Passwords Don't Work; Multifactor Controls Do!
Restricting, Authenticating, Tracking User Access? Time Is Not On Our Side!
Page 1 of 6
The 2015 worst password list was published recently(1). The list is only one confirmation
that leaving password controls to the end user is not secure. Verizon’s 2015
Data Breach Investigations Report(2) revealed that most breaches resulted from
harvested credentials. And recently, a former executive for the Cardinals pleaded
guilty to accessing the Astros’ player database and email system(3). He gained access
by learning the account and password from an employee who turned in their laptop.
This type of breach has become much too commonplace.
If you haven’t already, it’s time to take action and migrate to multifactor authentication.
There is a sound ROI for the investment, and VIMRO is extremely committed
to helping our clients migrate to multifactor authentication in 2016!
Why Passwords Don’t Work
There is no shortage of case studies presenting a strong argument and confirmed ROI
for moving to multifactor controls. Here are a few examples:
• In addition to the Verizon 2015 Data Breach Investigations Report we referenced
above, Wired published an article about the breaches of 2015(4). Most of the year’s
largest hacks involved weak authentication. Multifactor controls would drastically
reduce or eliminate this threat. (see reference #6)
• When the VIMRO Cyber Security Team conducts penetration tests, we almost
always gain access to our clients’ systems via captured credentials. There are so
many attack vectors to obtain passwords! Multifactor controls would considerably
reduce or eradicate the following vulnerabilities:
  o Through social engineering, in which a workforce member sends us their passwords, tells us their passwords, or enters their passwords into a simulated cybercriminal fake web site; or
  o By intercepting them when conducting man-in-the-middle attacks (in which an attacker secretly relays, often altering, the communication between two parties who believe they are directly communicating with each other); or
  o By gaining access to the password database/file when breaching a weakly configured or patched system, and then cracking the records with a password-cracking application, such as L0phtCrack, Ophcrack, RainbowCrack, Cain and Abel, John the Ripper, etc.
12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191
Passwords Don’t Work: Multifactor Controls Are the Answer
Learn how to demonstrate ROI: there is a sound ROI for the investment of multifactor controls.