Duo Security Bulletin
https://duo.com/
Duo Security provides two-factor authentication and endpoint security as a service, built to protect against account takeover and data theft.

Privacy & Security Challenges in Investigative Journalism
https://duo.com/blog/privacy-and-security-challenges-in-investigative-journalism
Mon, 27 Mar 2017 09:00:00 -0400

Last week, I attended the talk, Privacy & Security Challenges in Investigative Journalism, hosted as part of the University of Michigan speaker series, Dissonance: Conversations at the Confluence of Technology, Policy, Privacy, Security & Law.

The talk featured two guest speakers, Knight-Wallace journalists Bastian Obermayer and Laurent Richard, moderated by Gautam Hans, Clinical Fellow in the U-M School of Law.

Bastian is the deputy head of the investigative unit at Süddeutsche Zeitung in Munich - he is also the reporter initially contacted by the anonymous source of the Panama Papers. Laurent is an investigative reporter and editor-in-chief at Premières Lignes Télévision in Paris. He leads investigations into dictators in the Caucasus region and Central Asia.

How do privacy and security concerns affect your current, ongoing investigations?

Now, with technology, there are many more possibilities to encrypt and secure communication. But governments also have the best tools to track and surveil journalists, as Laurent pointed out. He was concerned about what would happen in the U.S. with regard to the privacy and safety of journalists and sources.

The main concern is known as the “first contact” problem: a source may lose, or risk losing, their job simply by sending an initial email to a journalist. It’s best to know how to secure oneself from the very first point of contact to avoid exposing oneself as a source.

According to Bastian, during the Panama Papers project before publication, there was an entire team dedicated solely to this project, working in a room without any Internet connection whatsoever. His boss used faxes and other low-tech ways to work and communicate with his team. They had to work an entire year in secrecy, using PGP (Pretty Good Privacy) - a standard for encrypting email communication using public key cryptography.

There are monetary costs involved in ensuring private and secure communication for journalists and their sources - it can be expensive and difficult to design secure systems. Plus, there is the human cost of a lot of training and retraining. One point of weakness can jeopardize the investigation and reporting, whether the threat comes from a government, a private entity or a competitor.

Safety means nothing if just two people don’t respect the chain of security, according to Laurent. He suggests talking about the most sensitive things in person, one on one, as well as establishing some type of code in order to privately communicate with your contacts.

Another caveat: many companies will track down sources and fire them to set a strong example and a precedent that discourages employees from talking to journalists.

Additionally, if your source has sensitive information on their company’s server, don’t let them send it to their private email. If you ask them to send the information to their private email, you could be named an accomplice in the crime of stealing information from a company. Make sure to ask your source how they are procuring the information and whether they are doing it in a legal way.

What kind of tools do you advocate using for other journalists and sources?

According to Laurent: PGP for email communication, and Signal and Wire for encrypted chat. Most big newsrooms, like The New York Times or The Washington Post, use SecureDrop via Tor. SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from, and communicate with, anonymous sources, according to SecureDrop.org.

Back in 2014, Duo hosted a Duo Tech Talk featuring guest speaker Runa A. Sandvik who was working at the Freedom of the Press Foundation at the time. She is now the Director of Information Security, Newsroom at The New York Times. In her talk, she described how Tor and SecureDrop work - check out Encryption Works: A Look at Tor and SecureDrop to learn more.

While using certain tools can make communications between journalists and sources safer and more difficult to surveil, no method is 100 percent safe. Again, as Bastian said, it is sometimes safer to meet in real life. It can also be wiser to stay in the dark - it can be safer to not know the name of your source, so there is no way a journalist could accidentally leak it.

According to Bastian, during an investigation abroad, their team had to buy burner phones for Russian sources to use for a limited amount of time. There is always going to be a balance between safety and productivity - trying to find that balance between security and usability is a constant issue.

There have been advances in tools and security technology that address that issue. Two-factor authentication is one good example of that. And while PGP sounded complicated in the beginning of Bastian’s career, he learned how to use it.

How do you prepare for legal, government or company pressure?

They must employ a lawyer to reply to company lawyers. And oftentimes, they have to cut many news articles due to legal issues, according to Bastian. They also must hire international lawyers to address issues abroad, which is extremely expensive. The biggest fear for a small newspaper is that legal fees would be the end of the paper - one mistake could end the history of a longstanding newspaper.

According to Laurent, one strategy used to shut journalists down is to arrest and sue them. The state of France used their best lawyers to sue him personally. The main signal the government was sending to international reporters was, don’t come to our country to write these stories; look at what happens to journalists in France.

Bastian and other reporters bought insurance to protect themselves as private citizens in case they got sued. For other reporters, this is a warning: they can be sued individually for anything they write as journalists, and their newspaper can fire them, forcing them to show up in court and pay a lawyer on their own. Many insurance companies do not want to insure journalists in the event of libel cases.

The Panama Papers

Finally, Bastian was asked to describe the Panama Papers briefly for anyone that wasn’t aware of the incident.

He received a leak of 11.5 million financial and legal documents belonging to a law firm in Panama, revealing offshore companies that were technically legal but were used for financial crimes such as tax evasion, and by drug cartels, human traffickers, the mafia, etc.

They found a lot of politicians, heads of state and political family members implicated in the papers. There were massive demonstrations, many officials had to resign or step back, new laws and policies were established, etc.

Due to the size and gravity of the information, it was shared with many other news organizations worldwide, which published their stories on the same day.

Future Events

The Dissonance speaker series explores topics related to technology, law, privacy and security. To stay informed of upcoming Dissonance events, you can sign up for their email list.

Website Security: Protecting Against Spammers
https://duo.com/blog/website-security-protecting-against-spammers
Thu, 23 Mar 2017 09:00:00 -0400

There’s been a 32 percent increase in hacked sites from 2015 to 2016, with no expectations of the trend slowing down, according to Google.

Why are sites getting hacked? Attackers may hack websites in order to steal information from unsuspecting visitors, or to deliver malware payloads that infect users’ computers (also known as drive-by attacks).

These attacks can leverage exploit kits that check users’ devices for out-of-date, vulnerable software and operating systems, then compromise them if they’re found susceptible. Attackers may also hack websites to redirect traffic to a malicious domain. Or spammers may hack websites, seeking to use the domain to send spam or to steal user contact information, like email addresses.

How Websites Get Hacked

Google provided a few useful resources for site owners, including information on the top ways that websites get hacked by spammers. Those include:

Compromised Passwords - Password-guessing or brute-force tools are used to automate attacks against logins. To protect against a password attack, implement two-factor authentication to provide another layer of security that requires physical possession of your personal device in order to verify your identity. That way, an attacker can’t log into your accounts using only a stolen or brute-forced password.

Missing Security Updates - As mentioned above, out-of-date versions of software can open up users to an exploit - the same goes for websites. Regularly checking and patching web server software, content management systems and all website plugins/add-ons/themes with the latest updates can protect your website against known vulnerabilities.

Set up automatic updates wherever possible. With Duo Access, you can check every device that logs into your applications for secure, up-to-date software, enabled security settings and more. Plus, you can create custom device access policies to restrict access to your applications from risky devices.

Social Engineering/Phishing - These attacks trick users into providing confidential information, such as passwords. A phishing email that appears to come from a credible or familiar source is one form of social engineering. Typically, the email contains links to spoofed sites or login forms, or asks for confidential information outright. Test your organization’s resiliency and risk of a phish by conducting an internal phishing simulation.

Strong Security Policies - Google states that poor security policies can lead to a compromise of your website. As a system or website administrator, it’s important to enforce strong passwords for users, limit administrative access, enable HTTPS, etc.
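The “Compromised Passwords” item above says brute-force tools automate attacks against logins; the flip side for a site owner is that such attacks are visible in ordinary access logs long before a password gives way. The script below is an added example (not from Google’s guide or from Duo) that reads constructed combined-format access-log lines, counts failed POSTs to a login path per source address inside a sliding time window, and separately flags the case that matters most: a success that follows a burst of failures. The /wp-login.php path, the 401/302 status convention and the thresholds are assumptions for the example.

```python
"""Spot password-guessing against a login endpoint in web server access logs.

Added illustration; the log lines, the /wp-login.php path and the thresholds
are constructed for this example and are not from Google's or Duo's material.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (combined-log style). A 401 marks a failed login,
# a 302 redirect marks a successful one; the addresses and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2017:09:00:01 -0400] "POST /wp-login.php HTTP/1.1" 401 512
203.0.113.7 - - [23/Mar/2017:09:00:02 -0400] "POST /wp-login.php HTTP/1.1" 401 512
203.0.113.7 - - [23/Mar/2017:09:00:02 -0400] "POST /wp-login.php HTTP/1.1" 401 512
203.0.113.7 - - [23/Mar/2017:09:00:03 -0400] "POST /wp-login.php HTTP/1.1" 401 512
203.0.113.7 - - [23/Mar/2017:09:00:04 -0400] "POST /wp-login.php HTTP/1.1" 401 512
203.0.113.7 - - [23/Mar/2017:09:00:05 -0400] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [23/Mar/2017:09:05:00 -0400] "POST /wp-login.php HTTP/1.1" 401 512
198.51.100.20 - - [23/Mar/2017:09:05:30 -0400] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [23/Mar/2017:09:10:00 -0400] "GET /index.php HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(log_text, login_path="/wp-login.php", threshold=5,
                      window=timedelta(minutes=5)):
    """Per source IP: total failed logins, whether `threshold` failures fell inside
    `window` (a burst), and whether a success followed such a burst, which is the
    signal that a guessed password actually worked."""
    recent_failures = defaultdict(list)
    verdicts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        rec = verdicts.setdefault(ev["ip"], {"failures": 0, "burst": False,
                                             "success_after_burst": False})
        if ev["status"] == 401:
            rec["failures"] += 1
            recent = recent_failures[ev["ip"]]
            recent.append(ev["ts"])
            # Slide the window: forget failures older than `window`.
            while recent and ev["ts"] - recent[0] > window:
                recent.pop(0)
            if len(recent) >= threshold:
                rec["burst"] = True
        elif ev["status"] in (200, 302) and rec["burst"]:
            rec["success_after_burst"] = True
    return verdicts


if __name__ == "__main__":
    for ip, rec in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, rec)
```

Run against the sample, the first address is reported with five failures, a burst and a success after the burst, the second address with a single failure and no burst, and the third address not at all (it never touched the login path). A “success after burst” is the event worth paging on; a burst alone is the event worth rate-limiting.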

Hacked Websites in the News

Most recently, the website of the UK’s largest travel association was hacked after attackers gained unauthorized access to the site using a web server vulnerability - their web servers are managed through a third-party web developer and hosting company. Around 43,000 individuals may be affected, with personal information accessed, according to ZDNet.com.

KrebsonSecurity.com also reported that Google’s “This site may be hacked” warning may indicate that a certain restaurant conglomerate’s website was compromised, pointing to the source of a large credit card breach that resulted in fraudulent use of customers’ cards at high-end restaurants across the country.

Check out Google’s WebMaster’s Guide for more on different ways websites get hacked and security tips.

Essential Information Security Controls: Device Inventory
https://duo.com/blog/essential-information-security-controls-device-inventory
Wed, 22 Mar 2017 09:00:00 -0400

The Center for Internet Security’s (CIS) Security Controls is a set of best practices for preventing cyber attacks, developed and validated by leading experts around the world.

These critical controls are widely lauded as the baseline security measures that can help create a solid foundation for any organization to build upon.

The top five CIS controls include:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges

I cover the first control on device inventory and its sub-controls here:

Inventory of Authorized and Unauthorized Devices

This refers to actively managing all of your hardware devices on the network to ensure only authorized devices can be given access. That includes inventorying and tracking any unauthorized and unmanaged devices to prevent them from gaining access.

The sub-controls are summarized below:

1.1 - Asset Inventory Discovery
Deploy an automated asset inventory discovery tool to build an inventory of systems connected to your organization’s public and private networks.

1.2 - DHCP Server Logging
Deploy Dynamic Host Configuration Protocol (DHCP) server logging (if you are using DHCP to dynamically assign addresses) and use this information to improve your asset inventory and detect unknown systems.

1.3 - Equipment Acquisition Updates
Ensure all equipment acquisitions automatically update the inventory system as new, approved devices connect to the network.

1.4 - Network, System & Device Inventory
Maintain an asset inventory of all systems connected to the network and network devices, recording the following information:

  • Network addresses, machine names, system purpose, asset owner, associated department
  • System inventory including IP address for desktops, laptops, servers, network equipment, printers, storage area networks, VOIP phones, multi-homed addresses, virtual addresses, etc.
  • Device inventory including whether or not the device is portable and/or personal, and type of device, including mobile phones, tablets, laptops, and other portable electronic devices that store or process data

One way to keep a device inventory is by using Duo’s Device Insight that collects detailed information about every device authenticating into your network, without the use of agents. That means every type of device is accounted for, not just ones that have a company-installed agent on them.

The type of information includes:

  • Operating system, platform, browser and plugin versions
  • Passcode, screen lock, full disk encryption and rooted/jailbroken status

With Duo Beyond, you also get insight into company-owned vs. personal devices, and the ability to create application-level access policies to determine which users/devices can access certain applications. Duo’s Trusted Endpoints feature allows you to track managed devices by easily deploying client certificates on company-owned endpoints.

1.5 - Network-Level Authentication
Deploy network-level authentication via 802.1X to limit and control which devices can connect to the network. The 802.1X authentication must be tied into the inventory data to determine authorized vs. unauthorized systems.

1.6 - Client Certificates
Use client certificates to validate and authenticate systems prior to connecting to the private network.

Check out The CIS Critical Security Controls for Effective Cyber Defense, Version 6.1 (PDF) for more detailed guidance on how to achieve complete device inventory.
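Sub-controls 1.2 and 1.4 fit together: the DHCP server already knows every address it hands out, so its log is a cheap feed for keeping the inventory’s network addresses current and for surfacing MACs the inventory has never heard of. The script below is an added example (not from the CIS document or from Duo) that parses constructed ISC dhcpd-style syslog lines, keeps the latest lease per MAC, refreshes the address on known inventory entries and lists the unknown ones for review. The log lines and the inventory records are constructed; the DHCPACK line shape follows dhcpd’s usual “DHCPACK on <ip> to <mac> (<hostname>) via <interface>” format.

```python
"""Reconcile DHCP server leases against an asset inventory (CIS sub-controls 1.2 and 1.4).

Added illustration; the log lines and the inventory are constructed for this
example, not taken from the CIS document or from Duo.
"""
import re

# Constructed ISC dhcpd-style syslog lines. Only DHCPACK lines mean a lease was granted.
DHCP_LOG = """\
Mar 22 09:01:02 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 3c:52:82:aa:bb:01 (jsmith-laptop) via eth0
Mar 22 09:01:09 dhcp1 dhcpd: DHCPACK on 10.0.5.24 to 00:1a:2b:cc:dd:02 (printer-3f) via eth0
Mar 22 09:03:40 dhcp1 dhcpd: DHCPREQUEST for 10.0.5.77 from f4:5c:89:ee:ff:03 via eth0
Mar 22 09:03:41 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to f4:5c:89:ee:ff:03 via eth0
Mar 22 09:04:00 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 3c:52:82:aa:bb:01 (jsmith-laptop) via eth0
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)

# Constructed inventory keyed by MAC, holding the 1.4 attributes: name, purpose,
# owner, department, portable/personal flags and the last known address.
INVENTORY = {
    "3c:52:82:aa:bb:01": {"name": "jsmith-laptop", "purpose": "workstation",
                          "owner": "jsmith", "dept": "Engineering",
                          "portable": True, "personal": False, "ip": None},
    "00:1a:2b:cc:dd:02": {"name": "printer-3f", "purpose": "printer",
                          "owner": "facilities", "dept": "Facilities",
                          "portable": False, "personal": False, "ip": None},
}


def leases_from_log(log_text):
    """Map each MAC that received a DHCPACK to its most recent IP and hostname."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m.group("mac").lower()] = {"ip": m.group("ip"),
                                              "host": m.group("host") or ""}
    return leases


def reconcile(log_text, inventory):
    """Return (known, unknown): known entries come back with their address refreshed
    from the lease; unknown MACs are the candidates for 'unauthorized device' review.
    The inventory passed in is not modified."""
    known, unknown = {}, {}
    for mac, lease in leases_from_log(log_text).items():
        if mac in inventory:
            known[mac] = {**inventory[mac], "ip": lease["ip"]}
        else:
            unknown[mac] = lease
    return known, unknown


if __name__ == "__main__":
    known, unknown = reconcile(DHCP_LOG, INVENTORY)
    for mac, rec in known.items():
        print("known  ", mac, rec["name"], rec["ip"])
    for mac, lease in unknown.items():
        print("UNKNOWN", mac, lease["ip"], lease["host"] or "(no hostname)")
```

On the sample, the laptop and the printer come back as known with their current addresses, and f4:5c:89:ee:ff:03 (which sent no hostname at all) is the one unknown device. In practice the unknown list feeds the 802.1X decision in sub-control 1.5: a MAC that is not in the inventory should not be granted a production VLAN.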

Why is Device Inventory Considered Critical?

According to CIS, this control is considered critical because attackers are:

  • Constantly scanning for new, unconfigured or unpatched systems to be attached to your network
  • Looking for new devices, like laptops, that may connect and disconnect to your company’s network, and may be out of sync with security updates and patches
  • Looking for employees’ personal devices to connect to your company’s network (also known as Bring Your Own Device or BYOD) - these devices may already be compromised and used to infect company resources

Track every device that accesses your applications and systems to get information about out-of-date software and company vs. employee-owned devices, and block or notify users with Duo’s Endpoint Remediation.

That way, you can detect and stop risky devices from accessing your environment, based on your company’s own custom security profile. For example, you may decide that only company-owned laptops can log into your Salesforce application, running the most up-to-date, fully patched operating system.

Pairing device visibility and granular control can help you achieve secure, Trusted Access to your network and applications by Trusted Devices.

Learn more about device enrollment, including inventory, inspection, discovery and verification in BeyondCorp: Enrolling Users and Endpoints.

Looking Back at Android Security in 2016
https://duo.com/blog/looking-back-at-android-in-2016
Wed, 22 Mar 2017 00:00:00 -0400

We are three months into the new year, but it’s never a bad idea to look back at 2016 and take stock of what happened. Google’s Android Security 2016 Year in Review makes it pretty easy to do so.


Google’s report highlights the steps they took in the past year to keep Android devices safe, such as the release of the Safe Browsing API, file-based encryption, and media server hardening, to name a few. More importantly, they quantify the impacts of many of these improvements.

Using Duo’s population of nearly one million active Android devices, we are able to provide some context and make some apt comparisons in the areas of security update adoption, device compatibility and integrity, and screen lock usage. Moreover, since our data consists of Android devices used for work purposes, we can illuminate the differences between these devices and Android devices in general.

SafetyNet and Device Checks

In the past year, Google made an important change to the SafetyNet Attestation API by adding the basicIntegrity field. Now, in addition to checking that the device matches a known-good Android profile, developers can also check whether a device has likely been tampered with. At the end of 2016, we began leveraging the SafetyNet API to improve our assessments of device health.

In addition to checking the basic integrity of the device, we also use the ctsProfileMatch field to ensure that devices match the profile of a device which has passed Android’s Compatibility Test Suite. Our SafetyNet data shows that 95.7% of devices used in the US have a CTS profile match. That number is on par with the 94% reported by Google.

These figures show that the vast majority of Android devices, whether they were used for work or not, fulfill Android’s security and compatibility requirements.
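The two fields discussed above only mean something if the server consuming the attestation checks them in the right order: the signed JWS must be verified first, then the nonce and timestamp (otherwise a result from some other, healthy device can be replayed), and only then do basicIntegrity and ctsProfileMatch get interpreted. The code below is an added example, not Duo’s or Google’s code: it builds a constructed, unsigned JWS with the real payload field names and walks it through that ordering. The signature and x5c-chain verification (the leaf certificate must be issued to attest.android.com) is assumed to have been done by the caller and is represented only by the signature_verified flag; the nonce, timestamp and package name values are constructed.

```python
"""Server-side evaluation of a SafetyNet Attestation response.

Added illustration; the JWS below is a constructed stand-in with the field
names of the real payload (nonce, timestampMs, ctsProfileMatch, basicIntegrity,
apkPackageName) but no genuine signature or certificate chain. Verifying the
JWS signature and its x5c chain happens before this code runs and is
represented here only by the `signature_verified` flag. Not Google's or Duo's code.
"""
import base64
import json


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_jws(payload):
    """Build a JWS-shaped token for the example; a real one is signed by Google."""
    header = b64url_encode(json.dumps({"alg": "RS256", "x5c": ["<omitted>"]}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return ".".join([header, body, b64url_encode(b"constructed-signature")])


def decode_payload(jws):
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def assess_device(jws, expected_nonce, now_ms, signature_verified, max_age_ms=60_000):
    """Map an attestation to a verdict: trusted, uncertified, tampered or invalid.

    Order matters: a payload whose nonce does not match, or which is stale, must
    never be interpreted, because it could be a replay of another device's result."""
    if not signature_verified:
        return "invalid: signature not verified"
    p = decode_payload(jws)
    if p.get("nonce") != expected_nonce:
        return "invalid: nonce mismatch"
    if now_ms - int(p.get("timestampMs", 0)) > max_age_ms:
        return "invalid: stale attestation"
    if not p.get("basicIntegrity", False):
        return "tampered"            # device has likely been tampered with
    if not p.get("ctsProfileMatch", False):
        return "uncertified"         # intact, but not a CTS-certified profile
    return "trusted"


# Constructed samples: the nonce is whatever the server handed the app earlier.
NOW_MS = 1_490_000_000_000
NONCE = b64url_encode(b"session-12345")


def _sample(**overrides):
    payload = {"nonce": NONCE, "timestampMs": NOW_MS - 1_000,
               "apkPackageName": "com.example.app",
               "ctsProfileMatch": True, "basicIntegrity": True}
    payload.update(overrides)
    return make_sample_jws(payload)


SAMPLES = {
    "certified": _sample(),
    "uncertified_profile": _sample(ctsProfileMatch=False),
    "tampered_device": _sample(ctsProfileMatch=False, basicIntegrity=False),
    "replayed": _sample(nonce=b64url_encode(b"someone-elses-nonce")),
    "stale": _sample(timestampMs=NOW_MS - 600_000),
}


def run_samples():
    return {name: assess_device(jws, NONCE, NOW_MS, signature_verified=True)
            for name, jws in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The three-way split (trusted / uncertified / tampered) is what lets a policy treat a custom-ROM device that is otherwise intact differently from one that fails basic integrity, which is exactly the distinction the basicIntegrity field was added to make.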

Patching Again; Yes, Patching

While the Android security bulletins began in 2015, 2016 was the first full year of their monthly patches. Google mentions in their report that “over half of the top 50 devices worldwide had a recent security patch.” That number is pretty impressive when you consider the fact that devices that aren’t part of the Nexus or Pixel family are at the mercy of their OEM or carrier as to when (or if) they would receive these updates.

Even though we’ve previously written about the importance of applying these security patches, the Duo Labs team took another look at our endpoint data to see how Android users were doing as of the end of February 2017. When we analyzed the rates at which users applied the monthly security updates for the top 50 models in our dataset, we found that only 35.9% of devices were on one of the patches that had been released in 2017, which means that most Android devices are vulnerable to some, if not all, of the 38 critical CVEs that have been patched this year.

[Figure: Android Security Patch]

So that’s the state of affairs as it relates to patches released in 2017, but let’s see how things look for the patches associated with QuadRooter. For those who may not be familiar with QuadRooter, it was a set of vulnerabilities that could be leveraged to perform privilege escalation on Android devices built using a Qualcomm chipset if a user installed a malicious app and didn’t have Verify Apps turned on.

The thing to note here is not the set of vulnerabilities or its potential impact, but that the last patch for these vulnerabilities was released back in September. When analyzing the data associated with the affected devices, we found that 39.8% of them had not applied the aforementioned update.

With a sizable number of devices still susceptible to attacks associated with vulnerabilities that were patched five months ago, it is apparent that we still have a lot of work to do when it comes to relaying the importance of these monthly updates. While the numbers above might not look that great, it’s not all gloom and doom. It appears 96.2% of Android devices are on an OS version, or could upgrade to an OS version, that would allow them to receive the monthly security patches.

Screen Locks

In the category of on-device protections, Google also improved Smart Lock in 2016. In their Year in Review, they stated, “Devices running Android 7.0 and above prompt users to set a lock screen and enable Smart Lock’s on-body detection to remove the friction of entering a PIN or password.” With lock screens being the first line of defense to attackers who have access to the phone, advancements in this area that are more user-centric are a welcome sight.

While those opinions are purely qualitative, Google reported that 48.9% of devices enabled a secure screen lock; the numbers that we have in our dataset are a good deal higher with 70.7% of Android devices having a screen lock enabled. A potential reason for that difference is because devices in our dataset are more likely to be subject to some type of policy which makes users enable a screen lock on their devices. Nevertheless, that 70.7% stands as a 5% increase over the numbers we saw around this time last year.

[Figure: Android - Percent Locked]

So, there’s a substantial difference when we compare Android devices used for work and Android devices in general as it relates to having a secure screen lock, but things get even more interesting when we make comparisons across platforms. When looking at our endpoint data and specifically iOS devices, we found that 99% of devices were using a passcode. That’s a pretty huge number; however, the aforementioned figures only describe the what and not the why.

One hypothesis is that Touch ID plays a role. Out of the box, iOS users on newer hardware are guided through setting up Touch ID, which requires a screen lock to be configured. In our dataset, we see that 91% of iOS devices support Touch ID and 86% of those devices have configured it. Those numbers are a bit lower when it comes to Android with 71% of devices supporting fingerprint unlock and 65% of them having it configured.

[Figure: Percent of Android and iOS Devices Locked]

The Wrap-Up

First, we think it’s great that Google has released this report and hope that they continue to publish data like this in the future. Second, our analysis above shows that there are substantial differences in the areas that we covered as it relates to the devices in our dataset and Google’s. While these differences can be partially explained by the reasons we outline in their respective sections, another reason is because our dataset focuses on a particular subset of devices used for work and predominantly by individuals in North America and Western Europe.

Last, we believe that Google continues to create and improve the security mechanisms on the device to protect their users. And while creating these features is half the battle, the next step (and potentially harder challenge) is getting users to adopt them.

Duo Signs Letter to Support Internet of Things (IoT) Security Policy
https://duo.com/blog/duo-signs-letter-to-support-internet-of-things-iot-security-policy
Thu, 16 Mar 2017 09:00:00 -0400

Today, Duo signed a joint letter with Rapid7, the Electronic Frontier Foundation, the Center for Democracy & Technology, the Global Cyber Alliance and Bugcrowd, along with many other companies and individual security researchers, in response to the Department of Commerce’s Green Paper, Fostering the Advancement of the Internet of Things (PDF), to support cybersecurity policy in the Internet of Things (IoT) industry.

The Green Paper is important because it will set the general policy agenda and priorities for the Dept. of Commerce on IoT, and the letter we jointly signed is our response to the department’s request for public comment. The main intent of the letter is to ask the Dept. of Commerce to highlight the benefits of actively encouraging IoT providers and operators to develop and implement vulnerability disclosure and handling processes.

Gartner forecasts that 8.4 billion connected things will be in use worldwide in 2017. That’s a 31 percent increase from last year, and the research and advisory firm predicts that number will reach 20.4 billion by 2020. Additionally, Gartner predicts that IoT services are on pace to reach $273 billion in 2017. The demand is growing, the market is growing, which also means the security risks are increasing.

The two main considerations requested in the letter are:

The Green Paper should more clearly explain the benefits of adopting vulnerability disclosure and handling processes to both the IoT device manufacturers as well as the software providers who build the ecosystem within which those devices operate.

IoT security strategies should include vulnerability disclosure and handling processes. Due to the quantity and complexity of connected devices, alongside the realization that there is no such thing as perfect security, it can be difficult for many IoT providers to catch all vulnerabilities prior to their release to market.

That’s why it’s important for IoT tech providers to establish a vulnerability disclosure and handling process in advance of the discovery of any issues in order to help quickly address vulnerabilities when they are disclosed to them by external sources.

Having a clear process in place can also help protect security researchers, giving them a way to communicate their vulnerability findings while reducing the risk of conflict or misunderstanding.

The Green Paper should also contain a commitment that the Dept. of Commerce will continue to work with industry, government and other stakeholders to promote the voluntary adoption of vulnerability disclosure and handling processes by the IoT industry.

The letter also notes that promoting the voluntary adoption of vulnerability disclosure and handling processes is not a discrete task, but an ongoing endeavor. As such, we are recommending that the Dept. of Commerce explicitly commit to working with the IoT industry and the associated stakeholders in an ongoing manner to ensure effective implementation of the guidelines.

We are proud to be able to contribute to this important conversation, and you can view the letter we sent here: Joint Comments on "Fostering the Advancement of the Internet of Things" (PDF)

Wise Words from Women in Tech at Duo Security
https://duo.com/blog/wise-words-from-women-in-tech-at-duo-security
Wed, 15 Mar 2017 09:00:00 -0400

At Duo, there are some truly remarkable human beings working on our Security, Engineering, Product, Legal, Marketing, Sales, you-name-it teams, many of whom happen to be women.

In honor of Women’s History Month, here are the wise words of a few making history at Duo:


Jennifer Lawrence, VP Inside Sales - Americas


What advice do you have for other women in tech?
Advice I have for anyone coming up in their careers:

  1. Jump in before you believe you are ready.
  2. Remember to say thank you. It goes a long way.
  3. Assume positive intent.
  4. The doers are some of the most important people in an org. Thank them and invest in them.
  5. Care about the people around you. It isn't just about the numbers. Treat people like humans and you may be surprised what you get back.
  6. Always hustle.

What has your experience been like at Duo, compared to other companies?
I have worked for companies that led by fear and intimidation. QBRs would be in front of 150 managers and the goal was to Stump the Seller vs. collaborate and move people forward. They looked for mistakes in your PowerPoint to focus on.

I came to Duo for three reasons: Cutting edge tech, customer evangelists and a culture of collaboration.

It was a bit of a leap of faith to trust the collaboration part - you don't really know until you are in it. I never understood how much life would change if I took a risk and jumped into something that I loved. I had all different types of people from my parents to neighbors to friends who told me - You look different - you look relaxed and happy, after starting at Duo.

I walk into Duo every day with a smile and leave with a smile. I never thought it could be like this - a team who drives towards results, yet, are always helping each other. I have never seen anything like it. I call them Hunter Helpers.

We encourage each other and we support one another. This is what makes it so unbelievably rewarding. Duo is such a special place.


Lulu Tang, Product Designer


What advice do you have for other women in tech?
An easy tip for being bolder and taking action is to change your requests from:

--> "Would it be possible if you could ..." "Maybe if we ... that would be great." etc.


--> "Let's do [Action]."

If people have questions or concerns, they can still voice them. Phrasing the request in a statement like this automatically assigns you as the point of contact (giving you more leverage), presents a concrete decision, and still sounds amicable.

It's a really small change, but has made me feel more confident in my decisions and also helped move along discussion much faster!


Wendy Nather, Principal Security Strategist


What advice would you give yourself, years ago?
"It's going to be all right." When I started in this field [information security], we were all figuring it out as we went along (and I'd argue that we still are, big time). I took chances on opportunities in very different roles and environments, and I'm glad I did all of them. As women, we can sometimes question ourselves too much when we need to be bold and jump. When we're comfortable with uncertainty, we come across as confident. It's okay not to know what you're doing. It's called "learning," and everyone should try it. :-)

The only thing I can recommend [to other women in tech] is "find you a place where you don't feel like a unicorn."

I can only hope that more companies will be like Duo, where being a woman is unremarkable because there are so many of us.

I want to concentrate on my work in security; I don't want to waste cycles Being Female, because it's distracting and it's tiring.


Kendra Mitchell, Assistant General Counsel


What advice would you give yourself, years ago?
Be confident in your voice and your perspective. Imposter syndrome is very real and can be heightened when you’re sitting in a room with men who may speak more loudly and forcefully than you do.

But do try to remember: the loudest voice in the room is not necessarily the most informed voice.

Also, I’d say, give yourself the space to take on new challenges, be uncomfortable, dream big - and fail. Don’t internalize failure, instead view it as a byproduct of growth and ambition. Research suggests that women have been socialized to be less risk averse. So, this is not a trivial obstacle to overcome. Still, give yourself the permission to, say, take on daunting projects, learn new skills ... maybe even consider a different career! If you have yet to experience failure, you have yet to learn how to do life right!

What has your experience been like at Duo, compared to other companies?
Certainly worlds apart from a law firm, where being both young and a woman can be negative assets. And similar to the tech company I was at previously, wherein people are given opportunities to challenge themselves and succeed - regardless of their age and gender (or race).

Kimi Heskett, Senior Manager, Marketing Operations


What advice would you give yourself, years ago?
There's no path to follow, no rule book, no right way to get "there" -- there is only your own way. Don't be afraid to work hard, don't be afraid to put things before work when it matters to you and don't be afraid to be yourself.

What has your experience been like at Duo, compared to other companies?

Working at Duo Security has let me feel safe to make bold decisions, do my best work and quiet that voice questioning my decisions.

I hope all women, and men, have the chance to work at an inclusive and inspiring company such as Duo.

<![CDATA[BeyondCorp: If You Liked It, You Should Have Put a Cert On It]]> https://duo.com/blog/beyondcorp-if-you-liked-it-you-should-have-put-a-cert-on-it https://duo.com/blog/beyondcorp-if-you-liked-it-you-should-have-put-a-cert-on-it Tue, 14 Mar 2017 00:00:00 -0400

In our first blog post introducing the BeyondCorp concept, we discussed what organizations should think about when trying it for themselves. The steps may not happen in sequential order, but they are generally:

In this post, we’ll talk about marking trusted devices with certificates.

What Does “Trusted” Mean?

Only you can decide that. It used to be that if a user provided the correct login name and password, it proved that the right person was at the keyboard — and we all know how well that worked out. We ran into the same problem with devices: because it was on the corporate network, we assumed it was supposed to be there, and it got access to anything it asked for. Both of these “tests” failed for a number of reasons:

  • Stolen passwords
  • Spoofed network addresses
  • Compromised endpoints
  • The ability to spread out laterally to other vulnerable systems

Now, the path to trust needs more checkpoints, such as authentication factors and conditions placed on the device. One of these conditions can be whether it’s a managed, corporate-owned endpoint.

Why “Managed”?

A managed endpoint is presumably owned by the enterprise, or at least known: it may be tracked as part of an inventory, enrolled in a configuration and patch management program, and monitored for security events. For this reason, you may choose to trust it more than you would trust an unmanaged, personal device.

Many organizations have the policy that only the endpoints they own and assign to staff can be used to access business data. However, this policy can be difficult to enforce, especially if there’s no way to check. There are a few different ways to try:

  • Virtual private network (VPN) software - if the endpoint has the VPN client installed, it’s assumed to be an approved and managed asset, so whoever is using it will be allowed to access the internal network from the outside (say, at home, or from a hotel or coffee shop). SSL VPN software doesn’t require an installed client, so it provides more convenience for the user, but it also removes that implicit enforcement.
  • Network access control (NAC) software - with common port-based NAC, if the endpoint has an 802.1X certificate installed, it’s assumed to be an approved and managed asset, so whoever is using it will be allowed to connect to the internal network from inside the building.
  • Mobile device management (MDM) software - enrolling mobile devices into this system allows you to enforce configuration policies by installing an agent.

In each of these cases, you’ve marked the endpoint as trusted by installing something on it (or given it a second factor, “something it has”). However, many of these systems are complex and take months to set up. Digital certificates are lightweight and relatively easy to deploy, but they require a public key infrastructure (PKI) to be set up and maintained, which can end up being too onerous for some organizations. (Duo makes this part easier by creating the device certificates for you.)

What else could this marking mean for a “trusted endpoint”? It could also be applied to endpoints that don’t belong to the organization but that have been vetted (for example, a consultant’s laptop that has been scanned). The important point is that you’ve seen the device before and expect to grant it access, as opposed to endpoints you’ve never seen before that are trying to reach your applications and may be under an attacker’s control. Either way, the marking can be used to control which devices can access your business data.

All the Single Endpoints

In Google’s BeyondCorp framework, certificates offer a way to identify the device as managed. In Duo Beyond, we take it a step further by including device and user data in the certificate, tying them together so that neither one’s credentials can be leveraged alone. You can set policies so that users must use known and approved endpoints to access the most critical data and applications (for example, privileged users must use a corporate-owned device). Likewise, even if a user loses credentials to an attacker, the attacker still needs to use a valid endpoint belonging to that user to get into an application.
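The user/device binding described above, as an added example that is not Duo’s or Google’s code: a throwaway CA issues a certificate naming both the managed device (CommonName) and its owner (email SAN), and the policy check requires a completed login plus a chain-validated certificate issued to that same user, so a stolen password on someone else’s device is refused. The CA name, device IDs and user addresses are constructed for the example; how Duo Beyond actually encodes user and device data in its certificates is not described on the page and is not assumed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrNoDeviceCert = errors.New("no device certificate presented")
var ErrUserDeviceMismatch = errors.New("device certificate was not issued to this user")

func randomSerial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err) // rand.Reader failing is not recoverable here
	}
	return s
}

// NewCA creates a throwaway self-signed root standing in for the organization's internal device CA.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: "Example Device CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert binds a managed device (CommonName = device ID) to its owning user (email SAN).
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID, user string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   randomSerial(),
		Subject:        pkix.Name{CommonName: deviceID},
		EmailAddresses: []string{user},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AuthorizeAccess is the policy decision after login (and MFA): the endpoint must present a cert
// that chains to the device CA (so it is a managed device) and that was issued to this same user.
func AuthorizeAccess(authenticatedUser string, presented *x509.Certificate, roots *x509.CertPool) error {
	if presented == nil {
		return ErrNoDeviceCert
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("untrusted device certificate: %w", err) // e.g. issued by some other CA
	}
	for _, email := range presented.EmailAddresses {
		if email == authenticatedUser {
			return nil
		}
	}
	return ErrUserDeviceMismatch // right password, wrong device: stolen credentials alone are not enough
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	alice, _ := IssueDeviceCert(ca, caKey, "laptop-0042", "alice@example.com") // constructed sample identities
	bob, _ := IssueDeviceCert(ca, caKey, "laptop-0077", "bob@example.com")
	fmt.Println("alice on her own device:       ", AuthorizeAccess("alice@example.com", alice, roots))
	fmt.Println("alice's password, bob's device:", AuthorizeAccess("alice@example.com", bob, roots))
}
```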

What do you do now that you’ve marked your endpoints? Why, you manage the access of their users. We’ll discuss access policies in the next blog installment.

<![CDATA[Why Did I Join Duo? Three Big Reasons]]> https://duo.com/blog/why-did-i-join-duo-three-big-reasons https://duo.com/blog/why-did-i-join-duo-three-big-reasons Thu, 09 Mar 2017 09:00:00 -0500

Inquiring minds want to know, what brought me to Duo? Sure, a solid product was one aspect of the equation (which Duo nailed!), but company culture was the key differentiator. Freshly minted with an Executive MBA from UC Berkeley (Haas School of Business), which supported my personal values of intellectual growth, ethical leadership, confidence without attitude and questioning the status quo, I knew that I wanted to be part of an organization where those were mirrored in the culture.

As part of the journey to find my career North Star, I had the opportunity to meet Duo’s leadership team. They spoke about the tenets of their culture consisting of engineering the business, learning together and being kinder than necessary. Honestly, I was a little skeptical. Did Jono use his Professor X power and read my mind? After more research and meeting with other members of the team, I felt it was the right move for me.

Was it all smoke and mirrors? I’ve been here for a month and quickly realized why Duo is so awesome: the people and culture. Everyone I’ve met radiates the company ideology.

Engineering the Business: There are beautiful opportunities each day for me to make the business better. I am self-empowered and given the freedom to question the status quo. In the immortal words of Vanilla Ice, “If there was a problem, yo, I’ll solve it.” Everyone at Duo thinks this way. It cultivates innovation and transforms ideas.

Learning Together: From the top down, the level of transparency within Duo is liberating. The emphasis on, “the team, the team, the team” is found in all venues (even at department-level kickoffs and offsites). Each person takes it upon themselves to be open and collaborative. There’s a wonderful sense of community. Additionally, there’s an overarching openness to the pursuit of personal and intellectual growth.

Being Kinder than Necessary: One of the first emails I got from Dug really cemented this. He wrote, “We must act with empathy and integrity every day.” As someone who chooses love over hate, this message was inspiring, especially in the current times. Each day I work with people who go beyond themselves. These are selfless acts that truly demonstrate why Duo is the most loved security company.

I’ve only scratched the surface and I’m already very thankful to be part of this team. I’m excited to write my next life chapter here at Duo and look forward to helping build more democratized security platforms.

<![CDATA[Honoring Women in Information Security]]> https://duo.com/blog/honoring-women-in-information-security https://duo.com/blog/honoring-women-in-information-security Wed, 08 Mar 2017 09:00:00 -0500

Women make up just 10 percent of the information security workforce, according to an (ISC)² study. But with one million infosec job openings in 2016, there are still over 200,000 jobs unfilled in the U.S., according to a Peninsula Press analysis of numbers from the Bureau of Labor Statistics.

With no shortage of jobs, closing the gap includes raising awareness and changing the cultural mindset that has led to a major gender disparity. For the past three years, starting in 2015, Duo has recognized the contributions women have made to the information security (infosec) industry, to inspire a new generation to transform it.

To help raise awareness and honor those pushing ahead in the field, Duo’s Women in Security Awards have been awarded to two winners in the industry and academia. They have demonstrated:

  • Significant contributions to the fields of information security and privacy
  • Exceptional knowledge, leadership, and professionalism in technical, academic, or commercial domains
  • Community involvement in the security industry beyond day-to-day employment
  • Sharing knowledge, providing mentorship, and encouraging the empowerment and success of women in the security industry and related causes

Visit our Women in Security page to find out more about the annual awards, who the judges are, and the prizes - and to start thinking ahead for 2018 about who you’d like to nominate!

Duo’s 2017 Women in Security Award Winners

Whitney Merrill

We awarded our Industry Award to Whitney Merrill, an attorney at the Federal Trade Commission. She received her master’s degree in Computer Science from the University of Illinois at Urbana-Champaign, where she explored issues associated with the intersection of technology, information security, privacy, and the law.

During her time at UIUC, she was an Illinois Cyber Security Scholar and member of the Illinois Security Lab. Whitney also runs the Crypto & Privacy Village, which appears at DEF CON & other conferences each year.

Here is her story:

Thu: How did you get into the information security industry?

Whitney: In short, it was a series of serendipitous events. Computers and technology have always played a large role in my life, and I attended law school to focus on the intersection of law and technology. But my focus in information security and privacy started after I attended DEF CON for the first time as a legal intern at the Electronic Frontier Foundation. I connected with the hacker and information security community and began to invest my time and energy in learning about the legal issues that affected them. Ultimately this led to the pursuit of my master's in computer science and the foundation of the Crypto & Privacy Village.

Thu: What drew you to it? What made you keep going?

Whitney: I identify with many of the skills valued in the community: I have a desire to understand how things work (mechanical things, technical things, and the law), love puzzles, and enjoy solving complex problems. The industry is really still in its infancy, and there are still significant legal, technical, societal, and policy challenges that need to be solved (but perhaps there always will be). I continue to participate in and give back to the industry because it is rewarding.

Thu: Do you have any role models? Who and why?

Whitney: I admire individuals who take on some of the most difficult challenges in security, such as building secure systems and training regular users/consumers.

Thu: Describe an achievement you were especially proud of, and why.

Whitney: I've taken an unusual career path. In undergrad, I was a public policy major and only took a handful of computer science classes. When I was accepted into the NSF's CyberCorps program in law school and offered the opportunity to pursue a CS degree, I needed to take the necessary prerequisites to apply to the master's CS program at the University of Illinois at Urbana-Champaign. Determined to take on the challenge, I enrolled as a full-time undergraduate CS student, taking a total of 29 credits during my last semester of law school. This achievement was a pivotal and defining point in my career. I learned what I was capable of achieving if I seized opportunities, fed my curiosity, and worked really hard.

Thu: Have you faced any difficulty or obstacles in the field? Describe.

Whitney: Most organizations (including the U.S. Government) have not optimized for a cross-disciplined approach to law and security issues, so much of my struggle has been trying to figure out what that path looks like.

Thu: What are your goals going forward in the security industry?

Whitney: I'd like to continue to promote diversity within the industry. I also strive to facilitate better communication between communities addressing security issues (legal, hacker, government, academic). It's telling that some say 'cyber' while others laugh at the term.

Thu: What are a few things you would like to change the most about the infosec industry, or culture?

Whitney: I encourage the industry to be more empathetic. I'm also worried about the effect schadenfreude and rockstar worship has on the industry.

Katelyn Coberley

We awarded our Academic Award to Katelyn Coberley, a recent Eastern Michigan University (EMU) graduate. Katelyn's pursuit of her B.S. in Information Assurance at EMU sparked a passion for cybersecurity and encouraging involvement in the field.

Throughout her time at Eastern, she co-founded a Women in IA student group and led multiple sessions of the Digital Divas program for hundreds of young high school and middle school girls exploring STEM careers. She graduated magna cum laude in December 2016.

Here is her story:

Thu: How did you get into the information security industry?

Katelyn: I dual-enrolled in an Intro to Information Assurance college course on Saturdays during my senior year of high school. That was my first exposure to information security as a whole, and was a nice bookend to the computer information services course I took at a local technical center during the rest of the week. The course was taught through Eastern Michigan University, where I ended up going to pursue Information Assurance studies as a major.

Thu: What drew you to it? What made you keep going?

Katelyn: I'll admit, what initially drew me to information security was the cool factor. My pre-college days were spent searching for a topic I would never get tired of, something that would keep my curiosity bug fed daily. Information security definitely hit that mark. It's the perfect combination of a necessary component (security) and a constantly shifting field (technology). I was hooked! As someone who often stays up until 2 a.m. on Wikipedia binges, finding this field ensured I would never be bored.

Curiosity drew me into cybersecurity, but there were two main reasons I stayed with it. One of those reasons was the great community of infosec nerds I found at EMU. My peers and favorite teachers encouraged and challenged me. I thrived in that type of environment.

The second reason I stuck with information security was I felt there needed to be more women in the field. I wanted there to be more girls in my classes, in the meetings I went to outside of college... and I still feel that way. The best way I learned to initiate change was to be part of it, so I continued to get out there and pull along as many pals as possible.

That was how my good friend Jessica and I started Women in IA at EMU! We saw a potential to grow the number of girls in our classes and jumped on the opportunity. Another way we've been encouraging diversity in infosec is through initiatives like Digital Divas, reaching out to younger girls to spark their interest early and often.

Thu: Do you have any role models? Who and why?

Katelyn: I aspire to be the level of infosec awesome like some of the folks I follow on Twitter (@mzbat, @level2three, @infosecsherpa, @infosystir, @malwareunicorn, @hacks4pancakes).

Thu: Describe an achievement you were especially proud of, and why.

Katelyn: I'm pretty proud of this one! To me, this award shows that the people in my time at EMU saw what I was doing was worthwhile. I hope it means they'll continue my efforts to encourage girls in infosec, at all levels.

Thu: Have you faced any difficulty or obstacles in the field? Describe.

Katelyn: The early days found me struggling with a lot of imposter syndrome, feeling like I didn't belong. My childhood did not feature computers or a fast internet connection. I grew up reading books, not figuring out ways to get around my school's Wi-Fi proxies. I didn't see a lot of other girls in my college classes, and out-of-class meetings were usually at night and didn't welcome newcomers.

It took a lot of Googling acronyms and late-night research binges to get to the point where I felt my lack of knowledge wasn't working against me. I started talking more to people about infosec, even people outside the field.

In the Women in IA group, we're trying to initiate a change in gendered language in the program and to make infosec a welcoming space. No one should have to feel like a stranger in our field.

Thu: What are your goals going forward in the security industry?

Katelyn: I want to keep learning. I'd like to do more research and present at conferences.

Thu: What are a few things you would like to change the most about the infosec industry, or culture?

Katelyn: There's not a great space for responsible disclosure of vulnerabilities. There seem to be more examples of this with each passing day, and no real "best practices" guide followed.

It'd be neat to see a "white net" developed for security researchers to share critical vulnerabilities: a sort of grey area, post-disclosure to a company, that would be a step between releasing on the public internet and waiting for the company to publish a patch/fix. I'm sure such a space would be useful. I believe that not everyone who discloses vulnerabilities on Twitter is doing it for l33t hacker points.

See our past award winners and learn more about Duo’s Women in Security Awards.

<![CDATA[Federal Contractors Must Meet Cybersecurity Compliance by Dec. 31, 2017]]> https://duo.com/blog/federal-contractors-must-meet-cybersecurity-compliance-by-dec-31-2017 https://duo.com/blog/federal-contractors-must-meet-cybersecurity-compliance-by-dec-31-2017 Tue, 07 Mar 2017 09:00:00 -0500

In October 2016, the Department of Defense (DoD) issued a final rule to clarify the Defense Federal Acquisition Regulation Supplement (DFARS) that requires contractors to implement information security guidelines as soon as practical and no later than December 31, 2017.

These requirements ensure the protection of controlled unclassified information (CUI), affecting any managed service provider with a federal contract.

Who’s in Scope?

That means businesses contracting with the Department of Defense (DoD) and federal civilian executive branch agencies must implement the National Institute of Standards and Technology (NIST) SP 800-171 security requirements. That includes:

  • Service providers that process, store and transmit federal data on their systems, such as cloud service providers (CSPs)
  • Credit card & other financial services providers; web and email service providers
  • Background check companies for security clearances
  • Cloud and data hosting providers
  • Contractors that develop communications, satellite and weapons systems

And many others not listed here.

Security Standards for Federal Contractors

The specific clause, DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), requires contractors to meet the security requirements listed in NIST SP 800-171 (unless the DoD CIO has determined that one or more security requirements are not applicable, or that an alternative, equally effective security measure may be implemented in their place).

Contractors can outsource these requirements and/or use subcontractors, but they’re held responsible for ensuring their IT vendors also meet adequate cybersecurity standards, according to the Office of Small Business Programs of the DoD.

Here are a few notable security controls outlined in the NIST SP 800-171:

Access Control

3.1.5 - Employ the principle of least privilege, including for specific security functions and privileged accounts.

The principle of least privilege means giving employees access only to what they need in order to do their jobs; this shrinks your attack surface and the scope of risk. If one set of user credentials is compromised, the attacker cannot reach your entire network or all of your critical applications, only the few applications that account was permitted to use.

3.1.14 - Route remote access via managed access control points.

For users connecting to your applications and network remotely, give them controlled, managed access. Gain application-level access control and segmentation by using Duo’s secure single sign-on (SSO).

By logging into a web portal, your users can securely access only certain on-premises and cloud applications, without connecting to a virtual private network (VPN) or installing remote access software on their device.

Audit and Accountability

3.3.1 Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.

Track user activity and get fraud alerts with Duo’s detailed security logs. Authentication logs record the username, location, time, type of authentication factor and more, letting you establish a baseline of normal user behavior so you can identify anomalies. Administrator logs let you track administrator activity, so you can identify major admin changes and any suspicious activity, giving you data you can use in an investigation.

Duo’s administrative APIs also allow you to easily export this data into security information and event management (SIEM) tools like Splunk for better tracking and monitoring.

With Duo’s Device Insight, you can collect detailed information about your devices without using an agent, which means you get insight into every device logging into your applications, not just the ones you’re tracking with an agent. This gives you more complete audit records of both company-issued and personal devices on your network.

Identification and Authentication

3.5.3 Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

NIST defines multi-factor authentication (MFA) as using two or more different factors to achieve authentication - something you know (password, PIN); something you have (smartphone app or hard token); and/or something you are (biometric like a fingerprint or retina scan).

Note - this requirement shouldn’t be interpreted as requiring Personal Identity Verification (PIV) cards or Department of Defense Common Access Card (CAC) solutions. Duo provides a multi-factor authentication (MFA) solution delivered via an authentication app on your smartphone, as well as a variety of other methods.

Requirement 3.7.5 also calls for multi-factor authentication to establish nonlocal maintenance sessions via external network connections, and for terminating such connections when nonlocal maintenance is complete. Duo’s MFA has native integrations with VPN and remote access gateways such as CA SiteMinder, Oracle Access Manager, Juniper, Cisco, Palo Alto Networks, F5, Citrix and more.

Department of Defense (DoD) Issues Cybersecurity Directive

In addition, the DoD issued a Directive-Type Memorandum (DTM) 17-001 on Cybersecurity in the Defense Acquisition System.

The memorandum’s stated policy is to “ensure cybersecurity is fully considered and implemented across acquisition programs across the life cycle,” and it outlines requirements for program managers, who are held responsible for the security of their systems and information.

The DoD outlined several risk areas to address:

  • Government Program Organization - Poor cybersecurity practices, untrained personnel, malicious insiders, inadequate network security, and incorrect classification of information can be leveraged by attackers to gain information system knowledge.
  • Software and Hardware - Weaknesses or flaws in systems and software can be used to compromise systems.
  • System Interfaces - Poorly configured or unprotected network and system interfaces can be used to gain system access or deliver malware.
  • Update and Manage Software - Plan for and implement software configuration updates to include software patch management to mitigate newly discovered vulnerabilities. Duo’s Device Insight can help identify out-of-date devices when they access your applications, while Endpoint Remediation and Self-Remediation features allow you to block risky devices and notify your users to update.

These are just a few of the key activities they require program managers to do in order to mitigate cybersecurity risks:

  • Identify all unclassified covered defense information (CDI), and assess the impact of the exposure of unclassified information on unclassified networks.
  • Promote a strong culture of cybersecurity awareness and behavior in program offices and among contractors. One way to increase awareness is by launching internal phishing campaign simulations to identify risky users and behavior.
  • Encourage contractor and industry participation in public-private information sharing activities.

See Covington & Burling’s resource, Department of Defense Issues Final Rule - Network Penetration Reporting and Contracting for Cloud Services (PDF), for more information.

<![CDATA[Dissecting Duo’s Data on iOS 10 Adoption]]> https://duo.com/blog/dissecting-duos-data-on-ios-10-adoption https://duo.com/blog/dissecting-duos-data-on-ios-10-adoption Mon, 06 Mar 2017 00:00:00 -0500

Several months after the release of iOS 9, Duo Labs used our exclusive collection of endpoint data to release an analysis of devices that continued to use outdated software. We’re revisiting that analysis here to learn whether the iOS 10 rollout continued to show the same patterns.

Why Do iOS Upgrades Matter?

Unpatched devices are vulnerable devices.


In contrast to its desktop operating system, Apple generally does not continue to support old versions of iOS with security patches after a new version has been released. That means users who choose not to upgrade to a new version are not just opting out of new features and user experience changes; they are also opting to continue running vulnerable software.

Adoption of iOS 10

According to Apple, 79% of iPhone users are now on iOS 10 as of February 20, 2017. iOS 10 offered numerous improvements including:

  • A revamped Apple Music user experience
  • Siri integration with third party apps
  • Improvements to Apple Maps
  • The ability to delete default apps
  • Widgets on the lock screen

By all accounts, users should have been motivated to take advantage of this free upgrade. But despite the relative ease of doing so, users delayed applying updates as they became available. This matches the behavior we have seen with past releases. As with the release of iOS 9, we found that 85% of users had not upgraded within 7 days of release. At 90 days after release, a third were still running outdated software.

[Figure: iOS 10 Adoption]

Factors Driving Adoption

One might think that, despite controversy about elimination of the headphone jack, purchases of new iPhone 7 hardware would be a major factor in the prevalence of iOS 10. Apple ships new phones with the latest operating system preinstalled. However, Duo’s data does not bear this out.

At 10 days after release, the iPhone 7 accounted for barely 1% of iOS devices using Duo’s services and this rose steadily to just over 10% in the first 90 days of availability. So purchases of new hardware account for only a small portion of up-to-date device software.

[Figure: iPhone 7]

On the other end of the spectrum, we have users who could not upgrade to the most recent operating system even if they wanted to. We found that 90 days after the release of the iPhone 7, about 6% of iOS devices in use were too old to receive updates, including security fixes, from Apple.

[Figure: Unsupported iOS Devices]

With 10% of phones shipped with the latest operating system and another 6% unable to upgrade, we’re left with about 84% of users who have a choice about whether or not to upgrade. Nearly a third of these users choose not to do so. We might hope that end users are simply cautious about major software updates and would react differently toward an update focused on security fixes rather than new features.

Sadly, the opposite is true. On October 24, 2016, Apple released iOS 10.1 containing security patches as well as fixes to numerous non-security bugs. Users installed it at significantly lower rates in the first five days of availability than they had installed the iOS 10 release a month earlier.

[Figure: iOS 10.1 vs. 10.0 Adoption]

It seems that new features, rather than bug fixes, compel most users to upgrade.

Adoption Varies Across Industries

Some industries significantly lead others in the adoption of iOS updates. End users employed at electronics and consumer web companies are nearly twice as likely to update within 30 days as users working in the energy or federal government sectors.

[Figure: Adoption Rates by Industry]

Though we have not yet studied the underlying causes of these industry differences, we do know that some organizations actively discourage timely updates because of compatibility and stability concerns, such as those related to mobile device management. Within the 30-day window used in the figure above, these factors should matter less, so this bears further investigation.

In any case, visibility by administrators into their end users’ device state is the first step in forming a strategy to ensure that unpatched devices are not exposing your organization to unnecessary risk.

Security Recommendations

As a security professional, you know that allowing unpatched devices on your network introduces unnecessary risk of compromise. Company-issued laptops are usually subject to policies that keep them up to date, but with many organizations supporting BYOD policies, this is less often the case for mobile devices. So what can you do? To echo our past advice, you should:

  1. Educate your users about the importance of applying updates in a timely manner.
  2. Help users apply updates when it is convenient for them. Many users are not aware that they can schedule iOS updates to run while they are sleeping!
  3. Deploy an endpoint security solution to help ensure the security hygiene of all devices accessing your network.
  4. Limit access from untrusted endpoints to your internal network.

User Device Security Tips

<![CDATA[Building Trust in Your Security Strategy]]> https://duo.com/blog/building-trust-in-your-security-strategy https://duo.com/blog/building-trust-in-your-security-strategy Fri, 03 Mar 2017 09:00:00 -0500

One of the most common challenges we hear from the Managed Service Provider (MSP) community today is the requirement to deliver more with less. This resonates with most IT practices in general, but when it comes to the MSP model, the balance of increasing security challenges while competing on diminishing margins is more meaningful than ever before. Churn can severely impact an MSP, so there’s a constant struggle to strike the balance of ensuring a great customer experience with exceptional service and solutions, while maintaining efficient use of time and operations.

If you were to summarize this with a single word, it could best be described as trust.

Trust defines the core of what an MSP is. Businesses need to trust that their Managed Service Provider is delivering a complete package of function, service and security that works together seamlessly. Companies need to trust that their employees can work effectively, regardless of when and where, without compromising critical systems and data that are the organization’s lifeblood. MSPs have to trust that the technologies they choose are effective without being burdensome, and that their partners understand their challenges and are there to enable business outcomes, not sell products.

To an MSP, trust means lasting relationships. Trust means you’ve earned the title of advisor. Trust should define your business’s success and profitability.

Duo’s Trusted Access Story and You

There are innumerable reports showing us that the headwinds in cybersecurity are growing at an alarming rate. According to the 2016 Cost of a Data Breach Study: Global Analysis (PDF) by the Ponemon Institute, there are seven megatrends and countless stats that paint the picture of the challenges we face from a financial perspective, but this one really resonates: “The cost of lost business [as a result of a data breach] was particularly high for U.S. organizations ($3.97 million). This cost component includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.”

That’s why today, more than ever, we need to be able to deliver a story of Trusted Access. A story where only the right users, using only devices that are up to a business's security standards, can access only the right applications for their job. Businesses need to trust that the users are who they say they are, and users need to trust that they can do their work without jumping through frustrating hurdles, whether they’re at the office or on the road. Businesses need to be able to deliver an effective solution that addresses Trusted Access but doesn’t break the bank or require months of dedicated time and resources to implement.

MSPs also need to ensure that they can solve for Trusted Access in an efficient manner. You need to be able to minimize the management and maintenance of multiple solutions to accomplish one outcome. Operational efficiency is a critical component to the success of your business, so finding solutions that can do more with less is imperative. An effective solution that’s low-cost, incredibly easy to implement and significantly reduces help desk interaction sounds ideal but is unrealistic. Truly securing systems and users is painful and costly, isn't it? Not anymore.

Trusted Access in a Cloudy BYOD World

Two of the largest trends ever seen in technology are the adoption of cloud and Bring Your Own Device (BYOD). They’ve also brought with them some very challenging side effects related to IT security. The traditional network perimeter has all but vanished, and employees are increasingly leveraging personal devices to access company applications that are hosted in the cloud or only offered as a service (SaaS).

So how can a business trust not only that the user is who they say they are, but equally as important, that the device they’re using to access the data isn’t presenting a huge security risk? There are lots of options in the market, but time is money, and “easy, effective and low-cost” don’t generally fit the description of most options.

Employees require the privacy of personal devices, and the agility to work on the go. Employers want to empower productivity, but can’t sacrifice security.

It’s time to rethink strategy. It’s time to approach today’s challenges while letting go of the notion that solutions from the past will present the answer. It’s time to do more with less. This is where having a partner whose foundation is built on security in the modern era can be the difference between leading a trusted engagement from the beginning, versus scrambling to mitigate the impact of a breach after the fact. We face endless challenges in IT, but delivering Trusted Access shouldn’t be one of them.

To learn more about how Duo Security is partnering with the MSP community to address Trusted Access with an easy, effective, and low-cost solution, visit our MSP page.

Convert > To Current Swift Syntax: Updating DuoAPISwift to Swift 3
https://duo.com/blog/convert-greater-to-current-swift-syntax-updating-duoapiswift-to-swift-3
Thu, 02 Mar 2017 12:00:00 -0500

At Duo, we find ourselves increasingly utilizing the Swift programming language for internal projects and always like to offer tools to our customers to use our APIs. As a relative newbie to Swift myself, I thought converting the DuoAPISwift would be a great way for me to take on a lightweight project in Swift and learn a thing or two about the language in its latest iteration. So last week I began the task of converting our Duo Auth API client to Swift 3.

The first step for most when it comes to Swift conversion seems to be to pray; the next is to run the automatic conversion tool in Xcode. If you’re one of the lucky ones, everything may build fine and no new bugs will be introduced. Of course, this is almost never the case. We were no exception: the tool did a lot of the major legwork, but we still had to spend a bit of time getting everything working again afterwards.

One of the simpler things the auto conversion tool commonly missed was the change required to mark closure arguments as escaping. We had to go back and make sure that all of our block method parameters were correctly marked as escaping wherever the closure actually escaped. Simple enough!

The largest issue we dealt with when converting to Swift 3 was due to the changes in implicit bridging conversions. Specifically, we had a lot of implicit casts in method parameters as we passed around String/NSString types as AnyObject types. As we went through and added our explicit casts we realized just how much implicit conversion we were relying on. Our method parameters, often being AnyObject types, can sometimes be hard to understand and easily used incorrectly. It became clear through this conversion that our next version of the DuoAPISwift should address this by making our types more explicit and reducing the amount of casting.

In all, this project was a simple one that gave me a good overview of some of the new features in Swift 3. It reminded me and others how important it is to keep up to date on a language like Swift that’s changing so quickly. And it’s even more important to make sure we design APIs that are explicit and eliminate potential confusion as much as possible.

RSAC 2017: Meaningful Use or Meltdown - Is Your EHR System Secure?
https://duo.com/blog/rsac-2017-meaningful-use-or-meltdown-is-your-ehr-system-secure
Thu, 02 Mar 2017 09:00:00 -0500

A few weeks ago, I attended a talk on electronic healthcare record (EHR) system security given by Leidos’ Chief Cybersecurity Strategist Gib Sorebo at the 2017 RSA Conference.

Overall, the estimated annual costs of data breaches have totaled $6 billion in the healthcare industry, with healthcare organizations spending an average of $2.1 million to resolve the consequences of a data breach in the past two years. Gib reported that an estimated 73% of patients would choose another provider if their current one were breached, based on a healthcare data privacy and security study by the Ponemon Institute.

Security in the healthcare industry is relatively immature, as the industry moved toward adopting EHR systems to store, collect, process and share patient data in recent years, motivated by government incentives called Meaningful Use (as well as penalties for not meeting the standards). In 2016, the goals for using EHRs included improving the outcomes of data capture, sharing and advancing clinical processes.

Another goal is to facilitate care for patients across multiple providers and ensure secure sharing of patient data. As EHR incentives have started to fade away, net-new installs of EHR software have declined.

Gib recognizes the immature level of healthcare security - many security researchers have reported they’ve had trouble finding a place to report vulnerabilities in the industry. But like security in any other industry, it will take a while for it to develop.

Information Security Challenges in EHR Systems

Many EHR systems overlap with Enterprise Resource Planning (ERP) systems and other enterprise applications, causing complexity, dependencies and challenges for security.

Vendor dependency can present security challenges since EHR patching and other maintenance are typically controlled by the EHR vendor, which can make it difficult for the healthcare organization to take a more proactive role, since they must wait for their EHR vendor to act.

According to Gib, some EHR vendors like Cerner are taking a more active role in IT implementations for their customers, as they see themselves as the IT provider for organizations due to the breadth of EHR systems. EHR systems are often the focal point of a healthcare organization’s environment that other applications interact with and support.

Identity management can be more challenging in the healthcare field, as there are so many diverse users - patients, nurses, doctors, non-employees, finance, etc. - who must have different levels of access, often to very large sets of historical and current sensitive patient data, to do their jobs.

A clinician or nurse may need access to historical healthcare data in order to avoid duplicating resources - for example, calling for duplicate MRIs if a patient has already had one at a previous provider.

EHR Interoperability Problems

The typical EHR architecture includes a client - usually a thick client on desktop or in a virtual environment. Then, there’s middleware, which includes an application server and related programs; plus a database.

When there is a lack of interoperability between EHR systems and other providers, people will often use workarounds that can create security problems.

EHR Attack Vectors Diagram

According to Gib’s slide on where EHRs are vulnerable, diagramming the typical EHR system with its interfaces, the attack surface can include:

  • External and legacy systems
  • Patients and authorized users
  • Mobile devices
  • External service providers (e.g. labs)
  • Research and HIEs (health information exchange providers)
  • Government oversight and dashboards
  • Insurance companies
  • Wireless infrastructure
  • Bedside technologies (medical devices)
  • Data center security (authentication)
  • Business continuity & failover

Security Recommendations for Healthcare

Gib’s security recommendations include adopting a defense-in-depth security approach, that is, layered security. Authentication systems require a higher level of security than other systems.

He also recommends implementing network segmentation - segmenting based on use in order to monitor data as it moves through different junction points in the organization. By monitoring what type of data is transferred from medical devices to clinical operations, you can determine if that’s the correct and safe route.

Healthcare Network Segmentation

Good cyber hygiene, patching systems regularly, and log analysis are key, but log analysis only helps if you understand what those logs mean and can put them into context. Gib mentioned that visibility into every system isn’t there today, and is one area of security that needs attention.

He also recommends watching your users’ roles - don’t just use the EHR’s default roles for different users, but configure your own based on your organization’s specific needs.

In the Next Six Months…

To apply some of the best security practices, he suggests ingesting EHR log data or output from an anomaly detection tool into your SIEM (security information and event management) or other centralized log aggregation tool. Duo’s Trusted Access solution provides detailed authentication, user, administration, device and other security logs to help you monitor and track any risks.

Another recommendation is to include EHR components in regular vulnerability scans, and look into the use of anomaly detection tools to detect suspicious activity, and the feasibility of application whitelisting for EHR components.

And, where feasible, implement two-factor authentication for EHR administrative functions. Duo’s two-factor authentication solution can be integrated with healthcare applications and systems like Epic’s EHR to both protect against credential theft attacks and help meet healthcare compliance requirements for strong authentication - such as for e-prescriptions. Learn more about Duo for Healthcare.

BeyondCorp: Enrolling Users and Endpoints
https://duo.com/blog/beyondcorp-enrolling-users-and-endpoints
Wed, 01 Mar 2017 07:00:00 -0500

In our previous blog post introducing the BeyondCorp concept, we also discussed what organizations should think about when trying it for themselves. The steps may not happen in sequential order, but they are generally:

  • Enrolling your users and their endpoints
  • Marking trusted devices with certificates
  • Setting up the access proxy and its policies

In this post, we’ll talk about enrolling users and their endpoints.

What Does Enrollment Involve?

Enrollment usually involves a combination of inventory, inspection and verification. You create a list of entities to be entered into the system that you’ll use to authenticate them and grant them access (in this case, a list of authorized users and a list of endpoints they’re using). You can use bulk enrollment — that is, you can use the list to create entries for each one without your users having to do anything — or you can use self-enrollment, where the users make contact and supply shared data so that you can recognize them.

Inventory: What corporate-owned or managed endpoints do you have, and who are the authorized users? What other endpoints are you going to allow?

Inspection: Does it conform with our security requirements? (Note: enrollment isn’t the only time you’ll inspect the endpoint; it should happen automatically with every access decision.)

Verification: Is this the known user who is presenting the endpoint for enrollment? Is this the same endpoint that we have in our inventory?


Start with what you know you have. Regardless of whether you pre-enroll the devices you know about or whether you let users enroll them individually, the process needs to have controls in place so that you have visibility over which assets you expect to see. Starting with a basic list of hardware tags (or phone numbers) and assigned users will let you recognize corporate systems as opposed to personal ones. For best coverage, plan to start with bulk enrollment, and then fill in the gaps with self-enrollment, because you’ll need to plan for ...


An important issue within the inventory process is discovery. Are you sure you know all your users and all their endpoints? How will you handle new or forgotten users? How will you deal with changes in endpoints? One way to handle this is to put discovery into the enrollment workflow, and place it where the users have to go in order to access something important. Make sure they will access it early and often. Everyone accesses an HR system sooner or later when they need to download their tax forms, but that will only be once a year; it’s better to place discovery in front of something they use all the time, such as email, reference wikis, or directories.

Don’t neglect discovery. Here at Duo, we have had customers who had policies against using personal devices on the corporate network, but they found out through our Device Insight that literally hundreds of users were doing it anyway.

The Power of Puzzle Pieces

User Devices

What do you do about enrolling shared devices? Remember that it’s the combination of user and endpoint that you decide to trust, so you can’t just decide to trust all devices independently of the users; an attacker could take control of a given endpoint and leverage any other known username and password to get access. To avoid this, you need to enforce user-device pairs by adding multi-factor authentication.

In order to break in, the attacker would need to have the username, password, access to the second factor (such as the Duo application on a phone), and the endpoint — making it more difficult to get unauthorized access with every piece you add to the puzzle.

So make sure that you have an entry only for those combinations of user and device that you expect to see. Sharing may not happen that often, but when it’s needed, the enrollment process should accommodate it.


It would be great if the user’s endpoint were in a known clean state when it was enrolled, but this isn’t always possible. At the very least, you can decide on what hygiene and configuration settings you want to see: no known dangerous apps installed, encryption and lock screen turned on, and updated operating systems and plugins. If you already have an agent installed on the endpoint, you can get whatever data it provides you; if you don’t, or if this is the first time you’re seeing the device, Duo can perform a hygiene check without an agent.


As we discussed above, it’s the combination that earns the trust, so you need to make sure to authenticate the user during self-enrollment. From that time forward, the user will be re-authenticating (with more than one factor!) to the access proxy, along with that user’s assigned endpoint.

How do you uniquely identify an endpoint? It’s harder than it sounds, particularly when hardware components and their IDs get replaced. Google’s BeyondCorp paper describes how it used a combination of observed and prescribed data to do this. Organizations will probably end up using whatever data they can most easily obtain and match, for example from Active Directory or a management system such as JAMF; whatever you do, aim for consistency.

Google ended up deciding that it would be the certificate that was the arbiter of endpoint identity: if the certificate didn’t match what was enrolled, it didn’t matter whether any of the system components matched. Identifying devices through certificates is another key component of the BeyondCorp framework; we’ll talk about using them to mark your trusted endpoints in the next blog entry, “If You Liked It, You Should Have Put a Cert On It.”

Honoring Black History Month in Cybersecurity
https://duo.com/blog/honoring-black-history-month-in-cybersecurity
Tue, 28 Feb 2017 09:00:00 -0500

While Black History Month honors those who've come before us, I wanted to take a moment to highlight some contemporary leaders in cybersecurity who are creating history today, and have personally inspired me.

Black History Month and Cybersecurity

Here are 14 remarkable founders, hackers, academics, executives, and investors in security you should know:

Window Snyder: Window's an old friend and older-school hacker (former VAX/VMS hacker who still owns dec.net :-) and now CISO at Fastly, the fast-growing CDN company. Her impact on our industry is hard to overestimate – with courage and uncompromising integrity, she's led Mozilla, Apple, and Microsoft to address security & privacy strategically and architecturally, defending users as much against nation-state attorneys as nation-state attackers.

Ejovi Nuwere: Ejovi was a fellow member of our w00w00 security crew who went on to have his autobiography Hacker Cracker published by Random House (ghostwritten by Ariel Sharon's biographer) when he was 21. Among his other adventures, Ejovi was censored by the Japanese government after his authorized audit of their national ID system, and became the first foreigner to sue the Japanese government for free speech. He now works for Deloitte in their DC-based cyber risk practice.

Corey Thomas: Corey is CEO of Rapid7, the leading vulnerability management company (founded by fellow OpenBSD hacker Chad Loder) which he successfully took public in 2015. Corey worked his way to the top honing his executive leadership and operating skills across every function at Rapid7 after managing products at Microsoft. I'm grateful for the insights and inspiration Corey's shared with me as a first-time CEO.

Dr. Paul Judge: Paul is the epitome of the security academic turned serial entrepreneur / investor. A Georgia Tech Ph.D., Paul helped put Atlanta tech on the map leading CipherTrust and Purewire, and co-founding Pindrop Security and Luma. But beyond Paul's entrepreneurial prowess, I am inspired by his commitment to community. When I visited his Tech Square Labs near Georgia Tech's downtown campus last year, he was hosting an all-black hackathon called GoodieHack with 100+ people. Amazing.

Larry Whiteside: Larry is VP Healthcare & Critical Infrastructure at Optiv, and was previously CISO at Spectrum Health, Visiting Nurse Service of NY, and Marsh. A former US Air Force cybersecurity officer, Larry's been involved in just about every side of the industry, from advising security vendors to organizing chapters of the Cloud Security Alliance and Infragard. After our diversity in cybersecurity panel during RSAC, he told me he'd hosted 100 schoolkids to tour Bay Area security companies with his International Consortium of Minority Cybersecurity Professionals.

Stephen Ridley: Stephen is founder of Senrio, a Portland-based startup providing enterprise security for IoT, former CISO of Simple Finance, and Matasano alum. Along the way, Stephen got bitten by the hardware hacking bug, which led to int3.cc, a community venture to support the movement with open-source tooling, as well as Xipiter, purveyors of the finest tools and training for organizations like the NSA, Samsung, and HP. Check out his excellent Duo Tech Talk on The Insecurity of Things.

Marcus Carey: Marcus is a former Navy cryptologist turned security entrepreneur, and founder of vThreat, a cyber attack simulation startup. He was formerly the community manager for Metasploit at Rapid7, well-known in Baltimore/DC for starting DojoSec, and a bona fide security celebrity in Austin, where we last caught up speaking at security founder events and at Austin Startup Week supporting veterans in cybersecurity.

John Lee: John is the hacker formerly known as Corrupt, from the legendary Masters of Deception crew from NYC. John was indicted on federal wiretapping charges during their Great Hacker War with the Legion of Doom in the early '90s, and ended up on the cover of Wired, and immortalized in a book. Since then, he's been busy directing music videos, and with MOD founder Eli (acidphreak), plans on producing more media honoring hacker culture (see their nootropic Hacker's Brew coffee)!

Dr. Fabian Monrose: Fabian is a professor of computer science at the University of North Carolina at Chapel Hill, previously at Johns Hopkins University, and a member of technical staff at Bell Labs. I met Fabian after starting the USENIX Workshop on Offensive Technology, which was colocated at USENIX Security (among other conferences he's chaired). Fabian's contributions to the field broadly cover network security, traffic analysis, system security, user authentication, and privacy.

Chris Young: Chris is CEO of the reincarnated McAfee, formerly the security division of Intel. I first met Chris when he was on Rapid7's board, just before leaving VMware to join Cisco, where he led their visionary acquisition of Sourcefire (for nearly 3 Instagrams, as I tell Marty ;-) – the right leader to re-envision McAfee. Chris also ran products at RSA for 6 years, and was co-founder and COO of Cyveillance.

Tyson Clark: Tyson is a venture capital investor at Google Ventures, previously at Andreessen Horowitz, focused on enterprise SaaS, infrastructure, and security. He's a Goldman, McKinsey, and Morgan Stanley alum, and was also a US Navy nuclear propulsion submarine officer. His investments in security include Pindrop Security and Acalvio. Every time I see Tyson, he's introducing someone interesting to me.

Hugh Njemanze: Hugh is CEO of Anomali, and was previously CTO and co-founder of ArcSight. I've only met Hugh once, but we share Google Ventures as an investor, and I've known many of his ArcSight colleagues for some time. He and his former team are legendary – they were the only Silicon Valley company to go public during the Great Recession in 2008, and then went on to be acquired by HP for $1.5 billion in 2010.

Fredrick Lee: Fredrick has led security at some of the world's fastest growing companies, from Betfair to Twilio, to Netsuite and Square. His background as a developer, security researcher, and executive now leading security is the rare combination every SaaS company needs of appsec, corpsec, and secops – both through hypergrowth and at scale.

Kevin Greene: Kevin is a program manager in the cybersecurity division of the US Department of Homeland Security's Science & Technology directorate, focused on software assurance. He's led research and development, as well as evaluation of various binary, static, and dynamic analysis technologies, and has been working not only to advance secure software development best-practices, but also hold software assurance tools to account. See his recent Dark Reading article on Certifying Software.

Securing Access After the Cloudflare Bug & Data Leaks
https://duo.com/blog/securing-access-after-the-cloudflare-bug-and-data-leaks
Mon, 27 Feb 2017 14:33:00 -0500

Last week, Cloudflare made a code change that allowed for access to their customers’ cloud servers, leaking private and sensitive data.

The company is a content delivery network (CDN) service, which delivers web content to users based on their geographic location to ensure optimal performance and availability.

Naturally, a bug in this type of service can affect many. However, according to Cloudflare, this affected just a small subset of their customers, around 150. Cloudflare has over two million websites on its network, and the greatest impact was between Feb. 13-18 of this year. The bug has since been patched.

What Happened

In order to increase content delivery performance, Cloudflare used existing code in one language to generate code in another.

But this allowed a user’s query to return data that exceeded a buffer - data from Cloudflare’s servers ran past the end of this buffer and extra data was tacked onto the regular response, according to Mark Loveless, Sr. Security Researcher at Duo.

Private data was returned in server requests, and some search engines crawling the Internet cached this data. The data included session keys, passwords, personal information, etc.

For a far more technical and detailed overview of the incident, response, and timeline of events, check out Cloudflare’s blog.

What To Do

While there’s currently no official list of servers that were affected, hopefully server owners and Cloudflare can work together to help identify what should be done for their users. You can find an unofficial list of affected domains here.

As octal suggests in his blog, site operators that use Cloudflare should practice their incident response process and proactively communicate with customers about how they might be affected. He also recommends updating administrator credentials, and requiring site users to log in again with existing passwords by resetting session tokens, in lieu of a mass forced password reset.

Since the leaked sensitive data included credentials, make sure you change your account passwords and enable two-factor authentication, which can prevent an attacker from accessing your accounts using only passwords that may be floating around in search engine caches, as TechCrunch reported.

Using a password manager such as LastPass can help you generate unique passwords and maintain your account logins.

Note: Duo Security does not use Cloudflare for any of its production services.

Bringing U2F to the Masses
https://duo.com/blog/bringing-u2f-to-the-masses
Fri, 24 Feb 2017 09:00:00 -0500

Major tech companies like Google, Dropbox and, more recently, Facebook have begun allowing users to log in with security keys. These security keys implement an open standard called Universal 2nd Factor, or U2F.

So What is U2F?

In 2011, Google, Yubico, and others created a second factor for authentication that used public key cryptography to securely authenticate a user to a web service. This process works by first having a device generate a keypair and register the generated public key with the server. Then, when a second authentication factor is required, the server sends a unique challenge to the device. To respond to the challenge, the device unlocks its generated private key after verifying that a user is actually present (say, by having the user press a button or enter a PIN), and then returns the challenge signed with the private key.

An important part of this challenge/response process is that it takes into account the hostname of the URL, or “origin,” the user is currently on. Every keypair that is generated is tied to a particular origin. Before performing any signing operation, the device first confirms that the origin is correct; this essentially makes the authentication process unphishable.

In addition to the strong phishing protections, the U2F protocol design provides strong user-centric privacy properties to ensure U2F users have anonymity in the eyes of service providers. A U2F device is not bound to a user’s real identity, be that phone, fingerprint or computer, and as each registration generates a new keypair, it is impossible for a U2F device to be correlated across different services or even across different accounts on the same service.

The companies brought the idea for hardware-backed, unphishable second factor authentication under the umbrella of the FIDO Alliance as an open standard, which became known as U2F. Duo’s goal is to stay on the leading edge of usable, secure authentication, which is why we have proudly been a member of the FIDO Alliance and supported U2F for our customers since 2014.
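The registration and challenge/response exchange described above, as an added Go example that is not Duo's code or the FIDO specification's reference implementation: a simplified, hypothetical `Device` and `RelyingParty` mint a fresh P-256 keypair per registration, bind it to one origin, refuse to sign for any other origin or without user presence, and verify only over the server's own origin. Key handles here are a constructed hash rather than a real token's wrapped key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Device is a simplified, hypothetical model of a U2F authenticator (not real
// token firmware): each registration mints a fresh P-256 keypair bound to one origin.
type Device struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	origins map[string]string            // key handle -> origin the key is bound to
}

func NewDevice() *Device {
	return &Device{keys: map[string]*ecdsa.PrivateKey{}, origins: map[string]string{}}
}

// Register creates a new keypair for origin and returns its key handle and public key.
func (d *Device) Register(origin string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	// Constructed key handle: a hash of the public key (real tokens wrap the key).
	sum := sha256.Sum256(priv.PublicKey.X.Bytes())
	handle := hex.EncodeToString(sum[:8])
	d.keys[handle], d.origins[handle] = priv, origin
	return handle, &priv.PublicKey, nil
}

// Sign answers a challenge only if the origin the browser reports is the one the
// key was registered for and the user confirmed presence (button press or PIN).
func (d *Device) Sign(handle, origin string, challenge []byte, userPresent bool) ([]byte, error) {
	priv, ok := d.keys[handle]
	if !ok || d.origins[handle] != origin {
		return nil, errors.New("key handle not valid for this origin: refusing to sign")
	}
	if !userPresent {
		return nil, errors.New("user presence not confirmed")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(origin, challenge))
}

// signedDigest binds the origin and the challenge into the value that is signed.
func signedDigest(origin string, challenge []byte) []byte {
	originHash := sha256.Sum256([]byte(origin))
	sum := sha256.Sum256(append(originHash[:], challenge...))
	return sum[:]
}

type registration struct {
	handle string
	pub    *ecdsa.PublicKey
}

// RelyingParty is the web service: it keeps public keys and verifies responses.
type RelyingParty struct {
	origin string
	users  map[string]registration
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, users: map[string]registration{}}
}

// Enroll registers the user's device for this service's origin.
func (rp *RelyingParty) Enroll(user string, d *Device) error {
	handle, pub, err := d.Register(rp.origin)
	if err != nil {
		return err
	}
	rp.users[user] = registration{handle: handle, pub: pub}
	return nil
}

// Authenticate sends a fresh challenge and checks the response. browserOrigin is
// the page the browser says the user is on; a phishing site cannot spoof it.
func (rp *RelyingParty) Authenticate(user string, d *Device, browserOrigin string, userPresent bool) error {
	reg := rp.users[user] // an unknown user yields an empty handle, which Sign rejects
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig, err := d.Sign(reg.handle, browserOrigin, challenge, userPresent)
	if err != nil {
		return err
	}
	// Verify over the server's own origin, never over what the client claims.
	if !ecdsa.VerifyASN1(reg.pub, signedDigest(rp.origin, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

A look-alike origin fails at the device before any signature exists, and enrolling the same device at a second service yields an unrelated public key, which is the unlinkability property described above.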

Here’s how it works:

Driving Increased U2F Adoption

While the U2F standard has been around since 2014, the rate of adoption is not as high as we would hope for such a strong authentication technology. Authenticating via U2F requires having both the 2FA service provider (the Relying Party in U2F speak) and the browser vendor support the U2F protocol. It also requires the user to have a U2F-compliant device that the browser communicates with to perform the actual cryptographic signing. This hardware has, up until now, almost always come in the form of external keys connecting to systems over USB, NFC, or Bluetooth. Some of the best have come from Yubico.

Unfortunately, the requirement of needing an extra hardware device in order to make use of U2F creates some barriers to adoption for many businesses as well as end users due to the costs associated. These costs range from the capital expenditure costs of purchasing new security hardware devices themselves, to the technical logistical costs of losing access to one of the device’s already-limited USB ports (or lack of USB-A ports altogether - thanks Apple!).

While on the face of it, these can be seen as small issues that are easily surmountable for an organization that takes security seriously, the reality is that they can significantly reduce the ability of such projects to get a green light. Even when the barriers to hardware purchase have been circumvented, there is also a responsibility placed on the end user to have their U2F device either on hand or plugged into their device. If they don’t, then they will likely fall back to an alternate 2FA technology such as HOTP/TOTP or even SMS.

As can be seen from the graph below, only about 1% of all 2FA authentications that Duo sees currently make use of U2F, and this trend has not shifted upward to any significant degree over the last 12 months.

Two-Factor Authentication Methods Graph

Duo Labs + Intel

Duo’s service is built to make effective, usable security as easy to deploy and manage as possible. In Duo Labs, we actively partner with other industry leaders and research teams to take advantage of the latest authentication technologies to better protect our customers as early as possible.

Intel’s 7th Generation Core Processors (codenamed Kaby Lake) ship with the Intel Converged Security and Manageability Engine (CSME), which provides the functionality needed for U2F, such as generating a key pair, registering it, and signing U2F challenges with it. Intel has also created “Intel Online Connect,” which enables Windows computers to support the FIDO U2F standard natively without the need for any additional hardware.

Intel’s work on bringing native U2F capabilities directly into the chipset means that companies and consumers no longer need to buy additional hardware to use U2F; they get it as a side benefit of updating their client fleets. Duo has worked to ensure that Intel’s latest hardware works seamlessly out of the box with the U2F support that has been available in Duo’s Trusted Access platform since 2014.

Intel took an interesting approach to its implementation of a U2F client. Instead of the USB hardware devices most people are already familiar with, Intel chose to implement its U2F client in software and display a square on the screen at a randomly generated location that the user clicks to fulfil the user presence test. Intel makes use of Protected Transaction Display technology to ensure that the input and output channels cannot be eavesdropped on or bypassed programmatically. Once the user presence test has been completed, the U2F challenge is signed by a key that is securely stored in hardware, and the signature is passed back to the browser.
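To show what the relying party actually checks once the challenge comes back signed, here is an added Go sketch of the U2F authentication round trip; it is example code, not Duo’s or Intel’s, and the authenticator is a simulated software key with a constructed app ID and challenges rather than Intel’s hardware-backed one. The relying party verifies the ECDSA signature under the key registered earlier, that the user-presence byte is set, and that the signature counter strictly increased, which is how a cloned key would be noticed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator stands in for the token: a software P-256 key here (Intel keeps its key in hardware); counter is incremented on every signature so the relying party can notice a cloned key.
type Authenticator struct{ priv *ecdsa.PrivateKey; counter uint32 }
// Assertion is the authenticator's reply; RelyingParty keeps the registered key and the last counter seen.
type Assertion struct{ UserPresence byte; Counter uint32; Sig []byte }
type RelyingParty struct{ AppID string; Pub *ecdsa.PublicKey; LastCounter uint32 }

// Register generates the key pair and hands the public half to the relying party (constructed flow).
func Register(appID string) (*Authenticator, *RelyingParty) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: k}, &RelyingParty{AppID: appID, Pub: &k.PublicKey}
}

// signedData is the U2F authentication message: SHA-256(appID) || UP || counter (big-endian) || SHA-256(clientData).
func signedData(appID, clientData string, up byte, counter uint32) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256([]byte(clientData))
	msg := append(app[:], up, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, chal[:]...)
}

// Sign runs after the presence test: up is 1 once the user clicked the on-screen square, 0 if they did not.
func (a *Authenticator) Sign(appID, clientData string, up byte) Assertion {
	a.counter++
	h := sha256.Sum256(signedData(appID, clientData, up, a.counter))
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return Assertion{UserPresence: up, Counter: a.counter, Sig: sig}
}
// Verify enforces three checks: presence bit set, signature valid under the registered key, counter increased.
func (rp *RelyingParty) Verify(clientData string, as Assertion) error {
	h := sha256.Sum256(signedData(rp.AppID, clientData, as.UserPresence, as.Counter))
	switch {
	case as.UserPresence&1 == 0:
		return errors.New("user presence not asserted")
	case !ecdsa.VerifyASN1(rp.Pub, h[:], as.Sig):
		return errors.New("signature does not verify under registered key")
	case as.Counter <= rp.LastCounter:
		return errors.New("counter did not increase: possible cloned key")
	}
	rp.LastCounter = as.Counter
	return nil
}
```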

The software-only U2F implementation will make strong U2F-based authentication available to every user of a Kaby Lake device without any further investment in hardware by users or organizations. From Duo’s perspective, the more people who can benefit from the strong second-factor authentication offered by U2F, the better - and what better way to ensure this than having a U2F device built directly into their system to enable a frictionless workflow? We are hopeful that as Kaby Lake devices begin to penetrate the market, we will see an uptick in the adoption of U2F as users’ preferred second-factor mechanism.

Intel & Duo at RSAC 2017

We were really pleased to be able to show off our prototype integration with Intel at this year’s RSA conference and to get to speak to so many people about how this might help increase the security of their organisations.

Thanks to everyone who came by the Duo booth to say hi and chat about embedded security hardware! You can find our official press release here.

Duo's Booth at RSAC

Security is always best when it’s built in, not bolted on. We’re excited to continue partnering with leaders like Intel to bring built-in native U2F support to businesses and consumers to help make it as easy to use as possible.

RSAC 2017: The Human Exploitation Kill Chain https://duo.com/blog/rsac-2017-the-human-exploitation-kill-chain Thu, 23 Feb 2017 09:00:00 -0500

One talk I attended at RSAC 2017 was The Human Exploitation Kill Chain, presented by Ira Winkler, CISSP, President of Secure Mentem and Co-Host of the Irari Report, which described the kill chain of a phishing attack. When it comes to social engineering attacks like phishing, everyone blames awareness. However, awareness is not the main problem when it comes to phishing - it’s a systemic failure of a network. If someone clicks on something and brings the whole system down, then it’s your environment that sucks, and it’s the failure of a security team. No one person should have that much power.

The problem with most awareness programs is that they are often training programs that only train people to recognize simulations. A good training program should consistently reinforce good behavior. In a kill chain, each phase represents a point of protection, failure and detection. In the different phases of an attack, an attacker has to find, fix, track, target, engage and assess.

In the target phase, an attacker will do reconnaissance to get more information about their target by scanning company data, finding information on social media sites like LinkedIn, and searching public records. In one example, Ira said you could find information about the security of a building online, since building permit files are public. Another approach an attacker may take is the mass attack approach, where they indiscriminately target everyone in the company.

Ira referenced the RSA breach of 2011 in which the attacker targeted their human resources department, sending them a spreadsheet that appeared to be from Monster.com, the job search website. According to an analysis on RSA’s blog, their attacker sent two different phishing emails to two groups of employees that were not typically considered high-profile targets. The email subject line was “2011 Recruitment Plan.”

One of the employees went into their junk mail folder and opened the attached Excel file, which contained a zero-day exploit that installed a backdoor via an Adobe Flash vulnerability. The attackers then moved laterally within the network to compromise other machines and eventually steal company/customer data.

Each type of attack has its own unique kill chain. The phishing kill chain includes a number of steps in which either technology or a user has an essential role in either stopping or enabling the attack. The primary way to stop the success of phishing attacks is to make sure your employees are following your company’s governance/process in certain situations.

For example, there should be an explicit process outlined for how to pay an invoice, and employees should never sidestep the process in order to expedite a request, even if it appears to come from their CEO.

One layer of technology that can play a part in the phishing kill chain is the pre-mail filter. Another is your mail server, which should be able to detect phishing messages. The mail client should provide another layer of filters and ways to quarantine suspected spam and phishing messages. The mail filter should warn a user who is attempting to open an email from their spam folder. Finally, the average user shouldn’t be allowed to download or execute programs from the Internet onto their machine.

Users are key - they’re “human intrusion detection systems,” the eyes and ears of your security program that can tell you where attacks come from. Ira also recommended using multi-factor authentication (MFA) and single sign-on (SSO) to prevent phishing attacks. Launching an internal phishing simulation campaign can also help you measure your risk, and get insight into your users and devices logging into your applications.

Check out the rest of our RSAC 2017 coverage.

RSAC 2017: The Value in Vendor Consolidation https://duo.com/blog/rsac-2017-the-value-in-vendor-consolidation Wed, 22 Feb 2017 09:00:00 -0500

In addition to the theme of securing a new perimeter-less IT model, another message I heard repeatedly in several keynotes at the 2017 RSA Conference was urging simplification and consolidation of security solutions and vendors.

In past years at RSAC, I’d heard the message that the information security industry wasn’t doing enough, and we needed more threat intel, more big data, more anything to help people protect themselves. This year, I heard that we need to be a bit smarter with what we do have, and start paring down to effect real change with security that works.

Planning for Chaos

RSA Chief Technology Officer (CTO) Dr. Zulfikar Ramzan opened Tuesday’s keynote address explaining that security isn’t just a technology problem; it’s a business problem.

RSA RSAC 2017 Keynote

One of his recommendations for businesses is to simplify what they can control. He cited a customer he knew that had 84 different security vendors - how can you justify the return on that type of investment? By consolidating your vendors, that is, doubling down on the vendors that work well and ditching everyone else, you can contain the chaos at your organization.

The Coming Disruption in Security

Palo Alto Networks CEO and Chairman Mark McLaughlin gave a keynote on Wednesday morning about encouraging security innovation and the true measure of success in infosec. According to him, we’ll know when we’ve arrived as an industry when security is easy to use.

Consolidating vendors for its own sake is of little value; the point is to actually be more secure as a result. With the sheer number of different security vendors in the market, we need to figure out how to deal with the growing complexity, consumption and costs that come with them. It’s really all about how security is delivered and consumed.

Delivering Effective Security Outcomes

David Ulevitch, VP of Cisco’s Security Business Group, emphasized the need for more integrated and automated security solutions, stating that while we have the tools, we’re not using them to their full potential today.

The automation problem can be traced back to the siloed nature of the information security industry today that encourages people to adopt millions of security products. Companies may have up to 50 different siloed solutions that are bolted on and don’t talk to each other.

APIs, according to David, are a cop-out, as they shift the integration burden to customers. The infosec industry needs integrations so that security works out of the box. One way to do that is to leverage the cloud for integrations, and as a way of delivering security policies by analyzing data and enforcing policies quickly. The cloud is not just another IT surface we need to protect - it can be used to drive security automation.

Check out the keynote speakers and videos on the RSAC 2017 website (click on the session titles to view the videos).

Simplifying Security With Duo Beyond

At Duo, we also believe that simplification and consolidation are key to driving security effectiveness. Our latest product release, Duo Beyond, reflects those principles.

We combine verifying the identities of your users with ensuring the security health of their devices before granting them access to certain applications - the main pillars of our Trusted Access platform. By using Duo’s secure single sign-on (SSO), you can give your users secure remote access to certain cloud and on-premises applications without using a VPN.

With Duo’s Trusted Endpoints, you can easily identify and create policies for corporate-owned vs. personal devices accessing your applications by using Duo’s easy PKI to deploy device certificates, eliminating the need to manage your infrastructure.

Learn more in our Duo Beyond blog or by reading more about Trusted Access.