
Narrated – Session 1: Wednesday, March 18, 2015.

Implement training and education procedures. Administrator training and education on authentication systems are key because these systems are fundamental to the security infrastructure.

Consider user needs such as recovery from lost password, token, or a locked-out account from excessive failed logins.

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Develop a training and education plan for administration of authentication systems.

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Operations

Specify policies and procedures for operations staff so that they can support a user having difficulties with any of the three core authentication functions.

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Define tools available to operations for isolating authentication problems to specific system components.

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Incident Response

Define the steps and technology needed for the incident team to access who/what/when/how logging information.

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Describe policies, procedures, and technology for rapid authentication credential disablement of an individual, group, or device (e.g., server or router).

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

OPERATIONS

Design a system that makes operations safe, consistent, traceable, and recoverable. No doubt about it, authentication systems are very policy- and procedure-intensive. Thus, operations groups need an authentication system that allows them to realistically enforce the organization’s authentication-related policies and procedures. This means having an easy way to reset authentication credentials if a user forgets his or her password, securely backing up systems, and having a realistic means of recovery should things go wrong.

INCIDENT RESPONSE

Know who, what, when, and how. The authentication system’s logging capabilities, as discussed in Chapter 2, are fundamental to incident response. The incident response team needs to know who authenticated to what and when. Logging systems should include a record of time (this is also discussed in the Secure Time security element in Chapter 4), IP/network addresses used during authentication, number of failed attempts, and systems for which access was attempted.

Be able to disable immediately. The incident response team must be able to quickly and easily request immediate disablement of authentication for any individual or, if applicable, group(s) of individuals. This should include administrator access for any administration accounts used at all levels of the security stack.
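The who/what/when/how record described above can be illustrated with a small index over authentication log lines. This is an added example and not code from the book; the `key=value` log format, the sample records and the lockout threshold of five failed attempts are all constructed assumptions. The record fields (time, user, source address, target system, outcome) follow the list in the text, and the functions answer the questions an incident team asks: what a given account did, which accounts are locked out from excessive failures, and on which systems an account must be disabled.

```python
"""Who/what/when/how index over authentication log records (added example).

The record fields follow the text: time, user, network address used during
authentication, system for which access was attempted, and outcome.
The log format and sample data are constructed for illustration only.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records; not captured from any real system.
SAMPLE_LOG = """\
2015-03-18T09:00:01Z user=alice src=10.1.2.3 target=payroll result=success
2015-03-18T09:00:05Z user=bob src=10.1.2.9 target=vpn result=failure
2015-03-18T09:00:07Z user=bob src=10.1.2.9 target=vpn result=failure
2015-03-18T09:00:09Z user=bob src=10.1.2.9 target=vpn result=failure
2015-03-18T09:00:12Z user=bob src=10.1.2.9 target=vpn result=failure
2015-03-18T09:00:15Z user=bob src=10.1.2.9 target=vpn result=failure
2015-03-18T09:01:00Z user=admin src=198.51.100.7 target=router-core result=success
2015-03-18T09:02:00Z user=alice src=10.1.2.3 target=hr-db result=failure
"""

LOCKOUT_THRESHOLD = 5  # assumed policy value; the book does not give one


@dataclass(frozen=True)
class AuthRecord:
    when: datetime   # when
    who: str         # who
    src: str         # how: network address used during authentication
    what: str        # what: system for which access was attempted
    ok: bool         # outcome of the attempt


def parse_record(line: str) -> AuthRecord:
    """Parse one 'TIMESTAMP key=value ...' record; reject malformed lines."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    try:
        return AuthRecord(when, kv["user"], kv["src"], kv["target"],
                          kv["result"] == "success")
    except KeyError as missing:
        raise ValueError(f"missing field {missing} in record: {line!r}")


def parse_log(text: str) -> list:
    """Parse every non-empty line of a log into AuthRecord objects."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def failed_attempts(records) -> Counter:
    """Number of failed authentication attempts per account."""
    return Counter(r.who for r in records if not r.ok)


def locked_out(records, threshold: int = LOCKOUT_THRESHOLD) -> list:
    """Accounts whose failed attempts reached the lockout threshold."""
    return sorted(u for u, n in failed_attempts(records).items() if n >= threshold)


def activity_of(records, who: str) -> list:
    """who/what/when/how: (time, system, source address, success) for one account."""
    return [(r.when.isoformat(), r.what, r.src, r.ok) for r in records if r.who == who]


def accounts_from(records, src: str) -> list:
    """Accounts that authenticated (or tried to) from a given network address."""
    return sorted({r.who for r in records if r.src == src})


def disablement_scope(records, who: str) -> list:
    """Systems where an account must be disabled after an incident involving it:
    every target on which that account authenticated successfully."""
    return sorted({r.what for r in records if r.who == who and r.ok})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("locked out:", locked_out(recs))
    print("alice did:", activity_of(recs, "alice"))
    print("disable admin on:", disablement_scope(recs, "admin"))
```

In practice the time source feeding these records should be the trusted one the Secure Time element requires; without it the "when" column cannot be correlated across systems, and the disablement scope computed from the log will be incomplete.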

Business

Use Worksheet 3.8 here.

BUSINESSPEOPLE: EMPLOYEES

Group employees in a way that makes sense for your organization, such as by business unit and job function. Determine if there are unique authentication requirements for each of these groups. For example, you may choose to monitor authentication logs more closely for employees having access to higher-impact applications.

Review your security impact analysis to identify individuals in the most sensitive positions. In nearly all cases, system administrators fall into this realm because of their power within the context of the security stack implementation.

Consider convenience. Keep in mind that all people are affected by the convenience (ease of use) of the more advanced authentication credential mechanisms you choose to include in your plan (such as a biometric). If the mechanism is convenient, you’ll achieve buy-in; if it isn’t as convenient, you need to focus on selling the business benefits of the solution.

BUSINESSPEOPLE: CUSTOMERS

Define who, how, and when customers will be authenticated. Consider your impact analysis as it relates to any failures in customer authentication. Here’s an excellent example of the damaging effect of not having a strong customer authentication plan including training, policies, and procedures: While testing security relating to the hosting service of an Internet service provider (ISP), the third largest at the time, I simply called on the phone and said, “I’m from company XYZ (a customer of the ISP), and I’d like to have the Web site service canceled.” The customer service rep did not ask for any identification other than what is publicly available from the WhoIs record for the site (the record maintained by companies such as VeriSign). The customer service representative simply took the information I gave, immediately agreed to disable the Web site, and then actually did it. The point here is that this customer service agent shouldn’t have been able to instruct anyone to disable the Web site without first authenticating to whom they were talking.

BUSINESSPEOPLE: OWNERS

Consider the viewpoint of the owners, to include stockholders or other stakeholders, on the authentication process. For example, authenticating individuals authorized to issue press releases for the organization (such as those relating to financial condition) can be quite important from their perspective. Bogus press releases have been issued on behalf of several organizations, causing significant loss.

BUSINESSPEOPLE: SUPPLIERS

Consider all forms of shared access. Your suppliers may also need to be authenticated by your systems. In some cases, you may allow them full or partial access to security stack elements. Define all scenarios applicable to your organization, and address them in your plan.

BUSINESSPEOPLE: PARTNERS

Determine how you will authenticate the individuals that fall under the rubric “partner.” Companies form partnerships with companies and government organizations routinely. How do you authenticate these various individuals you are dealing with? How do you even know, for example, that the IRS auditor in your accounting office really works for the IRS and isn’t an agent for a competitor or a foreign government? Or what about those people working for an “investment group” interested in buying your company? Are they real, or are they just trying to pump you for information? As far as “real” partners are concerned, in the course of doing business, we may authenticate them at part or all of the security stack. Define how this is accomplished within your security architecture.