Friday, November 18, 2022

Multifactor Authentication: An Overview

In recent years, the vast majority of breaches leading to identity loss have occurred where a password alone was used to protect resources.  This happened because, as computing power increased, the ability to guess, test, and exploit weak passwords improved exponentially.  In addition, the sophistication of human-based attacks (known as social engineering) has increased.  These two factors have seriously damaged the ability of a password to protect your resources.

Multifactor Authentication (MFA) provides a mitigation to the flaws in password authentication.  MFA uses two of three independent factors to authenticate an identity.  The three factors are:

1. Something You Know – This is the role of the traditional password or PIN.  It is a key known only to you, and it provides part of your identity verification.

2. Something You Have – This might be a Hard or Soft Token, a Cell Phone, a Smart Card, or a one-time use list.  A certificate, sequence number, or connection (physical or logical) provides proof that you are in possession of this factor.

3. Something You Are – A biometric that identifies you uniquely; which one is used depends on the level of security required.  This can be a fingerprint, retinal scan, facial scan, hand print, or even a blood test.

The process of MFA is pretty straightforward.  You are prompted for two of the factors, and your access is permitted or rejected based on the response.

The models for establishing MFA in an environment range from a subscription model, operated by a third party, to a fully internal model, using strictly local resources. 

Why use multifactor authentication?  On the most basic level, it greatly improves your security posture.  A password that has been shared, stolen, or brute forced is no longer sufficient on its own.  The second factor is either complex in its operation, or changes so frequently, that capturing its traffic is of no value, and the token can be invalidated quickly in the event of a compromise.  In short, the use of MFA avoids the primary risks of using a password alone.

Where can MFA be used?  Most computer systems can use MFA.  At the operating system level, it can be integrated for desktop and domain login.  Above that, it can be integrated either as part of a single sign-on environment or directly within individual applications.  In addition, many off-the-shelf software vendors provide the ability to configure MFA to enhance security.

Following an established process, a reliable vendor can provide the products and services necessary to establish an MFA infrastructure:

· Analysis and Design, including the gathering of requirements

· Software and Hardware acquisition

· Technical integration services

· Operational services

· Training and education

· Review, Audit and Evaluation

Frequently Asked Questions

Why the shift away from passwords?

The improvement in the technology used to “crack” passwords, along with the continued use of common passwords and dictionary words, has made the breaking of password-based systems much easier.  MFA has been in use since the 1980s, when it was used for secure remote access.  It is an established technology that mitigates the threat of passwords being breached.

What are Tokens?

Tokens can take several forms.  “Hard” tokens are Smart Cards and time- or event-based keys (like an RSA fob or a YubiKey).  These are considered the strongest tokens, since they do not require software to be installed on an external device.  “Soft” tokens include portable digital certificates, software time- and event-based applications (like Google Authenticator), and network-dependent authentication methods (like out-of-band email and SMS).  A third class, the “Push” token (like those used by Duo), is also a strong authentication method.

Do I have to have a strong password?

Yes, but one of the benefits of using multifactor is that the password does not need to be as complex, nor does it need to be changed as often.

Can I mix methods of MFA in my shop?

It depends on the solution chosen.  Tools like Duo, RSA and the open-source tool OpenOTP can accommodate multiple token types.  Many other commercial or open-source MFA systems allow a backup method, in the event a primary key is lost.

What if I lose my token?

Most commercial MFA systems have a central override key in the event that a key is lost or left at home.  Many open-source and private systems can be configured to have an alternate key.  It is possible to get yourself locked out of a system if it is incorrectly configured.

Is it difficult to install and configure MFA?

Most modern software accommodates the use of MFA.  For example, Microsoft AD can be configured to require MFA, and any application using AD for authentication will, in turn, require multifactor authentication.

Can I use MFA in conjunction with Single Sign-On?

Yes!  MFA can be integrated with your identity provider.  Once you receive your validated identity token from your single sign-on system, your identity travels with the strength of being validated by MFA.

Is using a second password, a token number or a biometric alone sufficient?

No.  In all of these cases you are using only one factor, and are significantly more subject to compromise.  In the first case, two passwords are subject to the same threat as a single password.  In the second and third cases, the theft of the device or the loss of control of a biometric profile renders the protected resource vulnerable.

Why do you not recommend biometrics in secure situations?

For two reasons.  First, if the underlying data for a biometric profile is compromised, it cannot be changed (you cannot change your fingerprints).  Second, to obtain secured information, criminals may resort to extreme measures to obtain the biometric itself.  It is an important rule that you should “never put anything around your neck that is more valuable than your neck.”

Monday, December 2, 2019


Chief Information Security Officer as a Service


Whether you are a company seeking to augment your current Information Security function, or you are looking to build an Information Security organization from scratch, the Contract Chief Information Security Officer (CISO) is an option that provides the necessary expertise and structure.  Designed to supplement current information security activities, provide security leadership, and implement architectural structure, the CISO arrives with a full set of tools to perform the task, without the commitment of creating a full-time position.  In fact, the position of CISO can be satisfied by a part-time contract subject matter expert, backed by a team of specialists, to provide a comprehensive security program.

Compliance

One of the immediate needs of any organization is to validate its compliance with the identified rules, regulations and practices mandated by its specific industry or regulatory body.  The contract CISO can provide policy and standards services that are customized to the requirements of the organization.  Ranging from acceptable use to information classification, every organization needs to have its information security policy in place.

