The Official (ISC)2 SSCP CBK Reference. Mike Wills


The Official (ISC)2 SSCP CBK Reference - Mike Wills, page 49



Traditionally, the issue of single-factor versus multifactor authentication has been discussed in terms of human end users as access control subjects. With more autonomous and semi-autonomous systems becoming part of our networks, or becoming users of your networks, it is time to reconsider this in more general terms. The focus should be on subjects regardless of whether they are people, robots, IoT devices, or processes, of any level of complexity, as having identities that must be authenticated before they are allowed to connect to our systems and networks. If our security needs require multifactor authentication for one class or type of entity, we take on great risk for any other class of entity for which we require only single-factor authentication.

      Authentication of human user access attempts has traditionally been based on one or more of three authentication factors.

       Type I: Something you know, such as a username or password

       Type II: Something you have, usually a hardware device, a machine-readable identity card, or a smart card or key fob

       Type III: Something you are, such as a physical characteristic that does not change over time

      Two additional factors (not, so far, named Type IV and Type V) have been gaining more widespread use in the marketplace: “something you do” and “somewhere you are,” which relate to specific behavioral patterns associated with you as a subject.

      Regardless of the choice of factors used, at some point your security protocols need to deal with locking a user out from further access attempts (also known as a false rejection error). A user who fails to authenticate properly after a small number of attempts (typically three to five attempts) is locked out and may have to either wait a certain amount of time or contact the systems help desk and request a reset of their access credentials. Although false rejections cause you to spend extra effort to resolve and potentially waste otherwise productive time for your users, they are far less worrisome than false acceptance errors, which occur when an attacker manages to spoof a set of identification and authentication credentials and is accepted by your system and granted access. The frequency with which both of these types of errors occur is an important security diagnostic you should monitor, if not treat as an alarm condition.

Figure 2.4 shows one statistic you will often see cited in vendor material about biometric devices. The crossover error rate (CER) is the number that results when the device is adjusted to provide equal false acceptance (false positive, or Type II error) and false rejection (false negative, or Type I error) rates in your environment. This is also referred to as an equal error rate (EER). All other things being equal, the device with the lower CER or EER may be demonstrating a greater intrinsic accuracy, which yields less wasted effort spent on false rejects and lowers your risk of allowing an intrusion (a false acceptance) to occur. Since most systems see tens of thousands of access attempts per day, it is important and meaningful to look at the rate at which these errors occur as an indicator of whether you have your access control system tuned properly.

      In selecting, tuning, and deploying any access control methods, including biometric technologies, it is critical to choose the tolerance for false positive and false negative error rates to meet your risk tolerance. Let's look at some numbers:

The false rejection rate (FRR) is the ratio of false rejection errors to valid authentications. If 1,000 attempts to authenticate result in two rejections of legitimate users, the FRR is 0.002, or 0.2 percent.

The false acceptance rate (FAR) is the ratio of false acceptance errors to valid authentications. If, in 1,000 attempts to authenticate, two impostors are erroneously allowed in, the FAR is 0.002, or 0.2 percent.

       FIGURE 2.4 Crossover error rate

      You can see in this figure that the costs associated with implementing more rigorous access authentication techniques, such as multifactor biometric technologies, do buy you lower false acceptance rates (that is, spending more money moves your operational point to the left on that graph). False rejections cause you to spend extra effort to validate that a legitimate but rejected user should in fact be allowed to have access. If your circumstances and risk appetite suggest that you can tolerate the increased risk by spending less, then, by all means, move toward the right side of the graph and be willing to accept a greater likelihood of an intrusion while minimizing the disruptions to legitimate users (and increased costs of legitimate work).

      Be aware that it is false reasoning to associate a lower cost with the right edge of this graph: You “win” on this trade space only if your systems are never penetrated in ways that inflict great impact via a data breach or ransom attack or that cause other losses. As Bob Lockhart pointed out at https://www.tractica.com/biometrics/in-biometrics-which-error-rate-matters/, most real-world applications of access control have to operate well on the left side of this graph.
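As an added illustration of the FRR, FAR and crossover figures discussed above (example code written for this section, not from the book), this Python sweeps an accept threshold over a constructed set of labelled biometric match scores and finds the threshold at which the two rates meet; the `Attempt` type and the score values are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """One authentication attempt: the matcher's similarity score and whether the
    subject really was the enrolled user (known only in a labelled test set)."""
    score: float   # matcher output in [0, 1]; the device accepts if score >= threshold
    genuine: bool  # True for a legitimate user, False for an impostor


def error_rates(attempts, threshold):
    """FRR and FAR at a given accept threshold.

    Both are expressed, as in the chapter's worked numbers, as a fraction of all
    attempts made (2 errors in 1,000 attempts -> 0.002)."""
    n = len(attempts)
    false_rejects = sum(1 for a in attempts if a.genuine and a.score < threshold)
    false_accepts = sum(1 for a in attempts if not a.genuine and a.score >= threshold)
    return false_rejects / n, false_accepts / n


def crossover(attempts):
    """Try every observed score as a candidate threshold and return
    (threshold, FRR, FAR) where the two rates are closest: the CER / EER."""
    best = None
    for t in sorted({a.score for a in attempts}):
        frr, far = error_rates(attempts, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _, t, frr, far = best
    return t, frr, far


# Constructed sample scores (not real device data): genuine users mostly score high,
# impostors mostly low, with overlap in the middle where the errors come from.
SAMPLE = (
    [Attempt(s, True) for s in [0.95] * 10 + [0.85] * 10 + [0.70] * 5 + [0.55] * 3 + [0.40] * 2]
    + [Attempt(s, False) for s in [0.10] * 10 + [0.25] * 10 + [0.45] * 5 + [0.60] * 3 + [0.75] * 2]
)

if __name__ == "__main__":
    # Raising the threshold moves the operating point toward fewer false accepts
    # and more false rejects; the crossover is where the two rates are equal.
    for t in (0.5, 0.6, 0.7):
        frr, far = error_rates(SAMPLE, t)
        print(f"threshold {t:.2f}: FRR={frr:.3f} FAR={far:.3f}")
    print("crossover (CER/EER):", crossover(SAMPLE))
```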

      Note, too, that regardless of which type or types of authentication factors your systems use, you also need to support these with administrative, logical, and physical processes for revocation of existing credentials, replacement of credentials that have been lost or stolen, and reissue or revalidation of credentials as part of periodic review of access privileges. This is covered in more depth later in this chapter.

      Let's look at these factors in some depth and each one's strengths and weaknesses when used as a single-factor authentication of a subject claiming to be a legitimate human user on your systems. (You'll learn about device authentication in more detail in Chapter 6, “Network and Communications Security.”)

      Everyone who has used a modern computer system is familiar with the first type of authentication factor, “something you know.” Common forms of this authentication factor include passwords, passphrases, personal identification numbers (PINs), and security questions. Some systems also ask users to authenticate themselves by confirming recent activity on the system, such as the last three transactions on a bank account. All of these forms assume that human memory and willpower can provide a reasonable degree of protection for the chosen type of “secret knowledge” used as the factor.

      Note that the more complex and secure you try to make
