security and usability from the frontlines of enterprise
play

Security and Usability from the Frontlines of Enterprise IT Jon - PowerPoint PPT Presentation

Jul 05, 2023 •381 likes •785 views

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security Browser SSL Password Encryption warnings schemes usability IT Security 40M consumer 153M end user Thousands of credit cards credentials

  1. Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

  2. Browser SSL Password Encryption warnings schemes usability

  3. IT Security

  4. 40M consumer 153M end user Thousands of credit cards credentials affected orgs (direct) (indirect) (meta)

  5. vs.

  6. Security The Industry X X + Organizations Usability duo.com Corp End Users

  7. The Industry

  8. Complexity Simplicity > Sophistication Usability Advanced Easy This is BAD.

  14. 1. Strong authentication 2. Up-to-date devices 3. Encryption C onfidentiality of data I ntegrity of devices A uthentication of users

  15. Basic security hygiene What we should be doing: What we’re doing instead:

  16. 75% 50% 71% of OS X devices of iOS devices of Android devices out of date out of date out of date Android < 5.5.1, or < 6.0.1 OS X < 10.11.2 iOS < 9.2

  17. 1. User auth-N, auth-Z 2. Device auth-N, auth-Z 3. Transport security Google’s The FTC’s Beyond Corp Start with Security

  18. Organizations

  20. → Dept of Secure Dept of “NO” Enablement

  21. “Social normalization of deviance means that people within the organization become so much accustomed to a deviant behaviour that they don’t consider it as deviant, despite the fact that they far exceed their own rules for the elementary safety.”

  22. “With great power... → … comes great (shared) responsibility”

  24. = ? Better security Does usable IT security have an indirect positive impact for an org’s security posture? Do happy users have a direct positive impact on an org’ s security posture, either at a micro or macro scale?

  25. End Users

  26. “We should prefer security systems that people can readily create accurate mental models for, even if they are strictly less powerful than what the state of the art allows.” -- Chris Palmer

  27. Safety > Security

  29. Safety > Security Safe Behaviors > Technical Protections

  30. “Tokens? Where we're going, we don't need tokens.”

  31. Legacy 2FA Duo Push ● Hardware tokens ● One-tap UX ○ Poor AX, UX ○ Expensive ● Strong transport ● Phone call, SMS security ○ Unreliable, insecure transports ● Asymmetric ● Software tokens crypto ○ Countdown timer stress disorder ○ Symmetric key

  33. Security Usability Compatibility Note: Fulfills requirement of all presentations to have a Zooko Triangle

  34. 2010 2013 2015 2016 Duo Push Twitter Yahoo Google

  35. The Industry Organizations Corp End Users

  36. jono’s secret research agenda ● (S//SI//REL) Does usability and user happiness have a significant direct or indirect impact on IT security posture of an organization? ● (S//SI) At the corporate end user level ○ Are employees less susceptive to compromise or more likely to subvert IT security controls if they are perceived as usable and/or the users have a positive impression of their IT department? ● (S//SI) At an organizational level ○ Do usable security controls and happy users build organizational capital for IT? How much is user happiness or acceptance of security controls worth? How much does rejection of security controls cost an organization? ● (S//SI) At an industry level ○ Are positive models or architectures for IT security more effective or efficient?

  37. Q&A Jon Oberheide CTO, Duo Security jono@duosecurity.com @jonoberheide

  38. References Slide 5: ● https://www.zerodium.com/ios9.html Slide 11: ● http://blogs.forrester.com/rick_holland/14-05-20-introducing_forresters_targeted_attack_hierarchy_of_needs Slide 12: ● http://blogs.forrester.com/rick_holland/14-05-20-introducing_forresters_targeted_attack_hierarchy_of_needs Slide 13: ● http://blogs.forrester.com/rick_holland/14-05-20-introducing_forresters_targeted_attack_hierarchy_of_needs Slide 14: ● Personal communication @ Google Security Summit 2015 Slide 16: ● Aggregate endpoint data from Duo’s service on 2016/01/10 Slide 17: ● https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business ● https://www.usenix.org/conference/lisa13/enterprise-architecture-beyond-perimeter Slide 20: ● http://dilbert.com/strip/2007-11-16 ● Mike Kail

  39. References Slide 21: ● https://en.wikibooks.org/wiki/Professionalism/Diane_Vaughan_and_the_normalization_of_deviance ● https://www.schneier.com/blog/archives/2016/01/it_security_and.html Slide 23: ● Personal communication with Ryan Huber @ Slack Slide 24: ● http://publish.illinois.edu/science-of-security-lablet/science-of-human-circumvention-of-security/ Slide 26: ● https://noncombatant.org/2015/06/09/dubious-thoughts-crypto-usability/ Slide 28: ● http://www.ncbi.nlm.nih.gov/pmc/articles/PMC478945/ Slide 32: ● http://www.rlvision.com/blog/authentication-with-passwords-passphrases-implications-on-usability-and-security/ Slide 33: ● https://en.wikipedia.org/wiki/Zooko%27s_triangle Slide 34: ● https://duo.com/blog/duo-push-the-next-generation-of-two-factor-authentication ● https://blog.twitter.com/2013/login-verification-on-twitter-for-iphone-and-android ● https://help.yahoo.com/kb/SLN25781.html ● http://techcrunch.com/2015/12/22/google-begins-testing-password-free-logins/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical

Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical

Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical Security Approaches Adam Healy, CISO State of Crypto Asset Security 2016 Market Capitalization NASDAQ 1 ~$7.8 trillion London Stock Exchange 1

291 views • 12 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science &amp; Engineering

419 views • 4 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science &amp; Engineering

