How dual authentication could save your business

We spoke to Jon Oberheide of Duo Security about IT security, small businesses, and how two-factor authentication could save your enterprise.

Who is most at risk from cyber-attack?

I think it was Wendy Nather from 451 Research who first coined the term "security poverty line". If your budget's below a certain amount – however many millions of dollars you need to adequately secure yourself by purchasing security controls or products from security vendors – there are an enormous number of small businesses who fall below that poverty line. Unfortunately they simply can't afford to protect themselves, and small to medium enterprise is increasingly becoming the target of attack.

So are small businesses increasingly being targeted?

Attackers are motivated by the financial gains, and a sane, rational attacker will balance a number of decisions when choosing a target. It's a risk-reward trade-off. If you go after the big guys, you're more likely to hit the jackpot, but you're also more likely to get caught, and if you do get caught, you're much more likely to get hunted down and prosecuted.

If you go after the smaller businesses, you don't have as big of a pay-off, but it's a much softer target, and there are a much broader number of targets that you can go after. You can do a broad "spray-and-pray" attack rather than something that's more targeted.

How is this changing how companies think about security?

We've seen a little bit of a shift from the traditional IT budget, where you're buying your firewalls for a couple of million dollars, you're buying an intrusion prevention system (IPS), you're buying antivirus, you're buying data loss prevention (DLP) software.

We've seen a lot of the more security-savvy and sophisticated customers adopting more of a lean security practice. They're using their own tools, they're developing their own frameworks, and toolkits that make sense for their organisation. And they're actually talking about it, too – which is interesting.

And are techniques used to fight cybercrime changing too?

Things are definitely changing. Two of our customers, Facebook and Etsy, are two companies whose employees use Duo on a daily basis, to log in to all their internal systems. Right now they're actually looking at the ideology and process around the kill chain, and what points in a hacker's kill chain are most effective to disrupt.

The kill chain is all the steps that the attacker needs to take in order to carry out a successful attack. It's a military term used to describe all the steps you need to authorise an action. If you have a target in your sights, you need to get approval, and there are all these steps you have to take before you can execute that action.

Similarly, when attackers are going after your system or your company, there are a certain number of steps, whether it's reconnaissance, or exploitation or persistence, or lateral movement, credential stuff. There are all these different stages of an attack, and it's not like they're all linear, or an attacker has to perform every one - but if you look at it from that point of view, and you think about what limits an attacker's ability to carry out his attack, and what weaknesses an attacker has that you can exploit, a lot of folks are finding that very effective.

One of the common themes in any attack is credential theft, and the re-use of stolen credentials. Attackers have figured out that it's much easier to follow a user into a system than to directly attack the infrastructure and applications and servers. It's not like applications don't have vulnerabilities, but attackers have realised that users are really the soft underbelly of any enterprise.

So is human error the weakest link in the security chain?

Absolutely. There's a strong element of human error, and you can blame that on bad password choices, or phishing attacks, or all the other ways that credentials are stolen, but at the end of the day, just about 100 per cent of attacks involve stolen credentials. If you can fix that, if you can harden that, you can mitigate or at least have a better chance of mitigating a lot of these attacks.

So how does dual authentication work?

Dual authentication is often something that augments simple password-based logins. A password is a "what you know" approach, but those factors are easily given up by a user. Credentials can be extracted through phishing, or malware, or a keylogger on your system. They're very easy to capture and replay.

The solution is to have a "what you have" factor, and you can also include a "who you are" system, which is where biometrics comes in.

"What you have" has traditionally been a hardware token that you carry around, which spits out random number logins whenever you sign into an account. Each key can only be used once, so even if an attacker captures it somehow, he can't log in using it. That's been around for decades now. RSA SecurID was introduced in the 80s, and it's mind-blowing that people use that same technology today.

So how has Duo Security changed that landscape?

Duo's approach is that we wanted to take a modern approach to dual factor authentication. We've released a cloud-based authentication service, which is currently used by some of the largest financial institutions. The other thing is the adoption of mobile devices. The landscape now is dominated by mobile, with iOS and Android, and some very sophisticated mobile devices that are able to do things that are much more complicated than simply displaying a one-time password. So we have a wide variety of authentication systems.

We support hardware tokens, we support phone-based callback, so you receive a challenge call when you authenticate, and we support passwords received by SMS. But our flagship authentication method is something called Duo Push. After you type in your username and password, you simply receive a push notification on your phone, and you see the full details of your transaction or application, and it simply gives you an approve or deny button so you can approve the transaction or report fraud in real time. It's as simple as that.

It's a much more user-friendly, modern authentication process - it's also much more secure since we're leveraging the full capabilities of smartphones, and we're speaking over the data network over a mutually-authenticated channel, and not depending on any kind of telephony infrastructure or anything else.

Jon Oberheide is the cofounder and CEO of security startup Duo Security. He completed a PhD thesis at the University of Michigan, and was named one of Forbes' 30 leading young innovators in the technology space in 2012.

Duo's two-factor authentication system is available for free for businesses with up to 10 users, and the business and enterprise editions are available for $1 and $3 per user per month, respectively.