I know, I know, everybody loves a post about NIST guidelines. However, we thought this post was necessary due to the interest we received from our white paper detailing the updated NIST 800-63 and the number of views the accompanying video has received on youtube, which broke the record for most views of a non-cat, NIST video.

To give a brief background, the updated NIST 800-63 separates digital identity into Identity Assurance Level (IAL), Authenticator Assurance Level (AAL) and Federated Assurance Level (FAL). Within each Assurance Level, NIST defines 3 risk levels. The higher the level of risk the more restrictions that are placed on the organization (e.g., in-person vetting, multi-factor authentication, Holder of Key, etc.).

The main question that we receive from customers is, “How do I determine which Assurance Level applies to my organization?”

The NIST guidelines provide flow charts to help determine assurance level by judging risk on a scale of low, medium and high. If an organization judges any of the risks to be high (or medium for risk to Personal Safety) the Assurance Level is IAL3, AAL3 or FAL3 resulting in large IdAM changes for the organization.

Click to Subscribe

The problem with judging risk is that it is subjective. If asked to take the risk of financial loss or criminal violation wouldn’t we be risk-averse and select high? To alleviate this issue the guidelines point to NIST 800-30 which was designed to help organizations perform risk assessments in a more analytical manner.

While reviewing the 800-30 guidelines we were struck by a few core differences which we believe highlights NIST’s tougher approach to identity risk.

During a risk assessment NIST 800-30 guides organizations to view all elements of risk including threat, vulnerability and impact. However, NIST 800-63, “asks agencies to look at the potential impacts of a federation failure. In other words, what would occur if an unauthorized user could compromise an assertion?”

The reason this is important is that by focusing on impact without threat and vulnerability, organizations disregard several key points. For instance judging threat includes an assessment of who has the capability to perform the attack and do they have the desire to do so. Additionally judging vulnerability includes an assessment of existing security controls which may prevent the attack. Both threat and vulnerability serve to tamper the impact of an attack. If we only look at impact we will most likely take a tougher approach.

Click to Subscribe

Another example is the number of risk categories. NIST 800-30 recommends 5 risk categories with semi-quantitative values for each (e.g., Very High is 96-100 while High is 80-95). NIST 800-63 only has 3 categories, or 2 for Personal Safety. This reduces granularity and leads to the selection of higher Assurance Levels.

What is the reason for NIST’s tougher approach to identity risk? Perhaps it is that for all of the fear of hackers cracking firewalls, the DBIR proves that the majority of attacks are still due to stolen credentials and privilege misuse. By creating a subjective risk assessment model that skews towards higher Assurance Levels, perhaps NIST is telling organizations that they should invest more heavily in IdAM security. Perhaps organizations should pay attention.

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure authentication, PKI, Multi-Factor Authentication (MFA) and secure embedded systems.

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post NIST’s Tougher Approach to Identity Risk appeared first on TELEGRID.

The post Authentication Token Cybersecurity and NIST 800-63-3 appeared first on TELEGRID.

AAA servers like AD and Radius servers are the central point for all access requests.  Anytime a user wishes to access an application, server, etc. their credentials are sent to a AAA server to determine whether they are legitimate (authentication) and are allowed access (authorization).  Depending on their configuration, the AAA server will also log access (accounting) although this is more commonly performed in commercial mobile networks.

Since the AAA server communicates with multiple applications and devices, across multiple security domains, it has become a prime target for botnet and denial of service (DoS) attacks.  Hackers and cybersecurity researchers have begun to take notice.  Let’s look at three examples.
 

Click to Subscribe

 
First, IBM X-Force Research recently identified a banking trojan virus, Qakbot, that locked out thousands of AD users.  Qakbot is financial malware and is typically used to drain online bank accounts.  This was the first time researchers have seen it used as a DoS attack by preventing users from accessing applications and devices.

Second, researcher Guido Vranken used fuzzing, where malformed data is injected into a software application, to expose several vulnerabilities in FreeRadius, the most popular open source RADIUS server.  As Security Week pointed out, “The list of vulnerabilities includes memory leak, out-of-bounds read, memory exhaustion, buffer overflow and other issues that can be exploited to remotely execute arbitrary code or cause a DoS condition.”  Luckily the open source community was quick to address the vulnerabilities.

Third, at this year’s Black Hat conference, Threat Intelligence engineers gave a talk about a method to turn the AD Domain Controller into a botnet’s command and control server.  As they pointed out, the AAA architecture, where disparate computers take access instructions from a central controller, closely mimics that of a botnet.  If malware were installed it could take advantage of existing AD commands and user attributes to transfer information between infected clients and out of the network.  If there was only one AD domain controller for the entire network, this would allow data transfer between security domains.

