Hi, I'd like to take you on a journey and explain how LastPass is embracing the passwordless future. But before I do that, I want to make it as relevant as possible how important it is that everyone embraces the passwordless future. My name is Pedro Martins. I'm a lead solution architect for LastPass. I have over 20 years of experience in security, and I've been working with LastPass for over seven years. There are essentially three questions that I would like to answer today. When we look at cybersecurity and at threat actors, does your CV really matter?
That is one of the questions I would like to answer, from the perspective of both the attackers and the defenders. The second question I would like to answer is: do millions in security investments matter?
And last but not least, has the latest technology made us any safer? Before I answer the first question, I would like to take you on a journey back in history, to 1996. For those of you who were alive and watching movies back then, the first movie I would like to talk about is Space Jam. It was released in 1996.
It was about a basketball player helping some cartoons play a game against aliens to save the future of Earth. I think we can all identify a little with fighting aliens, because we really don't understand or realize the threats that are on the other side, or who we are fighting. All we can do, like the cartoons did, is our best.
The second movie is Trainspotting. It was also released in 1996, and it was one of my favorite movies.
I always like to frame it in the context of cybersecurity, because in Trainspotting there's a group of friends, there's mischief, there's friends stealing from friends, there's the illusion.
The way I relate it to cybersecurity is that there's all the mischief, and the people that are closest to you might be the people that ultimately use your logins or your details for something nefarious. And last but not least, Mission Impossible, the first and original Tom Cruise movie. We can all feel a little like Tom Cruise when we're fighting threat actors nowadays. Ultimately we want to make everyone secure, but we can all admit that that mission is impossible.
It was also in 1996, 20 years ago today, that a nerdy little kid launched one of the first phishing campaigns that I've seen via email in Portugal, against one of the ISPs at the time.
The intent of that nerdy little kid was to get the passwords and logins that people were using to access the internet. Back then you dialed in to the internet using what we call a dial-up modem, the one that makes all those strange sounds, and you paid by the minute: not only for the phone line, but also for the minutes of internet access.
Because this nerdy little kid really liked online gaming, what he wanted was usernames and passwords to access the internet, for himself and to share with the community, so that they could be gaming basically 24 hours nonstop without having to pay for it. He felt a little bit like Robin Hood, because he used the accounts that had too many minutes. But as you can imagine, this was very relevant to the ISP, the internet service provider.
They warned the users of the phishing attempt and the phishing attack, and ultimately he was discovered too.
When you think about an attack, a phishing campaign, there are a few basics that you need to consider, or rather that the threat actors consider when they're launching this kind of attack. They usually use publicly available information for targeting. They go to LinkedIn, to Facebook, to any other social media, or even to Google or the company website, and they gather intel about the company they're going to attack.
They usually use publicly available information for initial targeting if they don't already have a known database of that company.
They also use an incident to create a sense of urgency. When you get a phishing campaign or a spear phishing attack, there's usually something that creates that sense of urgency: either a transfer that needs to be completed, or you will lose access to your account.
Or, in the case of the latest cryptocurrency scams, you have received 1000 Bitcoins and you need to log in to unlock those bitcoins. That is what creates the sense of urgency. Then there's a call to action. As I said before, you either have to log in, or take an action, or press a button, or call a number, or reply to a text: something the user needs to do to validate information. They use that call to action to validate the information.
So you think you're logging into PayPal, but you're not; you're actually logging in to a cloned site. And they do this almost automatically. In the old days they used to gather the credentials and then validate them. Nowadays these methods validate the information straight away, to make sure the user is inputting the right information, and if not, to give feedback to the user: "you input the wrong password", for example. And then there's the exfiltration of the data. That can happen immediately or it can happen over time.
It really depends on the type of attack. But that's ultimately what threat actors want with this kind of attack: to exfiltrate some kind of data, or to get some kind of monetary compensation straight away, or something along those lines.
So if you look at a 16-year-old kid in 1996, does the CV really matter? That nerdy kid could gather a couple of email addresses and send phishing emails to users without any technical expertise. And even the phishing attacks that we see today are quite basic.
They don't really need any great level of expertise to carry out this attack. So the CV doesn't really matter. What matters is having the available information, creating the sense of urgency, and having a little bit of social engineering skill. Obviously that's always an advantage, but the CV doesn't really matter. Do the millions in security investments matter? That's the next question.
And also, has the latest technology made us any safer?
This is just an uptrending curve. We can all say that in the nineties there would be one of these cybersecurity attacks a year, or one every six months. Now it's basically two or three every week: cybersecurity attacks, data breaches, security incidents that are constantly being reported in the media. And there are a lot more that are not reported, because they're not relevant or it's a small company.
