One of the more effective security controls that we can implement in networks is strong authentication.
The job of authentication is to force a user to prove their claimed identity.
I claim to be administrator. You can claim to be anything you want. Now I need you to prove it.
Traditionally, we've had three ways to prove our claim: something you know, something you have and something you are.
There's also something you do, and somewhere you are, with GPS positioning and tracking, further extending the ways to prove it.
The problem with that is any single form of authentication can be spoofed.
We always want to combine more than one factor.
When we talk about more than one factor, I don't mean two things you have, like a driver's license and a passport. That's not multifactor.
We want to combine at least two types of authentication. That way we can have a better standard of proof.
Multifactor authentication is best.
Bullet point here at the bottom: mutual authentication.
That's also desirable.
Not only do I authenticate to you; you then authenticate back to me.
For instance, you connect to a banking server.
We're used to that banking server requesting our user name and password, right? We have to prove our identity to the banking server.
We also want that banking server to prove its identity to us, so that we know it's not a rogue device, which is where digital certificates come in.
Most common is definitely something you know: we use passwords. Traditionally, password best practices included ideas like: change your password on a regular basis; use uppercase and lowercase; have alphanumeric and non-alphanumeric characters; and not only change your password every so often, but enforce a password history.
What's very interesting about this is NIST, and the gentleman who specifically wrote the NIST standards for passwords, has essentially come out and said: you know, all those ideas we've had in the past really are not accurate today.
What used to be a very good preventative control for passwords was based on the knowledge and tools of the time.
Right now, with the types of attacks that attackers are doing, upper and lower case, alphanumeric, non-alphanumeric: these don't matter anymore, because their password-scanning programs are going to try all those combinations.
What makes passwords harder today is length. As you add additional length to your password, you add more entropy.
You make it more difficult for an attacker to determine.
We really have made passwords very difficult for ourselves to remember. How many times have you gone to the same site, typed the password three, four or five times, thought you knew what it was, and it turns out it's a password from another site? It can be very frustrating.
What a lot of users do is they just write their passwords down, which is obviously a security vulnerability.
What we want is longer passwords, not passwords that are hard to remember.
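The point about length versus character classes, as an added example that is not part of the lecture: the entropy arithmetic for a few policies side by side, plus a password check in the spirit of the current NIST guidance the lecture alludes to (a length minimum, a blocklist of known-bad passwords, no composition rules). The blocklist is a small constructed sample, not a real breach corpus, and the guess rate in the demo is an assumed figure for illustration.

```python
"""Added example: why length beats composition rules, and a NIST-style check.

entropy_bits() gives the search space (in bits) for a password drawn uniformly
from a character set; each extra character multiplies the space, while adding a
symbol class only widens the base a little.  check_password() accepts or rejects
in the style of NIST SP 800-63B: length bounds and a blocklist, and deliberately
no uppercase/digit/symbol requirements.
"""
import math
import unicodedata
from typing import Dict, Tuple

# Constructed sample blocklist.  A real deployment checks against a large
# corpus of breached and commonly chosen passwords.
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "123456", "qwerty",
    "letmein", "welcome1", "summer2023",
}


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_policies() -> Dict[str, float]:
    """Entropy of a short 'complex' password against longer lowercase-only ones."""
    return {
        "8 chars, all 95 printable ASCII": entropy_bits(95, 8),
        "12 chars, lowercase only": entropy_bits(26, 12),
        "16 chars, lowercase only": entropy_bits(26, 16),
        "20 chars, lowercase only": entropy_bits(26, 20),
    }


def check_password(candidate: str, min_length: int = 8, max_length: int = 64) -> Tuple[bool, str]:
    """Accept or reject a candidate password without composition rules.

    Composition rules shrink the set of passwords people actually choose more
    than they widen the space, and the attacker's tooling tries the usual
    substitutions anyway, so the useful checks are length and a blocklist.
    """
    normalized = unicodedata.normalize("NFKC", candidate)
    if len(normalized) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(normalized) > max_length:
        return False, f"longer than {max_length} characters"
    lowered = normalized.lower()
    # Also catch the trivial "Password123!" style of dressing up a blocklisted word.
    stripped = lowered.rstrip("0123456789!")
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        return False, "appears in the compromised-password list"
    return True, "ok"


if __name__ == "__main__":
    assumed_rate = 1e10  # assumed offline guess rate, guesses per second
    for policy, bits in compare_policies().items():
        print(f"{policy:35s} {bits:6.1f} bits  ~{years_to_exhaust(bits, assumed_rate):.2e} years")
    for pw in ["Password123!", "short", "correct horse battery staple"]:
        print(repr(pw), check_password(pw))
```

Sixteen lowercase letters carry more entropy than eight characters drawn from the full printable set, which is the lecture's point: the password that is easier to remember is also the harder one to search.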
Something you have. If you can touch it, it's just something you have.
There are also other, non-tangible things that you would have, like a private key, digital certificates or cookies on your system. If you log into a system and it says, "We don't recognize your computer," that's because when you set up your account initially, that web server put a cookie on your system that it looks for each time you log in.
That's one way of verifying your identity, with the cookie.
A lot of times we make this multifactor authentication as seamless as possible because we don't want to annoy users and pester them to death.
But we do want that multifactor authentication.
A lot of organizations are using smartphones today, right? You go and log in with a password, and they're going to send you a code to your phone.
The fact that you know the code proves to me that you have the phone. It's fairly unobtrusive: if you have a password on your phone, you get access.
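The phone-code factor just described, as an added example that is not part of the lecture: a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) in Python. The phone and the server share a secret enrolled once; each derives the same short code from that secret and the current time, so presenting the right code proves possession of the device holding the secret. The shared secret in the demo is the RFC test key, used here only as sample data.

```python
"""Added example: TOTP as the 'something you have' second factor.

hotp()        RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated.
totp()        RFC 6238: HOTP with the counter = 30-second periods since the epoch.
verify_totp() the server side, tolerating a little clock skew and returning the
              matched counter so the caller can refuse a replayed code.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One HOTP value for the given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """The code the phone displays for a given wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, digits: int = 6,
                step: int = 30, window: int = 1) -> Optional[int]:
    """Server-side check.

    Accepts the current period and `window` periods either side, to absorb
    clock skew and the time it takes to type the code.  Returns the counter
    that matched (so it can be recorded and rejected if presented again), or
    None if nothing in the window matched.  The comparison is constant-time.
    """
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Sample secret (the RFC 6238 test key).  Real enrolment uses a random key
    # generated by the server and transferred once, typically via a QR code.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    print("phone shows:        ", code)
    print("server, 10 s later: ", verify_totp(secret, code, now + 10))
    print("server, 2 min later:", verify_totp(secret, code, now + 120))
```

The code itself carries no secret; an attacker who phishes one code has only a thirty-second window and, with the returned counter recorded, cannot replay it even inside that window. Knowing the password and knowing the code are different factors because the code is derivable only from a secret that never left the phone.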
Other "something you have" items: we've used memory cards for a long time.
The memory card is the magnetic strip on the back of our credit cards. Without encryption,
it was just stored information on that strip, and it was very, very easy to siphon off those credit cards: very easy to clone a credit card and very easy to copy these.
What you have in the top illustration is a little shim that fits over the legitimate credit card reader, and you can see I can't even tell the difference.
Then you swipe the card, and it's actually being read by the shim as well as being passed along to the reader.
Very, very easy to do. Credit card theft, credit card fraud: billions of dollars a year are lost to credit card theft.
A deterrent for that, or an alternative, is to use the chip and PIN system.
These are smart cards. You can tell they're smart cards because they have a processor on them. The idea is, these could actually provide three-factor authentication.
You've got the chip: something you have. You know the PIN: something you know. If you sign on the back, and the cashier, or whoever takes the card, checks your signature, then you actually have something you know, something you have and something you do, or something you are, depending on how you classify signatures.
That's not really the way it works today, because many times cashiers don't check the signature. Even if they glance at it, they're not really looking for any similarities.
A lot of times, the vendor systems don't have the chip reader enabled when it comes right down to it. If that chip reader is disabled, then we just swipe our cards in the magnetic reader, with the magnetic strip again.
We don't really get all the benefits of the chip and PIN system because we don't really enforce them the way they should be enforced.
Now, the third category something you are.
Biometrics used to be considered something you are, and they included both physiological and behavioral traits. Behavioral traits are how I walk, talk and type.
But now they've moved that to its own category, which is something you do. Now, when we talk about something you are, it's just your physiological traits: palm scan, thumbprint, iris scan, retina scan. Whatever those traits are, how well you match them determines whether or not you gain access.
Now, somewhere you are, because of GPS tracking and positioning. The fact that I'm in Kelly Handerhan's house proves that I'm Kelly Handerhan.
Again, we still want to combine that with other factors for multifactor authentication.
Then there's something you do. Like I said, how I perform certain activities.
Some cell phones don't have a PIN to open up the lock screen.
Instead you have a swipe pattern, done in a certain way.
There are all sorts of little quirks that are unique to us, and how we walk or sign a document, or how we type our names, can be good identifiers of an individual.
The thing about biometrics specifically is we have issues with false positives and false negatives, or what's really better referred to as false acceptances and false rejections.
Let's say that I've decided to use my thumbprint for access to my laptop. I've got sensitive information on there, so I want to make sure nobody that shouldn't get access gets onto my system.
I provide my thumbprint, and I require that the match be 100% accurate before letting someone onto the system.
Well, I'm not going to be 100% accurate, right? Different pressure, a different way I roll my thumb; there could be scratches or dust on my fingerprints.
If I require such a high match before letting anyone into the system, I'm going to be locked out over and over. That's a lot of administrative hassle, and it's very frustrating.
All right, I'm tired of being locked out of my own system. You know what? Anybody with a thumb can get in. Well, the problem there is there will be false acceptances, right? People that shouldn't be allowed in are going to be allowed in.
What you're going to find is that false acceptances and false rejections are inversely related. As one goes up, the other goes down, and vice versa. There will be a point where the two of them meet. That point is called the crossover error rate. That is how the accuracy of the system is assessed.
Where the FRR meets the FAR is the CER.
That's just for those of you that like letters. Otherwise: where your false acceptances meet your false rejections, that's called the crossover error rate, and that indicates the sensitivity, or the accuracy, of the system.
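The trade-off just described, as an added example that is not part of the lecture: a Python sketch that sweeps the match threshold over constructed genuine and impostor similarity scores, computes the false rejection rate (FRR) and false acceptance rate (FAR) at each setting, and locates the crossover. The scores are made up to show the overlap between the two populations; they are not measurements from any real sensor.

```python
"""Added example: FAR, FRR and the crossover error rate (CER) versus threshold.

Each score is a similarity in [0, 1] between a presented sample and the
enrolled template.  Genuine attempts cluster high and impostor attempts
cluster low, but the two overlap, which is why no single threshold gives
zero of both error types at once.
"""
from typing import List, Tuple

# Constructed similarity scores (not real sensor data).
GENUINE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.85, 0.83, 0.80, 0.78, 0.75, 0.70,
                  0.68, 0.65, 0.62, 0.58, 0.55, 0.50, 0.47, 0.45, 0.40, 0.35]
IMPOSTOR_SCORES = [0.05, 0.08, 0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.25, 0.28,
                   0.30, 0.33, 0.36, 0.40, 0.44, 0.48, 0.52, 0.56, 0.60, 0.65]


def false_rejection_rate(genuine: List[float], threshold: float) -> float:
    """Share of legitimate attempts that scored below the threshold (locked out)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor: List[float], threshold: float) -> float:
    """Share of impostor attempts that reached the threshold (let in)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[float], impostor: List[float],
                steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) sampled across the whole score range."""
    rows = []
    for i in range(steps + 1):
        t = i / steps
        rows.append((t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t)))
    return rows


def crossover_error_rate(genuine: List[float], impostor: List[float],
                         steps: int = 100) -> Tuple[float, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (the CER)."""
    threshold, far, frr = min(error_curve(genuine, impostor, steps),
                              key=lambda row: abs(row[1] - row[2]))
    return threshold, (far + frr) / 2


if __name__ == "__main__":
    # The two extremes from the lecture: demand a perfect match, or let any thumb in.
    print("threshold 1.0: FRR =", false_rejection_rate(GENUINE_SCORES, 1.0),
          "FAR =", false_acceptance_rate(IMPOSTOR_SCORES, 1.0))
    print("threshold 0.0: FRR =", false_rejection_rate(GENUINE_SCORES, 0.0),
          "FAR =", false_acceptance_rate(IMPOSTOR_SCORES, 0.0))
    for t, far, frr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, steps=10):
        print(f"threshold {t:.1f}  FAR {far:.2f}  FRR {frr:.2f}")
    print("crossover (threshold, CER):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold drives FAR down and FRR up; lowering it does the reverse. A lower CER means the genuine and impostor populations overlap less, which is what distinguishes a good sensor from a poor one. Where to set the operating threshold in practice is a separate decision: a laptop full of sensitive data sits to the right of the crossover (fewer false acceptances, more lockouts), a convenience unlock to the left.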
Other things to think about with biometrics: cost. Does it warrant a high-end biometric solution?
Also, user acceptance. Users are not 100% comfortable with all forms of biometrics. Still, to this day, if I say, "Hey, I got my thumbprint taken yesterday," the first question is, "Did you have to go downtown? Were you speeding? What was going on?" We tend to still associate being thumbprinted or fingerprinted with crimes.
We feel like they're very intrusive into our personal space.
If biometrics get compromised, you can't revoke them. If my password gets lost or compromised, I can revoke that password, get issued a new one, and I'm good to go. If my thumbprint is compromised, there's not much I can do about that.
There are other issues like enrollment time.
Biometrics are the best of the single-factor authentication methods. But there are definitely drawbacks to them as well. Even if you decide the pros outweigh the drawbacks, don't forget: it should just be implemented as one part of a multifactor system.
Of course, our multifactor systems are going to combine more than one type: something you know, something you have, something you are, something you do, somewhere you are. You have to have that, because any single means of authentication can be spoofed.