Business Continuity

Years in business teach us that the unexpected is going to happen.  The contract CISO can initiate, coordinate, document and test the whole scope of Business Continuity, from Continuity of Operations to Disaster Recovery.  These essential processes are often overlooked, but left unconsidered, they can have a devastating impact on your organization.  The service provides subject matter experts at every phase of the Business Continuity process to enable a smooth, documented, and practiced transition in difficult situations.

Security Education

Most people will do the right thing, once they know what the right thing is.  The contract CISO can provide information security education services, by live or online instruction.  Both general security training and industry-specific education are available through the CISO team.  Annual security training, event-specific training, and specialized information handling training are all available.

Security Analysis

In information technology, what you don’t know can hurt you!  The contract CISO can design, implement and analyze vulnerability testing, as well as regular scanning and monitoring.  This can be carried forward into risk analysis, penetration testing, phishing scans, and other tests; both internal and external.  The CISO can then make use of this information to recommend infrastructure, process, training, or policy changes.

Audit Response

Depending on the industry and regulatory environment, audit findings are an inevitable part of doing business.  The CISO can craft responses to auditors, establish plans of action and milestones (POAM), and develop mitigation plans to satisfy findings.  Audit pre-work is used to prevent “finding surprises” and minimize the impact of findings on the organization.

Business Processes and Architecture

Information that is well managed is easier to secure.  The extensive experience of the contract CISO and the team of experts can provide assistance in Change and Problem Management, Design Review, and Software Standards.  Other business functions can be included where the appropriate expertise is available.  Processes for equipment issuance and inventory, software control, and privilege management are within the scope of service.  These can be applied in both the tactical and the strategic planning phases.

Executive Training

In time, many organizations will benefit from their own CISO and local Information Security Officers.  The contract CISO team will train permanent staff to satisfy the requirements of the organization for Information Security.

General “Traditional” Information Security

The team approach to the contract CISO provides opportunities for the evaluation, implementation and operation of traditional security controls, including:
· Firewalls
· Host security software
· Identity Management
· Network segmentation
· Anti-virus
· Defense in Depth implementations
· IDS/IPS
This is just a brief list of the tools that can be brought to bear by the CISO.

Process of Acquisition

Every organization has unique needs, but common practices include the establishment of a policy base, training and analysis.  The presence of an experienced and certified CISO helps to speed and improve the implementation of a security program.  To this end, the CISO service can be purchased by the hour (minimum 40 hours) or for up to 5 years.  Work can be performed on-site or remotely, depending on the organization's needs and culture.
This purchasing model enables a business to purchase as much or as little CISO time as it needs, from as little as 4 hours a week to full time.

Defining Trust

The casual use of the word trust creates challenges of understanding when trying to create a federated environment.  For the purpose of this document it is necessary to strictly define trust.  Trust is a mutual understanding consisting of three parts:
1. A defined and scoped behavior that is mutually understood and measurable,
2. A means by which both parties can verify the performance of the behavior, and
3. Defined consequences for failure to perform the behavior in accordance with the previously established metrics.
These simple parameters define how organizations can establish relationships that enable the transfer of identity information in full confidence that the identity presented has been adequately vetted and authenticated.  The word “adequate” is used to indicate that the presented information is within the bounds of the established trust.  Depending upon the trust, and the requirements of the relying party, “adequate” may vary from trust agreement to trust agreement.  Each trust agreement, therefore, establishes a baseline.

The Trust Agreement

The trust agreement is a legal document outlining the terms and conditions by which both parties to the trust are bound.  Generally, these terms include the defined baseline for vetting users, conditions for the users’ removal from the environment, and the methods by which a user can authenticate.  All of these, and any other elements that are included, are assigned metrics that are reported to all parties on a pre-determined interval for review.  Spot checking is also included (if desired) in the trust agreement.  If the metrics are not met, the negative consequences are enacted.  These may include loss of access, diminished functionality, and/or financial penalties that have been agreed to in the trust.  The trust may also include positive consequences for exceeding the assigned metrics.

Technical Trust

Once the legal trust is established, it is necessary to technically enforce the agreements, and provide both verification and non-repudiation of access.  This is done via the technical mechanism of digital certificate exchange.  The parties to the trust exchange certificates, and every SAML[1] message between them is signed by its sender: the service provider signs the requests it sends to the identity provider, and the identity provider signs the assertions it returns, each using its own key.  This provides a bidirectional basis of trust for the transfer of the identity information.  Please note that each identity assertion is signed, not just the “tunnel”.  An example of the flow of data from the initial access request to the return of the authorized resource is found in Figure 1.

Figure 1: Example of a TLS-secured SAML authentication request

Conformance

To adequately conform to the technical trust, both the service provider and the identity provider must be able to properly present and accept signed assertions, and be able to decrypt them in adherence to the X.509[2] standard for digital certificates.  Both parties must also agree to, and comply with, the configuration of optional metadata elements of the SAML assertion.

What the Trust Does Not Cover

One of the defining purposes of the trust is to create a clear delineation between the responsibilities of the identity provider and the service provider.  The authorization of identified individuals to resources of the service provider is solely the service provider’s responsibility.  The provisioning of identity, the issuance of credentials and the identity lifecycle of individuals are solely the responsibility of the identity provider.  The only point of contact between these items and the trust, for both providers, is in meeting the established metrics.

Dissolution or Revision of the Trust

Should circumstances require that the trust be dissolved or revised, the technical elements of the trust must be revised and tested in advance to enable a smooth transition to the new trust.  Under no circumstances should there be more than one trust agreement in place for a single technical connection.


[1]  All references to SAML refer to SAML 2.0 as defined in http://docs.oasis-open.org/security/saml/v2.0/

[2]  Defined in RFC 4158