Monday, June 11, 2018

Identification, Authentication, Authorization, and Accountability

The 4 steps that make up complete access management are identification, authentication, authorization, and accountability. Many confuse identification with authentication or consider them the same, while others forget auditing or give it the least importance. These are four distinct concepts and must be understood as such.


Whenever you log in to most websites, you submit a username. When you create an account, you are asked to choose a username which identifies you. The username you provide during login is “Identification”. It is simply a way of claiming your identity.

From an information security point of view, identification is the step in which you claim who you are. Notice that you share your username freely. Your email address is a form of identification, and you share it with everyone so that you can receive emails. This means that identification is a public piece of information.


So now you have entered your username, what do you enter next? The password. This is what authentication is about. Here you authenticate, that is, you prove that you are the person you claim to be. Authentication can be done through various mechanisms. Let’s understand these types.

There are commonly 3 ways of authenticating: something you know, something you have, and something you are.

Something You Know: Here authentication is based on your knowledge, i.e. what you know. This can be a PIN, password, key, pet’s name, etc. This is the most common authentication implemented today, and also one of the cheapest authentication mechanisms.

Something You Have: Here authentication is based on ownership, i.e. something you have or own. An access ID card, credit card, RSA token or security badge are all examples of things you can own and authenticate yourself with. The drawback is that a lost or stolen badge or token can be presented by whoever holds it.

Something You Are: Here authentication is based on a characteristic of YOU. A physical attribute is used to authenticate you. Fingerprints, voice prints, iris scans, palm prints, etc. are examples of such characteristics, or biometrics. The drawback is that, unlike a password, a biometric can never be changed if someone gets hold of it.

Dual-factor Authentication / Multi-factor Authentication – If more than one factor of authentication is used, it is called multi-factor authentication. Dual means 2, hence 2 factors are used. Example – PIN + access ID card (something you know + something you have) is dual-factor authentication. Consider a top-secret research organization where a person has to show an access ID card, then enter a PIN and then have an iris scan taken to get access: this organization has deployed multi-factor authentication.


A lot of the time, people confuse authentication with authorization. To many it seems simple: if I’m authenticated, I’m authorized to do anything. In fact, once the subject provides its credentials and is properly identified, the system it is trying to access still needs to determine whether this subject has been given the necessary rights and privileges to carry out the requested actions. Consider your mail, where you log in and provide your credentials. You will be able to compose a mail, delete a mail and make the changes you are authorized to make. Can you make changes to the messaging server? No, since you are not authorized to do so. Hence successful authentication does not guarantee authorization. Successful authentication only proves that your credentials exist in the system and that you have proved the identity you were claiming. To make any changes, you need authorization. The system may check these privileges through an access control matrix or a rule-based solution, through which you would be authorized to make the changes.


The final piece of the puzzle is accountability. Imagine a user who has been given certain privileges to do their work. What happens when they decide to misuse those privileges? If audit logs are available, you can investigate and hold the subject who misused those privileges accountable on the basis of those logs. The subject needs to be held accountable for the actions taken within a system or domain. The only way to ensure accountability is for the subject to be uniquely identified and for the subject’s actions to be recorded. Auditing capabilities ensure users are accountable for their actions, verify that the security policies are enforced, and can be used as investigation tools.

If all 4 pieces work, access management is complete. Although there are many aspects to access management, these 4 pillars need to be equally strong; a weak one undermines the foundation of identity and access management.
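To make the four stages concrete, here is an added example (it is not code from the original post) that walks a login through identification, single- or dual-factor authentication, an authorization check against an access control matrix, and an audit trail that supports accountability. The user names, passwords, token seed and the mailbox/mail-server objects are all constructed for the example, and the "something you have" factor is modelled as a simplified HMAC-based token code rather than a full hardware token implementation.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional

# Constructed identity store: username (the public identification) -> credential record.
USERS: dict = {}

# Constructed access control matrix: subject -> {object: set of permitted actions}.
# Authorization is decided here, independently of how the subject authenticated.
ACL = {
    "alice": {"mailbox": {"read", "compose", "delete"}},
    "mailadmin": {"mailbox": {"read"}, "mail_server": {"configure"}},
}

# Audit trail: every decision, successful or not, is recorded against the
# unique identity so that actions can later be attributed (accountability).
AUDIT_LOG: list = []


def _audit(subject: str, event: str, outcome: str, detail: str = "") -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject, "event": event, "outcome": outcome, "detail": detail,
    })


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a copy of the store does not directly reveal the
    # "something you know" factor.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(username: str, password: str, token_secret: Optional[bytes] = None) -> None:
    """Enrol a user; token_secret is the seed of a hardware token (second factor), if any."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt),
                       "token_secret": token_secret}


def identify(username: str) -> bool:
    """Identification: the subject claims an identity. Nothing is proven yet."""
    known = username in USERS
    _audit(username, "identify", "known" if known else "unknown_user")
    return known


def token_code_for(secret: bytes, counter: int) -> str:
    """'Something you have', modelled as a 6-digit code a token derives from its
    seed and a moving counter (HOTP-like; simplified and constructed for this example)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def authenticate(username: str, password: str,
                 token_code: Optional[str] = None, counter: int = 0) -> bool:
    """Authentication: prove the claimed identity with one or two factors."""
    if not identify(username):
        return False
    rec = USERS[username]
    # Constant-time comparison so timing does not leak how much of the hash matched.
    password_ok = hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])
    if rec["token_secret"] is not None:
        # Dual factor: knowledge (password) AND ownership (token code) must both hold.
        expected = token_code_for(rec["token_secret"], counter)
        token_ok = token_code is not None and hmac.compare_digest(expected, token_code)
    else:
        token_ok = True
    ok = password_ok and token_ok
    _audit(username, "authenticate", "success" if ok else "failure",
           "factors=2" if rec["token_secret"] is not None else "factors=1")
    return ok


def authorize(username: str, obj: str, action: str) -> bool:
    """Authorization: a separate decision looked up in the access control matrix."""
    allowed = action in ACL.get(username, {}).get(obj, set())
    _audit(username, "authorize", "allowed" if allowed else "denied", f"{action} on {obj}")
    return allowed


def actions_by(username: str) -> list:
    """Accountability: reconstruct what a given subject did from the audit trail."""
    return [(e["event"], e["outcome"], e["detail"]) for e in AUDIT_LOG if e["subject"] == username]


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    create_user("mailadmin", "constructed-admin-passphrase", token_secret=b"constructed-token-seed")
    print(authenticate("alice", "correct horse battery staple"))          # True
    print(authorize("alice", "mailbox", "compose"))                       # True
    print(authorize("alice", "mail_server", "configure"))                 # False: authenticated != authorized
    print(authenticate("mailadmin", "constructed-admin-passphrase"))      # False: second factor missing
    code = token_code_for(b"constructed-token-seed", 7)
    print(authenticate("mailadmin", "constructed-admin-passphrase", code, 7))  # True
    for entry in actions_by("alice"):
        print(entry)
```

Note that failures are audited as carefully as successes: a log that records only successful logins cannot show who tried and failed, which is exactly the evidence an investigation needs.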

What are your thoughts on this?

Saturday, May 26, 2018

Security Risk Assessment in The Internet of Things

The Internet of Things, henceforth referred to as IoT in this article, refers to all the devices connected to the internet which “talk” to each other. This means that if your washing machine is connected to the Internet and sends its health information to the manufacturer’s cloud server, it qualifies as an IoT device. Put simply, the Internet of Things is made up of devices – from simple sensors to smartphones and wearables – connected together.
IoT is one of the most talked-about technologies nowadays. Every company is working on implementing it and introducing it into our daily lives. Given the increasing number of cyber-attacks, it makes sense to identify the risks that come with deploying this technology. The traditional method of doing a risk assessment involves identifying assets, their weaknesses, the threats they may face and the potential damage in case of exploitation. Once these risks are identified, they are prioritized and countermeasures are adopted to treat them.

These traditional approaches are based on certain assumptions, the primary one being that dynamism is extremely low. Identifying the assets is a one-time activity, and the assets are assumed not to change much over a risk assessment period of, say, at least 6 months. What if the number of assets and the risk associated with them were to change every minute or every day? Clearly, risk assessment methodologies such as NIST SP 800-30, OCTAVE, FRAP, etc. are not equipped to handle the complexity which IoT presents us with.

In this blog post, we will try to understand the current methods of risk assessment, their shortcomings in their application to complex systems such as IoT and propose certain methods to handle the issues at hand.

In the earlier blog post on Risk Management, we defined risk management as:
A process of identifying the threats and vulnerabilities which a business faces, assessing the risk arising out of them, reducing it to an acceptable level and then maintaining that acceptable level.

If we apply the same definition in the IoT environment, the overall concept of risk management remains the same. Wouldn’t it? In principle, yes. However, let us understand the practical challenges here. Risk assessment is an integral part of risk management, and it has certain methodologies through which we can assess the risk(s) faced by the organization. If we apply NIST SP 800-30, we need to identify the assets (IT only), the vulnerabilities and the threats faced, then calculate the risk, propose countermeasures to treat it and monitor the complete system.

Let’s take another one. The Facilitated Risk Analysis Process (FRAP) is focused on identifying the systems that really need assessing, to reduce time and costs. It analyses one system, application or business process at a time. Data is gathered and threats to the business operations are prioritized based on their criticality. Since it is a qualitative approach, you ask experts to gather and discuss the risks which this particular asset, system or application would face.

If you observe these methodologies, you will appreciate that they are focused on identifying critical assets and the harm that may occur to them, or the threats faced by a particular asset or application. This means you follow an asset-based or a threat-based approach when you use these methodologies.

Clearly, the approach taken by these methodologies applies best to a static system. When the complexity and dynamism of the system change every minute, such risk assessment methodologies will not stand the test of time. Risk is a complex word in itself. It is a probabilistic measure of a threat exploiting a vulnerability. When threats and vulnerabilities change on a continuous basis, the calculation (quantitative) or identification (qualitative) of the risks faced becomes an enormous challenge.

An IoT device is not a complete system in itself. It needs the help of many other parts to fully function and be usable, like a part of the body which is useless without the complete body. In extremely simple terms, an IoT system is made up of at least 3 components – the application, the cloud environment and the Thing environment. All of these communicate with each other using application programming interfaces. The following article explains this in detail -

Thursday, May 24, 2018

Risk Analysis Approaches

Which color do you like? Choose one – Red, Amber or Green. Let’s try another one – How much would you like your company’s risk to cost – 10,000 $, 20,000 $ or 50,000? Choose one again. Confused? Don’t be. After all, risk analysis is about analyzing risk either in terms of color or a heat map or numbers.

The two approaches to risk analysis are Quantitative & Qualitative. Let’s understand them.

Quanti – tative Approach

This break will help you remember that this approach is related to numbers. Quanti refers to numbers here. We assign monetary and numeric values to all aspects of risk analysis. If you revisit the topic of Risk Assessment, we identified multiple parameters that must be taken care of while calculating risk. Hence, in this approach, we assign monetary values to each aspect so that at the end we can quantify, or measure, the value of the risk in dollar terms.

Let’s understand this through a simple example – 

There is a building which has a cost of 100,000$. There is no fire suppression system installed in the building. In case of a fire, the building may be damaged and will suffer a loss of 25,000$, that is, around 25%. Past experience has shown that a fire may occur once every 5 years.

The information above has been gathered as part of the risk assessment. Clearly, every aspect has been assigned a value. The asset value (cost of the building) has been put at 100,000$. The loss has also been quantified. This is what Quantitative Analysis is all about.

Numbers are incomplete without some formulas.  So here comes the formula:

Asset Value * Exposure Factor = Single Loss Expectancy

Asset Value – What is the value of the asset? During the risk assessment you have to include all sorts of costs in the asset value: the cost to develop the asset, to maintain it, to replace it, the money spent to make it usable, the value of the asset to its owners, etc. Here the building value has been identified as 100,000$, inclusive of all such costs.

Exposure Factor – What is the exposure if the threat materializes? What percentage of the asset value would be destroyed if the threat were realized? Here the building would be destroyed by around 25% in a fire. This value is the exposure factor.

Single Loss Expectancy - Actual Loss in case of realization of a threat. Notice the word expectancy here. We are expecting that this would be the loss in case of actual fire.

In our example, if we wish to calculate the SLE, it would be like this –

AV – 100,000$

EF – 25% or ¼ or 0.25

Hence, SLE = 100,000 *0.25 = 25,000$.

Therefore, the company would suffer a loss of 25,000$ from a fire.

Wait, the movie has not finished yet. Notice the last line in the scenario above. Past experiences have shown the occurrence of a fire once every 5 years.  What does this mean and how does it fit here?

Every business makes such assessments on a yearly basis. If a fire occurs once every 5 years, the damage is spread over a period of 5 years, that is, 25,000$ over 5 years. This implies that the company can choose to set aside 5,000$ every year to cover losses arising from this situation.

This leads us to another formula.

Single Loss Expectancy * Annualized rate of occurrence = Annual Loss Expectancy

Annualized Rate of Occurrence – This value represents the estimated frequency with which a specific threat would occur over a period of 1 year. 

Here the ARO would be 1/5 or 0.2.

Hence, the annual loss which the company may face is 25,000$ * 0.2 = 5,000$.

This value helps the company decide which controls it would like to implement and how much money it can justify spending on them.
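Here is the post’s fire scenario carried through in code, as an added example that is not part of the original post. It accepts the exposure factor and ARO in the notations the post uses (25%, ¼, 1/5, 0.25), computes SLE and ALE, ranks several risks by ALE, and goes one step beyond the post by netting a control’s yearly cost against the expected loss it removes. The extra risks (flood, theft) and the control figures (exposure factor of 5% after a suppression system, 2,000$ per year) are constructed for the example.

```python
import unicodedata
from dataclasses import dataclass
from fractions import Fraction


def to_fraction(text: str) -> float:
    """Accept the notations the post uses for EF and ARO: '25%', '1/4', '0.25', '¼'."""
    text = text.strip()
    if len(text) == 1 and unicodedata.category(text) == "No":   # vulgar fractions such as ¼
        return unicodedata.numeric(text)
    if text.endswith("%"):
        return float(Fraction(text[:-1]) / 100)
    return float(Fraction(text))


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair, valued the way the post values the building and the fire."""
    name: str
    asset_value: float       # AV: all costs rolled into the asset (develop, maintain, replace...)
    exposure_factor: float   # EF: fraction of AV lost when the threat materializes
    annual_rate: float       # ARO: expected occurrences per year (once in 5 years = 0.2)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value * Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE * Annualized Rate of Occurrence."""
        return self.sle() * self.annual_rate


def rank_by_ale(risks: list) -> list:
    """Prioritize risks: highest annual loss expectancy first."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


def control_value(risk: Risk, ef_after: float, aro_after: float, annual_cost: float) -> float:
    """Net yearly value of a countermeasure: ALE before - ALE after - yearly control cost.
    A positive result means the control removes more expected loss than it costs."""
    residual = Risk(risk.name, risk.asset_value, ef_after, aro_after)
    return risk.ale() - residual.ale() - annual_cost


if __name__ == "__main__":
    # The post's scenario: 100,000$ building, 25% destroyed by a fire expected once in 5 years.
    fire = Risk("fire", 100_000, to_fraction("25%"), to_fraction("1/5"))
    print(f"SLE = {fire.sle():,.0f}$  ALE = {fire.ale():,.0f}$")      # SLE = 25,000$  ALE = 5,000$
    # Two more constructed risks to show prioritization by ALE.
    others = [Risk("flood", 100_000, to_fraction("10%"), to_fraction("1/10")),
              Risk("theft of equipment", 20_000, to_fraction("50%"), 1.0)]
    print(rank_by_ale([fire] + others))                                   # ['theft of equipment', 'fire', 'flood']
    # Constructed control: a suppression system cuts EF to 5% at 2,000$ per year.
    print(control_value(fire, to_fraction("5%"), fire.annual_rate, 2_000))  # 2000.0
```

The ranking step is where the numbers earn their keep: a threat with a small single loss but a high yearly frequency can outrank a dramatic but rare one, which a colour-coded heat map would not make obvious.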

Risk Assessment Methodology

Having understood Risk Management & Risk Assessment in earlier blog posts, it is time for us to understand the various methodologies of risk assessment. The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional, it is important for us to know the best approach for our organization and its needs.

1. NIST SP 800-30

The first one is a U.S. federal government standard, NIST SP 800-30.

It lays out the following steps:
• System characterization
• Threat identification
• Vulnerability identification    
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendations
• Results documentation

The NIST risk management methodology is mainly focused on: 
a) computer systems.
b) IT security issues. 

2. FRAP (Facilitated Risk Analysis Process)

• Qualitative methodology.
• Focuses only on the systems that really need to be assessed.
• Helps to reduce costs and time spent in risk assessment.
• Risk assessment steps are only carried out on the item(s) that needs it the most. 
• It is to be used to analyze one system, application, or business process at a time. 
• Data is gathered and threats to business operations are prioritized based on their criticality. 
• The risk assessment team documents the controls that need to be put in place to reduce the identified risks along with action plans for control implementation efforts.
• This methodology does not support the idea of calculating probability or likelihood.
• The criticalities of the risks are determined by the team members' understanding of business processes.
• The goal is to keep the scope of the assessment small and the assessment processes simple to allow for efficiency and cost-effectiveness.

3. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) 

• Based on the idea that the people working in the environments best understand what is needed and what kind of risks they are facing. 
• The individuals who make up the risk assessment team go through rounds of facilitated workshops. 
• The facilitator helps the team members understand the risk methodology and how to apply it to the vulnerabilities and threats identified within their specific business units. 
• Scope of an OCTAVE assessment is usually very wide compared to the more focused approach of FRAP.
• Where FRAP would be used to assess a system or application, OCTAVE would be used to assess all systems, applications, and business processes within the organization.

4. ISO/IEC 27005 

• An international standard for how risk management should be carried out in the framework of an information security management system (ISMS).
• Deals with IT and the softer security issues (documentation, personnel security, training, etc.) 

5. Failure Modes and Effect Analysis (FMEA)

• A method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
• Commonly used in product development and operational environments.
• The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break.