duo Security last year, was recently named a leader in The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 report.

“Cisco has adopted a zero-trust strategy and is well-positioned as a prominent zero-trust player.”

     - The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 

This is a major achievement and, in our opinion, recognition of a series of strategic moves Cisco has taken toward ensuring secure access to and for everyone - and - everything across the entire IT environment.

Duo is one key part of Cisco’s overall zero-trust platform. Duo ensures secure access by users and their devices, before they access enterprise applications.

Zero Trust, for Everyone and Everything

At its most basic level, zero trust means never trust, but verify. To do that, you need to:

1. Establish trust by verifying user identities, device trust, workloads and more.
2. Enforce trust-based access by using contextual information to make policy decisions.
3. Continuously verify trust by monitoring security status and trust levels.

For every user, device, application, database, server, etc. that requests access to enterprise resources. Cisco applies this three-step methodology to provide zero-trust security for:

• Workforce - Ensuring only the right users and secure devices can access applications - Duo is the primary product. 
• Workload - Securing all connections within your apps, across the multi-cloud (data centers, hybrid, public/private cloud) - Tetration is the primary product. 
• Workplace - Securing all user and device connections across your network, including IoT - SD-Access is the primary solution. 

Zero Trust for the Workforce

In the report, Forrester cites Cisco’s integration of Duo’s strong authentication offering, noting that the simplicity of its UIs and tooling strengthened the Cisco offering considerably.

"[Cisco] spent significant time and expense to realign much of its security portfolio to enable or enhance zero trust for its customers."

     - The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 

Duo plays an important role in Cisco’s goal to simplify how security is consumed and delivered. Duo’s multi-factor authentication (MFA) is intuitive and easy to use, deploy and manage, providing a simple first step for any organization starting their journey toward zero trust. 

User and Device Trust

That first step is providing zero-trust security for the workforce, or ensuring only the right users and secure devices can access applications. Duo does this by:

1. Establishing trust of your end users by verifying their identity with MFA at the time of login. Duo also establishes the trust of end user devices by ensuring they’re up to date and healthy.
2. Enforcing trust-based access to enterprise applications and data by enforcing granular access policies based on user roles, device security health and more.
3. Continuously verifying trust of users and devices by monitoring for indications of risky devices or out-of-date software versions susceptible to vulnerabilities.

Duo protects against unauthorized access to applications caused by phishing or stolen passwords, as well as against risky and potentially malware-infected devices.

Easy Deployment and Use

Forrester notes that deployment and ease of use are strengths across the Cisco Zero Trust portfolio. Duo's integrations with Cisco security and networking technology, third parties, productivity, remote access applications and more provide ease of deployment and broad coverage across the IT ecosystem.

Learn more about how your organization can extend trust for the workforce to provide greater visibility, detection and protection capabilities.

Adopting a Zero-Trust Security Framework With Duo

The University of Louisville Hospital was able to protect against phishing attacks and comply with HIPAA and PCI DSS requirements with the help of Duo. 

“We are adopting a zero-trust security framework, and we know we needed MFA to start with, and multiple clinician leaders recommended Duo. It was an easy choice for us. It was the first ever security solution recommended by the users and by clinicians. This never happens in healthcare.”​

     - John Zuziak, CISO​, University of Louisville Hospital

This gave them a zero-trust approach to workforce security and a single view into their mobile device inventory and risk.

Learn more about how to start your journey with Cisco Zero Trust by signing up for a free Duo trial; demoing Tetration and learning more about SD-Access. 

See how different zero-trust vendor offerings and strategies stack up by downloading The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 report. 

At this year’s Black Hat USA, Fletcher Heisler (Founder, Hunter2) and I had the pleasure of sharing our perspectives on application security education in a talk titled, “Shifting Knowledge Left: Keeping up with Modern Application Security.” In our presentation, we discussed where current software security education approaches were limited in their effectiveness, stifling change from occurring in application security. We highlighted that the industry’s focus on the OWASP Top 10 has led to blind spots in engineer training, especially when compared to current data released by HackerOne that only shows a 40% overlap in real-world bugs classes abused.

The conclusion of our talk broached the idea that to positively change application security outcomes, we will need to change how we engage our software engineers in education & outreach. By putting our engineer’s way-of-working at the forefront of our engagement, we can help teach them software security by allowing them to do what they do best: write code! Today, Duo Security & Hunter2 are excited to release a new service, associated open-source lessons, and two training slide decks to help enable teams to provide a better educational experience.

