<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>identity and access management &#8211; TELEGRID</title>
	<atom:link href="https://telegrid.com/category/identity-and-access-management/feed" rel="self" type="application/rss+xml" />
	<link>https://telegrid.com</link>
	<description></description>
	<lastBuildDate>Mon, 26 Feb 2018 18:56:07 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.6.13</generator>

<image>
	<url>https://telegrid.com/wp-content/uploads/2022/09/cropped-Screen-Shot-2022-08-29-at-9.50.37-AM-32x32.png</url>
	<title>identity and access management &#8211; TELEGRID</title>
	<link>https://telegrid.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>NIST&#8217;s Tougher Approach to Identity Risk</title>
		<link>https://telegrid.com/nist-identity-risk?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=nist-identity-risk</link>
		
		<dc:creator><![CDATA[Eric Sharret]]></dc:creator>
		<pubDate>Fri, 16 Feb 2018 14:52:53 +0000</pubDate>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[identity and access management]]></category>
		<guid isPermaLink="false">https://telegrid.com/?p=1597</guid>

					<description><![CDATA[<p>According to Verizon’s 2017 Data Breach Investigations Report (DBIR), &#8220;81% of hacking-related breaches leveraged either stolen and/or weak passwords.&#8221; The National Institute of Standards and Technology (NIST) understands this. This is why, I believe, they &#8230;</p>
<p>The post <a rel="nofollow" href="https://telegrid.com/nist-identity-risk">NIST&#8217;s Tougher Approach to Identity Risk</a> appeared first on <a rel="nofollow" href="https://telegrid.com">TELEGRID</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-family: Arial;">According to Verizon’s 2017 Data Breach Investigations Report (<a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/">DBIR</a>), &#8220;81% of hacking-related breaches leveraged either stolen and/or weak passwords.&#8221; The National Institute of Standards and Technology (NIST) understands this. This is why, I believe, they are taking a tougher approach to identity risk than to other areas of network security. As proof I would point to the differences between the NIST 800-63 Digital Identity Guidelines and the NIST 800-30 Guide for Conducting Risk Assessments. NIST&#8217;s tougher approach to identity risk will require organizations to invest heavily in their Identity and Access Management (IdAM) infrastructures. </span></p>
<p>I know, I know, everybody loves a post about NIST guidelines. However, we thought this post was necessary due to the interest we received from our <a href="https://telegrid.com/nist-800-63-3">white paper detailing the updated NIST 800-63</a> and the number of views the accompanying <a href="https://www.youtube.com/watch?v=RFjPjqoR9eg">video has received on YouTube</a>, which broke the record for most views of a non-cat NIST video.</p>
<p>To give a brief background, the updated NIST 800-63 separates digital identity into Identity Assurance Level (IAL), Authenticator Assurance Level (AAL) and Federated Assurance Level (FAL). Within each Assurance Level, NIST defines 3 risk levels. The higher the level of risk the more restrictions that are placed on the organization (e.g., in-person vetting, multi-factor authentication, Holder of Key, etc.).</p>
<p>The main question that we receive from customers is, &#8220;How do I determine which Assurance Level applies to my organization?&#8221;</p>
<p>The NIST guidelines provide flow charts to help determine assurance level by judging risk on a scale of low, medium and high. If an organization judges any of the risks to be high (or medium for risk to Personal Safety), the Assurance Level is IAL3, AAL3 or FAL3, resulting in large IdAM changes for the organization.</p>
<p>The problem with judging risk is that it is subjective. If asked to rate the risk of financial loss or criminal violation, wouldn’t we be risk-averse and select high? To alleviate this issue, the guidelines point to NIST 800-30, which was designed to help organizations perform risk assessments in a more analytical manner.</p>
<p>While reviewing the 800-30 guidelines we were struck by a few core differences which we believe highlight NIST&#8217;s tougher approach to identity risk.</p>
<p>During a risk assessment NIST 800-30 guides organizations to view all elements of risk including threat, vulnerability and impact. However, NIST 800-63, &#8220;asks agencies to look at the potential <b>impacts</b> of a federation failure. In other words, what would occur if an unauthorized user could compromise an assertion?&#8221;</p>
<p>The reason this is important is that by focusing on impact without threat and vulnerability, organizations disregard several key points. For instance, judging threat includes an assessment of who has the capability to perform the attack and whether they have the desire to do so. Additionally, judging vulnerability includes an assessment of existing security controls which may prevent the attack. Both threat and vulnerability serve to temper the impact of an attack. If we only look at impact we will most likely take a tougher approach.</p>
<p>Another example is the number of risk categories. NIST 800-30 recommends 5 risk categories with semi-quantitative values for each (e.g., Very High is 96-100 while High is 80-95). NIST 800-63 only has 3 categories, or 2 for Personal Safety. This reduces granularity and leads to the selection of higher Assurance Levels.</p>
<p>What is the reason for NIST&#8217;s tougher approach to identity risk? Perhaps it is that for all of the fear of hackers cracking firewalls, the DBIR proves that the majority of attacks are still due to stolen credentials and privilege misuse. By creating a subjective risk assessment model that skews towards higher Assurance Levels, perhaps NIST is telling organizations that they should invest more heavily in IdAM security. Perhaps organizations should pay attention.</p>
<p align="justify">Eric Sharret is Vice President of Business Development at <a href="http://www.telegrid.com">TELEGRID</a>.  TELEGRID has unique expertise in secure authentication, PKI, Multi-Factor Authentication (MFA) and secure embedded systems.</p>
<p align="justify"><span style="font-family: Arial;">Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.</span></p>
<p>The post <a rel="nofollow" href="https://telegrid.com/nist-identity-risk">NIST&#8217;s Tougher Approach to Identity Risk</a> appeared first on <a rel="nofollow" href="https://telegrid.com">TELEGRID</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Authentication Token Cybersecurity and NIST 800-63-3</title>
		<link>https://telegrid.com/authentication-token-cybersecurity?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=authentication-token-cybersecurity</link>
		
