Case for Strong User Authentication By Mark Lobel, Manager, TRS, PricewaterhouseCoopers


In 1994, Citibank learned a ten million dollar lesson in user authentication. A 34-year-old Russian and his accomplices were accused of tapping into Citibank's cash management system and transferring more than ten million dollars to various bank accounts around the world. Did Citibank's systems have security? Yes. Usually these types of funds transfer systems are protected by various passwords. Did these passwords stop the intruders? No. According to published news reports, Citibank did not suspect collusion. This means the hackers were able to find or guess the passwords for the accounts involved. The conclusion from this incident is crystal clear. The passwords used provided access control to the funds transfer system but not strong user authentication.

This may be an extreme case, but we authenticate ourselves every day to access things of value. We authenticate using passwords to prove who we are, but how strong is the model? For example, have you seen a password written on a sticky-note and stuck on a computer screen? While there is a need for access control and authentication in our society, we have a special corporate need for strong user authentication.

This white paper will describe authentication types, problems, surrounding business controls and methods, the difference between authentication and strong user authentication, why strong user authentication is needed, and ways to use strong user authentication.

Table of Contents

I. What is Authentication?
    Passwords
    Password Weakness
    Key Stroke Monitoring
    Social Engineering
    Brute Force Attacks
    Network Monitoring
    Man in the Middle
    Race
II. What is Strong User Authentication?
III. Why is Strong User Authentication Needed?
    Security Methodology
    User Accountability
    Corporate Liability
    Benefits
IV. How, When and Where to Use Strong User Authentication?
V. Summary
About PricewaterhouseCoopers
About RSA Security

Mark Lobel
Manager, TRS
PricewaterhouseCoopers L.L.P.
Tel
Mark.A.Lobel@us.pwcglobal.com

RSA Security Inc.

I. What is Authentication?

Authenticate: To prove or establish as being genuine.

From ancient Roman times, asset protection has been a common theme in society for military, personal or economic reasons. Authentication is the concept for allowing use of those resources, be they weapons, bank accounts or trade secrets. Today, companies have many reasons for protecting assets, from legal requirements to guarding shareholder assets and value.

Authentication cannot exist in a vacuum; it must be part of a security framework. One of the models is called the security pyramid. This model shows the building blocks necessary to create a secure environment. At the bottom are policies and procedures to set security management standards and ways. Next comes strong user authentication, to control access and give non-repudiation. Authorization allows the proper people to access. Encryption protects data confidentiality and audit confirms process effectiveness. If one of the lower layers of the pyramid is not attained, the successive steps cannot be achieved. For example, if your company does not have a policy and procedure for authorizing users for computer access, control procedures for authorizing users will not work evenly across all areas, and the lack of standards will make audit hard or impossible.

[Figure: the security pyramid. Layers from top to bottom: Audit, Encryption, Authorization, Strong Authentication, Policies and Procedures.]

There are four security control objectives that address the security framework:

- Authentication: To prove identity and allow access to assets.
- Confidentiality: Restricting data access to the people authorized to see it.
- Non-repudiation: Conclusively tracing an action to an individual.
- Integrity: Ensure that data was changed by the authorized person.

Specifically, user authentication describes three methods:

- Something you have: This can include a key to a door or a token card.
- Something you know: Passwords fall into this category.
- Something you are: This area includes biometric authentication such as fingerprints, voiceprints or retinal scans.

Individually, any one of the three concepts has problems. Something you have can be stolen. Something you know can be guessed, shared or lost to other methods. Something you are is the strongest, but generally the most costly and still vulnerable to attack.

Based on these single-factor authentication problems, the next step is two-factor authentication. Combining two methods defines two-factor authentication. For example, ATM teller machines use a combination of a plastic card (something you have) and a four-digit PIN number (something you know). Any one type of authentication may authorize access, but using two types moves towards the control concept of non-repudiation. Not only can you prove your identity and gain access to a resource, but you cannot deny accessing the resource at a later time.

Passwords

Passwords are the most common type of computer system authentication. Most multi-user systems in the past relied on password authentication to control access to processor time and to segregate users for charge-back. Today, the main use of passwords is for access control to data. There are two types of passwords:

- Reusable: a string of letters and numbers used many times for system access.
- One-time: a string of letters and numbers used for system access and always changing.

Almost all flavors of UNIX, Windows NT/2000, and other multiuser operating systems come with a reusable password process by default. Depending on the value protected, a reusable password may be adequate. However, as technology progresses, reusable passwords have become very weak and attacks have been built for one-time passwords as well.

Password Weakness

Each type of password has unique problems to address. Reusable passwords have reached the end of their life cycle for critical business uses and one-time passwords need additional controls to remain effective. Reusable passwords are vulnerable to many attacks, including keystroke monitoring, social engineering, brute force attacks and network monitoring.

Key Stroke Monitoring

Key stroke monitoring can be done a few ways. One is to run a program that monitors the keys pressed on a keyboard and stores the results in a file for later observation. A number of popular Trojan horse programs, such as Back Orifice and NetBus, offer this functionality. Even though the password does not echo to the screen, this is not needed for an attack to occur. A much more difficult, yet possible, attack is to monitor the emissions from the screen. This attack is used when physical and logical access to the computer is not possible.

Social Engineering

Social engineering is manipulating people for information. This includes the attacker posing as a member of a firm's help desk, calling an executive's assistant, and asking for their (or the executive's) password to fix a computer problem. Also, this type includes shoulder surfing, which is just as it sounds: a person will casually watch another person's fingers as they enter their password to steal the letters and numbers.

Brute Force Attacks

Brute force attacks, sometimes called dictionary attacks, fall into two categories: internal or external. Internal means a user accesses a system in an authorized or unauthorized fashion. Once the user gains access to a command prompt, they can copy the encrypted passwords and run a crack program to guess the passwords. The crack program takes a text file of words and uses the same encryption algorithm as the operating system to encrypt each word in the text file. The program compares the encrypted words from the dictionary to the ones copied from the system and when they match, you know the password. For those with more time, these programs can also try all combinations of letters, numbers, and special characters (hence the name "Brute Force"). This method is so old, the crack program used for UNIX systems is up to version five! Newer is the L0phtCrack program that does the same process for Windows NT. Slower, but still possible, is an external brute force attack. Manually, or using a tool, you guess passwords one at a time until you are able to gain access.

Network Monitoring

Network monitoring (also known as "sniffing") is the most critical concern with reusable passwords. Most networks today are Ethernet based. On Ethernet networks, all messages sent from one machine to another are read by all systems on the network, but only processed by the intended recipient. However, the network cards of any of the computers on the network can be put into promiscuous mode, where they read and log all messages that reach the computer. Utilities to perform this include the Sniffer from Network Associates and the Network Monitor released by Microsoft. Using these tools, any user on the network can record all the traffic to automatically collect the network passwords. Once collected, they can be used for unauthorized access.

One example of this was a penetration exercise PricewaterhouseCoopers did for a client. Our goal was to see what an outsider could access by asking to use the phone in the conference room. Once in, we were able to connect and monitor the network for a fifteen minute period. When done, we had collected ten user passwords to internal systems, including one administrative password! Monitoring can be done by any user on an Ethernet network with Windows NT 4.0/2000 and the Network Monitoring tool. The cost of this attack has gone from thousands of dollars for a custom hardware and software device to almost nothing for an illegal copy of the software. This is the main reason why reusable passwords have reached the end of their life cycle.

One-time passwords are a variation of the standard reusable password. The difference, as the name explains, is that a different code (set of letters or numbers) is used each time the user attempts to access data. This is accomplished by generating a list of passwords and going down the list, or using a token authentication card with a number that regularly changes in step with a process on the server. While one-time passwords are not vulnerable to the above attacks, they still have weaknesses that take much more skill to exploit. These include man-in-the-middle attacks and race attacks.

Man-in-the-Middle

A man-in-the-middle attack is just as it sounds. An attacker places a computer between the user and the system using a one-time password. In some way, the attacker must capture the packets as they pass over the wire, resending them as their own. The attacker needs control over the network and a high degree of skill to perform this attack.

Race

In a race attack, an attacker monitors the numbers and letters as they pass over the network. But, just before the last digit, the attacker sends ten login requests to beat the real user and try all the remaining combinations in an attempt to take over the login process. This attack can only be used with certain protocols, as some systems do not pass data byte-by-byte. Again, this attack demands a large amount of luck, time and skill to exploit.

In response to this problem, security vendors have taken measures to compensate by using encryption or by putting logic into their products to address and defend against these types of attacks. Still, a one-time password is one-factor authentication, and not what we define as strong user authentication.

II. What Is Strong User Authentication?

We define strong user authentication as using two of the above methods. For example, something you know and something you have can be a hardware token and a PIN number. This method has two advantages. First, it is resistant to all the reusable and most one-time password attacks. Second, it can be a method of non-repudiation.

There are many types of strong user authentication in use today. These include smart cards, challenge-response, hardware tokens and biometric authentication, all combined with PINs or passwords. These solutions can give a great deal of comfort, but the costs must be considered.

III. Why is Strong User Authentication Needed?

Authentication usually consists of something you know. We have shown those methods vulnerable to attack. Many vendors will discuss the adequacy of password protection alone to authenticate users. As shown, some of the attacks (especially on reusable passwords) can occur at little-to-no cost and without detection. If there is no way to determine a password has been compromised, it is tough to determine the true security of your data. This is the reason to use a strong user authentication process to protect the data and systems.

The need for strong user authentication has many parts and benefits. Strong user authentication is one of the building blocks of a security methodology. It also forces user accountability. Finally, it plays a role in the fiduciary responsibilities of many organizations. The benefits vary from liability protection to audit comfort.

Security Methodology

In building a security design, one layer rests on another. The security pyramid must rest on a base of policies and procedures. Next, user authentication is a critical building block for the entire pyramid. Without the underlying assumption of strong user authentication, the remaining layers of authorization, use of encryption and audit become invalid. With strong user authentication, you know that the user is authorized, that confidentiality is maintained (with encryption) by passing the information to the proper user, and that the audit trail is keeping the actions of the one known person.

User Accountability

User accountability has many sides. One view is that companies will know which user performed which action. The other is the user perspective. Strong authentication can cause two results. First, the user would need to go to a greater length to share information with another user, such as sharing an RSA SecurID card and the associated PIN number. The side effect of this action is that the original user is not able to access the system while the other person uses the strong user authentication method. Second, while a password can be captured in transit, allowing the user deniability, strong user authentication would force the user to be responsible for the actions of any user of the card and PIN. Even if they did not perform the action, it can be proven that the individual was the guardian for the method, hopefully making them very reluctant to share. There is no perfect scheme, but this is one way to make a clear statement to the user as to their level of accountability for the data they are allowed to access.

One example of this method's strength is shown daily in the use of automated teller machines (ATMs). People, like companies, need to protect their data. Their data (bank account) is protected by a strong user authentication method: a bank card and a PIN number. Even though the password (PIN number) is a reusable one, cryptography is used over the PIN as a compensating control. Also, a controlled network is used to transmit the data. How many consumers would use ATMs if only a reusable password scheme allowed access to their accounts? Consumers rely on, and gain comfort from, a strong user authentication method to protect their sensitive data. Also, banks can hold users accountable for controlling their cards and PIN numbers. The combination of two authentication factors is what allows the users and the banks to hold each other accountable for the data protected. Companies should consider this example significant for their data as well.
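The token-plus-PIN check from section II, together with the kind of server-side logic the paper says vendors add against replayed codes and race attacks, as an added example (not from the original paper, and not RSA SecurID's own algorithm). It uses the open RFC 6238 time-based code as a stand-in for a token whose number changes in step with the server; the 30-second step, the three-failure lockout, all names and the sample seed, PIN and salt are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds each displayed code is valid (assumed)
DIGITS = 6         # length of the displayed code (assumed)
MAX_FAILURES = 3   # lock well before ten guesses at a final digit can finish


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token displays at unix_time (RFC 6238 TOTP over HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def pin_digest(pin: str, salt: bytes) -> bytes:
    """The PIN is stored as a salted, slow hash, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TwoFactorVerifier:
    """Server side: something you know (PIN) plus something you have (token)."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, pin: str, seed: bytes, salt: bytes) -> None:
        self.users[user] = {
            "salt": salt, "pin": pin_digest(pin, salt), "seed": seed,
            "last_step": -1,   # newest time step already used for a login
            "failures": 0,     # consecutive failed attempts
        }

    def login(self, user: str, pin: str, code: str, now: int) -> str:
        rec = self.users.get(user)
        if rec is None:
            return "denied"
        if rec["failures"] >= MAX_FAILURES:
            return "locked"                      # stays locked until reset
        # Check both factors every time so the reply never shows which failed.
        pin_ok = hmac.compare_digest(pin_digest(pin, rec["salt"]), rec["pin"])
        matched = None
        current = now // STEP
        for step in (current - 1, current):      # allow one step of clock drift
            if step < 0:
                continue
            expected = token_code(rec["seed"], step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = step
        if not pin_ok or matched is None:
            rec["failures"] += 1
            return "denied"
        if matched <= rec["last_step"]:
            rec["failures"] += 1                 # a captured code sent again
            return "replayed"
        rec["last_step"] = matched
        rec["failures"] = 0
        return "ok"


def demo() -> list:
    """Constructed walk-through; seed, PIN, salt and times are sample values."""
    seed = b"12345678901234567890"               # published RFC 6238 test seed
    verifier = TwoFactorVerifier()
    verifier.enroll("alice", "4821", seed, b"constructed-salt")
    code = token_code(seed, 45)
    return [
        verifier.login("alice", "4821", code, 45),   # both factors correct
        verifier.login("alice", "4821", code, 59),   # same code captured and resent
        verifier.login("alice", "0000", token_code(seed, 95), 95),  # token, wrong PIN
    ]


if __name__ == "__main__":
    print(demo())
```

Because every accepted code is consumed and the account locks after three failures, a sniffed PIN and code cannot be reused, and ten rapid guesses at a final digit stop at the third.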

Corporate Liability

Liability has many angles and slants, but two critical ones are protection of assets and downstream liability. Many companies rely on a strong system of internal controls to prevent and detect fraud. It has been proven in court that a company can be negligent for not putting a system of internal controls in place. Internal controls address the protection of shareholder assets. Strong user authentication is one part of a system of controls that can be highlighted as one example of strong controls.

Downstream liability is a recent concept with some large implications. The most common example is that a computer connected to the Internet gets broken into. This computer is then used as a jumping-off point for another attack that causes a large loss to a third party. The third party can not only sue the perpetrator of the act, but also any other parties involved in the loss. This includes the company whose computer was used as the jumping-off point for the attack. The average hacker may not have deep pockets to sue to recoup the losses. However, the intermediary company might have deep pockets, and be guilty of not controlling their systems. In this example, strong user authentication is a preventive control.

Benefits

Strong user authentication has at least two positive benefits. Strong user authentication helps blunt any breach described above, giving management comfort and allowing a restful night's sleep for corporate officers and MIS directors. Next, one of the most overlooked aspects of security is not stopping unauthorized users from performing unauthorized acts, but stopping authorized users from performing unintentional acts. By stopping a user accidentally getting to others' resources, strong user authentication can either stop the problem before it starts, or allow the system administrator to trace the problem to a user and correct them so the mistake does not reoccur.

IV. How, When and Where to Use Strong User Authentication

There are many security products on the market today. Some address only one part of the security pyramid while others address multiple parts. With so many choices, people get confused about what is accomplished with each technology. Some of the most popular solutions for confidentiality and authentication include:

- Reusable and One-time Passwords: single-factor authentication
- SSL: data encryption for confidentiality
- RADIUS/TACACS: authentication, authorization, and accounting system
- PAP/CHAP: machine or process authentication but not user authentication
- Digital Signatures (without smart cards): digital keys, but protected by single-factor authentication password
- Virtual Private Networking (session encryption): data encryption for confidentiality
- Firewalls: used to limit access, and tends to use single-factor authentication
- Single Sign-On: password-based and possibly less secure than multiple passwords
- Kerberos: encryption for confidentiality but still a one-factor authentication method

None of these provide strong user authentication. To repeat, strong user authentication consists of at least two methods of identifying a user to prove their identity. All the above provide other functions such as confidentiality (Kerberos or SSL) or integrity (Digital Signature), but will not strongly authenticate a user.

If you are using any of the more advanced products listed above to protect data and systems, you should seriously consider using them in combination with strong user authentication. One way to decide is based on the cost (dollars or public embarrassment) associated with unauthorized access to data. It may not pay to have a strong user authentication tool to control access to low risk data. But without it, you may very well end up on the front page of The New York Times or suffer a large financial loss. Then, you will want to use strong user authentication for your company.

One last point. In this paper, we have described strong user authentication as of mid-1999, but due to the pace of change, this definition will continue to change as well. Any strong user authentication tool must continue to evolve with the demands of new techniques and threats.

V. Summary

Corporations worldwide rely on data stored digitally. As access paths to that data expand, the need for an overall security methodology increases greatly. Old authentication methods will no longer suffice due to their basic weaknesses as well as the growing sophistication of the tools and people attempting unauthorized access. Today, strong user authentication that uses at least two methods of identifying an individual is critical to maintaining control over access to data. Many different solutions exist, but you must be confident of their ability. Not only must they work today, but they must work tomorrow, as well.

Are your systems secure? Consider sitting down and sketching a quick risk analysis: where is your critical data stored? Do those systems use strong user authentication? Could you prove what happened if a break-in occurred? These are the questions to ask. Many people assume that their systems are secure because they are using a product such as a firewall. This is a false sense of security. Strong user authentication, in combination with the other technologies, can help you create user accountability, confidentiality and a reliable audit trail. Without any part of the pyramid, the entire structure falls. Is your data really protected?

About PricewaterhouseCoopers L.L.P.

PricewaterhouseCoopers is the world's leading professional services organization. Drawing on the knowledge and skills of 155,000 people in 150 countries, we help our clients solve complex business problems and measurably enhance their ability to build value, manage risk and improve performance. PricewaterhouseCoopers provides a full range of business advisory services to leading global, national and local companies and to public institutions. These services include audit, accounting and tax advice; management, information technology and human resource consulting; financial advisory services including mergers & acquisitions, business recovery, project finance and litigation support; business process outsourcing services; and legal services through a global network of affiliated law firms.

PwC has continued to be a leader in the area of recognizing and evaluating risks and threats to information and systems since the early stages of information technology development. PwC pioneered an original approach to auditing computer-based systems, which included the study and evaluation of controls over the security of information. In 1988, the firm established a national practice dedicated to servicing our clients' needs in addressing security over one of their most important resources: technology generated and resident information.

Technology Risk Services (TRS) is comprised of Resource Protection (RP), e-business, and Telecom & Network Services. PwC's TRS information security professionals are recognized leaders in the fields of information technology, telecommunication, logical and physical security, and auditing. We are experienced in reviewing, analyzing, developing and implementing security and control solutions. We specialize in tailoring an engagement and a program to meet our clients' needs, whether they require a broad management view or demand a highly focused technical perspective.

Services offered by the TRS practice are focused on Security, e-Business, and Telecommunication and network services. These include: Security Product Implementation Services; Threat and Vulnerability Assessment Services; Security Strategy Services; Enterprise Security; Architecture Services; Security Assurance Services; Training Services; Electronic Business Services; Telecom Revenue Assurance Services; Telecom Billing Systems and Functional Review Services; Telecom Networks and Functional Review Services; Strategic Telecom Projects and Investments Appraisal Services.

For more information on our services, contact our TRS hotline at or visit our Web site at

PricewaterhouseCoopers refers to the US firm of PricewaterhouseCoopers L.L.P. and other members of the worldwide PricewaterhouseCoopers organization.

About RSA Security Inc.

RSA Security Inc., the most trusted name in e-security, is focused on strong authentication, encryption and public key management systems that help organizations conduct e-business with confidence. RSA Security has the unrivaled technical experience and proven leadership to address the changing security needs of e-business and to bring trust to today's online economy. Today, there are more than 5 million users of RSA SecurID user authentication systems, and more than 450 million copies of RSA BSAFE encryption technologies installed worldwide. The Company's RSA Keon family of interoperable, standards-based PKI products help organizations manage digital certificates to ensure authenticated, private and legally binding electronic communications and transactions. RSA Security can be reached at info@rsasecurity.com and

PricewaterhouseCoopers L.L.P. All rights reserved. Reprinted with permission. SecurID, ACE/Server and BSAFE are registered trademarks and RSA and Keon are trademarks of RSA Security Inc. All other trademarks are the property of their respective owners.

CSUA-WP-0200


More information

The 4 forces that generate authentication revenue for the channel

The 4 forces that generate authentication revenue for the channel The 4 forces that generate authentication revenue for the channel Web access and the increasing availability of high speed broadband has expanded the potential market and reach for many organisations and

More information

It s All About Authentication

It s All About Authentication It s All About Authentication An information security white paper to help focus resources where they produce the best results. March 2005 Author: Doug Graham, CISSP Senior Director Blue Ridge Networks,

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques Computer Security process of reliably verifying identity verification techniques what you know (eg., passwords, crypto key) what you have (eg., keycards, embedded crypto) what you are (eg., biometric information)

More information

ADVANCE AUTHENTICATION TECHNIQUES

ADVANCE AUTHENTICATION TECHNIQUES ADVANCE AUTHENTICATION TECHNIQUES Introduction 1. Computer systems and the information they store and process are valuable resources which need to be protected. With the current trend toward networking,

More information

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device CHOOSING THE RIGHT PORTABLE SECURITY DEVICE A guideline to help your organization chose the Best Secure USB device Introduction USB devices are widely used and convenient because of their small size, huge

More information

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Authentication Types. Password-based Authentication. Off-Line Password Guessing Authentication Types Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4:

More information

IDRBT Working Paper No. 11 Authentication factors for Internet banking

IDRBT Working Paper No. 11 Authentication factors for Internet banking IDRBT Working Paper No. 11 Authentication factors for Internet banking M V N K Prasad and S Ganesh Kumar ABSTRACT The all pervasive and continued growth being provided by technology coupled with the increased

More information

User Identification and Authentication Concepts

User Identification and Authentication Concepts Chapter 1 User Identification and Authentication Concepts The modern world needs people with a complex identity who are intellectually autonomous and prepared to cope with uncertainty; who are able to

More information

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication Ken Scudder Senior Director Business Development & Strategic Alliances XYPRO Technology Talbot A. Harty CEO DeviceAuthority XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

More information

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems

More information

Exam 1 - CSIS 3755 Information Assurance

Exam 1 - CSIS 3755 Information Assurance Name: Exam 1 - CSIS 3755 Information Assurance True/False Indicate whether the statement is true or false. 1. Antiquated or outdated infrastructure can lead to reliable and trustworthy systems. 2. Information

More information

IY2760/CS3760: Part 6. IY2760: Part 6

IY2760/CS3760: Part 6. IY2760: Part 6 IY2760/CS3760: Part 6 In this part of the course we give a general introduction to network security. We introduce widely used security-specific concepts and terminology. This discussion is based primarily

More information

Chap. 1: Introduction

Chap. 1: Introduction Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed

More information

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS Plurilock Security Solutions Inc. www.plurilock.com info@plurilock.com 2 H IGHLIGHTS: PluriPass is Plurilock static keystroke dynamic biometric

More information

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Two-Factor Authentication Basics for Linux. Pat Barron (pat@lectroid.com) Western PA Linux Users Group

Two-Factor Authentication Basics for Linux. Pat Barron (pat@lectroid.com) Western PA Linux Users Group Two-Factor Authentication Basics for Linux Pat Barron (pat@lectroid.com) Western PA Linux Users Group Some Basic Security Terminology Two of the most common things we discuss related to security are Authentication

More information

PrivyLink Cryptographic Key Server *

PrivyLink Cryptographic Key Server * WHITE PAPER PrivyLink Cryptographic Key * Tamper Resistant Protection of Key Information Assets for Preserving and Delivering End-to-End Trust and Values in e-businesses September 2003 E-commerce technology

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

SecureAge SecureDs Data Breach Prevention Solution

SecureAge SecureDs Data Breach Prevention Solution SecureAge SecureDs Data Breach Prevention Solution In recent years, major cases of data loss and data leaks are reported almost every week. These include high profile cases like US government losing personal

More information

Secure Data Exchange Solution

Secure Data Exchange Solution Secure Data Exchange Solution I. CONTENTS I. CONTENTS... 1 II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. SECURE DOCUMENT EXCHANGE SOLUTIONS... 3 INTRODUCTION... 3 Certificates

More information

WEB SECURITY. Oriana Kondakciu 0054118 Software Engineering 4C03 Project

WEB SECURITY. Oriana Kondakciu 0054118 Software Engineering 4C03 Project WEB SECURITY Oriana Kondakciu 0054118 Software Engineering 4C03 Project The Internet is a collection of networks, in which the web servers construct autonomous systems. The data routing infrastructure

More information

Remote Access Security

Remote Access Security Glen Doss Towson University Center for Applied Information Technology Remote Access Security I. Introduction Providing remote access to a network over the Internet has added an entirely new dimension to

More information

Secure Remote Password (SRP) Authentication

Secure Remote Password (SRP) Authentication Secure Remote Password (SRP) Authentication Tom Wu Stanford University tjw@cs.stanford.edu Authentication in General What you are Fingerprints, retinal scans, voiceprints What you have Token cards, smart

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

Keystroke Encryption Technology Explained

Keystroke Encryption Technology Explained Keystroke Encryption Technology Explained Updated February 9, 2008 information@bluegemsecurity.com (800) 650-3670 www.bluegemsecurity.com Executive Summary BlueGem Security is introducing keystroke encryption

More information

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How Network Security Is Breached Network Security Policy

More information

Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004

Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004 Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004 White Paper Published: June 2004 For the latest information, please see http://www.microsoft.com/isaserver/ Contents

More information

White Paper. Enhancing Website Security with Algorithm Agility

White Paper. Enhancing Website Security with Algorithm Agility ENHANCING WEBSITE SECURITY WITH ALGORITHM AGILITY White Paper Enhancing Website Security with Algorithm Agility Enhancing Website Security with Algorithm Agility Contents Introduction 3 Encryption Today

More information

Interlink Networks RAD-Series AAA Server and RSA Security Two-Factor Authentication

Interlink Networks RAD-Series AAA Server and RSA Security Two-Factor Authentication Interlink Networks RAD-Series AAA Server and RSA Security Two-Factor Authentication As the world increasingly depends on computers to do business, the need for safeguarding computer resources also increases.

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Internet Banking Two-Factor Authentication using Smartphones

Internet Banking Two-Factor Authentication using Smartphones Internet Banking Two-Factor Authentication using Smartphones Costin Andrei SOARE IT&C Security Master Department of Economic Informatics and Cybernetics Bucharest University of Economic Studies, Romania

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 10 Authentication and Account Management Objectives Describe the three types of authentication credentials Explain what single sign-on

More information

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Beyond passwords: Protect the mobile enterprise with smarter security solutions IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive

More information

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment IIIIII Best Practices www.gemalto.com IIIIII Table of Contents Strong Authentication and Cybercrime... 1

More information

PASSWORD MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

PASSWORD MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region PASSWORD MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

RSA SECURITY SOLUTIONS. Secure Mobile & Remote Access

RSA SECURITY SOLUTIONS. Secure Mobile & Remote Access RSA SECURITY SOLUTIONS Secure Mobile & Remote Access SECURE MOBILE & REMOTE ACCESS empower workforce mobility strengthen relationships & create new opportunities reduce exposure to network breaches support

More information

NETWORK SECURITY ASPECTS & VULNERABILITIES

NETWORK SECURITY ASPECTS & VULNERABILITIES NETWORK SECURITY ASPECTS & VULNERABILITIES Luis Sousa Cardoso FIINA President Brdo pri Kranju, 19. in 20. maj 2003 1 Background Importance of Network Explosive growth of computers and network - To protect

More information

More effective protection for your access control system with end-to-end security

More effective protection for your access control system with end-to-end security More effective protection for your access control system with end-to-end security By Jeroen Harmsen The first article on end-to-end security appeared as long ago as 1981. The principle originated in ICT

More information

Brainloop Cloud Security

Brainloop Cloud Security Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating

More information

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access CONTENTS What is Authentication? Implementing Multi-Factor Authentication Token and Smart Card Technologies

More information

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

Whitepaper on AuthShield Two Factor Authentication with ERP Applications Whitepaper on AuthShield Two Factor Authentication with ERP Applications By INNEFU Labs Pvt. Ltd Table of Contents 1. Overview... 3 2. Threats to account passwords... 4 2.1 Social Engineering or Password

More information

Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA

Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA A Seminar report On Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA SUBMITTED TO: www.studymafia.org SUBMITTED BY: www.studymafia.org Preface I have made

More information

PCI Wireless Compliance with AirTight WIPS

PCI Wireless Compliance with AirTight WIPS A White Paper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Introduction Although [use

More information

An Introduction to Network Vulnerability Testing

An Introduction to Network Vulnerability Testing CONTENTS Introduction 3 Penetration Testing Overview 4 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and Delivering Results 6 VeriSign SecureTEST 7 Common Vulnerability

More information

Economic and Social Council

Economic and Social Council UNITED NATIONS E Economic and Social Council Distr. GENERAL ECE/TRANS/WP.30/AC.2/2008/2 21 November 2007 Original: ENGLISH ECONOMIC COMMISSION FOR EUROPE Administrative Committee for the TIR Convention,

More information

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis Intrusion Detection Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

IT Security. Securing Your Business Investments

IT Security. Securing Your Business Investments Securing Your Business Investments IT Security NCS GROUP OFFICES Australia Bahrain China Hong Kong SAR India Korea Malaysia Philippines Singapore Sri Lanka Securing Your Business Investments! Information

More information

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication Page 1 of 8 Introduction As businesses and consumers grow increasingly reliant on the Internet for conducting

More information

The Roles of Software Testing & QA in Security Testing

The Roles of Software Testing & QA in Security Testing The Roles of Software Testing & QA in Security Testing Hung Q. Nguyen LogiGear, President and CEO Bob Johnson Independent, Security Consultant ASQ-SSQA Presentation, May 14, 2002 Objective To jump start

More information

An Introduction to HIPAA and how it relates to docstar

An Introduction to HIPAA and how it relates to docstar Disclaimer An Introduction to HIPAA and how it relates to docstar This document is provided by docstar to our partners and customers in an attempt to answer some of the questions and clear up some of the

More information

Remote Access Securing Your Employees Out of the Office

Remote Access Securing Your Employees Out of the Office Remote Access Securing Your Employees Out of the Office HSTE-NB0011-RV 1.0 Hypersecu Information Systems, Inc. #200-6191 Westminster Hwy Richmond BC V7C 4V4 Canada 1 (855) 497-3700 www.hypersecu.com Introduction

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of

More information

Skoot Secure File Transfer

Skoot Secure File Transfer Page 1 Skoot Secure File Transfer Sharing information has become fundamental to organizational success. And as the value of that information whether expressed as mission critical or in monetary terms increases,

More information

WHITE PAPER. GoToMyPC. Citrix GoToMyPC Corporate Security FAQs. Common security questions about Citrix GoToMyPC Corporate. www.gotomypc.

WHITE PAPER. GoToMyPC. Citrix GoToMyPC Corporate Security FAQs. Common security questions about Citrix GoToMyPC Corporate. www.gotomypc. Citrix Corporate Security FAQs Common security questions about Citrix Corporate www.gotomypc.com Q: What are the Corporate software components that I need to install on the host and client computers? A:

More information

Penetration Testing Service. By Comsec Information Security Consulting

Penetration Testing Service. By Comsec Information Security Consulting Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Securing Database Servers. Database security for enterprise information systems and security professionals

Securing Database Servers. Database security for enterprise information systems and security professionals Securing Database Servers Database security for enterprise information systems and security professionals Introduction: Database servers are the foundation of virtually every Electronic Business, Financial,

More information

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Innovative Defense Strategies for Securing SCADA & Control Systems

Innovative Defense Strategies for Securing SCADA & Control Systems 1201 Louisiana Street Suite 400 Houston, Texas 77002 Phone: 877.302.DATA Fax: 800.864.6249 Email: info@plantdata.com Innovative Defense Strategies for Securing SCADA & Control Systems By: Jonathan Pollet

More information

White Paper. Options for Two Factor Authentication. Authors: Andrew Kemshall Phil Underwood. Date: July 2007

White Paper. Options for Two Factor Authentication. Authors: Andrew Kemshall Phil Underwood. Date: July 2007 White Paper Options for Two Factor Authentication Authors: Andrew Kemshall Phil Underwood Date: July 2007 Page 1 Table of Contents 1. Problems with passwords 2 2. Issues with Certificates (without Smartcards)

More information

Assessing Risk: Developing a Client/Server Security Architecture

Assessing Risk: Developing a Client/Server Security Architecture University of Pennsylvania CAUSE 95 Assessing Risk: Developing a Client/Server Security Architecture November 22, 1995 Dave Millar, University Information Security Officer (millar@isc.upenn.edu) Noam Arzt,

More information

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure) Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.

More information

Network Security 101 Multiple Tactics for Multi-layered Security

Network Security 101 Multiple Tactics for Multi-layered Security Security and Resilience for Utility Network Communications White Paper Communications networks represent a partial paradox. The very openness and ubiquity that make them powerful can also present a weakness.

More information

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards

More information

Cyber Security: Beginners Guide to Firewalls

Cyber Security: Beginners Guide to Firewalls Cyber Security: Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers This appendix is a supplement to the Cyber Security: Getting Started

More information

IDENTITY MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

IDENTITY MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region IDENTITY MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information