Auth*: Dispelling the Myths

There are a lot of bad practices and myths floating around about authentication and authorization these days. Using passwords just isn't good enough anymore. Come with me as I explore and dispel some of these common misconceptions and myths about these two important and often misunderstood topics. I'll talk about some of the most common techniques and look forward to tools and options that can help make your applications even more secure.

@ True North PHP 2013


Chris Cornutt

November 09, 2013

Transcript

  1. AUTH* DISPELLING THE MYTHS @enygma - True North PHP 2013 Saturday, November 9, 2013
  2. (image only)
  3. AUTHENTICATION
  4. AUTHENTICATION: “...the act of confirming the truth of an attribute of a datum or entity [and] often involves verifying the validity of at least one form of identification.” (source: Wikipedia)
  5. Confirming identity; A satisfactory “yes” or “no”; Impossible...in theory; What about anonymous? (no, not *that* Anonymous...); AND...
  6. TYPES: Username/password; Two-factor; OpenID Connect; Biometrics; Security Question
  7. AUTHORIZATION
  8. AUTHORIZATION: “...is the function of specifying access rights to resources, which is related to information security and computer security in general and access control in particular.” (source: Wikipedia)
  9. Principle of Least Privilege; Coarse vs fine-grained; Think “rule” not “role”; AND...
  10. TYPES: Access control lists (ACL); Role-based access control (RBAC); Attribute-based control; Policy enforcement; Discretionary controls; Mandatory controls
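Slides 9 and 10 put the authorization ideas side by side: least privilege, coarse versus fine-grained control, and thinking in rules rather than roles. The following Python sketch is an added example (not code from the talk) of a default-deny authorizer that evaluates a rule table combining role checks (RBAC) with attribute checks such as ownership and department (attribute-based control). The subjects, resource kind, actions and rules are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """Who is asking: identity plus the attributes rules may consult."""
    id: str
    roles: frozenset = frozenset()
    department: str = ""


@dataclass(frozen=True)
class Resource:
    """What is being accessed: kind plus attributes such as owner and department."""
    kind: str
    owner: str
    department: str = ""


def role_rule(*allowed_roles):
    """Coarse-grained rule: the subject holds at least one of the listed roles."""
    def rule(subject, action, resource):
        return bool(subject.roles & set(allowed_roles))
    return rule


def owner_rule(subject, action, resource):
    """Fine-grained rule: the subject owns this particular resource."""
    return subject.id == resource.owner


def same_department_rule(subject, action, resource):
    """Fine-grained rule: subject and resource belong to the same (non-empty) department."""
    return subject.department != "" and subject.department == resource.department


# Constructed policy table: (resource kind, action) -> rules, any one of which grants access.
# Anything not listed here is denied; that is how least privilege is expressed.
POLICY = {
    ("invoice", "read"): [owner_rule, same_department_rule, role_rule("auditor", "admin")],
    ("invoice", "approve"): [role_rule("finance_manager", "admin")],
    ("invoice", "delete"): [role_rule("admin")],
}


def authorize(subject, action, resource):
    """Default deny: no matching rule, or a rule that raises, means 'no'."""
    for rule in POLICY.get((resource.kind, action), []):
        try:
            if rule(subject, action, resource):
                return True
        except Exception:
            return False          # fail securely rather than falling through to a grant
    return False


# Constructed sample subjects and resource.
ALICE = Subject("alice", frozenset({"employee"}), "sales")          # owns the invoice
BOB = Subject("bob", frozenset({"employee"}), "engineering")       # unrelated employee
CAROL = Subject("carol", frozenset({"auditor"}), "audit")          # read-only oversight role
DAVE = Subject("dave", frozenset({"admin"}), "it")
INVOICE = Resource("invoice", owner="alice", department="sales")

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, DAVE):
        for action in ("read", "approve", "delete", "export"):
            print(f"{who.id:6} {action:8} -> {authorize(who, action, INVOICE)}")
```

The rule list for `read` shows the "rule, not role" point: the owner and her department get access through attributes of the request, and only oversight roles are granted by role name. The unlisted `export` action is denied for everyone, including the admin, until a rule is written for it.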
  11. MYTH #1: Multi-factor will keep us safe
  12. SILVER BULLETS: Not a “cure all”; Yet another hoop; Different implementations; Hardware versus Software
  13. IT’S GOOD AT...: Being a backup method, not a replacement; Increasing confidence in users; Helps with compliance
  14. IT’S NOT GOOD AT...: Being the only method; Preventing out-of-band attacks; Stopping other attacks (ex. SQLi on login); Preventing provider (IdP) issues
  15. MYTH #2: It’s just a password, right?
  16. PASSWORD BALL & CHAIN: Ancient origins; Just feels ancient today; New app? Use a password!; Password policies
  17. WHY PASSWORDS SUCK: Shared across services; Restrictive policies; Too much work on “getting it right”; Users are no good at them; Cracking hardware is cheap
  18. (image only)
  19. PASSWORD CRACKING: Offline attack; Dictionary/guessing; Brute force; Key casting; Cloud services; ...and password policies
  20. (image only)
  21. (image only)
  22. PASSWORD POLICIES: Number/Lower/Upper/Special; Reduce repeated characters; Length > Complexity; Use slow algorithm; Salt and hash (at the least)
  23. (image) source: xkcd.com/936
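Slide 22's checklist (length over complexity, a slow algorithm, salt and hash) in working form, as an added example that is not from the talk: a length-first policy check with a small denylist, PBKDF2-HMAC-SHA256 with a fresh random salt and the work factor stored alongside the hash, constant-time verification, and a check for whether an older record should be recomputed at the user's next login. The iteration count, minimum length and denylist entries are constructed values; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Constructed parameters for this example; tune the work factor to your own hardware.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # the "slow algorithm" part: cost per guess for an offline attacker
SALT_BYTES = 16
MIN_LENGTH = 12                # a length rule instead of character-class rules

# Deliberately tiny stand-in for a real breached-password denylist (constructed).
COMMON_PASSWORDS = {"password", "password1234", "qwertyuiop12", "123456789012"}


def meets_policy(password: str) -> Tuple[bool, str]:
    """Length-first policy: long enough, not known-bad, not mostly one repeated character."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if password.lower() in COMMON_PASSWORDS:
        return False, "commonly used"
    if len(set(password)) < 4:              # e.g. "aaaaaaaaaaaa" or "abababababab"
        return False, "too repetitive"
    return True, "ok"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_b64$digest_b64."""
    salt = os.urandom(SALT_BYTES)           # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(stored: str):
    """Split a stored record into (iterations, salt, digest); None for anything malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        digest = base64.b64decode(parts[3], validate=True)
    except ValueError:                      # covers binascii.Error as well
        return None
    if iterations <= 0:
        return None
    return iterations, salt, digest


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and work factor, compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record is malformed or was made with a lower work factor than wanted now."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, meets_policy(candidate))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Because the iteration count travels with each record, raising `DEFAULT_ITERATIONS` later does not break existing logins: `verify_password` still succeeds on the old record, and `needs_rehash` tells the login handler to store a fresh `hash_password` result while it still has the plaintext in hand.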

  24. MYTH #3: Internal vs Cloud - Epic Battle
  25. INTERNAL: More control; More traditional options; Easier to customize; Hardware costs/infrastructure; Too many tools; Less stringent on encryption
  26. EXTERNAL: Standardized auth methods; Agility & flexibility; Cost savings; High encryption/protection; Less “control”; Limited to provider options
  27. CONNECTING: SAML (Markup); “Vaulted” POST request; Multi-factor integration; Federated identity; Custom API
  28. CRITERIA: Easy integration; Scalability; Provisioning integration; User authentication methods; Monitoring & management
  29. MYTH #4: The Auth that Wasn’t
  30. OWASP Top 10: A2: Broken Auth/Session Management; A4: Insecure Object References; A6: Sensitive Data Exposure
  31. Bad Practices: Sending plain-text passwords; Sensitive data in the URL; Informative error messages; No throttling on resets or registrations or password failures
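Slide 31's last two items, informative error messages and missing throttling, illustrated with an added Python example (not code from the talk). It generalizes slightly beyond the slide's wording: one sliding-window tracker keyed by account and by client IP covers both login failures and password-reset requests, and both flows answer with the same wording whether or not the account exists. The limits, messages, IP addresses and the demo credential check are constructed.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed parameters for this example.
MAX_EVENTS = 5          # events tolerated per key inside the window
WINDOW_SECONDS = 300    # sliding-window length in seconds
GENERIC_ERROR = "Invalid username or password."
RESET_MESSAGE = "If that address is registered, a reset link has been sent."
THROTTLED = "Too many attempts. Please try again later."


class SlidingWindowTracker:
    """Counts recent events per key (an account name, an e-mail address, a client IP)."""

    def __init__(self, max_events=MAX_EVENTS, window=WINDOW_SECONDS):
        self.max_events = max_events
        self.window = window
        self._events = defaultdict(deque)

    def _recent(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop events that fell out of the window
            q.popleft()
        return q

    def is_blocked(self, key, now):
        return len(self._recent(key, now)) >= self.max_events

    def record(self, key, now):
        self._recent(key, now).append(now)

    def clear(self, key):
        self._events.pop(key, None)


# Constructed demo credential store; a real service would verify a slow salted hash here.
_DEMO_ACCOUNTS = {"alice": "correct-password-here"}


def demo_verify(username, password):
    expected = _DEMO_ACCOUNTS.get(username, "")
    # Run the comparison for unknown users too, so the code path is the same either way.
    match = hmac.compare_digest(expected.encode(), password.encode())
    return username in _DEMO_ACCOUNTS and match


class AuthEndpoints:
    def __init__(self, verify_credentials, tracker=None):
        self._verify = verify_credentials
        self._tracker = tracker or SlidingWindowTracker()

    def login(self, username, password, client_ip, now=None):
        now = time.time() if now is None else now
        keys = (("login", username.lower()), ("ip", client_ip))
        if any(self._tracker.is_blocked(k, now) for k in keys):
            return False, THROTTLED
        if not self._verify(username, password):
            for k in keys:
                self._tracker.record(k, now)
            return False, GENERIC_ERROR         # same text for unknown user and wrong password
        self._tracker.clear(keys[0])            # a good login clears the account counter, not the IP's
        return True, "ok"

    def request_reset(self, email, client_ip, now=None):
        now = time.time() if now is None else now
        keys = (("reset", email.lower()), ("ip", client_ip))
        if any(self._tracker.is_blocked(k, now) for k in keys):
            return False, THROTTLED
        for k in keys:
            self._tracker.record(k, now)        # every request counts, known addresses included
        # Whether or not the address exists, do the same work and return the same wording.
        return True, RESET_MESSAGE


if __name__ == "__main__":
    svc = AuthEndpoints(demo_verify)
    t0 = 1_000_000.0
    for i in range(7):
        print(svc.login("alice", "wrong", "203.0.113.5", t0 + i))
    print(svc.login("alice", "correct-password-here", "203.0.113.5", t0 + WINDOW_SECONDS + 10))
```

Keying on both the account and the client address is what makes the throttle useful against two different patterns: many guesses at one account from many addresses, and many accounts tried from one address. Returning `GENERIC_ERROR` for a non-existent username and `RESET_MESSAGE` for a non-existent e-mail address is the "informative error messages" fix: the response body no longer tells the caller which identifiers are registered.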
  32. DON’T...: Obscurity !== Security; Share logins; Use default credentials; Plain-text
  33. MYTH #5: But we have...
  34. HARD & SOFTWARE: Integrated systems; Firewalls; WAF; Encryption
  35. HAVING and USING are not the same
  36. PRINCIPLES: Defense in Depth; Logging & auditing; Fail securely; Least privilege
  37. FIXING AUTH: Planning for Security
  38. REALIGNMENT: Audit of current components; Gather usage data; Plan, plan then plan some more; Easier in hindsight
  39. LOOK AHEAD: Think “Subject” not “User”; Narrowing the options; Pick the right fit, not the shiny one; Plan for delegation
  40. IN DEPTH: More than one level?; What to protect?; Is it the same everywhere?; Policies/procedures; Reduce the overhead
  41. IDENTITY IS HARD
  42. Questions or comments? @enygma http://websec.io https://joind.in/9986 THANKS