January 11, 2015

Thoughts about electronic authentication after NIST 800-63-1 review

   This guideline is devoted to the problem of electronic authentication in federal IT systems. These recommendations are not mandatory for my current job, but I found some tricky details in the standard, and I also use it to structure information about this vital infosec problem.
   The standard consists of six major sections. The first, "E-Authentication Model", gives a detailed description of the authentication process and the architectural model. The same model underlies almost all authentication protocols, such as Kerberos and 802.1X. It also covers who participates in the authentication process and which types of tokens and credentials are widely used. All of these topics are described and explained below.
   The next section is about the registration and issuance processes. After a short introduction come the threats and mitigation strategies. I find these two parts of every section valuable, because I can use them in a security policy or as part of threat modeling. Every section finishes with tables of assurance levels and what must be done to meet the requirements.
   The section on tokens is a good place to learn about some unusual authentication schemes with single- and multi-factor tokens. Threats, mitigation strategies and the assurance-level tables are at the end of the section.
   In the token and credential management section I found a good enumeration of CSP (Credential Service Provider) responsibilities. The list is written in general terms, but these responsibilities can be implemented in any system where tokens and credentials are managed. Can you guess what you will find at the end of the section? Right: threats, mitigation activities and tables...
   The section on the authentication process mainly focuses on defense against man-in-the-middle attacks. Almost all mitigation activities are based on using TLS and strong, approved cryptography between the claimant and the verifier.
   Nowadays SSO is very popular because of its convenience and security (provided, of course, that it is properly designed and implemented). Without the assertion process this technology would be useless. The assertion section of the standard is well written: two models are described (direct, where the subscriber carries the assertion itself to the relying party, and indirect, where the subscriber carries only an assertion reference that the relying party exchanges with the verifier), and examples of assertion types are given. You know what you will find at the end of the section...
   In conclusion, from my point of view, this guideline lacks technical information, and maybe next time the authors will give more practical recommendations about mitigation strategies. Nevertheless, this standard is a good source for systematizing your knowledge.
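The direct and indirect assertion models mentioned above, as an added example that is not part of the standard or of this post. A verifier issues assertions and a relying party (RP) performs the checks a practitioner would want before trusting one: signature, trusted issuer, intended audience, validity window and single use. The HMAC key shared between verifier and RP, the in-memory artifact store and the names `idp.example` / `app.example` are assumptions for illustration; real deployments use SAML or similar signed assertions and carry every message over TLS.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Added example (not the standard's or the author's code): a minimal model of
# assertion issuance and verification. The shared HMAC key is an assumption;
# production systems use asymmetric signatures (e.g. SAML XML signatures).


class Verifier:
    """Issues assertions; in the indirect model also holds them for pickup."""

    def __init__(self, key: bytes, issuer: str):
        self.key = key
        self.issuer = issuer
        self._artifacts = {}  # artifact -> assertion (indirect model only)

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue_assertion(self, subject: str, audience: str, ttl: int = 60, now=None) -> str:
        now = time.time() if now is None else now
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def direct(self, subject: str, audience: str, now=None) -> str:
        # Direct model: the subscriber carries the assertion itself to the RP.
        return self.issue_assertion(subject, audience, now=now)

    def indirect(self, subject: str, audience: str, now=None) -> str:
        # Indirect model: the subscriber carries only an assertion reference
        # (artifact); the RP exchanges it with the verifier on a back channel.
        artifact = secrets.token_urlsafe(16)
        self._artifacts[artifact] = self.issue_assertion(subject, audience, now=now)
        return artifact

    def resolve(self, artifact: str):
        # An artifact is single use: it is consumed on the first lookup.
        return self._artifacts.pop(artifact, None)


class RelyingParty:
    """Accepts an assertion only after every check passes; returns the subject."""

    def __init__(self, key: bytes, name: str, trusted_issuer: str):
        self.key = key
        self.name = name
        self.trusted_issuer = trusted_issuer
        self._seen = set()  # assertion ids already accepted (replay defense)

    def verify(self, assertion: str, now=None):
        try:
            b64, sig = assertion.split(".")
            payload = base64.urlsafe_b64decode(b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered
        claims = json.loads(payload)
        now = time.time() if now is None else now
        if claims["iss"] != self.trusted_issuer:
            return None
        if claims["aud"] != self.name:
            return None  # assertion meant for another RP
        if not (claims["iat"] <= now < claims["exp"]):
            return None  # outside validity window
        if claims["jti"] in self._seen:
            return None  # replayed
        self._seen.add(claims["jti"])
        return claims["sub"]

    def accept_direct(self, assertion: str, now=None):
        return self.verify(assertion, now=now)

    def accept_indirect(self, artifact: str, verifier: Verifier, now=None):
        assertion = verifier.resolve(artifact)
        return None if assertion is None else self.verify(assertion, now=now)


def demo():
    """Constructed scenario: one honest login per model plus the failure cases."""
    key = secrets.token_bytes(32)
    verifier = Verifier(key, "idp.example")
    rp = RelyingParty(key, "app.example", "idp.example")
    other_rp = RelyingParty(key, "other.example", "idp.example")
    t = 1_000_000.0
    assertion = verifier.direct("alice", "app.example", now=t)
    artifact = verifier.indirect("bob", "app.example", now=t)
    tampered = assertion[:-1] + ("0" if assertion[-1] != "0" else "1")
    return {
        "direct_ok": rp.accept_direct(assertion, now=t + 1),
        "direct_replay": rp.accept_direct(assertion, now=t + 2),
        "direct_expired": RelyingParty(key, "app.example", "idp.example")
                          .accept_direct(assertion, now=t + 120),
        "wrong_audience": other_rp.accept_direct(assertion, now=t + 1),
        "tampered": rp.accept_direct(tampered, now=t + 1),
        "indirect_ok": rp.accept_indirect(artifact, verifier, now=t + 1),
        "indirect_reuse": rp.accept_indirect(artifact, verifier, now=t + 2),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The same assertion is rejected on its second presentation, and an artifact can be resolved only once, which is what makes either model resistant to the replay and forwarding threats the standard's assertion section lists.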

January 5, 2015

Review of the Usable Security course by the University of Maryland on coursera.org

   One autumn evening I found an email from Coursera about a Specialization program. The Cybersecurity specialization looked interesting to me. If I'm not mistaken, the University of Maryland hosts one of the biggest Security Operations Centers in the US. The specialization contains four courses: Usable Security, Software Security, Cryptography and Hardware Security. Each course has its own start date, so you can enter a course when it starts. If you want a verified certificate or would like to finish the Cybersecurity specialization, you should follow the Signature Track and pay $49 for each course.
   Signature Track is a way to confirm your identity. You type some text so they can verify your typing pattern. They also take your photo and ask you to send a government ID with a photo. The scheme works like this: you complete a quiz, and then they capture your typing pattern and photo. Of course, this does not clearly identify you; there are many ways to overcome it. But for me, the main reason is to get knowledge, not certificates.
   Let's come back to the courses. I started with Usable Security. When I first read the syllabus, I thought: "Oh, piece of cake... Why teach this kind of material?" I have worked in the field of security for almost 4 years, not so long, but enough to understand some key principles. You assess risks, find suitable security measures, implement them and include them in your information security policy. Of course, your users are part of this process, but you educate them and control what they do. Yet this course gave me something to think about...
   The course included five key themes: design principles, measuring and evaluating usability, authentication, web browsing and privacy. The material was not technical, so you will not find descriptions of secure authentication schemes and the like. Week 1 described human-computer interaction and ways of measuring usability in detail. Week 2 was about design and how to perform it. Week 3 gave key concepts for evaluating system design (controlled experiments, A/B testing, etc.). Week 4 provided me with solid guidelines for usable security. Week 5 covered usable authentication. I was surprised when the professor started to check current browser HTTPS certificate validation with a professor of biology, who was not familiar with computer security at all. He was a bit shocked when he saw the warning. Then she showed him how to accept the risk and get access to the site... For him it was rocket science. He is a smart person, but he is not living in the field of computer security, so all these things and tricks are not convenient for him.
Week 6 was about usable privacy. The professor gave a good list of how to make terms and agreements clear to users. Then came the final exam, and the course was finished.
I got a certificate with a verification link on it.
   For me this course was very useful. Now I try to think and act like a user, or ask a user to do something, because the only way to build a system that is secure by design is to make it convenient and clear for users and administrators.