For the moment many of these attacks can be prevented by patching, monitoring and constructing proper network architectures.  However, as the hacker community continues to turn its attention to AAA it is only a matter of time before widespread zero day Active Directory cyber attacks are unleashed.

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Active Directory Cyber Attacks appeared first on TELEGRID.

I believe that in order to answer this question properly we must make three comparisons:

1. The average loss for a home burglary versus the average loss for an identity theft
2. The probability of a home burglary versus the probability of an identity theft
3. The cost of a home security system versus the cost of identity theft protection

In its report on Crime in the United States, the FBI found that in 2014 the average dollar loss per burglary offense was $2,251.  This is higher than the average dollar loss for identity theft over the same time frame which was $1,343 according to the Department of Justice.

Click to Subscribe

However, when considering the number of occurrences, identity theft is far more likely than a burglary.  The DoJ reported 17.6 million cases of identity theft, or 7% of all US residents above the age of 16, in 2014.  This was 10 times more than the 1.7 million burglaries that were reported over the same time period by the FBI.

In terms of cost it is difficult to gauge exact figures based on the multitude of offerings for both home security systems and identity theft protection.  However, it seems that identity theft protection is the same or less per month than a home security system.

I understand that a home security system also provides the intangible value of personal protection and that there is no value that you can put on peace of mind.  However, I could counter that the majority of burglaries happen between the hours of 10AM and 3PM, when the homeowner is not home, and therefore personal protection has no inherent value.

So, should I protect my possessions or my identity? Based on this very simple statistical comparison it seems that, if I had to choose, I should protect my digital identity before I protect my physical possessions.  What would you pay to protect?

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure authentication, PKI and Multi-Factor Authentication (MFA).

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Should I protect my possessions or my identity? appeared first on TELEGRID.

It all started as a harmless exchange between like-minded adults.  It was something I had experienced many times before either at work or in the privacy of my own home.  Normally I would not even have paid attention to it but it was what happened next that scared me.

I was at my desk when an email arrived with the familiar title, “Eric, please add me to your LinkedIn network”.  I normally ignore LinkedIn requests from people I don’t know but this one was different.  Alex was an executive at an oil & gas company.  He had a complete profile and a picture of him riding a bicycle.  I do not know how he found me but I assumed he had read one of my amazing blog posts ;).  Since he was in the oil & gas industry and my company sells cybersecurity and wireless mesh networking tools to utilities I decided to click Accept.

The next night Alex sent me a message thanking me for accepting his request and telling me about an amazing opportunity to sell his company’s jet fuel.  Turns out he needed help in the US and the job would pay extremely well for only 5 hours of work per week.  Within the message was a link to a job offer and another link to an overview of his company.  Now “this ain’t my first rodeo” so I reported the message as LinkedIn Phishing and blocked Alex.  (On second thought I should have had the white hat hackers in my company reply with a link to lock his computer.)

The exchange left me wondering, are companies doing enough to protect against LinkedIn Phishing?

Companies train their employees to ignore phishing emails and deploy sandboxes to protect networks.  Companies also put in protections against Facebook Phishing, normally by blocking access since Facebook is not considered a work application.  However, LinkedIn is not email and it is not Facebook, it is a great tool that professionals use to expand their networks.  For this reason companies do not have LinkedIn Phishing protections but rather encourage their employees to connect with as many people as possible.

So what can companies do?

Since this came over the LinkedIn messaging system it is unlikely that it would have been caught by a spam filter, and, even if it was, an employee could still access the message from the LinkedIn website. This means that in order to prevent LinkedIn Phishing a company would have to block all of LinkedIn.  Additionally, this was not a bulk email phishing attempt that could be tracked, but rather a concerted spear phishing effort by someone who connected one day and then came back the next day to phish.  LinkedIn could solve this problem, and I am sure they are working on it, but until then the only solution seems to be employee training.

Or, I could be completely wrong, Alex is real, and I just missed the opportunity to get into the fast growing jet fuel market.

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure authentication, PKI and Multi-Factor Authentication (MFA).

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post LinkedIn Phishing – Are your employees safe? appeared first on TELEGRID.

Stop “Over Exaggerating” to Scare Your Customers

In most organizations cybersecurity sales’ rule #1 is to scare potential customers. Salespeople “over exaggerate” by telling customers the barbarian hordes are at their gates and if the customer does not buy the solution today then they will lose hundreds of millions of dollars. Then salespeople back up their claims with impressive statistics like 110% of people were compromised by the exact problem that our solution resolves. As Homer Simpson once said “you can come up with statistics to prove anything. Forty percent of all people know that”.