Rethinking Application Security Education

The Application Security team here at Duo have been building and providing in-house software security trainings for over two years. When we started, the goal was to build a curriculum that people would want to take and tell others to take, too. To motivate us, we decided that training would not be mandatory for anyone. That meant that we’d actually have run trainings that people heard good things about and added real value to their skills. Wild idea, I know!

We offer each of our (currently four) training courses every single quarter, visiting different Duo offices to ensure we can go where our engineers are whenever possible. While the lessons are important, building relationships with the engineers we are here to support is just as crucial. After each class we send out a comprehensive survey to our attendees that allows us to recalibrate our effort on aspects from room logistics, to instructor delivery, to lab difficulty. For us to maintain a great reputation for our trainings, we have to be willing to leverage feedback!

Increasing Developer Engagement via… Development!

Over a year ago, Duo started to evaluate how we could provide on-demand application security education to our engineers to go beyond quarterly trainings. Further, we had been running much of our own lab infrastructure to support trainings that took more effort than was desirable. This led us to discuss with Fletcher Heisler at Hunter2 what his company was up to.

Hunter2 provides an interactive, web-based experience for engineers where they get to use a code editor, interact with a real Linux server, and real application stacks. The platform enables guided lessons that help engineers understand vulnerability classes, exploit them, and most importantly… patch the issues! While it may seem obvious, many “software security” training technologies are actually just penetration testing since they don’t provide an avenue to learn in specific contexts how to actually prevent issues in code. That should be the whole point.

Our team chose this platform for not just the level of interaction engineers have, but because unlike other offerings the labs it comes with are not the end of the road -- we could bring our own lessons, too. That’s a critical feature for our team that enables us to cater specifically to our engineer’s needs and also to keep pace with application security trends more readily.

Growing the Application Security Education Community

Today’s release by Duo Security and Hunter2 involve three core focuses:

1. The release of Hunter2 Community, which is a free application security learning platform where users can explore guided, interactive lessons provided by the community. The platform will also support having community members submit their own lessons, too.
2. Duo Security will be open-sourcing six custom lessons that will be accessible via the Hunter2 Community and serve as examples that others can leverage to build their own.
3. Duo Security will also be releasing for-public-consumption versions of our “Introduction to Application Security” and “Advanced Application Security” training course slide decks.

Fletcher and I are hopeful that we can encourage more application security teams to provide valuable, highly-interactive educational opportunities to their teams. By leveraging all of these resources, teams will have a jumping-off point to start providing more robust trainings, build custom lessons that resonate with their engineers, and contribute back via Hunter2 Community.

Even if your organization doesn’t have an application security team, we’re hopeful that you (our avid reader) will share these opportunities with security-minded engineers or grow passion for software security as an internal champion. Starting from scratch is hard, so we’re excited to share this content as a means to reduce the friction in attempting to spin up such an effort.

We hope you take a chance to check out Hunter2 Community, our open-sourced Hunter2 lessons, and our training slide decks. While we can’t guarantee our curriculum or lessons will be exactly what your team needs, we do think that they will spur conversations that begin a process leading to your own tailored content. Looking for other great content beyond ours? You should take a look at PagerDuty’s fantastic Security Training for Engineers courseware, too.

Software security is a big challenge and progress is moving slowly. Let’s do our best as a community to share more of our own presentations, labs, and passion for helping engineers do their best, most security-minded work. 

Oh, and curious what you missed in our talk at Black Hat? Check out our slides or watch the webinar redux of the presentation. We hope they inspire you to take up this important challenge!

On 25th July 2019, the New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, making it a state law. This act amends and broadens the coverage of the existing data breach notification law by expanding the definition of:

1. Covered Entities to include any individual or entity that holds the private information of a New York State resident, regardless of whether that individual or entity does business in the state of New York.
2. Private Information to include - username or email address in combination with a password or security question; biometric information such as fingerprints, voice print, retina or iris image; account number, credit or debit card number that can be used to access an individual's financial account without additional identifying information.
3. Data Breach to include unauthorized access to private information regardless of whether that data has been acquired by unauthorized personnel. The data breach notification law would be triggered indications if private information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.

