security and usability from the frontlines of enterprise
play

Security and Usability from the Frontlines of Enterprise IT Jon - PowerPoint PPT Presentation

Jul 05, 2023 •381 likes •785 views

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security Browser SSL Password Encryption warnings schemes usability IT Security 40M consumer 153M end user Thousands of credit cards credentials

  1. Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

  2. Browser SSL Password Encryption warnings schemes usability

  3. IT Security

  4. 40M consumer 153M end user Thousands of credit cards credentials affected orgs (direct) (indirect) (meta)

  5. vs.

  6. Security The Industry X X + Organizations Usability duo.com Corp End Users

  7. The Industry

  8. Complexity Simplicity > Sophistication Usability Advanced Easy This is BAD.

  14. 1. Strong authentication 2. Up-to-date devices 3. Encryption C onfidentiality of data I ntegrity of devices A uthentication of users

  15. Basic security hygiene What we should be doing: What we’re doing instead:

  16. 75% 50% 71% of OS X devices of iOS devices of Android devices out of date out of date out of date Android < 5.5.1, or < 6.0.1 OS X < 10.11.2 iOS < 9.2

  17. 1. User auth-N, auth-Z 2. Device auth-N, auth-Z 3. Transport security Google’s The FTC’s Beyond Corp Start with Security

  18. Organizations

  20. → Dept of Secure Dept of “NO” Enablement

  21. “Social normalization of deviance means that people within the organization become so much accustomed to a deviant behaviour that they don’t consider it as deviant, despite the fact that they far exceed their own rules for the elementary safety.”

  22. “With great power... → … comes great (shared) responsibility”

  24. = ? Better security Does usable IT security have an indirect positive impact for an org’s security posture? Do happy users have a direct positive impact on an org’ s security posture, either at a micro or macro scale?

  25. End Users

  26. “We should prefer security systems that people can readily create accurate mental models for, even if they are strictly less powerful than what the state of the art allows.” -- Chris Palmer

  27. Safety > Security

  29. Safety > Security Safe Behaviors > Technical Protections

  30. “Tokens? Where we're going, we don't need tokens.”

  31. Legacy 2FA Duo Push ● Hardware tokens ● One-tap UX ○ Poor AX, UX ○ Expensive ● Strong transport ● Phone call, SMS security ○ Unreliable, insecure transports ● Asymmetric ● Software tokens crypto ○ Countdown timer stress disorder ○ Symmetric key

  33. Security Usability Compatibility Note: Fulfills requirement of all presentations to have a Zooko Triangle

  34. 2010 2013 2015 2016 Duo Push Twitter Yahoo Google

  35. The Industry Organizations Corp End Users

  36. jono’s secret research agenda ● (S//SI//REL) Does usability and user happiness have a significant direct or indirect impact on IT security posture of an organization? ● (S//SI) At the corporate end user level ○ Are employees less susceptive to compromise or more likely to subvert IT security controls if they are perceived as usable and/or the users have a positive impression of their IT department? ● (S//SI) At an organizational level ○ Do usable security controls and happy users build organizational capital for IT? How much is user happiness or acceptance of security controls worth? How much does rejection of security controls cost an organization? ● (S//SI) At an industry level ○ Are positive models or architectures for IT security more effective or efficient?

  37. Q&A Jon Oberheide CTO, Duo Security jono@duosecurity.com @jonoberheide

  38. References Slide 5: ● https://www.zerodium.com/ios9.html Slide 11: ● http://blogs.forrester.com/rick_holland/14-05-20-introducing_forresters_targeted_attack_hierarchy_of_needs Slide 12: ● http://blogs.forrester.com/rick_holland/14-05-20-introducing_forresters_targeted_attack_hierarchy_of_needs Slide 13: ● http://blogs.forrester.com/rick_holland/14-05-20-introducing_forresters_targeted_attack_hierarchy_of_needs Slide 14: ● Personal communication @ Google Security Summit 2015 Slide 16: ● Aggregate endpoint data from Duo’s service on 2016/01/10 Slide 17: ● https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business ● https://www.usenix.org/conference/lisa13/enterprise-architecture-beyond-perimeter Slide 20: ● http://dilbert.com/strip/2007-11-16 ● Mike Kail

  39. References Slide 21: ● https://en.wikibooks.org/wiki/Professionalism/Diane_Vaughan_and_the_normalization_of_deviance ● https://www.schneier.com/blog/archives/2016/01/it_security_and.html Slide 23: ● Personal communication with Ryan Huber @ Slack Slide 24: ● http://publish.illinois.edu/science-of-security-lablet/science-of-human-circumvention-of-security/ Slide 26: ● https://noncombatant.org/2015/06/09/dubious-thoughts-crypto-usability/ Slide 28: ● http://www.ncbi.nlm.nih.gov/pmc/articles/PMC478945/ Slide 32: ● http://www.rlvision.com/blog/authentication-with-passwords-passphrases-implications-on-usability-and-security/ Slide 33: ● https://en.wikipedia.org/wiki/Zooko%27s_triangle Slide 34: ● https://duo.com/blog/duo-push-the-next-generation-of-two-factor-authentication ● https://blog.twitter.com/2013/login-verification-on-twitter-for-iphone-and-android ● https://help.yahoo.com/kb/SLN25781.html ● http://techcrunch.com/2015/12/22/google-begins-testing-password-free-logins/