The truth is that your customer knows the statistics and they understand the risks. Don’t sell to customers by fear mongering but rather by inspiring. Just last week a customer referred to TELEGRID’s Privileged Access Management tool as “elegant”. That is what you want to hear.

Show your customer how easy your solution is to install, how it will make their day-to-day job easier and most importantly how it will promote network best practices. Considering how many attacks are from an employee doing something they shouldn’t, network best practices are extremely important.

Click to Subscribe

Your Bathroom is as Important as Your Point of Sale System

When selling a cybersecurity tool salespeople should consider the impact of integrating it into a network. For instance enabling two-factor authentication requires the install of an agent on every application or host device. This forces customers to make difficult decisions about what should and should not be secured.

The first applications to be secured are always those that handle Personally Identifiable Information (PII). These applications are important but so are the “non-critical” applications. How would your organization fair if it was the victim of a ransomware attack on its inventory database or client relationship management system. Salespeople should consider these gaps and help customers to resolve them.

Taking it back to Ryan Lochte’s alleged incident, I bet that gas station owner in Brazil sent all of his credit card data securely and that his cash register had a lock on it. He even paid to have security guards protect the premises 24/7. What he could not afford to protect was his bathroom and we all know how that ended. Ok that might be a stretch but you get my point.

In my last post I discussed how we need to rethink cybersecurity tools from a security AND network performance standpoint. I think we also need to rethink how we sell cybersecurity tools.

Eric Sharret is Vice President of Business Development at TELEGRID.

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Ryan Lochte and Cybersecurity Sales appeared first on TELEGRID.

“WHAT ABOUT LATENCY?”

Three simple but powerful words that show where cybersecurity has started to go wrong.  How can you put every packet in its own tunnel without massively affecting network performance?  Does user experience even matter anymore?

Click to Subscribe

Is it just me or are new cybersecurity products just rehashes of old cybersecurity products?  We have gone from 128 bit encryption to 256 bit encryption.  We have gone from endpoint protection to advanced endpoint encryption.  We have gone from firewalls to next generation firewalls.  We have gone from deep packet inspection to deeper packet inspection to deepest packet inspection.  It is the same thing Hollywood did when they remade the greatest films of our generation like Ghostbusters and Vacation.

Do vendors stop and think about the effect they are having on network performance?  Indeed a Cisco survey found that 71% of Chief Executives think that cybersecurity slows down the pace of commerce.  So how are vendors improving cybersecurity without affecting latency?  The answer seems to be more blade servers, faster processors, and ASICs.  This may work but it also translates into higher costs for the customer.  Are cybersecurity vendors starting to price themselves out of the market?

We need to rethink cybersecurity.  We need to start designing solutions based on both network protection AND network performance.  We need to look at our network from a holistic standpoint and identify existing tools that we can use for cybersecurity.  Let’s call it Cybersecurity 3.0!  (I know we skipped 2.0 but I was at a social media talk last week and the speaker used the term Web 3.0 so cybersecurity needs to catch up.)

In the next few weeks TELEGRID will be launching the first Cybersecurity 3.0 product which promises to turn the field of authentication on its head.  If you are not on it already then Join Our Mailing List so you do not miss the release.  In the meantime if you are looking for a secure authentication tool give me a call at 973-994-4440 and I will give you a sneak peek.

Eric Sharret is Vice President of Business Development at TELEGRID.

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Why is Cybersecurity So Slow? appeared first on TELEGRID.

Last month the Department of Defense Chief Information Officer Terry Halvorsen made a bold call for the replacement of Common Access Cards within the next two years.  Common Access Cards, or CACs, are credit-card-sized smartcards used to provide Two-Factor Authentication (2FA) to DoD networks.  This method of access requires two out of three of the following items:

• Something the user knows
• Something the user has
• Something the user is

A CAC – “something a user has” – in conjunction with a PIN – “something a user knows” – provides the required 2FA.  The issue Mr. Halvorsen has with CACs is that they do not work well in a tactical environment.  As he said, “It’s really hard to issue CAC cards … when people are dropping mortar shells on you and you need to get in your systems.”

So what will we use instead of CACs?  Mr. Halvorsen mentions Biometrics as part of the solution.  Biometrics, or “something the user is”, includes physical characteristics like fingerprints or behavioral characteristics like how many times a user misspells Halvorsen in a blog post (purely hypothetical).  I discussed some of the security concerns surrounding Biometrics in a previous post but the biggest issue seems to be with public key cryptography.  In public key cryptography the user maintains a secured private key and shares a public key with the world.  The private key is stored on the CAC and is unlocked with a PIN as part of the DoD Public Key Infrastructure (PKI).