The New York Law Journal reports:

"The SHIELD Act does two things, primarily: It amends New York’s data breach notification statute, General Business Law §899-aa to update its definitions, and also creates a new §899-bb requiring substantive data security controls of any person or business that owns or licenses computerized data including the defined “private information” of a New York resident. In doing this, New York has brought itself into line with a number of states concerning how they define a data breach, and, where applicable, what substantive security controls they require. The SHIELD Act also adopts the approach of several states, including Massachusetts, Florida, and Nevada, which purport to extend their jurisdictional reach to any person or business, anywhere in the world, that owns or licenses data concerning a resident of that state. In this regard, New York has converted §899-aa into, and created a new §899-bb that functions as, a possession statute: 

If you process computerized private information concerning a New Yorker, you now fall under the statute’s requirements. This change in territorial scope, of course, vastly increases the pool of persons and entities that are subject to possible enforcement under §899-aa, and creates an entirely new ground for enforcement against this increased pool under §899-bb. The statute’s expanded definition of “private information” also increases the likelihood of enforcement."

The SHIELD Act also amends the general business law by adding a new data security protections section 899-bb. This section outlines the compliance requirements for a data security program with “reasonable safeguards” to protect private information. The reasonable safeguards extends to the service providers of the covered entities and the safeguards must be required by contract.

The SHIELD Act’s amendments to the breach notification law take effect on October 23, 2019. And the data security amendments to the general business law take effect on March 21, 2020.

Who Does the Shield Act Apply To?

The SHIELD Act applies to any person or entity, regardless of their location, that owns or licenses computerized data which includes private information of New York State residents.

What Should Businesses Do to Comply?

Organizations that comply with HIPAA, GBLA, NYDFS and other federal or New York State data security regulations are considered compliant with the reasonable safeguards requirements section of the SHIELD Act. The reasonable safeguards include:

1. Administrative Safeguards
1. Designate one or more employees to coordinate the security program
2. Identify internal and external risks
3. Training employees on security program practices
4. Select service providers capable of maintaining appropriate safeguards and require those by contract
2. Technical Safeguards
1. Assess risks in network and software design and in information processing, transmission and storage
2. Detect, prevent and respond to attacks or system failures
3. Regularly test and monitor the effectiveness of key features of the security program
3. Physical Safeguards
1. Assess risks associated with information storage and disposal.
2. Detect, prevent and respond to intrusions.
3. Protect against unauthorized access to or use of private information during or after collection, transportation or destruction of information.
4. Dispose of private information within a reasonable amount of time

According to the SHIELD Act:

“Small businesses are also subject to the reasonable safeguards requirement; however, safeguards may be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” A small business is any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets”.

What Is the Consequence?

The SHIELD Act does not authorize a private right of action and a class action litigation. But, the Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are not reckless or knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For reckless and knowing violations courts may impose penalties of the greater of $5000 dollars or up to $20 per instance but no greater than $250,000. For reasonable safeguard requirement violations, the court may impose penalties of not more than $5,000 per violation.

How Can Duo Help?

A strong data security program must include an adaptive multi-factor authentication mechanism to safeguard against unauthorized access. Your organization can easily comply with the SHIELD Act and strengthen security posture using Duo. Duo enforces strong access security policies to prevent unauthorized users and devices from gaining access to private information, even when the users’ credentials are compromised.

Multi-Factor Authentication - Duo verifies users’ identities with strong two-factor authentication before granting access to applications that may contain personal information. This protects user identities and ensures that only authorized users are able to access PI/sensitive data.

Device Visibility - Duo provides IT teams with visibility into which corporate-managed and unmanaged devices are accessing company applications and data. This provides organizations with the ability to set security policies to protect their sensitive resources

Trusted Endpoints- Duo checks the security hygiene of devices before granting access, giving complete control over what and who has access to systems storing PI/sensitive data. By leveraging Trusted Endpoints organizations can augment their security posture to ensure that only healthy, trusted devices gain access to sensitive resources and can block unauthorized devices.

Access Policies - Enforcement of strong policies ensures only trusted and authorized users and healthy devices can access critical business applications and the data they store while blocking unauthorized access. By enabling enforcement of access policies at an app level organizations can differentiate critical corporate apps (ex: ERP) from generic work apps (say cafe menu).

Reporting/Audit - Duo’s dashboard and reports enables administrators to monitor authentication attempts and identify suspicious login events in case of compromised credentials. Duo also records comprehensive logs that help businesses demonstrate compliance during audits.

Conclusion

Complying with regulatory requirements helps prevent penalties and fines due to willful violations. More importantly, compliance minimizes risk of a breach. Many organizations choose Duo because of the ease with which they can achieve compliance and improve security posture.

