Thank you very much for having me here. I think I look pretty much like on the picture there. So today I want to talk about two topics. The first topic is that we are living in a world where the old security paradigms are no longer valid. So the paradigm of the defender and the castle, where we are trying to build high walls and protect our identities and protect our assets, this paradigm is failing. We see hacks of the NSA, we see hacks of Facebook, Google, whatever we have seen. And so we have to shift our way of thinking from "we can't be hacked" to "we have to assume that we are hacked every day."
Every time we stay under the old paradigm it will cause us a lot of problems. And why is that?
Because we live today in an interconnected world; you have your systems connected to cloud services.
You have people working as outsourcers, you have your data in different data centers, you have consultants working at your company. So you can't assume that the system is safe, because the attackers may be checking your systems through your windows or through your suppliers. So we really need to shift our thinking into an assume-breach model, where we assume that everything can be hacked.
So I'm not saying that we should stop defending ourselves with firewalls and that stuff, but I'm saying that we have to use a, yeah, more, let's say full approach. There is a NIST framework, the Cybersecurity Framework. It's a very good framework. In my opinion, it has some angles. Like you have to defend yourself, but more importantly, you have to be able to detect attackers. So you have kind of detecting mechanisms. And if you are able to detect the attackers, then you have to react.
So it will not help you if you are able to detect an attacker and are not reacting to it.
And the fourth pillar would be that you have some recovery abilities, because if an attack happened to your systems, you maybe detected them, then you started reacting to it. You have to come to a way where you assume that your systems are safe. So you have a kind of safe recovery. Because if you imagine you have an attacker in your systems for half a year, and that's the average that we have today till people are detecting attackers, then you don't know what the attacker has done with your data.
Has he altered that, and all that stuff.
So identity and access management, just to have a proper definition here: what do I mean with it?
I mean with it identity management, which means giving people a kind of identity; I mean with it authentication, so making sure that people only can be themselves and not someone else; and authorization, meaning giving people the right access to the right assets. That's at least my definition of IAM, and for me it's processes, governance and technology. It's not technology alone, like we are doing it very often in IT.
So in IT, as well as in security, we often think that technology is solving our problems. If we keep that understanding, we are only buying technology, but we are not solving our real problems. So really you have to think about your processes and governance as well.
So to start with the password topic, which unfortunately is a topic that is, yeah, giving us headaches since 20 years.
If you think about your password or your passwords that you have, most people use the same password on five to 15 systems; that's at least the average.
If you think about your password now, and let's assume it's an eight-character password, and probably some of you still will be using eight-digit passwords or eight-character passwords: does your password contain an uppercase, four lowercase, two digits? Uppercase, five lowercase, two digits? Uppercase, three lowercase, four digits? And if not, combine that with an exclamation mark at the end. How many of you are finding themselves there?
One is saying he doesn't know if he finds himself. So on average, half of you should have at least one password that would match that pattern.
And the reason for that is we all are assuming we have this kind of awesome algorithm in our head for how we are creating passwords. Yeah, they are smiling. Yeah.
We all work on human brain 1.0, that's the problem. And so every one of us thinks he has a clever way of how he is generating passwords. But at the end, the patterns that result are most likely to be one of those. And the problem with that: if we only imagine a space of eight-character-long passwords, then the real possibilities to generate an eight-character-long password is 7.7 ions.
That's a number with 64 zeros, just to have an imagination. And we are reducing that space towards a number of hundreds of millions. So that's one problem.
And that's the explanation why brute force attacks on passwords are so easy. So if we do that as a little exercise: let's imagine you are the attacker and you can hack passwords with a brute forcing mechanism, or you write your own password stuff, whatever you do, and you only have 10 tries per account. 10 tries, because some of the companies are using 10 tries as a kind of rate limit mechanism. So let's assume you have 10 tries to attack an account. How many accounts will you get? Rough estimation?
You can't be wrong. So you get 1% with 10 tries. On average, you get 1% of all accounts that the company has. And 1% doesn't seem to be that high. But if you imagine you have a corporation with 10,000 users in it, 50,000 users, you get 1000 accounts.
And within these 1000 accounts, there probably will be a sales guy, so you get access to their CRM. There probably will be an admin, so you get administrative access. Probably there is a researcher, so you get access to their research data. So that really is a problem. And if you combine that with research of the Chinese, so the Chinese developed a really awesome tool. It's called TarGuess, and TarGuess is a tool that's not for general brute forcing, it's for targeted attacks. So I want to attack him.
So I give his name into the tool and the tool works through Twitter, Instagram, Facebook, LinkedIn, whatever exists, and will generate a dictionary that is tied to him. And with that, they are increasing the possibilities to brute force your account to 73%,
73% to compromise a user account. And if he is a security guy, the likelihood still is 34%. And the cool thing about hacking people via their password is you are evading any security technology, because you are coming in with a valid user, with a valid password. So you are evading intrusion detection systems.
You are evading anything that exists. And that's really, really cool. And that's the reason why hacking with passwords is becoming so popular, because you evade anything that exists. So just to give you an imagination: if people got hacked, that's bad, we all know that. So it costs you money, it costs you reputation and all that stuff. But the really interesting factor is not about how much it costs you, because maybe it costs you real money, maybe it doesn't cost you anything.
The interesting part is that your competitors are able to buy user accounts to your system with really little money. So on average, they are paying $8 per user account. So imagine you have this really nice company and you have all your security systems that are pretty much useless if you don't do proper patch management and all that stuff that IT is telling that they are doing. But in reality, they are patching every three months and all that stuff.
So people are getting access to your systems with $8 on average, and yeah, you are spending thousands of euros to acquire customers. And so you really should think about how you can ensure that you are not paying $2,000 per customer while your competition is buying them with $8 per account. So that's pretty much what I want to say about this slide. So there's a solution for the password dilemma since years; it's called two-factor authentication. So it's nothing new, but the problem is that it's not really being adopted so fast.
And the reason for that is people are still thinking: this is two-factor authentication, it's all about these hardware tokens which I forget at home, and all that stuff.
Yeah. But in reality, that's not the case. So there are still hardware tokens, and they still have their, let's say, valid proof point where you need them, because hardware tokens are the most secure kind of tokens. But in reality, there exist a lot of other kinds of tokens which you can use.
And so Google Authenticator is one example of how smartphone technology or smartphones have made it very easy to carry the token with you. So there are different tokens for different scenarios, and modern systems, like the system we have, or probably anyone else's, allow you to combine tokens, and not only use these tokens to protect yourself; you can use them to protect your customers. So in these days where cloud applications are so common, you should use them to protect your customers as well, because you don't want someone messing with your customer data.
And especially with push tokens, where you only get a notification saying "yes, I want to log in", that's really no longer a case where people have a kind of usability problem, because they get a notification on their smartphone saying "Hey, Emil, you want to log into Salesforce? Yes or no?" And you click on yes, that's it, done. So there exist different tokens for different scenarios which you can use and combine. I'm not saying that you should use two-factor authentication on every system. So probably that's a way to secure your account.
But at least for the accounts where you say there are sensitive data or data that really hurts me, you should use it, because it's no longer costing anything, and it's no longer the kind of usability problem that you get. So in my opinion, the password problem is solved. We are still too lazy to do it on a broad scale, but a lot of customers or companies have shifted toward it. So Google or Facebook, they are all using two-factor authentication for their own employees, and Google, for example, they were able to reduce phishing attacks to 0%. It's no longer workable. Why?
Because if an attacker was able to phish someone at Google, he has still not managed to steal the hardware token that they are using. They are using kind of USB dongles. And without them, you can't do anything.
Audience: Could you comment about the difference between them? I see that you assigned low security to SMS authentication, but high security to the QR, to the
Yeah.
Audience: And why is that?
SMS is a broken technology. So even NIST, for example, is no longer recommending it. In Germany SMS is still okay; in the US it's hacked.
So the encryption that they are using on the SMS protocol is, let's say, very weak, and you can kind of spoof a cell tower, and then the phones are logging into your cell tower and you see the SMSs. It's still a good thing for mass enrollment, because people maybe do not have smartphones, for example, and you only have their phone number; they don't have to install anything. The QR token separates the device. So since you have to scan something, you need two devices. So it's a kind of device separation mechanism, and there are some QR tokens,
so I here only can talk about ours, that are using public-private key encryption. So they are displaying something in the QR code, but that's kind of encrypted with the public key of the smartphone. So that's decrypted then locally. So anyhow, passwords, in my opinion, are solved with this kind of two-factor authentication, and with the rise of biometric systems, face recognition and all that stuff, we are maybe able in the future to turn them really away.
So we will use a kind of face recognition in combination with something we own, a kind of USB dongle or smartphone or anything else, which leads us to the next big problem that we see:
the problem of granting users the right rights. And who knows what that is? That's a bridge in Scotland. It was the first, let's say, railway bridge which trains were crossing. It was a kind of one-track railway. So one train is going this direction and then another train goes. So it was 1879, and it was the first bridge that was damaged due to bad weather conditions. It was stormy, and a train was crossing.
And since the train was so wide and the storm was coming, the bridge collapsed and about 80 people died, and it was the first and only bridge that ever got destroyed because of weather conditions. And the thing is, in the physical world, we are applying safety measures.
We have this kind of regulation. I haven't seen any bridge that collapsed due to weather conditions since then, but in IT we are doing the same insanity year over year, and we are praying for technology to solve our problems. That's what we are doing.
And if we take a look at big corporations, and I know that because I have conducted a lot of audits when I was CSO back in my last company, and I had the big lecture at the university for computer forensics and hacking, so we have taken a look at a lot of stuff: most big corporates, I'm not saying all, but a lot of them, are using technology as a kind of justification that they're doing what they are doing. And the real effectiveness of the security solutions that are in place is zero. They are using them to transfer electric power into heat.
That's the kind of stuff they are doing, because they have IDS systems which nobody's looking at, because they are generating too many alarms. They have huge firewalls which are ineffective because, yeah, we need this any-to-any rule for stuff to work. And we are doing all that stuff of: we are not patching, we are only applying patches that we know we need. Who is only applying patches that he needs?
Okay, no one. Awesome. Applying only the patches that you need: the answer is you need them all. First of all, you don't know what is in the patch.
There are a lot of silent patches where the manufacturer of the software is fixing security bugs that he discovered or that were not publicly disclosed. And the second thing is, the manufacturer is assuming in his testing that you have applied the previous patches. So the likelihood for a patch to crash is much higher if you are not on the related version. But anyhow, not patching means you have a general hole in your system. So if we take the example of, let's say, Drupal, this kind of content management system like WordPress: in 2015, they announced in a press release:
"Hey guys, sorry, we have here a security issue. If you have not applied the security patch within eight hours, please throw your system away."
"And by the way, if you're logging in and you see that your system is patched and you weren't the guy that patched the system, please throw your system away as well." Why was that?
Because within eight hours, the people were able to roll out a bot, a kind of worm, that infected every Drupal system on the internet and compromised it. And that was back in 2015. A friend of mine is a professor at a security university, and they are able to scan the whole IPv4 address space within four minutes. Within four minutes, you scan every IPv4 address.
And if you combine that with databases, they know very well in each moment which systems on the internet are affected by a vulnerability, which means if you only patch your systems once a month or once a quarter, you have this big hole in your IT infrastructure, and these web application firewalls that you have and your IPS systems and all that stuff will not help you at all, because evading them is not so difficult as you might think it is. And so all people got hacked.
That's the only thing that the slide is saying, and most of them got hacked because either they are not using proper security on their accounts, and passwords are the reason number one
why corporates get hacked, so according to the Verizon Data Breach Report it's 81%, or because they were not applying the latest patches. So it's very easy. And if we were kind of bridges or elevators or anything like that, regulation already would have forbidden that. So every company then would patch within a day or stuff like that. But unfortunately that's not the situation.
Today hackers no longer hack because it makes fun or they want to prove something. No, they're hacking because it's a kind of economy. People are making money by hacking systems; that's easy. And worldwide cyber crime has exceeded the worldwide drug market in 2008 or 2010. So with cyber crime, people were making more money than the worldwide drug market, and most of the time they don't get caught. So it's economics. So we will see a lot more hacks in the future.
And so what we see is, if you apply two-factor authentication and if you patch your systems, probably then you have done a lot. So the next challenge
would be then giving people the right access rights, because your trainee is going from one department to another department and getting access rights, and nobody is taking them away. If you are a big corporation with many assets, people are not knowing why people are having which access rights, what they are doing.
I come, I join as a developer. I say: hey, I need his access rights. And maybe he has 15,000 special rights. So I get them, well. And then he's coming and saying: yeah, I need to work with Emir, I need the same rights. And so he's getting my rights and his rights, and nobody is knowing what is happening. So in my opinion, identity and access management is the next big challenge that we will have, and good identity and access management for me is a kind of thing that helps and supports the business in reducing risk and compliance issues.
But the more important stuff is: it should enable business. It should decrease the problems that we have with technology, providing people with the necessary skills and the necessary rights they need, and it should be cost efficient. So it shouldn't be that high. What we see today is the same we are seeing in security: people are buying technology and hoping that it will solve their problems. So people haven't solved the basics, so they're not able to walk and they are trying to run.
And this results in huge processes which nobody understands; nobody knows why a person has an access right. So you have this Active Directory group with 50,000 people in it, and nobody knows why this person is in that group. Provisioning and deprovisioning of user accesses often is not automated or only partially automated. You have multiple sources of truth,
meaning people are in Active Directory, people are in SAP, people are in identity management and all that stuff, leading to low compliance. That's important for the regulated sector like the finance sector: high risks.
But the more important thing is people are using shadow IT. They're using systems that your IT department does not have under control, because granting access rights is too complicated or it's taking too long, and it's leading to high costs. So we have seen that corporates are using 50 to 150 people only in the domain of identity and access management. So typical examples are: one role in your IAM consists of 50 IT roles; access requests can take one year; the re-certification issue that you have in finance sectors is reduced to "Do I know this guy? Yes, I know this guy. Okay."
Then the rights hopefully would be right. If you change any IT technology, like switching from SharePoint to Confluence, you have to remodel the IT roles. That's a problem. Toxic combinations can't really be forbidden across the application portfolio.
And so we found out in three years of research that the problem is really that the model that we are using to describe why people have access is wrong. So the kind of stuff how we do access management is wrong, because the model is wrong. We are only changing the tool from Excel to vendor B and C.
And the problem is the way how we model why a user has an access right really is wrong. And if you change the model, how you describe why a user has access rights, it becomes a very easy task. So it's really about finding the right model, and then all the problems are no longer increasing exponentially, because today, if you increase people, increase IT assets or all that stuff, your IAM complexity is increasing in an exponential way. But with a different kind of model, a different kind of thought model, you solve that problem.
And since I'm running out of time, whoever is really interested in how that can work and is working can have a talk later. So, good IAM will increase your transparency; you have the rationale why a person has access rights embedded in the model itself. It increases scalability, it increases flexibility, automation and all that stuff. So don't lie to yourself: fix the root cause of all your issues. Patch your critical systems, use central log management, use user access governance solutions and use MFA solutions. And then you normally should be very protected.
So thank you very much for your attention, and I wish you a pleasant journey here, a good conference, a good time.
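Added example (not part of the talk, and not the speaker's or his company's code): the "10 tries per account across the whole user base" attack described in the talk stays under every per-account lockout counter, and the one login that succeeds looks valid to an IDS, which is exactly why the speaker says password attacks evade existing controls. The detection that does catch it looks per source, not per account. The script below builds a constructed authentication log (the log format, IP addresses and usernames are all invented for the example) and contrasts a per-account lockout counter with a per-source spray detector that also lists which accounts were actually compromised.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic, not from the talk).
# Format per line: "<timestamp> <source-ip> <username> <OK|FAIL>".
# Source 203.0.113.7 is the spray: two guesses against each of 25 accounts, far below
# a 10-tries-per-account lockout, and the second guess happens to be right for user17.
# Source 198.51.100.5 is an ordinary user who mistypes twice and then logs in.
def build_sample_log():
    lines = []
    t = datetime(2024, 3, 1, 8, 0, 0)
    for i in range(25):
        user = f"user{i:02d}"
        for attempt in range(2):
            t += timedelta(seconds=3)
            result = "OK" if (user == "user17" and attempt == 1) else "FAIL"
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 {user} {result}")
    for result in ("FAIL", "FAIL", "OK"):
        t += timedelta(seconds=20)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.5 alice {result}")
    return lines

SAMPLE_LOG = build_sample_log()

def parse_line(line):
    """Split one log line into (timestamp, source, user, result)."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result

def lockout_candidates(lines, threshold=10):
    """The per-account counter most lockout policies use: accounts with at least
    `threshold` failures. A spray that stays under the threshold never shows up here."""
    fails = defaultdict(int)
    for _, _, user, result in map(parse_line, lines):
        if result == "FAIL":
            fails[user] += 1
    return {user for user, n in fails.items() if n >= threshold}

def detect_spray(lines, window=timedelta(minutes=30), min_accounts=10):
    """Per-source view: flag a source that fails against at least `min_accounts`
    distinct accounts inside any sliding `window`, and list the accounts that later
    succeeded from that same source (those logins look perfectly valid on their own)."""
    by_src = defaultdict(list)
    for ev in sorted(map(parse_line, lines)):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        best = 0
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            failed = {u for _, _, u, r in evs[start:end + 1] if r == "FAIL"}
            best = max(best, len(failed))
        if best >= min_accounts:
            failed_any = {u for _, _, u, r in evs if r == "FAIL"}
            compromised = sorted({u for _, _, u, r in evs if r == "OK" and u in failed_any})
            alerts[src] = {"accounts": best, "compromised": compromised}
    return alerts

if __name__ == "__main__":
    print("accounts hitting the 10-try lockout:", lockout_candidates(SAMPLE_LOG) or "none")
    print("spray sources:", detect_spray(SAMPLE_LOG))
```

On the constructed log the lockout counter returns nothing, because no account ever sees more than two failures, while the per-source detector flags 203.0.113.7 with 25 distinct failed accounts and reports user17 as the account whose later successful login should be treated as compromised. The design choice is the pivot: counting distinct accounts per source (and per window) is what turns a set of individually harmless events into the signal, and it is also why the talk's advice to use central log management matters, since the per-source view only exists when all systems' authentication events land in one place.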