It's not even relevant enough to be reported, but there are a lot more attacks today than there ever were.
You would think that in the technology sector, ourselves included, there wouldn't be such frequent intrusions. But the truth is that it is number one: 21.6% of technology companies suffer some kind of intrusion, followed obviously by financial and healthcare, because of the data that they hold and the damage that can be done with that kind of data.
But there's a big gap there for technology. So has technology really made us any safer?
Yes, I believe so. I believe it has closed some attack vectors, but ultimately the millions that we invest in technology are not making us any safer.
Here you have some details on the average cost of a data breach. You all see these metrics flying around the internet; it is at an all-time high in 2023 and keeps rising in 2024, because of the data regulations, the amount of data that people hold, and also the damage that it does to their reputation and to the brand.
Nowadays everything is very visible, and 51% of organizations are planning to increase security investments as a result of a breach. That's what happens after a security incident: usually companies invest more in security.
The key point here is that people and passwords are an expanding entry point for what we call the compromised credential crisis, and it's still the number one threat: credentials, usernames and logins.
If you go back to the story that I told you at the beginning about the phishing attack, the nerdy kid's main intent was really to get usernames and passwords. It is still the same. The compromised credential crisis is still the number one threat. 80% of data breaches are the result of compromised login credentials. And we have had two very high-profile security incidents lately that really show that credentials are still the main concern and the main entry point for threat actors.
Password safety really sits in the hands of employees, and of people in general. Nine out of ten know they have a password problem. 51% of people rely on memory to remember passwords, and I don't have to tell you why that's a bad idea, because our memory is not the best resource for storing a multitude of alphanumeric passwords. If you are capable of doing so, well done, but guess what? Your password is only safe until you store it and until you use it somewhere. A secret is only a secret when one person knows it.
When two people or two resources know it, it is no longer a secret. And two out of three reuse passwords over and over, because we all go through the same experience: when we are at work and we choose a very good Azure or Active Directory password, we end up reusing that password in our personal lives because we think that's a good idea. Ultimately, this human behavior leads to risk.
Poor habits are all too common everywhere. There's a lack of password protection, and poor password hygiene linked to complexity, because people need to remember their passwords.
There's a lack of password protection across all devices. There needs to be a certain level of portability between devices. You save a password in the Google password manager, then you save it on your phone, and you save it in Keychain. So there's really a lack of password protection across all devices, unless you save it over and over again, of course. And then sharing sensitive information in texts and emails is still happening. People share passwords in Slack, in emails, in WhatsApp, and everywhere.
So there needs to be a secure way of sharing passwords with others, both internally and externally.
This requires a shift to what we call pervasive passwordless protection, and passwordless in practice, because do we believe that passwords are going to go away from one day to the next?
No, we don't believe that. But there needs to be a shift into passwordless protection. Organizations are increasingly investing money and resources, and we see more and more systems supporting passkeys. There's a shift, and there's pressure from the FIDO Alliance as well to move to passwordless. I think we are at a point in history where we have the technology to make that shift. It's at our fingertips, in our pockets, with our phones and mobile devices that support this kind of technology.
So I think we are at a turning point in history where we can actually start getting rid of passwords.
And I think there are five steps to passwordless. It needs to be easy to adopt, it needs to be integrated, it needs to be user focused. A tool is only valid while it's being used by the users; there's no point in investing millions of dollars in a security tool that is then not used. There needs to be measurement, so that you can justify the investment, and there needs to be visibility, so that you know where to focus.
So how does it work in the LastPass world? We provide a convenient experience to the users: it needs to be convenient and easy to access. And we also provide visibility to the admins. That can be integrated with a SIEM solution or with your current processes, so that it doesn't add any overhead to your IT and admin management.
And you need to score and measure, because the way that you score and measure over time will dictate whether the implementation of the password manager and the change of password policies are successful or not. So why LastPass for pervasive passwordless protection? Because it's built for business, really.
It's a solution that's been built for business and is used by over a hundred thousand businesses worldwide and millions of users. It's embraced by IT; it's a tool that IT is usually very comfortable with, and it's embraced by IT also because it reduces the repetitive task of doing password resets, and removes the worry about Excel sheets stored somewhere with passwords and logins. And it's really loved by our users and by your users.
Don't take my word for it: go online, we have a lot of references on our website that show and demonstrate the words that we get from users.
Ultimately, I hope this recording was useful for you to understand why we need to make the shift to passwordless, and why LastPass is investing so much in password management.
LastPass is investing so much in passwordless because, if I can leave you with one core message, it is that we need to get rid of passwords today, and you should adopt password managers to allow you to make that transition, and hopefully you'll choose LastPass. Thank you for your time, and I appreciate your attention today.