Read the following blogs to learn more on how Duo can help achieve compliance for HIPAA, CCPA and NYDFS regulations.

Download this Duo for Compliance datasheet to get an overview on how Duo’s solutions satisfies specific controls.

See how some customers have leveraged Duo to satisfy compliance requirements: HIPAA, GBLA, NYDFS

Sign-up for a free trial to experience the product and see how Duo can satisfy some of the requirements outlined by various data privacy regulations

Amazon Web Services (AWS) stores a history of API calls to the data storage service S3 via a service named CloudTrail. These logs are important for auditing what has happened in an AWS account. They can be used to understand errors that have occurred, review historical usage so that tighter IAM policies can be implemented (such as with CloudTracker), test ideas for new detection rules, investigate incidents and more. To search these logs, you can download them and use grep or jq to search through them, but that can be slow. You could ingest them into a log analytics platform—but that can be expensive, difficult to maintain and require consideration of resource consumption. 

To solve these problems, we’re excited to announce cloudtrail-partitioner which automatically organizes your CloudTrail logs in a format suitable for quick, cheap and simple querying with Athena. 

How it works

The cloudtrail-partitioner is based on work by Alex Smolen in his blog post Partitioning CloudTrail Logs in Athena. Our contribution is to make that work easier to run by incorporating it into a CDK (Cloud Development Kit) app and adding functionality to incorporate new regions and logs from new accounts automatically. Athena is a serverless AWS service that allows you to use a SQL interface to query data stored in S3 buckets.

When using Athena one needs to define a table to describe where your data is located and its format. You can additionally define “partitions”, which are based on the folder path structure to limit the amount of data read. This is useful because the Athena pricing model is based on the amount of data read, so by defining which files should be looked at you can reduce your costs. In my experience, querying less data also results in the queries running faster.

The file path used by CloudTrail logs includes the year, month, and day. As these values change every day, you’ll need to regularly create new partitions daily. AWS also periodically adds new regions, which are also part of the file path, so again, you’ll need to ensure you create new partitions to account for the new regions. Finally, your company may add new AWS accounts, which you’ll have to create new Athena tables for. It is due to all this work that we built the cloudtrail-partitioner to perform all those tasks automatically.

To use the cloudtrail-partitioner, you’ll need to first edit a configuration file to define the S3 bucket that contains the logs and an SNS to send any errors to. Then we recommend you run the  cloudtrail-partitioner manually, which not only helps ensure things are setup correctly and allows you to use Athena tables immediately, but also creates partitions for the past 90 days by default. After you then deploy the CDK app, a Lambda will be created that runs on a nightly schedule to create the new partitions. This will figure out what CloudTrail logs you have, whether they are configured by the account or via AWS Organizations.

Using the Athena tables

Tables are created for each AWS account, which will look like cloudtrail_000000000000. You can query those directly, or if you want to run a query across all account logs, a view is created named “cloudtrail”. An example query that makes use of the different partitions is:

A more advanced query can be used to find counts errors by user across all accounts.  This can be useful for finding applications that aren’t working correctly, or could identify compromised applications that are attempting API calls they aren’t allowed to make:

Conclusion

Using Athena can be a cost effective and low maintenance solution to provide your teams with an easy way to query their CloudTrail logs using SQL. This solution makes setting up the required tables and maintaining the partitions easy and with best practices of infrastructure as code, least privilege, and monitoring for errors. 

Try it out for yourself at https://github.com/duo-labs/cloudtrail-partitioner

The financial services industry is broad and roomy as it covers everything from stocks and investment portfolios, to banking and insurance, to technology that caters to the FinServ industry. There is that old saying “follow the money” and when it comes to breaches with high impact, they typically involve bad actors trying to get to the money. The impact of a breach for financial services is significant, with one study reporting an average cost of $1.3 million to restore services after every DNS attack and an average of 10 attacks per year, and that is not including downtime or resources required to address the breach. The good news is essential financial services breach protection begins with an affordable solution, two-factor authentication (2FA). 

As financial institutions move into the hybrid cloud and incorporate more mobile technology, new data shows that 45% of access requests to protected applications come from outside the firewalls. To stay compliant with the new federal, state and local laws, financial firms are putting 2FA in place as a preventative measure and to stay compliant. 

