Date posted: 22-Dec-2015
Andy Smith MSc FBCS CEng CITP FSyI M.Inst.ISP
AIS InfoSec Ltd
©2011 AIS InfoSec Ltd Slide 2
Me in 60 Seconds
• Started working with the Internet in 1986
• Developing websites and installing firewalls 1992
• Member of the IISP and CLAS
• Chartered Fellow of the BCS (Member SCoE)
• Fellow of the Security Institute
• Bachelors and Masters in Computer Science
• Masters in Information Security from Royal Holloway via Distance Learning
• Collect qualifications: Andy Smith MSc CEng FBCS FSyI CITP CISA CISM CISSP MCSE CLAS ITPC SMIEEE M.Inst.ISP
• Next a PhD?
The next hour
Aims
Knowledge Transfer
Interactive – Ask questions
Agenda
What is Identity?
Establishing Identity
Identity Management
The Questions?
What is Identity? Who are you (Identity Registration)? The Ford Prefect problem.
Are you really who you claim to be? Verification / Authentication: the Sidney Bristow problem.
How can I establish an identity and verify it easily? How can I be sure you are you?
Identity - Fundamentals
3 main sets of data:
Those intrinsic to you when you are born
Those assigned to you by others
Those you get as you interact with the world
Establishing identity looks at all of these in 3 steps:
[Diagram: three layers, Physical Person (Immutable Attributes), Attribute Context (Recorded Biographics, Links) and Wider Identity (Biographical Footprint, Identity Services, Entitlements, Social Interactions, History, Identity Credentials, Assigned Attributes, Related Attributes). Example attributes shown: Biometrics, Date of Birth, Biological parents, Gender at birth, Name(s), Nationality, Parents, Recorded DoB, Personas, Address(es), Qualifications, Titles, Relationships, Skills, Signature, Health, Gender, Religion, Memberships, Reference Numbers, Place of Birth, Government Interactions.]
Establishment - Existence
Is the asserted identity real?
Can all of the claims be corroborated? Are there anomalies?
What is the strength of the corroboration?
A biographical check of the identity across various data sets:
Is there a footprint of use in society?
Is there a historical record of use?
Is there evidence the identity is still current?
[Diagram: The Claimed Identity Exists; Evidence it Exists in Society; Evidence it Exists in History. Checks shown: Unique ID Creation Events Exist; Attributes Can Be Corroborated; Claimed Events Can Be Corroborated; There Are No Unresolved Anomalies; No Evidence of Death / Non-use; Identity Used Recently and Regularly.]
Establishment - Provenance
Is this really your Identity?
Can provenance be established?
Detailed knowledge of the identity
Original documents
Interview if appropriate
Resolve any anomalies
[Diagram: Claimant Owns This Identity; Provenance Can Be Confirmed; Identity Matches Profile. Checks shown: Person Matches Biometrics; Person Has Original Documents; Person Knows The History Intimately; Identity Not Been Claimed Before; Claimed Gender/Ethnicity/Origin fits; Claimant Attributes Consistent With ID.]
Establishment - Uniqueness
Is this your primary identity?
Is it your only identity – is it unique?
Are there any other personas linked to the identity, e.g. a stage name?
The person is then locked into the identity using:
Biometrics: photograph, fingerprints and signature
Credentials: ID card, driving licence, passport, etc.
Look at a real case - Me
[Diagram: Identity Recorded and linked to individual; Identity Immutably Linked With Claimant; Identity is Unique. Checks shown: Biographic Attributes Recorded; Biometrics Recorded; Credentials Issued; Identity Lifecycle Managed; Claimed Personas Link to This ID; Claimant Does not Appear to have other Identities.]
A quick look at ME?
Andrew Ian Smith / Andrew Smith / Andy Smith / Andrew / Andy / A I Smith / A Smith / Smiffy / Smitty / Daddy / Uncle Andy / Mr Smith
Who can corroborate I am me?
Can anyone be sure?
Google search: Andy Smith ~24,700,000; Andrew Smith ~36,000,000
CLAS ~700 members: 2 Andrew Smiths
School ~2000 students: 6 Andrew Smiths
Linda Knows ME
Fred Knows ME
Mum Knows ME
Athena Knows ME
Friends Know ME
In fact lots of people Know ME
Establishing my identity – People
Family, friends, colleagues, can corroborate my existence
A good start, but what else?
Establishing my identity – Records
Establishing my identity – School
Establishing my identity – Government
Establishing my identity – Career
Establishing my identity – Finances
Establishing my identity – Organisations
Establishing my identity – Health
Establishing my identity – Qualifications
Establishing my identity – Public profile
Establishing my identity – Online profile
Establishing my identity – Me
[Timeline 1970, 1980, 1990, 2000, 2010, 2020: the evidence from the preceding sources, summed (=), establishes me]
High Assurance Link
[Diagram: Person linked to Identity; Identity linked with Credentials]
Now we know who I am, with some assurance. The ID has to be immutably linked to the physical person.
So what is Identity? My view
An Identity is who the person is perceived to be by others:
That the bit of wet carbon and associated attributes
Is known by others and has interacted with society
Established a biographical footprint in time
Consistently used the same personas (maybe more than one)
Has a set of personas that remain consistent
It's all the attributes and relationships that a person has and how they interplay with each other throughout their life.