Click to Subscribe

If there is no more CAC, does that mean there is no more private key?  We can derive passwords from Biometrics, for instance fingerprints have enough entropy for the equivalent strength of a 13 character password, but it is not public key cryptography.  If there is no more public key cryptography how can the DoD maintain its PKI?

I believe this highlights a very interesting debate on the difference between authentication and encryption.  If we look back at the earliest days of authentication, passwords were often sent in the clear (e.g., Password Authentication Protocol (PAP)).  It was assumed that the channel would be encrypted and all information, including passwords, would be encrypted by the channel.  Authentication was merely used for authorization and accounting.  It was not until we moved from point-to-point networks to the Internet that we combined authentication and encryption in PKI.  Is Mr. Halvorsen telling us that we no longer need PKI?

I do not believe this is the case because at a luncheon following the CAC elimination comment Mr. Halvorsen made a point of recognizing the need for PKI.  As he said, “I want to make it clear, when we replace the CAC card, it will be public-key infrastructure.”   Mr. Halvorsen suggested using Derived Credentials in conjunction with Biometrics to simplify authentication and maintain PKI.  Derived Credentials is a software-based version of the CAC contained in an electronic device such as a smartphone.  In that architecture Biometrics would unlock the electronic device while a user’s certificate and associated private key would be stored in the Derived Credentials.

Derived Credentials is intriguing because it heralds the ability to Bring Your Own Device (BYOD).  The only issue is current policy (i.e., NIST 800-157) which requires that credentials issued at Level of Assurance (LOA) 4 be kept in a hardware cryptographic module that has been validated to FIP 140-2 Level 2.  This means you may need a special hardware solution which is an issue for BYOD.

The moral of the story is that the DoD is now committed to changing how users authenticate themselves and that we should expect to see big changes in the next few years.  This will make it difficult for the Government to purchase devices or applications that have a fixed authentication mechanism.  Perhaps this is the reason we are seeing so much interest in applications that allow a flexible authentication mechanism, like TELEGRID’s SMRTe.

Eric Sharret is Vice President of Business Development at TELEGRID.

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Does the death of the CAC mean the death of PKI? appeared first on TELEGRID.

The DoD has been searching for other methods of ensuring two-factor authentication including Derived Credentials but smartphones’ use of software encryption precludes the use of Derived Credentials with certain types of information (NIST 800-157).  There has also been research at organizations including DARPA into alternate forms of authentication like the way a user walks or the way they type on a keypad (i.e., Behavioral Biometrics).  These technologies are still being tested and the method of securely transmitting the information to a smartphone (e.g., Bluetooth) has not yet been determined.

But what about standard Biometric authentication, like fingerprint recognition, which was just highlighted in President Obama’s Cybersecurity National Action Plan, and is already included in many smartphones?  Indeed, I recently reviewed a solicitation that included a requirement for user authentication via an Apple device’s Touch ID.  As with every security related solicitation TELEGRID engineers cross referenced the requirements against the Security Technical Implementation Guides (STIGs).  In this case we found that Apple’s Touch ID cannot be used and must be disabled because, according to the Apple iOS 9 Interim STIG, “Many mobile devices now permit a user to unlock the user’s device by presenting a fingerprint to an embedded fingerprint reader….they are significant potential vulnerabilities to DoD information and information systems. Disabling them mitigates the risk of their use.”
 

Click to Subscribe

 
We all know fingerprints can be “lifted” (we have all seen CSI) but I always thought it was an extremely difficult task considering that fingerprints can easily be smudged and iOS has security features in place to prevent multiple incorrect attempts.  But, then I found this article from 2014 about a security conference where a hacker named Starbug displayed copies of German Defense Minister Ursula von der Leyen’s fingerprint.  The reason the name Starbug might ring a bell is that he was also the person who hacked the Touch ID within 24 hours of its release.  The amazing thing about this effort was that the hacker copied the fingerprint from high resolution photographs of the Defense Minister.  Starbug did not even need to be near the Defense Minister to copy her fingerprints.

Now we understand the investment in Behavioral Biometrics and the potential they have for securing two-factor authentication.  Until they are approved, however, I will continue to use my wedding anniversary date as my password because, if I can’t remember it, what are the chances of a hacker stealing it?

Interesting side note: I came across this court case when I was doing research for this post.  I did not know how to include it but thought it was worth a mention.  In 2014 a Virginia court found that the police can force you to surrender your fingerprints in order to unlock your phone.  According to Judge Frucci, a fingerprint is physical and therefore is like your DNA, which must be provided, as opposed to a memorized password pin which does not have to be provided since it falls under your Fifth Amendment right to avoid self-incrimination.

Eric Sharret is Vice President of Business Development at TELEGRID.

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Assured Identity – Giving Apps the Finger appeared first on TELEGRID.