SECTION 13
In this lecture, we're going to cover the IAAA model.
And that is Identification, Authentication, Authorization and Accountability.
In some places, you might see them leave the "I" out of the model,
so it's just the AAA model.
But I'm going to leave it in there for two reasons.
First off, that's how I learned it.
And secondly, it makes more sense to me.
Because I think it's important to include who are we giving authentication to,
who are we authorizing, and who are we holding accountable.
So let's start out with the basics.
Identification is something that identifies you.
That can be your name, username, user ID,
employee number, or Social Security number.
It is something that, well, identifies you.
It's me saying, "I am Thor".
Then the system is going to ask me to prove that I am Thor.
And here we would want to do that with multifactor authentication.
And that really just means that we use at least two of the three types of authentication:
something you know, something you have, and something you are.
Something you know is something you're expected to memorize.
That is your password.
That is a passphrase.
It's something that you know.
It's the PIN on your credit card.
It's something that you remember.
For my identification, I said, "I am Thor".
Then I use my knowledge-based factor, something I know, also called Type 1 authentication:
I use my password.
Since I know the password that Thor has, I must be Thor.
Knowledge-based authentication is by far the most commonly used type.
And of the different types of knowledge-based authentication,
passwords are the most used by far.
But they are also the weakest type.
It's much easier to compromise a password
than it is to compromise something you have or you are.
Somewhere in late 2017, when I was living in Hawaii,
a text message was sent out to every single phone in Hawaii
saying that a nuclear missile from North Korea was incoming,
prepare accordingly.
Luckily, it was sent by mistake.
It should have been a test.
But all the fail-safes that they had in place,
none of them worked.
So after that incident,
Missile Command in Hawaii had journalists out to interview them in their offices
and you could see on the monitors they had little sticky notes
with the passwords that Missile Command used.
And yes, a TV screen today has high enough resolution
that you can actually see the password.
That's just a very, very, very horrible idea.
But it's also why so many attacks focus on passwords.
They're just much easier to get than any other type of authentication.
A lot of times when you make accounts,
they have those security questions.
Where were you born?
Where did you go to high school?
So if, at some point, you lose access to the account,
you can regain it by answering those questions.
Which, of course, is smart.
But it's also a security issue.
When Sarah Palin was the running mate in the 2008 presidential election
in the United States,
someone hacked her private email account
because all the information she had used to secure it
was publicly available.
You could just sit down and research
where did she go to school, when's her birthday,
what's the name of her first child.
Enter all that and gain access to her emails.
And while this is obviously easier for people who are in the public eye,
someone who is famous,
it is still a very easy attack vector compared to many of the others.
And even if you're not a public figure,
many people happily put that on Facebook.
Here is my birthday.
I went to this high school.
Here are the names of all my children, my mother's maiden name,
the street I grew up on, and on and on.
So I'm not saying scrub your social media profile completely clean,
although that might be a good idea. Just be careful with what you post.
And we already talked about how hard it can be to break encryption or passwords.
But if someone nice calls you from the helpdesk and says,
"Hey, we have a problem with your account. Can you give me your password?"
Obviously, you answer no.
But many people say, "Yes, here it is."
Again here, we give them the training,
we raise their awareness.
And on top of having the appropriate training in our organization,
we should also have good password rules.
That means they should have a minimum length.
All passwords should have uppercase, lowercase, numbers, and symbols.
And they shouldn't be predictable.
So "summer2023" is not a good password
if the previous one was "spring2023".
And passwords need to have an expiration date.
Meaning, it's good for so many days.
We need to have a policy where you can't reuse your passwords.
And most of this is probably stuff you're used to, right?
We can also have a minimum age.
And while that one might not seem to make sense at first,
if we have a rule where you can't reuse your last 10-12 passwords
and we don't have a minimum age,
then Bob is going to change his password 12 times in a row
so that he can get his old password back,
because that is the one he can remember.
So passwords have both a maximum age,
say, after 90 days you have to change your password,
and a minimum age, let's say 5-10 days.
Just to make sure that Bob doesn't keep reusing the same password over and over.
It's very common for passwords that are not considered secure
to have the name of a pet or a child, a family member, significant other,
your anniversary date, birthday, birthplace, favorite holiday,
or something related to your favorite sports team,
or, you know, just "password".
As a best practice, don't use that in your passwords.
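The password rules above (length and character classes, no reuse of the last 12 passwords, a minimum age so Bob cannot cycle back to his old password, and a "no predictable successor" check) as one small policy engine. This is an added example, not code from the lecture; the 12-character minimum, the 4-character similarity heuristic and all function names are assumptions, and the history is kept as per-account hashes rather than plaintext.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from typing import Optional

@dataclass
class PasswordPolicy:
    min_length: int = 12                     # assumed value; the lecture gives no number
    history_depth: int = 12                  # can't reuse any of the last 12 passwords
    min_age: timedelta = timedelta(days=5)   # earliest a user may change again
    max_age: timedelta = timedelta(days=90)  # forced rotation (enforced at login, not shown here)

@dataclass
class Account:
    salt: str                                     # per-account salt for the history fingerprints
    history: list = field(default_factory=list)   # fingerprints of past passwords, oldest first
    last_changed: Optional[datetime] = None

def fingerprint(account: Account, pw: str) -> str:
    # Deterministic per-account hash: detects reuse without keeping plaintext history around.
    return hashlib.sha256((account.salt + pw).encode()).hexdigest()

def complexity_errors(pw: str, policy: PasswordPolicy) -> list:
    checks = {
        "too short": len(pw) >= policy.min_length,
        "no uppercase": any(c.isupper() for c in pw),
        "no lowercase": any(c.islower() for c in pw),
        "no digit": any(c.isdigit() for c in pw),
        "no symbol": any(not c.isalnum() for c in pw),
    }
    return [name for name, ok in checks.items() if not ok]

def too_similar(old_pw: str, new_pw: str, run: int = 4) -> bool:
    # Heuristic for "predictable": old and new share a run of 4+ characters (spring2023 -> summer2023).
    a, b = old_pw.lower(), new_pw.lower()
    return SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b)).size >= run

def change_password(account, policy, old_pw, new_pw, now) -> list:
    # Apply every rule; returns the list of violations, empty meaning the change was accepted.
    errors = complexity_errors(new_pw, policy)
    if account.last_changed and now - account.last_changed < policy.min_age:
        errors.append("minimum age not reached")      # this is what stops Bob's 12 quick changes
    if fingerprint(account, new_pw) in account.history[-policy.history_depth:]:
        errors.append("password reused")
    if old_pw and too_similar(old_pw, new_pw):
        errors.append("too similar to previous")
    if not errors:
        account.history.append(fingerprint(account, new_pw))
        account.last_changed = now
    return errors
```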
Also, when we log in, we can use key stretching.
And that is part of our layered defense.
That is, whenever someone logs into a system,
we add 0.5-2 seconds to the login time.
That way, brute-force attacking a password
is not a feasible attack vector.
And when an attacker tries to brute-force a password,
they are basically working through the entire key space.
Meaning all letters, numbers, and symbols,
anything you can type on a keyboard.
And it just starts from one end.
Is it A? No.
Is it B? No.
Is it C? No.
And once it has gone through all the single characters, it starts over with two.
Is it AA? No.
Is it AB?
And so on.
So to break even a slightly complex password,
they might need millions and millions of attempts.
Now, if we add 2 seconds to the login time,
it's no longer a good attack vector.
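Key stretching in code, as an added example that is not part of the lecture: PBKDF2 is calibrated so that one password check costs about the target time on this machine, and the key-space arithmetic from the "Is it A? Is it AA?" walk shows what that per-guess cost does to an exhaustive search. Assumptions: a 95-character printable keyboard alphabet, roughly 1 microsecond per guess for an unstretched hash in the comparison, and all function names. Stretching the hash itself, rather than adding a plain sleep to the login page, has the extra benefit that guesses against a stolen hash database are slowed by the same factor.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

KEYBOARD_CHARS = 95          # printable ASCII: "anything you can type on a keyboard"

def calibrate_iterations(target_seconds: float, probe_iterations: int = 20_000) -> int:
    """Pick a PBKDF2 iteration count so that one password check costs about target_seconds here."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"probe-salt", probe_iterations)
    per_iteration = max((time.perf_counter() - start) / probe_iterations, 1e-9)
    return max(1, int(target_seconds / per_iteration))

def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> tuple:
    """Stretched hash; the work factor is stored next to the hash so it can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations

def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def keyspace(max_length: int, alphabet: int = KEYBOARD_CHARS) -> int:
    """Guesses needed to try every string of length 1..max_length: A, B, ..., AA, AB, ..."""
    return sum(alphabet ** n for n in range(1, max_length + 1))

def years_to_exhaust(max_length: int, seconds_per_guess: float) -> float:
    return keyspace(max_length) * seconds_per_guess / (365 * 24 * 3600)

if __name__ == "__main__":
    iters = calibrate_iterations(0.5)                      # the lecture's 0.5-2 second range
    salt, digest, iters = hash_password("Winter!Storm2023", iters)
    print(f"{iters} iterations; verify ok: {verify_password('Winter!Storm2023', salt, digest, iters)}")
    for length in (4, 6, 8):   # assumed ~1 microsecond per unstretched guess vs 2 seconds stretched
        print(f"{length} chars: {years_to_exhaust(length, 1e-6):.2e} vs {years_to_exhaust(length, 2.0):.2e} years")
```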
In most places, you would also have something where,
if you type the wrong password 3-5 times,
then the account gets locked.
And that is called clipping levels.
You type the password wrong enough times
and your account might get locked for an hour.
In an hour, you get another 3 attempts.
If you fail those too, well, maybe you're locked out for 5 hours
or you need to call someone in IT to unlock the account for you.
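The clipping-level escalation just described (3 wrong attempts locks the account for an hour, 3 more after that locks it for 5 hours, and after that someone in IT has to unlock it) as a small state machine. This is an added example, not the lecture's code; the return strings, field names and the exact two-stage escalation are assumptions built from the numbers in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CLIPPING_LEVEL = 3                                          # wrong attempts before a lockout
LOCKOUT_STAGES = [timedelta(hours=1), timedelta(hours=5)]   # escalating lockouts; after these, IT must unlock

@dataclass
class LoginState:
    failures: int = 0                       # wrong attempts since the last lockout or success
    lockouts: int = 0                       # lockouts in the current streak
    locked_until: Optional[datetime] = None
    needs_manual_unlock: bool = False

def attempt_login(state: LoginState, password_ok: bool, now: datetime) -> str:
    """Returns 'ok', 'denied', 'locked' or 'locked:call_it'.
    A locked account answers 'locked' even to the right password and does not touch the counters."""
    if state.needs_manual_unlock:
        return "locked:call_it"
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"
        state.locked_until = None           # lockout expired: a fresh set of attempts
    if password_ok:
        state.failures = state.lockouts = 0 # a good login ends the escalation streak
        return "ok"
    state.failures += 1
    if state.failures < CLIPPING_LEVEL:
        return "denied"
    state.failures = 0
    if state.lockouts < len(LOCKOUT_STAGES):
        state.locked_until = now + LOCKOUT_STAGES[state.lockouts]
        state.lockouts += 1
        return "locked"
    state.needs_manual_unlock = True        # out of automatic stages: someone in IT has to unlock
    return "locked:call_it"

def manual_unlock(state: LoginState) -> None:
    """What the IT desk does after verifying the caller: reset everything."""
    state.failures = state.lockouts = 0
    state.locked_until = None
    state.needs_manual_unlock = False
```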
In some places where I have worked,
we've also had an automated system where you answer those secret questions
and based on that knowledge, you can unlock the account.
But we just talked about that one, right?
If that information is in the public domain or it's something people can research,
then it's just not that secure.
And while it's not that secure, we might still choose to implement it.
Because we still need that right mix between security and usability.
I have been the person that was on call, and every time I was on call,
I got between two and four calls from the same person that forgot their password.
And yes, that is the same person that writes the password on a sticky note.
And in their case, I'm not really sure what the right answer is
but we always need to strike that balance between enough security
and having everything being as easy as possible
for the end users to do their jobs.
And with that, we are done with this lecture.
Thank you for being here and I will see you in the next one.