The perimeter has shifted, and to reduce the risk of a breach amid this shift, financial organizations of all sizes are enforcing 2FA as a cost-effective security control that can establish user and device trust before granting access to applications (this process is known as a zero-trust security approach where no device or user is trusted until authenticated and authorized by multiple factors vs. just a password). 

These security controls include strengthening user authentication, requiring screenlocks and disc encryption, disallowing devices with out-of-date browsers and operating systems, or blocking anonymous IP addresses, designating safe regions, among other steps. Organizations are able to use zero-trust tactics by implementing 2FA to quickly mitigate threats posed by zero-day vulnerabilities.

Passwords Just Aren’t Enough Protection

The main reason why two-factor authentication matters is that a password is no longer strong protection for financial services data. Here are a few statistics as to why: 

• 81% of data breaches have been the result of weak or stolen passwords
• 92% of organizations have credentials for sale on the Dark Web
• 61% of people reuse the same or similar password everywhere
• “123456” and “password” were still the top two password choices in 2018

How Duo’s 2FA Can Be a Preemptive Barrier to a Financial Services Breach

The overwhelming majority of financial services breaches begin with stolen credentials. Credentials are stolen in a multitude of ways but the most common is by phishing or spear phishing, new technology like persistent keyword stuffing or weak passwords. The adoption of business on-the-go via mobile can make it less apparent that an email or link is fake due to shortened information displayed. Breaches happen, but to those who take a defense stance and adopt 2FA have a huge advantage to thwarting breaches because 2FA has been proven to prevent stolen credentials and is sanctioned by the White House as an important measure to prevent security breaches. 

Why Financial Organizations Choose Duo’s 2FA Solution 

Cisco recently released the 2019 CISO Benchmark Study that confirms gaining clear visibility into network threats and getting to zero trust is a top priority for Financial Services CISOs. Duo Beyond is a zero-trust security platform that addresses user and device risk for every application so that CISOs can relax and rest easy, saving their energy for real problems. Duo helps financial companies:

• Stay compliant. Duo provides end-to-end visibility, reporting and logs of assets. Duo's endpoint visibility gives a detailed overview of users' devices (managed or unmanaged, mobile and laptops/desktops) with compliance-friendly reporting and logs
• Reduce time to security: Duo's native integrations protect on-premises, cloud, remote access, VPNs, etc. to enable business agility, allowing admins to roll out security in a matter of hours and days
• Compromised credential prevention. Eliminate the threat of attacks that stem from compromised credentials with Duo's easy and effective 2FA. When a user logs into an application, they verify their identity with Duo’s two-factor authentication (2FA), preventing the risk of unauthorized access due to stolen or weak passwords
• Duo detects and tracks every device accessing protected applications, including desktop, laptop, mobile, corporate and personally-owned devices – without using an agent like MDM. Identify mobile devices with certain security features enabled or disabled, as well as their security posture. BYOD, no problem
• Secure cloud infrastructure access. DevOps and engineering teams can SSH to servers remotely and securely with Duo to access development environments and deploy code, as required by compliance regulations
• Duo does the work of many different security tools, all in one platform: strong/adaptive authentication, endpoint visibility and control, remote access and single sign-on – increasing the value of your security investment
• Duo's technology and security partnership ecosystem makes it easy for you to eliminate complexity while protecting your existing IT investments
• Notify users to update. Duo alerts users to install required updates to prevent risk
• Have more policy control. Start adopting zero-trust security. Manage contextual policies, role-based policies, app-specific policies, location-specific policies and more with Duo. 

Duo Helps Align Security Operations with IT Operations

The Chinese symbol for danger doubles as the same symbol meaning opportunity. This paradox is similar to the competing priorities between CSOs and CISOs. On one hand, the CISO manages the security operations team with the goal of enforcing and controlling trust to keep data safe; while on the other hand the CIO manages the IT operations team and is tasked with completing projects and increasing revenue with a focus on expanding business with new technology. They often have similar but competing goals to modernize the way business is done and to be secure while maximizing efficiency and business objectives. 

Duo 2FA helps to align security operations with IT operations by streamlining multiple security tools in one agnostic platform.

Sign-up for a free trial to experience the product and see how Duo can preemptively help protect your financial organization from a cyber security breach and stay complaint.

Blog Recommendations:

#Winning: Securing FinServ Hybrid Clouds with MFA

How Duo Enables Compliance and Improves Security for the NYDFS Finance Regulation 23 NYCRR 500