[Diagram: Root Identity, Person, Personas]
Assured Identity
Assurance = level of confidence obtained while establishing the identity
Sliding scale ranging from illegal immigrant with no papers to royalty with centuries of heritage
Link to the identity can be locked in using various credentials
Can then be reconfirmed at a later date using those credentials
[Chart: Identity Assurance Rating against strength of binding, from ?0% to 100%. Credentials shown: UserID, Shared Knowledge, Shared Secrets, PIN, Visual Verification, Biometrics, Multi-modal Biometrics.]
Confidence + Index Credential x 2nd Factor Credential = Assurance level
Summary - Identity Assurance
Identity Assurance (IdA) covers the provenance and integrity of the identity including its on-going maintenance.
It gives you a measure of confidence:
That the provenance of the identity has been established as far as practicable
That the identity is complete and the integrity of the information cannot be degraded
That the asserted attributes are verified accurate as far as practicable
That any change of circumstances to attributes is corroborated or validated before being changed
That the confirmed identity is linked to the person with high assurance credentials (biometrics); and
That the individual and any personas (also known as "identities") they may have are bound to that unique root identity.
Summary - Identity Management
Identity Management (IdM) covers the whole lifecycle of an identity from initial enrolment into the IDMS through to archiving.
It includes the governance, processes, data, technology and standards concerned with:
Application to register an identity
Authenticating the identity and its claimed attributes
Establishing ownership and provenance of the identity
Enrolling that identity into the IDMS and linking it to the individual
Maintaining that identity and its attributes
Ensuring integrity of the information and improving its assurance
Providing credentials & services to authenticate that identity to third parties
Minimising theft or misuse of an identity; and
Managing identity restitution and redress
Authentication - Where are the threats from?
Mainly from people:
Muppets
Pranksters (siblings etc.)
Inadvertency (error, stupidity)
Opportunists / Journalists
Malicious people (e.g. revenge)
Militants & Terrorists
Criminals
Serious & Organised Crime
Foreign Intelligence Services
Also beyond reasonable control:
Force majeure (e.g. major incident, natural disaster)
Automated, untargeted attacks (e.g. malicious code)
Various goals, e.g. ID theft, fraud, disruption
Threats – People & Process
Humans:
Human Error / Accidents / Stupidity
Social Engineering / Phishing
Technophobia
Apathy / Complacency
Credentials:
Easily guessed or written down
Forgotten credentials (support overhead)
Lack of assurance:
No supervision or oversight
No trusted infrastructure
No proof of actions (non-repudiation)
[Image: e.g. writing the PIN on the card, "1324"]
Threats - Technology
Computer based:
Viruses & malicious mobile code (Java, ActiveX)
Keyboard loggers (software & hardware)
Replacement / Trojan software
SSL libraries that log all encrypted data
Hijacking computer (remote control)
Communications:
Network sniffers / probes / recorders
Listening in (scanners, phone taps)
Redirection (fake web sites)
Email / file capture
[Image: scanner for listening to wireless phone conversations]
Threats - Computers
[Diagram: the user's computer stack, from User through Application (IE / Firefox), APIs (CAPI / BioAPI / ...), Operating System (Windows / Linux / MacOS), Hardware Abstraction Layer (HAL), Smart Card Driver (USB) and Reader, Keyboard / mouse, Display and Network Driver, connected via the Internet and Gateways to a Web Portal. Threat labels shown: Malicious Mobile Code, Trojans, Loggers; Credential Capture (keystroke logging, screen scraping); Hash modification; Insertion/modification of data; Fraudulent transaction creation & signing; Activity logging; Information gathering; Appending info; Replay attacks; Remote controlled actions.]
Vulnerabilities often exploited
Computer based:
Office documents via email
PDF documents via email
Web browsers via compromised web servers
Web browsers via email or other mobile code routes
Operating system vulnerabilities via malicious code
Exception handling routine weaknesses
Humans:
Social engineering and psychological manipulation
Apathy, complacency, stupidity (e.g. phishing)
Greed (bribery and corruption of insiders)
Dumpster diving (rubbish trawling)
Risks
Keyboard logging and screen scraping of credentials
Getting paper documents from bins or post
Copying credentials during F2F and creating counterfeits:
Insurance/mortgage/loan/passport application forms
Online purchases giving credit card details
Showing your passport in some countries
Information can be used to:
Apply for bank accounts or credit cards
Transfer funds from a bank
Order goods or services
Adopt the identity of someone who has emigrated or recently died
Adopt the identity of someone who does not understand computers
Commit a serious crime in another person's identity
Conclusion
• Identity is who the person is perceived to be by others
• It's all the attributes & relationships that a person has & how they interplay with each other throughout their life
• Identity is now more important than ever and is critical to successful InfoSec – Access Control depends on it
• Biggest issues are Identity Theft and Fraud
• It is now much easier to steal or misuse another person's identity - Protect your personal information
• Human Error still the biggest issue in InfoSec
-- Watch for Muppets
[email protected]@aisinfosec.com