Usernames and passwords. They’ve been around a long time. They work, sorta. They work better with a password manager that helps you make strong passwords unique to each of your logins.
But usernames and passwords have many problems. You could easily watch someone type their password in a coffee shop. I was on a commercial flight not long ago, and an executive from a MAJOR bank logged into their system in the row in front of me holding their smartphone at eye level for the whole plane to see.
“2 factor” is a concept that has been around for a long time, and is much more straightforward than the marketing fluff may make it seem. The idea is to add a second method of authentication to your existing login. So in the case of a username-and-password login, that means also having to authenticate with something physical you possess, as another layer of security. Sometimes the second factor can be who you are. Your fingerprint is an example.
While not foolproof, adding more layers does make unauthorized access to your accounts more difficult.
And that’s a foundation of security: make it more expensive to steal than the information is worth.
It’s very common to see text messages used as a second factor, but we highly recommend at least an authenticator app like LastPass or Google Authenticator. If you really want to step up your game, a physical device like a Yubikey is an excellent and affordable choice.
In our research, adding hardware 2-factor authentication dramatically reduces the chance of employees being phished.
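To show what “another layer” means in practice, here is an added example (not code from the original post) of a server-side login check that requires both a password and an authenticator-app code (RFC 6238 TOTP). The demo account, its salt and the seed (the RFC 6238 test-vector seed, chosen so the codes are reproducible) are constructed for this example.

```python
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the 6-digit code an authenticator app displays."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30 s step plus/minus `window` steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * 30), code)
        for drift in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Passwords are stored only as a salted PBKDF2 hash, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed demo account. The TOTP seed is the RFC 6238 test-vector seed, used here
# only so the codes are reproducible; a real seed is random and unique per user.
DEMO_SALT = b"constructed-salt"
DEMO_TOTP_SECRET = b"12345678901234567890"
DEMO_USER = {
    "username": "exec@example.com",
    "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
    "totp_secret": DEMO_TOTP_SECRET,
}


def login(user: dict, username: str, password: str, code: str, now=None) -> bool:
    """Both factors must pass: a shoulder-surfed or phished password alone is not enough."""
    now = int(time.time()) if now is None else now
    password_ok = username == user["username"] and hmac.compare_digest(
        hash_password(password, DEMO_SALT), user["pw_hash"]
    )
    code_ok = verify_totp(user["totp_secret"], code, now)
    # Both checks run before the answer is returned, so a failure does not reveal which factor was wrong.
    return password_ok and code_ok
```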
Inside baseball (metaphor): It usually refers to a detail-oriented approach to the minutiae of a subject, which in turn requires such specific knowledge about what is being discussed that the nuances are not understood or appreciated by outsiders.
Security professionals are a detail-oriented bunch. It goes with the territory, but as the person making the financial decisions, you need to know the high-level concepts when they make the case for why you should spend more money on security.
This brings us to Red Teams and Blue Teams.
It’s pretty simple. These are the basics. There are nuances and not every strategy follows these concepts exactly.
Red Team: An external team that tries to infiltrate and phish your organization, and tests your security program. Sometimes referred to as penetration testing, but that’s a more specific set of tasks. The red team may use social engineering, network attacks, vulnerability attacks and the like to defeat your security. It’s important to note that this isn’t merely testing how strong the wall you’ve built is. Often your security is weakest inside that wall you’ve spent so much time building.
Blue Team: The (often) internal security team that defends against the Red Team, and against the real attackers. Depending on the organization, this may be a separate team from your regular security team or made up of some of those members. The primary goal is to assume you’re ALWAYS being attacked and to defend against this by refining security processes.
Remember that security doesn’t mean just building a bigger wall. Security is a process that needs constant attention and starts from the inside out.