#BeCyberSmart: I am not a robot … or a hacker. Principles of Identity Authentication
Here’s the traditional, not-so-secure way to log in to your bank account: enter your username and that familiar password you probably reuse for most of your online accounts. Then you’re in.
But, if you’re one of the 54% of consumers who, according to TeleSign, use five or fewer passwords for all of their accounts, you could create a “domino effect” that allows hackers to take down multiple accounts just by cracking one password.
The good news? There’s an easy way to better protect your accounts (which contain a lot of personal information): multi-factor authentication (MFA). MFA is a security enhancement that requires you to present two or more pieces of evidence, called factors, when logging in to an account. Each factor falls into one of three categories: something you know (like a password or PIN), something you have (like a smart card or phone), or something you are (like your fingerprint). Because the factors are independent, an attacker who steals or guesses your password still cannot log in without the second one.
#BeCyberSmart and use MFA whenever possible, especially when it comes to your most sensitive data — like your primary email, your financial accounts, and your health records. Stopping all online crime is not a realistic goal, but simple steps can massively reduce the likelihood you’ll be the next victim.
In the third of our #BeCyberSmart video series, McAfee & Taft cybersecurity and privacy attorney Joshua Snavely talks with special guest George ‘Donnie’ Hasseltine, chief security officer at Xenon Partners and chief executive officer at Packagecloud, about “authentication,” what it means, and why it is important for organizations to use. They also discuss what makes two-factor authentication (2FA) and multi-factor authentication (MFA) more effective security than the widely used username-and-password login that most internet users are familiar with.
About our guest
George ‘Donnie’ Hasseltine is a cybersecurity professional and Marine Corps combat veteran who currently serves as the chief security officer for Xenon Partners, a tech private equity firm that focuses on business-to-business Software as a Service (SaaS) companies. He also serves as chief executive officer at Packagecloud, a one-stop cloud-based service to store and distribute software packages in a reliable and scalable way.
Donnie is a retired Marine Corps officer who completed combat deployments to Kosovo, Iraq, and Afghanistan. His Marine Corps assignments included infantry, recruiting, and staff positions, including command of 1st Reconnaissance Battalion.
He currently serves as the information technology sector chief for the Bay Area Chapter of Infragard, a public-private partnership with the FBI to protect critical infrastructure. Additionally, he is a board member of the Marine Reconnaissance Foundation that works to support reconnaissance Marines and their families, and an advisor to the Athena Leadership Project that explores how gender-diverse teams shape national security.
He holds a bachelor’s degree in history from the Virginia Military Institute, a diploma in Strategic Intelligence from the Joint Military Intelligence College, a master’s degree in national security and strategic studies from the Naval War College, and an executive master’s in cybersecurity from Brown University.
Joshua Snavely: Welcome to our series on being cyber smart, as we highlight and celebrate the annual Cybersecurity Awareness Month in October. And we’re glad to have with us today Donnie Hasseltine, who’s a 22-year veteran of the Marine Corps. Thank you, Donnie, for your service. He retired as a lieutenant colonel, now serves as the chief security officer at Xenon Partners, and is also now the chief executive officer at Packagecloud. So I’ll just kick it right to you, Donnie. Tell us a little bit about your background, some of your current responsibilities, and how you dove into cybersecurity.
Donnie Hasseltine: Yeah, Josh. Thanks. I started out, as you know, as a longtime veteran of the Marine Corps, predominantly in the infantry and reconnaissance fields. So somewhat non-technical. And then when I got up to Silicon Valley, where I was stationed on my final duty station, I got very involved in the tech world and startup world and began seeing ways not only to work in the defense innovation space, but also just how the broader software ecosystem and technology ecosystem work. That got me interested in how to learn more about it. One of the ways I went about that was I went to Brown’s cybersecurity master’s program. And within that, I began kind of doing a career shift to cybersecurity.
Joshua: Donnie, would you talk a little bit about what authentication is, what it means, and why it’s important? And then tell us a little bit about two-factor and multi-factor authentication, another concept we hear all the time.
Donnie: Yeah, sure. To boil it down, authentication is just making sure that an approved person is accessing the resource, right? So if you think about your email, when you log in to your email, if you’re using Gmail as an example, Google is going through a process to ensure that you are the person who is accessing the email. The problem is, a machine can’t do that. I mean, in a perfect world, right, we would have something where it’d be in person. Like if I walked in the room and you knew you were meeting Donnie. Like, Josh, you and I know each other. No one’s gonna walk in and say they’re me. You’d be like, sorry, I get it.
But when you’re trying to boil that down to a computer being able to recognize certain things, that’s when we kind of go to the username and password, which has been around really for thousands of years: the use of passwords or countersigns in the military realm. So it just figured out a way that you can say, I know who is touching this. And from a security standpoint and log standpoint, when you’re making changes to your network, being able to go back and say, this is the person that made that change. So the non-repudiation aspect is a term you’ll sometimes hear. It’s like, you see a change, I know this person did it, and I’ve authenticated on the level that they can’t lie to me and tell me they didn’t do it. Like, I have unequivocal proof that they did it. So the most basic level, which everyone’s familiar with, is username and password. But that, as we’ve talked about, is not always secure. You can lose them, you can write them down, they can be tracked.
So how do you go to another step to validate that? And that’s where we get into multi-factor authentication. For multi-factor authentication, we’re talking about three things really: something you know, something you have, and something you are. And the general thought process is, the more factors are involved, the harder it is to fake. Because if it’s a password or a username, it’s something you know. And you might write that down and someone might steal it, or someone might crack it. But if you combine that with something you have, like a, you know, like a cell phone, then they have to have stolen your password and have possession of your phone. Now, obviously there’s versions of that we could talk about in a second.
The next piece, though, is something you are, like a fingerprint or biometric. So if I say I’ve gotta use a fingerprint on my phone with a password, now you’re really expanding things out there. So it’s very, very hard for someone to fake. And again, what you’re trying to do for most businesses, you’re just trying to raise that threshold to a level that the malicious actor moves to someone who’s easier, right? If they crack your password, they can’t get past multi-factor authentication because they don’t have your phone. They’re like, you know what, maybe I could do that. Maybe I could spoof the SMS, but it’s a lot easier for me to just move on to someone who’s easier to break into.
And I think the last piece, remember that I mentioned SMS. You know, most people, most multi-factor authentication tends to use the phone and, like, send you a text. That isn’t super secure anymore because there’s ways you can spoof that. And that’s where we’ve gotten this thing of authenticator apps, which are a little more secure, where, you know, you scan the QR code and you have a randomly generated one-time passcode that goes on there. So when you log in, you’ve got 60 seconds to have another six-digit code that would be on that authenticator app. And those are super secure because when you do it, provided you’re using a reputable thing like Google Authenticator, or Authy, or something else out there, that is changing. And it’s very, very hard for someone to fake because they not only have to get your application and get your phone, but they also have to understand the seed to fake it. It makes it a lot more challenging.
So when you add something like a biometric fingerprint, a username and password, and an authenticator app all together, that really makes it fairly secure for almost anybody out there. And that’s my biggest advice I’d have. Get long, complex passwords, don’t click links, and use multi-factor authentication. That will knock out 80 to 85% of the people that might be coming after you and your business.
Captioning/transcript provided by Rev.