Authentication

Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
One of the more effective security controls that we can implement into networks is strong authentication. The job of authentication is to force a user to prove their claimed identity. I claim to be administrator. You can claim to be anything you want. Now, I need you to prove it. Traditionally, we've had three ways we proved our claim: something I know, something I have, and something you are. There's also something you do and somewhere you are, with GPS positioning and tracking. We're even extending the ways to prove it. The problem with that is any single form of authentication can be spoofed. We always want to combine more than one factor. When we talk about more than one factor, I don't mean two somethings you have, like a driver's license and a passport. That's not multi-factor. We want to combine at least two types of authentication so that way we can have a better standard of proof. Multi-factor authentication is best.

Bullet point here at the bottom. Mutual authentication, that's also desirable. Not only do I authenticate to you, you authenticate back to me. For instance, you connect to a banking server. We're used to that banking server requesting our username and password. We have to prove our identity to the banking server. We also want that banking server to prove its identity to us so that we know it's not a rogue device, which is where digital certificates come in.

Most common is definitely something you know. We use passwords. Traditionally, we've had password best practices, including ideas like changing your password on a regular basis, using uppercase and lowercase, having alphanumeric and non-alphanumeric characters. Not only do you change your password every so often, but you enforce a password history. What's very interesting about this is NIST, and the gentleman who specifically wrote the NIST standards for passwords, have essentially come out and said, "All those ideas we've had in the past really are not accurate today." What used to be very good preventative controls for your passwords was based on the knowledge and tools at the time. Right now, with the types of attacks that attackers are doing, uppercase, lowercase, alphanumeric, non-alphanumeric, these don't matter anymore because their password scanning programs are going to try all those combinations. What makes passwords harder today is length. As you add additional length to your password, you add more entropy. You make it more difficult for an attacker to determine. We really have made passwords very difficult for ourselves to remember. How many times have you gone to the same site, typed a password 3, 4, or 5 times, thought you knew what it was, and it turns out it's a password from another site? It can be very frustrating. What a lot of users do is they just write their passwords down, which is obviously a security vulnerability. What we want is longer passwords, not passwords that are hard to remember.

Something you have. If you can touch it, it's something you have. There are also other non-tangible things that you would have, like a private key, digital certificates, or cookies on your system. If you log on to a system and it says we don't recognize your computer, that's because when you set up your account initially, that web server put a cookie on your system that it looks for each time you log in. That's one way of verifying your identity, with a cookie. A lot of times, we make this multi-factor authentication as seamless as possible because we don't want to annoy users and pester them to death, but we do want that multi-factor authentication. A lot of organizations are using smartphones today. You go and log in with the password. I'm going to send you a code to your phone. The fact that you know the code proves to me that you have a phone. It's fairly unobtrusive. If you have a password on your phone, you get access.

Other somethings you have. We used memory cards for a long time. The memory card is the magnetic strip on the back of our credit cards, without encryption. There's just stored information on that strip, and it's very easy to siphon off those credit cards, very easy to clone a credit card, and very easy to copy these. What you have in the top illustration is a little shim that fits over the legitimate credit card reader, and you can see you can't even tell the difference. Then you swipe your card. It's actually being read by the shim, as well as being passed along to the reader. Very easy to do credit card theft, credit card fraud; billions of dollars a year are lost with credit card theft. A deterrent for that, or an alternative, is to use the PIN and chip system. These are smart cards. You can tell they're smart cards because they have a processor on them. The idea is these could actually provide three-factor authentication. You've got the chip, something you have; you know the PIN, something you know. If you sign it on the back and if the cashier, or whoever takes the card, checks your signature, then you actually have something you know, something you have, and something you do or something you are, just depending on the classification, how you classify signatures. That's not really the way it works today because many times, cashiers don't check the signature. Even if they glance at it, they're not really looking for any similarities. A lot of times, the vendor systems don't have the chip reader enabled. When it comes right down to it, if that chip reader is disabled, then we just swipe our cards in the magnetic reader with a magnetic strip again. We don't really get all the benefits of the chip and PIN system because we don't really enforce them the way that they should be enforced.

Now the third category, something you are. This used to be considered something you are, and the biometrics included both physiological and behavioral traits. Behavioral traits are how I walk, talk, and type, but now they've moved that to its own category, which is something you do. Now when we talk about something you are, it's just your physiological traits: palm scan, thumbprint, iris scan, retina scan. Whatever those traits are, how well you match to those traits determines whether or not you gain access.

Now, somewhere you are. Because of GPS tracking and positioning, the fact that I'm in Kelly Handerhan's house proves that I'm Kelly Handerhan. Again, we still want to combine that with multi-factor, other factors for authentication. Then there's something you do. Like I said, how I perform certain activities. Some cell phones don't have a PIN to open up the lock screen; instead you have a swipe pattern in a certain way. There are all sorts of little quirks that are unique to us, and how we walk or sign a document or how we type our names can be good identifiers of an individual.

The thing about biometrics specifically is we have issues with false positives and false negatives, or what's really better referred to as false acceptances and false rejections. Let's say that I've decided to use my thumbprint for access to my laptop. I've got sensitive information on there, so I want to make sure nobody that shouldn't get access gets onto my system. I provide my thumbprint and I require the match to be 100 percent accurate before letting someone onto the system. Well, I'm not going to be 100 percent accurate: different pressure, different way I roll my thumb, could be scratches or dust on my fingerprints. If I require such a high match before letting someone into the system, I'm going to be locked out over and over. That's a lot of administrative hassle and it's very frustrating. I'm tired of being locked out of my own system. You know what, anybody with a thumb can get in. Well, the problem there is there'll be false acceptances. People that shouldn't be allowed in are going to be allowed in. What you're going to find is that false acceptances and false rejections are inversely related. As one goes up, the other goes down, and vice versa. There will be a point where the two of them meet. That point is called the crossover error rate. That's how the accuracy of the system is assessed. Where the FRR meets the FAR is the CER. That's just for those of you that like letters. Otherwise, where your false acceptances meet your false rejections, that's called the crossover error rate, and that indicates the sensitivity or the accuracy of the system.

Other things to think about with biometrics are cost. Does it warrant a high-end biometrics solution? Also, user acceptance. Users are not 100 percent comfortable with all forms of biometrics. Still to this day, if I say, "Hey, I got my thumbprint taken yesterday," the first question is, did you have to go downtown? Were you speeding? What was going on? We tend to still associate being thumbprinted or fingerprinted with crimes. We feel like they're very intrusive into our personal space. If the biometrics get compromised, you can't revoke them. If my password gets lost or compromised, I can revoke that password, get issued a new one, and I'm good to go. If my thumbprint is compromised, there's not much I can do about that. There are other issues like enrollment time. Biometrics are the best of the single-factor authentication, but there are definitely drawbacks to them as well. Even if you decide the pros outweigh the drawbacks, don't forget it should just be implemented as one part of a multi-factor system. Of course, our multi-factor systems are going to combine more than one type: something you know, something you have, something you are, something you do, somewhere you are. You have to have that because any single means of authentication can be spoofed.
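Added worked example (not part of the lecture or its slides): a small Python script that sweeps a fingerprint matcher's acceptance threshold over constructed genuine and impostor match scores, computes FAR and FRR at each threshold, and locates the crossover error rate the lecture describes. The scores, the 0-100 scale and the function names are assumptions made for the illustration.

```python
"""Crossover error rate (CER) from constructed biometric match scores.

FAR(t): fraction of impostor attempts whose score reaches threshold t
        (accepted when they should not be).
FRR(t): fraction of genuine attempts whose score falls below t
        (rejected when they should not be).
Raising t lowers FAR and raises FRR; the CER is where the two curves meet.
"""
from typing import Iterable

# Constructed sample data: matcher scores on an assumed 0-100 scale. Genuine
# attempts (the enrolled user, with varying pressure, rotation, dust) score
# high but never a perfect 100; impostors mostly score low, with a few
# near-misses that a lax threshold would let in.
GENUINE_SCORES = [62, 68, 71, 74, 75, 77, 78, 80, 81, 83, 85, 86, 88, 90, 93, 96]
IMPOSTOR_SCORES = [12, 18, 23, 27, 31, 35, 38, 42, 45, 49, 53, 58, 63, 66, 70, 73]


def far(impostor: Iterable[int], threshold: int) -> float:
    """False acceptance rate: impostors scoring at or above the threshold."""
    scores = list(impostor)
    return sum(s >= threshold for s in scores) / len(scores)


def frr(genuine: Iterable[int], threshold: int) -> float:
    """False rejection rate: genuine users scoring below the threshold."""
    scores = list(genuine)
    return sum(s < threshold for s in scores) / len(scores)


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Return (threshold, CER): the threshold where FAR and FRR are closest,
    and the error rate there (mean of the two, equal to both at an exact
    crossover). A lower CER means a more accurate matcher."""
    best_t, best_gap = None, None
    for t in thresholds:
        gap = abs(far(impostor, t) - frr(genuine, t))
        if best_gap is None or gap < best_gap:  # first minimum wins
            best_t, best_gap = t, gap
    cer = (far(impostor, best_t) + frr(genuine, best_t)) / 2
    return best_t, cer


if __name__ == "__main__":
    # A demanding threshold locks the real user out; a lax one admits impostors.
    for t in (50, 65, 75, 90):
        print(f"threshold {t:3d}: FAR={far(IMPOSTOR_SCORES, t):.3f} "
              f"FRR={frr(GENUINE_SCORES, t):.3f}")
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t}: CER={cer:.3f}")
```

Comparing the CER of two matchers on the same enrolled population is how the lecture's "accuracy of the system" is put into a single number; the threshold actually deployed can then sit above or below the crossover depending on whether false acceptances or lockouts cost more.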