		<dc:creator><![CDATA[Eric Sharret]]></dc:creator>
		<pubDate>Thu, 07 Dec 2017 15:29:02 +0000</pubDate>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[identity and access management]]></category>
		<category><![CDATA[mobile security]]></category>
		<guid isPermaLink="false">https://telegrid.com/?p=1355</guid>

					<description><![CDATA[<p>In June 2017, the National Institute of Standards and Technology (NIST) released its updated Digital Identity Guidelines in Special Publication 800-63-3.  The draft of this publication gained a lot of press in 2016 for highlighting &#8230;</p>
<p>The post <a rel="nofollow" href="https://telegrid.com/authentication-token-cybersecurity">Authentication Token Cybersecurity and NIST 800-63-3</a> appeared first on <a rel="nofollow" href="https://telegrid.com">TELEGRID</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="entry-content">
<div class="entry-content">
<p align="justify"><span style="font-family: Arial; font-size: medium;">In June 2017, the National Institute of Standards and Technology (NIST) released its updated Digital Identity Guidelines in Special Publication 800-63-3.  The draft of this publication gained a lot of press in 2016 for highlighting the cybersecurity risks when using SMS for multi-factor authentication.  While the final version has not had as much focus, the truth is the new guidelines will cause the government, the military and many commercial organizations to re-architect their Identity and Access Management (IdAM) infrastructures and rethink their authentication token distribution methods.</span></p>
<p>The reason is that NIST 800-63-3 goes farther than its predecessor by covering all aspects of IdAM from initial risk assessment to deployment of federated identity solutions.  Whereas NIST 800-63-2 focused almost exclusively on credential type (i.e., soft or hard token), NIST 800-63-3 includes Assurance Levels for Identity Proofing (how the user applied for the token), Authenticator Type (the form of the token) and Federated Architecture (how credentials are passed internally).</p>
<p align="justify">Federated Assurance Level (FAL) is by far the most important change since it will have the largest effect on internal networks.  The reason NIST is so focused on FAL is that they have seen an increase in cybersecurity attacks that take advantage of how authentication tokens are passed from an Identity Provider to a Service Provider.  These attacks include Man-in-the-Middle, Compromised Tokens, and Denial of Service and are not specific to any one standard (e.g., SAML, OAuth, Kerberos, etc.).</p>
<p align="justify">To combat these cybersecurity attacks, the NIST guidelines now require that a user present a proof of key ownership in addition to an authentication token.  This was instituted for the most secure systems, those that are deemed FAL3, because relying solely on authentication tokens exposes the network.  The requirement to present a proof of key ownership is known as Holder of Key.</p>
<p align="justify">Holder of Key is not a new concept; however, the only standards-based method to implement it is with PKI certificates and mutual TLS authentication.  This is an issue for organizations that either do not implement PKI or implement a Break and Inspect tool.  Break and Inspect refers to breaking a TLS connection between two parties in order to examine the secure contents of a message.  Break and Inspect is necessary because hackers typically hide their malicious activity within TLS traffic.  Once a TLS connection is broken, it is impossible to reestablish TLS with mutual authentication between the user and an application without also storing each user&#8217;s private key.  Storing every user&#8217;s private key is a HUGE cybersecurity risk.</p>
<p align="justify">Congress passed the Federal Information Security Modernization Act (FISMA) which created a requirement for federal agencies to manage information security based on publications that are developed by NIST.  In 2014 the DoD CIO, effectively joining federal agencies, issued Instruction 8510.01 replacing its own risk management process with NIST’s Risk Management Framework.  This made NIST’s Special Publication 800-63-3 a requirement of the Federal Government, the military, and most government contractors.  So, if you have not heard of NIST 800-63-3 and Holder of Key yet&#8230;you will soon.</p>
<p align="justify">If you currently implement Federated Identity or Single Sign-On (SSO) and are interested in getting more information on NIST 800-63-3 and Holder of Key, you should download TELEGRID’s <a href="https://telegrid.com/nist-800-63-3">white paper</a> on Authentication Token Cybersecurity and NIST 800-63-3 Holder of Key.  The <a href="https://telegrid.com/nist-800-63-3">white paper</a> provides information on specific authentication token cybersecurity attacks and how to seamlessly implement PKI even if you employ a Break and Inspect tool.  TELEGRID&#8217;s website also has helpful <a href="https://telegrid.com/identity-management-videos">video tutorials</a> on NIST 800-63-3 to help organizations meet the new Digital Identity Guidelines.</p>
<p align="justify">Eric Sharret is Vice President of Business Development at <a href="http://www.telegrid.com">TELEGRID</a>.  TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).</p>
<p align="justify">Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.</p>
</div>
</div>
<p>The post <a rel="nofollow" href="https://telegrid.com/authentication-token-cybersecurity">Authentication Token Cybersecurity and NIST 800-63-3</a> appeared first on <a rel="nofollow" href="https://telegrid.com">TELEGRID</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
