Verifying User and Host Identity
- INTRODUCTION: VERIFYING THE USER
Access to secure data is granted to people who have authorized approval, but with the increasing use of mobile devices and cloud-based solutions, criminals have become better at using advanced hacking techniques that grow in complexity and design every year. Verifying that a user or host identity is authentic requires validation controls that stay ahead of these challenges. This is where identity access management design is important and user access management controls need to be fortified.
- IDENTITY ACCESS MANAGEMENT: AUTHENTICATION AND AUTHORIZATION
Identity access management begins with the core security entry points a person or process must pass through: authentication, authorization, and account provisioning. For user verification purposes, in this chapter we will review authentication and authorization (Fig. 4.1) in more detail.
Authentication
To verify that you are who you claim to be in the digital computer landscape, the process begins with authentication (your personal key in the door). Your first-level key of authentication usually consists of a username [your identifier (ID)] and a password (the secret information you and the computer system agreed would validate that your digital identity is genuine). Unfortunately, it is no longer as simple as employing a username and password, because hackers are getting better each year. Other important validations are now required to ensure a secure authentication experience. These validations can vary based on the types of systems you are accessing. Additional authentication techniques that commonly accompany username and password verification are [1]:
• Security questionnaires: personal question information you were either required or volunteered to enter into the system while creating the account or during security validations;
• Two- or multiple-factor authentication (Fig. 4.2): a device, an interface, biometric security, location information, or past behavioral responses that give additional security validation to the process;
• Secure encryption: when you enter your username, password, or other validation data during authentication, you want to make sure no one is spying on the information transmitted to the system, by encrypting or hashing the data entered into data fields.
Password Rule Hardening: Practices
It is important to have a strong password policy rule set to prevent brute-force attacks on your login pages. These kinds of policies prevent continuous hacking script-bots from submitting one key or password combination after another to the login portal until a successful one is finally found by trial and error (see checklist: “An Agenda for Action for Password Rule Hardening Best Practices”) [1].
An Agenda for Action for Password Rule Hardening Best Practices
Complex password requirements include the following key activities (check all tasks completed):
_____1. 8 to 25 characters that require at least one capital letter, one unique character (!, $, etc.), and one numeric character (0 to 9);
_____2. 30-, 60-, or 90-day password change requirement;
_____3. unique password history requirement (the last 10 passwords);
_____4. common word restriction policy (such that your name, user ID, the word “password,” etc., cannot be used or be any part of your password);
_____5. limited password attempts (on many stronger systems, three failed attempts will lock out your account, requiring you to reset your password through controlled validations or requiring you to call or contact technical support to unlock your account once your identity has been thoroughly validated).
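As an added worked example (not from the chapter or its references), the following Python code applies items 1 to 5 of the checklist to a single constructed account; the Account record, the fingerprint stand-in for a real password hash, and all sample values are assumptions made for illustration.

```python
import hashlib
import re
from datetime import date, timedelta

HISTORY_DEPTH = 10        # item 3: the last 10 passwords may not be reused
MAX_AGE_DAYS = 90         # item 2: 30-, 60- or 90-day change requirement
MAX_FAILED = 3            # item 5: three failed attempts lock the account

def fingerprint(password):
    # Illustration only: production systems use a slow, salted hash (bcrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()

def check_complexity(password, forbidden_words):
    """Items 1 and 4: return the list of policy violations (empty means OK)."""
    problems = []
    if not 8 <= len(password) <= 25:
        problems.append("length must be 8 to 25 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("needs at least one capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one unique character (!, $, etc.)")
    for word in forbidden_words:          # name, user ID, the word "password"
        if word.lower() in password.lower():
            problems.append(f"may not contain '{word}'")
    return problems

class Account:
    def __init__(self, user_id, name, password, today):
        self.user_id, self.name = user_id, name
        self.history, self.failed, self.locked = [], 0, False
        assert self.set_password(password, today) == [], "initial password rejected"

    def set_password(self, password, today):
        problems = check_complexity(password, [self.name, self.user_id, "password"])
        fp = fingerprint(password)
        if fp in self.history[-HISTORY_DEPTH:]:
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if not problems:
            self.history.append(fp)
            self.current, self.changed_on = fp, today
        return problems

    def login(self, password, today):
        if self.locked:
            return "locked"
        if fingerprint(password) != self.current:
            self.failed += 1
            if self.failed >= MAX_FAILED:
                self.locked = True    # unlock only after a validated identity reset
            return "locked" if self.locked else "denied"
        self.failed = 0
        return "expired" if today - self.changed_on > timedelta(days=MAX_AGE_DAYS) else "ok"
```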
The Importance of Secure Socket Layer/Transport Layer Security
The bad guys (hackers) are almost everywhere on the Internet nowadays. They not only look for holes in security systems but also continuously monitor Internet traffic with scanning devices to pick up clear-text transmissions of usernames, passwords, credit card numbers, or anything else they can find to get them through the door of your data and financial systems. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the first line of defense when sending this kind of information over the Internet. This process encrypts the information you send into ciphertext that is meaningless to an eavesdropper and is understood only by the host computer after it is decrypted at its target security location (e.g., the website and web services you are attempting to access). URL designations in your browser such as https:// (note the “s”) identify that the site you are going to is currently using a trusted channel of communication. Once the initial trust validation is completed, your session stays encrypted over SSL/TLS for its whole duration. Using this secure process provides protection against hackers eavesdropping on, intercepting, capturing, or changing your secure data during communication transport. Encryption processing can also protect instant messaging (chat communication), faxing, email communication, applications, and even phone communication over voice-over-Internet protocol (VoIP) transmissions. For more detail on how SSL and TLS work, see Chapter 38.
Authorization
Now that your digital identity is authenticated and confirmed, your preconfigured authorized security access will allow you access to the resources for which you are preapproved. Authorization structures can be based on role or security group configuration. For internal network company-based operating systems such as Microsoft Windows PC operating systems, Active Directory domains are used with the security database and are managed by system support engineers for company network access to an organization’s shared services (file shares, databases, printers, applications, etc.).
The Importance of Directory Services
Once a session is successfully authenticated, controlled authorization is required to identify the preapproved level of authority, or permission of access, for this user or process. This control process can use two security techniques: role-based or security group-based:
1. Role-based security access: This methodology focuses on granting appropriate system and data access to users based on their predefined business or organizational role in the system.
2. Security group-based access: This can be a unique approach of group designations that normally does not focus on role-based functions but still must adhere to a structured and validated approach to access based on the security control audit requirement. A user or computer process would use this type of security setting.
Directory services (Fig. 4.3) define the naming management tree configurations of access by using resources known as objects; these can be devices ranging from networking systems to printing systems, server systems, file shares, user accounts, security groups, phone devices, and many more physical or configured systems that reside on the computer network. This layer of settings is needed to ensure the security structure for the entire infrastructure framework that surrounds and binds together a computer workgroup or enterprise. One of the leading and most used directory services in the industry is Microsoft Active Directory Services. This solution uses domain architecture to manage all of its computer namespaces, users, and system entitlement needs. The X.500 Directory Service standard [3] is the foundation for almost all directory service-based solutions used in the industry today. Lightweight Directory Access Protocol (LDAP) is an open industry-standard protocol that directory services use heavily to query and manage their distributed directory object database structures.
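Added example (not from the chapter): the two techniques above, resolved against a small constructed directory written in LDAP distinguished-name form. The tree root DC=example,DC=com, the users, groups, resources and the role table are all hypothetical; nested group membership is included because that is how security groups resolve in practice, which the chapter does not spell out.

```python
ROOT = "DC=example,DC=com"    # hypothetical naming tree root

# Directory objects keyed by distinguished name: users, security groups
# (which may nest other groups) and resources carrying an ACL. Constructed data.
ALICE, BOB = f"CN=alice,OU=Users,{ROOT}", f"CN=bob,OU=Users,{ROOT}"
FINANCE, STAFF = f"CN=Finance,OU=Groups,{ROOT}", f"CN=Staff,OU=Groups,{ROOT}"
PRINTER, LEDGER = f"CN=PRN01,OU=Printers,{ROOT}", f"CN=Ledger,OU=Shares,{ROOT}"

DIRECTORY = {
    ALICE:   {"type": "user", "role": "Accountant"},
    BOB:     {"type": "user", "role": "Helpdesk"},
    FINANCE: {"type": "group", "members": [ALICE]},
    STAFF:   {"type": "group", "members": [FINANCE, BOB]},   # nested group
    PRINTER: {"type": "printer", "acl": {STAFF: {"print"}}},
    LEDGER:  {"type": "share", "acl": {FINANCE: {"read", "write"}}},
}

# Role-based access: each predefined business role maps to (resource, permission).
ROLE_ENTITLEMENTS = {
    "Accountant": {(LEDGER, "read"), (LEDGER, "write")},
    "Helpdesk":   {(PRINTER, "print")},
}


def effective_groups(dn, seen=None):
    """Every group the principal belongs to, following nested memberships."""
    seen = set() if seen is None else seen
    for gdn, obj in DIRECTORY.items():
        if obj["type"] == "group" and dn in obj["members"] and gdn not in seen:
            seen.add(gdn)
            effective_groups(gdn, seen)   # a group can itself be a member of a group
    return seen


def allowed_by_role(user_dn, resource_dn, permission):
    """Role-based check: does the user's predefined role carry this entitlement?"""
    role = DIRECTORY[user_dn].get("role")
    return (resource_dn, permission) in ROLE_ENTITLEMENTS.get(role, set())


def allowed_by_group(user_dn, resource_dn, permission):
    """Group-based check: does any effective group of the user appear in the ACL?"""
    acl = DIRECTORY[resource_dn].get("acl", {})
    return any(permission in acl.get(g, set()) for g in effective_groups(user_dn))


def authorized(user_dn, resource_dn, permission):
    """Decision plus an audit record of which technique granted it."""
    via_role = allowed_by_role(user_dn, resource_dn, permission)
    via_group = allowed_by_group(user_dn, resource_dn, permission)
    return (via_role or via_group), {"role": via_role, "group": via_group}
```

The audit record returned alongside the decision is what an access review would look at: alice prints on PRN01 only through the nested Staff group, not through her Accountant role.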
- SYNTHETIC OR REAL USER LOGGING
It is a growing challenge to verify that a user on a computer is a “real person” during the login session, and it requires checks, validations, and security techniques beyond just SSL encryption. In addition to complex passwords and security questionnaires, devices such as a mobile phone will use two-factor technologies to provide additional authenticity to the verification process. Leveraging the advantages of two- or multiple-factor authentication methodologies provides a much stronger identification process during the user’s computer session, by isolating the second factor in a completely different technology channel. This makes it much more difficult for hackers to find and break in, because the activity is separate from the main channel session under attack. These additional solutions might come in the form of:
• mobile phone applications or text response notifications
• universal serial bus sticks, bank cards, or time-based generated key display devices
• pin-required login application program interfaces
• image verification through Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA)
• biometric technology such as:
  • voice recognition
  • fingerprint scanning
  • eye iris scanning
  • facial recognition
  • typing pattern matching
Completely Automated Public Turing Test to Tell Computers and Humans Apart
You may have seen CAPTCHA during a password or account creation process, in which a randomly distorted image appears with numbers or letters, and the information page asks you to identify the characters or numbers you see in the image. This process helps validate your identity with human observation and interaction. Most hackers deal with volume hacks and do not have time to perform the manual image recognition required for a user account that uses and stores private or personal information such as your Social Security card, your mother’s maiden name, or any unique and private-centric information [4].
- VERIFYING A USER IN CLOUD ENVIRONMENTS
Internet solutions now rely on cloud-based infrastructure to manage businesses and organizations (Fig. 4.4). For security purposes, identity access management solutions have become extremely important because multiple system locations must manage digital user identities over vast landscapes of data centers and network end points to manage a user’s security account information successfully. Working in the cloud for identity management requires federated structures that work with identity service providers. When working with multiple service providers, the federated identity management model must be used so that it is reliable, can scale well with the current business or organization’s growth capacity, and still be secure. Systems for such large designs working over multiple data points across the Internet can leverage solutions such as Oracle Identity Management using the Oracle Internet Directory Services platform. Common conceptual, technical representations for user cloud security design are [2]:
• The principal (known as the “subject”): who requires this access?
• The entitlement (the access framework): the definition of rules and permissions granted to the principal subject (aka the user ID) to route an object request to restricted systems
• The data source (known as the “objects”): an object can be a database, data source, or other access target granted to the principal subject to use.
When verifying a user account in cloud environments, it is important to have a framework in place that immediately transports encrypted digital user identity information to approved and predefined entitlement definitions that will route users to their data information systems no matter which cloud-based data center they enter over the Internet. Cloud frameworks can have multiple data centers all over the globe and must have the identity access management highway roadmap in place so that secure access can be granted efficiently and safely throughout the Internet where these solutions are provided. By using a centralized cloud identity service provider model, you effectively create identity management as a service [3]. Protocol standards such as Security Assertion Markup Language (SAML) and Open Authorization (OAuth) are the digital identity transport coding streams needed to deliver these authentication validations safely [5]. Strong security model architectures using SAML rely on directory services such as LDAP and Microsoft Active Directory. For digital user accounts (principal subjects) to work seamlessly across multiple cloud providers over the Internet, a user management security model must be implemented using strong and reliable design concepts that include [2]:
• user account life cycle provisioning and deprovisioning work flows
• rules-based access controls
• resource-based controls
• single sign-on architecture
• encrypted authentication routing
• trusted cloud-host providers
• identity proxy mediation systems
- VERIFYING HOSTS
To verify a host, we must first define what a host is. When planning and designing security infrastructures, a computer host is the system server that delivers services, which can range from databases to web services, printer queues, file shares, authentication security services, and other multiple-user computer functions required to manage a business or organization’s data information management needs. Thus, if you are logging into a workstation or website, you are logging into a host server that is distributing and managing user account access to the appropriate server resources. How can we be sure the host you are accessing is real and authentic? Unless you have a controlled application as your access portal tool set, you will most likely be using web services over the Internet through your browser to access your computer systems. If you are logging into a system through your web browser, it is important to note whether SSL encryption is engaged while you are entering your private security username and password. Fortunately, all of the leading industry browsers such as Chrome, Safari, and Microsoft Internet Explorer display an indicator that you are on a trusted and secured hosting site. Examples of these indicators in your browser can be [4]:
• a golden or displayed lock key icon
• the URL link starting with “https://”
• an eye icon indicating an open session
• your username or identity fields showing up as asterisk characters, representing that the contents of those data fields are being hashed. (Important: Verify the first three points noted here before submitting trusted passwords. Hashed fields can be mimicked on fraudulent sites. Caution should always be taken before submitting your login request.)
- VERIFYING HOST DOMAIN NAME SYSTEM AND INTERNET PROTOCOL INFORMATION
To ensure that a host identity is valid and registered accurately on the Internet (Fig. 4.5), you can go to an Internet database authority site such as https://www.internic.net/whois.html. The Whois database will display the administration account information, web administrator account information, and last creation and modification registration information. This will allow a security manager, system administrator, or tech-savvy user to verify the authenticity of the site by domain name (yahoo.com, etc.), IP address, or name server information [3].
- SUMMARY
Let us look at the security actions and best practices that users should always take to ensure host validity:
1. Email links: Avoid clicking on links from untrustworthy or spammed email content sent to your email account. These links can lead you to a fraudulent or bogus site used to capture your username, password, or personally identifiable information that can be immediately exploited by a hacker to gain access to your systems.
2. Password laziness: The problem with having access to multiple web services and applications is that unless they reside on a company’s internal single sign-on system, multiple usernames and passwords must be managed. People tend to employ the same username and password over many systems. Hackers know this, so it is easier for them just to grab the single username and password you most frequently use and gain access to all of your finances and personal information over the valid Internet host services you use every day, such as email, banks, social media sites, and more. Change your passwords frequently and avoid using the same username and password over multiple website services.
3. Malware toolbar redirects: Ensure that your computer has the latest antivirus and malware protection, so that you are not fooled into going to a fake website in your browser. A common practice for hackers is to entice you into innocently installing a toolbar plugin containing malware into your browser that can not only capture and send personal data to the hacker but also secretly redirect your URL requests in the browser to malicious bogus websites. These fake sites will capture your data without your knowing it until it is too late. For example, avoid IP address links like: http://197.1.5.253/login.html.
4. Always update operating systems and virus protection: Make sure your operating system has the latest security patches and antivirus application and data feeds to cover all of the bases needed to avoid hacker system overrides of your system. Setting these local protection solutions to automated updating is essential to ensure you are not intentionally redirected to a hacker’s fraudulent environment.
Finally, let us move on to the real interactive part of this chapter: review questions/exercises, hands-on projects, case projects, and an optional team case project. Answers and/or solutions by chapter can be found in Appendix K.
Published @ September 29, 2021 5:42 am