Recommend

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical

Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical

Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical Security Approaches Adam Healy, CISO State of Crypto Asset Security 2016 Market Capitalization NASDAQ 1 ~$7.8 trillion London Stock Exchange 1

291 views • 12 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science &amp; Engineering

419 views • 4 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science &amp; Engineering

219 views • 5 slides
Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271 Announcements intermission Introduction to Computer Security Usability and Voting combined slides Usable security example areas Stephen McCamant Elections

305 views • 8 slides
Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a

Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a

Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a wholesale distribution business providing complete range of Electronic Security Systems Kamlesh 093232 51184 Adit Enterprise Adit Enterprise Adit

619 views • 29 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Electronic voting System security of electronic voting Stephen McCamant Exercise sets 2

424 views • 10 slides
On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis Defense, Bochum, Germany, May 29, 2019 User Authentication Competing requirements of security and usability . [1] Common Factors: Knowledge ( Password ,

619 views • 34 slides
Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability Gap in Online Banking NSPW Presentation - Sep 19, 2007 Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van Oorschot Carleton University Mohammad Mannan Sep 19, 2007 1 Security

544 views • 22 slides
Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security

Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security

Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security Good user experience design and good security cannot exist without each other Everyone deserves to be secure without being experts We need to

1.34k views • 112 slides
Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M. Martin Aaron G. Cass March 3, 2018 Introduction 01 Human Computer Interface Security (HCIsec) 02 Password Problem 03 Graphical User

633 views • 31 slides
Top 10 Lessons I Learned from the Frontlines of the ACIN

Top 10 Lessons I Learned from the Frontlines of the ACIN

Top 10 Lessons I Learned from the Frontlines of the ACIN Incubator Lou Bucelli CEO LimeBox Networks LLC Formerly, Entrepreneur-in-Residence ACIN

591 views • 16 slides
Do gma 1 Deliverables from usability professionals must be highly usable Reports,

Do gma 1 Deliverables from usability professionals must be highly usable Reports,

Myths about usability testing Copies of Slides U X Day Graz 2013 F ive use rs will find 85% o f the usability pro ble ms Rolf Molich - and o the r myths abo ut DialogDesign usability te sting Do gma 1 Deliverables from

659 views • 18 slides
1 Usability - Usage - Security Workflow RESTful interface 2 What is AHE - Virtualises

1 Usability - Usage - Security Workflow RESTful interface 2 What is AHE - Virtualises

1 Usability - Usage - Security Workflow RESTful interface 2 What is AHE - Virtualises Application on the computational resource - Show components diagram 3 A number of constraints were placed on the design of AHE to ensure it met our

444 views • 32 slides
Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security

Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security

Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security Announcements intermission Day 23: Usability and security Stephen McCamant Usability and security University of Minnesota, Computer Science &amp;

391 views • 8 slides
From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO

From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO

From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO AT&amp;T eamoroso@att.com Page 1 Sandbags Piled in Front of AT&amp;T Building 12/15/41 Page 2 Original Perimeter Objective (Circa 1995)

946 views • 61 slides
The Usability, Security, and Privacy Limits of Blockchain J I B E . C O M P A N Y Codiax 2019

The Usability, Security, and Privacy Limits of Blockchain J I B E . C O M P A N Y Codiax 2019

The Usability, Security, and Privacy Limits of Blockchain J I B E . C O M P A N Y Codiax 2019 Hello! Im Joris van Rooij Software Architect at Jibe.Company From Eindhoven, the Netherlands J I B E . C O M P A N Y I like...

1.72k views • 144 slides
Developer Centered Security MOHAMMAD TAHAEI , KAMI VANIEA, NAOMI SAPHRA

Developer Centered Security MOHAMMAD TAHAEI , KAMI VANIEA, NAOMI SAPHRA

Technology Usability Lab in Privacy and Security Developer Centered Security MOHAMMAD TAHAEI , KAMI VANIEA, NAOMI SAPHRA {FIRSTNAME.LASTNAME}@ED.AC.UK End users requirement of usability is starting to be acknowledged as a serious market

490 views • 23 slides
Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi

Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi

Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi Google, Inc. Rochester Institute of Technology kak@google.com rlaz@cs.rit.edu Symposium on Usable Privacy and Security (SOUPS) 2009 July 15th-17th,

272 views • 26 slides
CSCI E-170 L13: Aligning Security and Usability Simson L. Garfinkel Center for Research on

CSCI E-170 L13: Aligning Security and Usability Simson L. Garfinkel Center for Research on

CSCI E-170 L13: Aligning Security and Usability Simson L. Garfinkel Center for Research on Computation and Society Harvard University 1 Administrivia Final Project Presentation Schedules are on the website. HW4 2 Tonight we will look at

520 views • 35 slides
Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security

Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security

Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security Tor and usability combined lecture Usability and security Stephen McCamant University of Minnesota, Computer Science &amp; Engineering Usable

964 views • 9 slides
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP

Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP

Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those processes Security is

577 views • 34 slides

More recommend