219 views • 5 slides
Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271 Announcements intermission Introduction to Computer Security Usability and Voting combined slides Usable security example areas Stephen McCamant Elections

305 views • 8 slides
Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a

Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a

Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a wholesale distribution business providing complete range of Electronic Security Systems Kamlesh 093232 51184 Adit Enterprise Adit Enterprise Adit

619 views • 29 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Electronic voting System security of electronic voting Stephen McCamant Exercise sets 2

424 views • 10 slides
On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis Defense, Bochum, Germany, May 29, 2019 User Authentication Competing requirements of security and usability . [1] Common Factors: Knowledge ( Password ,

619 views • 34 slides
Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability Gap in Online Banking NSPW Presentation - Sep 19, 2007 Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van Oorschot Carleton University Mohammad Mannan Sep 19, 2007 1 Security

544 views • 22 slides
Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security

Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security

Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security Good user experience design and good security cannot exist without each other Everyone deserves to be secure without being experts We need to

1.34k views • 112 slides
Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M. Martin Aaron G. Cass March 3, 2018 Introduction 01 Human Computer Interface Security (HCIsec) 02 Password Problem 03 Graphical User

633 views • 31 slides
Top 10 Lessons I Learned from the Frontlines of the ACIN

Top 10 Lessons I Learned from the Frontlines of the ACIN

Top 10 Lessons I Learned from the Frontlines of the ACIN Incubator Lou Bucelli CEO LimeBox Networks LLC Formerly, Entrepreneur-in-Residence ACIN

591 views • 16 slides
Do gma 1 Deliverables from usability professionals must be highly usable Reports,

Do gma 1 Deliverables from usability professionals must be highly usable Reports,

Myths about usability testing Copies of Slides U X Day Graz 2013 F ive use rs will find 85% o f the usability pro ble ms Rolf Molich - and o the r myths abo ut DialogDesign usability te sting Do gma 1 Deliverables from

659 views • 18 slides
1 Usability - Usage - Security Workflow RESTful interface 2 What is AHE - Virtualises

1 Usability - Usage - Security Workflow RESTful interface 2 What is AHE - Virtualises

1 Usability - Usage - Security Workflow RESTful interface 2 What is AHE - Virtualises Application on the computational resource - Show components diagram 3 A number of constraints were placed on the design of AHE to ensure it met our

444 views • 32 slides
ATM Algorithm on the BBOB 2009 Noiseless Function Testbed Benjamin Bodner Brown University

ATM Algorithm on the BBOB 2009 Noiseless Function Testbed Benjamin Bodner Brown University

Benchmarking The ATM Algorithm on the BBOB 2009 Noiseless Function Testbed Benjamin Bodner Brown University Providence, RI, USA BBOB Workshop GECCO 2019 Prague 4/1/2020 Benchmarking the ATM Algorithm on the BBOB 2009 Noiseless Function

421 views • 29 slides
Information Architecture and Games Patricia Evans Overview IA in Video Games Menus

Information Architecture and Games Patricia Evans Overview IA in Video Games Menus

Information Architecture and Games Patricia Evans Overview IA in Video Games Menus Loading Screens Tab Screens Questions? References IA in Video Games Gaming is an escape from reality User Interface Needs to

656 views • 17 slides
Teaching InChI to Chemistry Students Tina Qin Chemistry Librarian at Harvard University

Teaching InChI to Chemistry Students Tina Qin Chemistry Librarian at Harvard University

Teaching InChI to Chemistry Students Tina Qin Chemistry Librarian at Harvard University Tina_qin@harvard.edu Instructors perspective Students perspective Challenges Target audience Lack of awareness of and interest in for InChI

274 views • 8 slides
HL7 Immunization User Group Monthly Meeting April 11, 2019 2:00 PM ET Agenda Welcome

HL7 Immunization User Group Monthly Meeting April 11, 2019 2:00 PM ET Agenda Welcome

HL7 Immunization User Group Monthly Meeting April 11, 2019 2:00 PM ET Agenda Welcome Poll: Which perspective do you primarily identify yourself with? Updates SISC Reminder! Sign up for AART Clinics at the AIRA National

275 views • 8 slides
Spherical Harmonic Lighting Petras Sukys, Simon Ivarsson Chalmers University of Technology 2013

Spherical Harmonic Lighting Petras Sukys, Simon Ivarsson Chalmers University of Technology 2013

Spherical Harmonic Lighting Petras Sukys, Simon Ivarsson Chalmers University of Technology 2013 Hello world Recap on maths Spherical Harmonics SH at work Some demos/examples Recap on maths Almighty lighting equation Recap

439 views • 26 slides
LaTeX Introduction to Latex Jimmy Broomfield University of Minnesota , November 7, 2016 1 / 22

LaTeX Introduction to Latex Jimmy Broomfield University of Minnesota , November 7, 2016 1 / 22

THIS IS AN INTRODUCTION TO LaTeX Introduction to Latex Jimmy Broomfield University of Minnesota , November 7, 2016 1 / 22 Jimmy Broomfield Introduction to LaTeX 1/22 Outline Introduction Installation Getting Started Basic

737 views • 42 slides
Technology Presenta0on April 11, 2012 Why did we choose

Technology Presenta0on April 11, 2012 Why did we choose

Technology Presenta0on April 11, 2012 Why did we choose Apple? Where are the current laptops? How is the technology being used? Pricing

394 views • 37 slides
Technology Presenta0on April 11, 2012 History of Technology

Technology Presenta0on April 11, 2012 History of Technology

Technology Presenta0on April 11, 2012 History of Technology Why did we choose Apple? Where are the current laptops? How is the technology

419 views • 38 slides

More recommend