I was recently asked this question…
I’m working on a project right now where my team wants to substitute passwords and usernames for biometric authentication. I have expressed my multiple concerns for the security of such a system, but the idea has now come up that we could use a system with at least 2 factors of biometric authentication, such as facial and voice recognition. While such a system is definitely better than one form of biometric authentication only, I still believe it is more insecure than using passwords. And even if it were not, I believe it is concerning from a privacy standpoint and makes our database a prime target for hackers.
To which I replied… When evaluating any authentication solution, you should consider the FAR, FRR, and CER.
FAR = False Acceptance Rate: the rate at which someone who is not an authorized user is granted access.
FRR = False Reject Rate: the rate at which an authorized user is rejected.
CER = Crossover Error Rate: the point at which the FAR and FRR meet.
You want your FAR and FRR to both be very low. If your FAR were 1 in every 100 unique authorizations, meaning that one time in every 100 authorizations an unauthorized person was granted access, that would be 1%. Is that acceptable given the number of people using the system?
You should try to account in your design for a FAR event (an unauthorized user gaining access) and have some other protection in place; that leads to an MFA (multi-factor authentication) scheme.
FRR is what will truly frustrate your authorized users, because they will be turned away and unable to access the system. That drives up the cost of operating the system, since some additional person will have to be standing by to grant the rejected but authorized person access.
The CER or crossover rate is a way of detecting if either the FAR or the FRR is low. If either is a low number, it will result in a lower CER. If you want to make sure that unauthorized users DO NOT have access and that your authorized users are not being turned away, you want to maximize your CER.
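As an added illustration (my own example, not part of the original answer), the Python below computes FAR and FRR from a threshold sweep over constructed match scores, locates the crossover point (the threshold where FAR and FRR are equal; the error rate there is the CER, and a lower CER means the genuine and impostor scores overlap less), and then shows the two trade-offs discussed above: pushing FAR toward zero raises FRR, and requiring a second independent factor multiplies the FAR while adding to the FRR. The score lists, the step count, and the independence assumption behind and_fusion are all assumptions of the example, not measurements of any real system.

```python
"""Added example (not from the post): FAR, FRR and the crossover point from a
threshold sweep, plus the FAR/FRR effect of requiring a second factor."""
from __future__ import annotations

# Constructed match scores in [0, 1] (higher = stronger match); not real biometric data.
# GENUINE_SCORES: attempts by the enrolled user; IMPOSTOR_SCORES: attempts by others.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.83]
IMPOSTOR_SCORES = [0.21, 0.35, 0.48, 0.80, 0.30, 0.55, 0.74, 0.40, 0.26, 0.58]


def far(impostor: list[float], threshold: float) -> float:
    """False Acceptance Rate: share of impostor attempts accepted (score >= threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: list[float], threshold: float) -> float:
    """False Rejection Rate: share of genuine attempts rejected (score < threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover(genuine: list[float], impostor: list[float], steps: int = 1000) -> tuple[float, float]:
    """Sweep thresholds from 0 to 1 and return (threshold, CER): the first threshold
    where FAR and FRR are closest, and the common error rate at that point."""
    best_gap, best_t, best_err = None, 0.0, 1.0
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_err = gap, t, (a + r) / 2
    return best_t, best_err


def threshold_for_far(impostor: list[float], target_far: float, steps: int = 1000) -> float:
    """Lowest threshold at which FAR is at or below target_far (tighter security)."""
    for i in range(steps + 1):
        t = i / steps
        if far(impostor, t) <= target_far:
            return t
    return 1.0


def expected_false_accepts(far_value: float, authorizations: int) -> float:
    """A FAR of 1% over 100 authorizations means about one unauthorized person let in."""
    return far_value * authorizations


def and_fusion(far1: float, frr1: float, far2: float, frr2: float) -> tuple[float, float]:
    """Two independent factors, both required to pass: an impostor must beat both
    checks (FAR multiplies), but a genuine user is rejected if either check fails
    (FRR grows). Independence is an assumption of this example."""
    return far1 * far2, 1 - (1 - frr1) * (1 - frr2)


if __name__ == "__main__":
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t:.3f}: FAR = FRR = {cer:.0%}")
    strict = threshold_for_far(IMPOSTOR_SCORES, 0.0)
    print(f"threshold {strict:.3f} gives FAR 0% but FRR {frr(GENUINE_SCORES, strict):.0%}")
    print("1% FAR over 100 authorizations ->", expected_false_accepts(0.01, 100), "false accepts")
    print("two 10%/10% factors AND-ed (FAR, FRR) ->", and_fusion(0.1, 0.1, 0.1, 0.1))
```

With these constructed scores the crossover sits at a threshold just above 0.74 with FAR and FRR both at 10%; driving FAR to 0% requires a threshold above 0.80, where two of the ten genuine attempts are rejected (FRR 20%), which is exactly the help-desk cost described above. AND-ing two 10%/10% factors yields a 1% FAR but a 19% FRR, so a second factor buys resistance to a FAR event at the price of more rejected legitimate users.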
The Traffic Light Protocol (TLP) takes something that most people know and applies it to a new problem: the simple concept of roadway traffic lights, applied to information sharing. As defined by FIRST, an organization formed by cyber first responders, the Traffic Light Protocol is “a set of designations used to ensure that sensitive information is shared with the appropriate audience”.
According to the TLP, when information is shared between two parties (a source and a recipient), the traffic light colors tell the recipient what the source expects regarding how the information will be used.
The key to understanding TLP is its simplicity. Traffic lights or signals are something used and seen by drivers and passengers on roadways around the world.
It’s important that each person in an organization handling information understands and uses TLP all the time and in the same way. TLP is successfully implemented in an organization when everyone uses the protocol to process information the same way.
While most roadway traffic signals have either two or three lights, the protocol defines four conditions.
TLP:Red – Information classified as RED is shared when the source intends that it will not be disclosed further. The use of this information should be restricted to participants only. I tell people that when information classified as TLP:Red is shared with you, that information should stay with you.
TLP:Amber – Information classified as AMBER is intended for limited disclosure. That means you should only share this information with people in your organization. If you work in a company’s Information Security department and receive information classified as TLP:Amber, you can share it with others in your Information Security department. Some organizations stretch this to mean anyone within the company. Specific company policies and procedures should clarify this.
TLP:Green – Information classified as GREEN is also limited disclosure; however, disclosure should be limited to the community: people in your organization and in other organizations with whom you regularly work. As with TLP:Amber, your organization’s policies and procedures should define the community.
TLP:White – Information classified as TLP:White “carries minimal or no foreseeable risk of misuse” and can be shared broadly. It’s important to note that information classified as TLP:White is still subject to other organizational information classification (such as Secret, Top Secret, or NoForn) and that copyrights should be observed.
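Because the post stresses that everyone must apply TLP the same way, and that the organization and community boundaries are set by local policy, here is an added example (mine, not the post’s or FIRST’s) of how a mail or sharing gateway could enforce the four designations before a message is forwarded. The domain lists standing in for “your organization” and “your community”, the subject-line tagging convention, and the fail-closed handling of untagged messages are all assumptions of the example.

```python
"""Added example (not from the post or from FIRST): a TLP forwarding check for a
mail or sharing gateway, using made-up domain lists as the organizational policy."""
from __future__ import annotations

import re

# Hypothetical policy configuration. As the post notes, each organization's own
# policies define who counts as "the organization" and "the community".
ORG_DOMAINS = {"example.com"}
COMMUNITY_DOMAINS = {"example.com", "partner.example", "isac.example"}

# Widest audience each designation permits, narrowest first.
AUDIENCE_ORDER = ["participants", "organization", "community", "public"]
TLP_AUDIENCE = {
    "TLP:RED": "participants",   # stays with those who received it
    "TLP:AMBER": "organization",
    "TLP:GREEN": "community",
    "TLP:WHITE": "public",
}

# Assumed convention: the designation appears in the subject line, e.g. "[TLP:AMBER] ...".
TAG_RE = re.compile(r"\bTLP:(RED|AMBER|GREEN|WHITE)\b", re.IGNORECASE)


def extract_tlp(subject: str) -> str | None:
    """Return the normalized TLP tag found in a subject line, or None if untagged."""
    m = TAG_RE.search(subject)
    return f"TLP:{m.group(1).upper()}" if m else None


def recipient_audience(address: str) -> str:
    """Classify a recipient by mail domain against the configured policy."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in ORG_DOMAINS:
        return "organization"
    if domain in COMMUNITY_DOMAINS:
        return "community"
    return "public"


def may_forward(label: str, address: str, participants: frozenset[str] = frozenset()) -> bool:
    """True if `address` lies within the audience `label` allows. Original
    participants may always receive again: they already hold the information."""
    if address.lower() in participants:
        return True
    allowed = AUDIENCE_ORDER.index(TLP_AUDIENCE[label])
    return AUDIENCE_ORDER.index(recipient_audience(address)) <= allowed


def check_forward(subject: str, recipients: list[str],
                  participants: frozenset[str] = frozenset()) -> tuple[list[str], list[str]]:
    """Split recipients into (allowed, blocked). Untagged messages are fully blocked
    here; that fail-closed default is an assumption of this example, not a TLP rule."""
    label = extract_tlp(subject)
    if label is None:
        return [], list(recipients)
    allowed = [r for r in recipients if may_forward(label, r, participants)]
    blocked = [r for r in recipients if r not in allowed]
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample: a community-level advisory going to one insider and one outsider.
    print(check_forward("[TLP:GREEN] Phishing campaign indicators",
                        ["alice@example.com", "carol@public.example"]))
```

The ordered audience list is what makes the check uniform: a recipient is allowed exactly when their classified audience is no wider than the one the designation permits, so TLP:Red admits only the original participants, TLP:Amber stops at the organization’s own domains, and so on. Whether “organization” means one department or the whole company is settled by editing ORG_DOMAINS, which mirrors the post’s point that local policy decides that boundary.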
The Internet is changing yet again. One of my predictions for 2018 is that everyone will witness a migration from corporate or private data centers to the ‘Cloud’, or Internet hosted data centers. There have been tremendous advances made in both securing the Cloud and sharing with the broader technical community how to secure the Cloud.
Some important reading material about Cloud security includes:
Amazon’s Shared Responsibility Security Model,
Azure’s Security Center, and
Google’s Application Layer Transport Security.
I just finished the course ‘International Cyber Conflicts’ at Coursera. The course was developed and led by professors Sanjay Goel and Kevin Williams from the State University of New York at Albany. This was a five-week course that consisted of recorded presentations with inline questions, discussion forums, and end-of-week quizzes.
The presentations and readings for this course were good. After several readings referred to Cybersecurity and Cyberwar by Singer and Friedman, I elected to buy the book. I had been able to obtain the book through my local library on an interlibrary loan. After the second reading I really enjoyed the book and purchased it via Amazon.
I would say the only downside to this course, like others that I have viewed, is that the discussion forums were not really that good. The discussion forums themselves merged comments from previous offerings of the course (from about a year ago). I can appreciate why the instructors did this, in an attempt to seed the discussion forums and get more people contributing. I didn’t think that worked. And then, as with many Coursera offerings, some people just don’t understand or don’t seek to contribute to the discussions. Tighter moderation might help there.
I enjoyed the course and would recommend it to anyone interested in cyber security. The course was free unless you request a completion certificate.
I recently came across two very good articles about USB forensics.
The Hitchhiker’s Guide to USB Forensics was published at the Cyberforensicator site by Oleg Skulkin and Igor Mikhaylov. It is a very well thought out and written description of how to find out, by operating system analysis, what files have been copied to a USB device. They used a Windows 10 virtual machine and the Oxygen Forensics AXIOM tool to conduct a basic analysis, locating evidence about what files have been copied or moved.
I was looking for references on how to investigate just the USB drive itself. I found the SANS Computer Forensic Guide to profiling USB thumb drives on Win7, Vista, and XP, a blog post by Rob Lee dated September 2009. This was more in line with what I was looking for, given that one has found the USB device and wants to start treating it as evidence. Rob had written about the differences between analyzing USB thumb drives and drive enclosures. There was much good info in both posts.
Many would consider me an Internet old timer. I used ‘The Internet’, then called ARPAnet, back in the days when I worked as a Software Engineer for a US defense contractor. Securing communications and having confidence in message integrity, both in the identity of the sender and in the integrity of the content, have always been important, if not vital, to communications over the Internet. I was struck by this blog post in part because I have heard of Filippo’s work, but most of all because I completely agree with his message.
It wasn’t just me. The folks at Wired have noticed that some web sites are not really very password manager friendly.
I travel fairly often. Lots of that travel is for work, but I do get around on personal business and to get away. One of my go-to sites for travel is Hilton dot com. I’ve been a Hilton customer for a long time. I like their hotels. I think they treat me well wherever I go. This isn’t an advertisement for Hilton; your mileage (and accommodations) may vary.
When you sign in at the Hilton site you typically see a prompt for a user name and password along with a check box for ‘remember me’; where the site drops a site cookie to your browser. This window also has ‘forgot your sign in’ and ‘register for site’ dialogues.
The annoying thing is that Hilton has added a check to see if you are a robot. It seems that if the cookie isn’t found in your browser, the site adds a robot test to see if the session has a user attached. I found the test usually involves matching text to pictures. If you often clear cookies (as many security researchers and I do), you’ll run into this robot check more often than the general public (many of whom unknowingly tolerate cookies).
If I use my password manager, this test comes up after that software has filled in the username and password fields and submitted the data, so my login fails. Once that failure happens I have to complete the form and the robot test manually and then submit.
It is mildly annoying but I’m still spending lots of time at Hilton properties.
Ars Technica has a great article that explains recently published Apple guidelines regarding what customer data the company will provide to law enforcement. Reviewing and understanding Apple’s position is important, as the company’s consumer devices such as the iPhone, the iPad, and Mac computers running OS X readily provide users the capability to use both local and cloud storage for data.
The guidelines referenced in the Ars article were posted by Apple under the heading “Legal Process Guidelines for U.S. Law Enforcement” and were released on May 7th, 2014.
If you are near New York City and interested in cyber security and criminal justice, I suggest attending the seminars at the Center for Private Security and Safety at John Jay College in Manhattan. I attended seminars on cybersecurity and cyber espionage. The presenters that I saw are faculty from the college. I found the seminars to be very well prepared and presented. The technical level of the seminars seems targeted at an undergraduate upperclassman (junior or senior), but all questions, both more and less technical in nature, were answered.
Trying to secure the Internet and all its users, content, and services is a difficult job. The Internet is a global resource that supports many different cultures and languages. The purposes of the various web sites that appear on the Internet vary from commercial sites selling products and services to informational sites about many more topics than most people need or care to know about. There are a myriad of operating systems and applications used to produce and access those sites. As if Advanced Persistent Threats (APT) were not bad (or scary) enough, there is now a new term used to describe the attacks that security personnel are trying to secure all these operating systems and applications from. Welcome, Targeted Persistent Attacks (TPA)!
The first place I came across TPA was over at TechRepublic. In an interview with the Research Vice President at NSS Labs, they report:
“The truth of the matter is that an APT is sometimes made up of known exploits/vulnerabilities that are not that Advanced; so the term APT doesn’t define the action correctly. TPA highlights that the actor is going after a specific target such as company X or an entire industry sector like financial services, and will be persistent in attacking the target”
Uhh? So the reason we need a new category of product is because some malware writer slacked off and didn’t use the latest, most advanced exploit or vulnerability, and instead used something that Microsoft already addressed a couple of Tuesdays ago?
To be fair, this blog post, which also appeared at NSS Labs, makes a better case for the new term (TPA, that is). What NSS Labs seems to be talking about here is threat or breach detection. Of course, there is also a TPA-focused Breach Detection Systems (BDS) product buyers’ guide.