Nov 30, 2013 (3 years and 6 months ago)

Who Are You Anyway? Identity, a Security and Life Question We All Need to Ask

Vern Williams

HackFormers


www.hackformers.org

Vern Williams


CSO, The Patria Group

President, Computer Security and Consulting Services, LLC

CISSP ISSEP CSSLP CBCP ISAM

BS in Oceanography, US Naval Academy

20 Year US Navy Nuclear Submarines

Masters of Science in Information Systems, Hawaii Pacific University

ISSA Distinguished Fellow, IEEE Senior Member

Disaster Relief Coordinator, Hill Country Bible Church /Austin Disaster Relief Network

VernWilliams@PatriaCorp.com

Vern.Williams@IEEE.org

VernWilliams.ADRN@gmail.com

512-297-8798

Agenda


Teach Security


Teach Christ


Discussion

Teach Security

Identity Management

Or the art of knowing who is who.

IdM Process


Establish authentic credential source


Determine roles and associated access


Identity proofing


Authorization


Assign authentication


Grant access (physical and logical)


Monitor, modify, and/or revoke access


Establish authentic credential source


How do you know who is who?


Chain of trust


You rely on their processes


What happens when they fail?


Turkey CA TURKTRUST


NJ CA Comodo Inc.


Dutch CA DigiNotar



Identity Proofing


Identity Proofing - The process by which the credential issuer validates sufficient information to uniquely identify a person applying for the credential. (NIST)

Prove that the identity exists

Prove the applicant is entitled to that identity

Address the potential for fraudulent issuance of credentials based on collusion

Identity Source Documents: Need 2 I-9 Identity Sources

Must include a government-issued picture ID and fingerprints (10 for identification and two for verification)

Background Checks: SF 85

Required Investigations based on the information provided in SF 85 and the Identity Source Documents


Authentication


Now you have a trusted source of credentials


You know who you are dealing with


Assign a role and then grant permissions.


Provide a means to authenticate


UID and password is passé

Multi-factor is the way to go


Federate your identities





Authentication Methods


Something you know - Password, PIN, mother’s maiden name, passcode, fraternity chant

Something you have - ATM card, smart card, token, key, ID badge, driver license, passport

Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA






Spring 2011

Multi-Factor Authentication

Two-factor authentication - To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication:

ATM card + PIN

Credit card + signature

PIN + fingerprint

Three-factor authentication - Highest security:

Password + Fingerprint + Key Card

Password Problems


Insecure - Given the choice, people will choose easily remembered--hence easily guessed--passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.

Easily broken - Programs such as Rainbow Tables, Crack, SmartPass, PWDUMP, NTCrack and l0phtcrack can easily decrypt Unix, NetWare, and Windows passwords.

Dictionary attacks are only feasible because users choose easily guessed passwords!
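An added example, not from the original slides: an enrollment-time check that rejects the kinds of password the slide lists (names, pets, phone numbers, birthdays), so that a dictionary built from a user's personal details finds nothing. The profile fields, the small blocklist, the 12-character minimum and the function names are assumptions made for illustration.

```python
import re

# Constructed stand-in for a real common-password blocklist.
COMMON = {"password", "letmein", "qwerty", "welcome", "dragon"}
# Undo common character substitutions before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
# Constructed sample user record (hypothetical field names).
SAMPLE_PROFILE = {"name": "Alice Moreno", "pet": "Rex",
                  "birthday": "1985-04-12", "phone": "202-555-0142"}


def personal_tokens(profile):
    """Collect guessable lowercase tokens from a user's profile values."""
    tokens = set()
    for value in profile.values():
        text = str(value)
        for part in re.split(r"[^A-Za-z0-9]+", text):
            if len(part) >= 3:
                tokens.add(part.lower())
        digits = re.sub(r"\D", "", text)  # phone numbers and dates as bare digits
        if len(digits) >= 4:
            tokens.add(digits)
    return tokens


def screen_password(candidate, profile, min_length=12):
    """Return the reasons to reject `candidate`; an empty list means accept."""
    reasons = []
    raw = candidate.lower()
    plain = raw.translate(LEET)          # "p@ssw0rd" -> "password"
    core = re.sub(r"[^a-z]", "", plain)  # letters only, after substitutions
    if len(candidate) < min_length:
        reasons.append("too short")
    if raw in COMMON or core in COMMON:
        reasons.append("common password")
    for token in sorted(personal_tokens(profile)):
        if token in raw or token in plain:
            reasons.append(f"contains personal detail: {token}")
    return reasons
```
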

Password Problems (cont.)


Inconvenient - In an attempt to improve security, organizations often issue users computer-generated passwords that are difficult, if not impossible to remember.

Repudiation - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction.

Password Problems (continued)

A password should be like a toothbrush:


Get a good one


Use it every day


Change it regularly


Don’t share it with anyone


Biometrics


Authenticating a user via human characteristics


Using measurable physical characteristics of a person to prove their identification

Technologies:

DNA, blood

Signature dynamics

vein pattern

keystroke dynamics

layered biometrics

fingerprint

iris

retina

voice

Facial

Hand geometry & topography


Biometric Advantages


Far greater security and traceability than passwords, PINs, and tokens

Low cost to implement

High functional impact

Easy to use - cannot be forgotten, lost, or borrowed

Biometric Measures


Type 1 error - reject an authorized user

False rejection / false negative identification

Type 2 error - accept an imposter

False acceptance / false positive identification

CER - crossover error rate

% where false rejection = false acceptance

a CER of 3 is more accurate than a CER of 4
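An added example, not from the original slides: computing the false rejection rate (Type 1), the false acceptance rate (Type 2) and the CER from match scores, and using the CER to compare two devices. The scores for both devices are constructed sample data, and "a score at or above the threshold is accepted" is an assumption about how the matcher decides.

```python
# Constructed match scores (0-100) for two hypothetical biometric devices.
# "genuine" = the enrolled user presenting; "impostor" = someone else presenting.
GEN_A = [91, 88, 85, 83, 80, 78, 75, 72, 70, 55]
IMP_A = [20, 25, 30, 35, 40, 45, 50, 52, 58, 74]
GEN_B = [90, 86, 81, 77, 73, 69, 66, 62, 48, 44]
IMP_B = [22, 28, 33, 39, 46, 51, 57, 60, 64, 71]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) in percent when a score >= threshold is accepted."""
    frr = 100.0 * sum(s < threshold for s in genuine) / len(genuine)     # Type 1
    far = 100.0 * sum(s >= threshold for s in impostor) / len(impostor)  # Type 2
    return frr, far


def crossover(genuine, impostor):
    """Try every observed score as the threshold and return (threshold, FRR, FAR)
    at the first point where the two error rates are closest to each other."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1:]


def cer(genuine, impostor):
    """Crossover error rate: mean of FRR and FAR at the crossover threshold."""
    _, frr, far = crossover(genuine, impostor)
    return (frr + far) / 2


if __name__ == "__main__":
    # Raising the threshold trades false acceptances for false rejections.
    for t in (50, 70, 80):
        print("device A, threshold", t, error_rates(GEN_A, IMP_A, t))
    # The device with the lower CER is the more accurate one.
    print("CER A:", cer(GEN_A, IMP_A), "CER B:", cer(GEN_B, IMP_B))
```
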

Crossover Error Rate

[Figure: False Reject Rate (Type 1 errors) and False Acceptance Rate (Type 2 errors), with the CER marked]

Hand Geometry

Time and Attendance Terminal

Fingerprint Biometrics

Phone Biometrics

Teach Christ

Identity of the Believer

Christian Identity


Based on identity of Christ


God only knows for sure


How do we prove our identity to others?


What are the signs of our identity?

Identity of Christ


The record in the Bible


Messianic Prophecy


Evidence of His deity


Impact on His followers


Archeological evidence


The record in the Bible


Jesus' own words

John 5:17-18 Jesus said to them, “My Father is always at his work to this very day, and I, too, am working.” For this reason the Jews tried all the harder to kill him; not only was he breaking the Sabbath, but he was even calling God his own Father, making himself equal with God.

John 10:30-33 “I and the Father are one.” Again the Jews picked up stones to stone him, but Jesus said to them, “I have shown you many great miracles from the Father. For which of these do you stone me?” “We are not stoning you for any of these,” replied the Jews, “but for blasphemy, because you, a mere man, claim to be God.”

Statements of his disciples

Philippians 2:5-6 Your attitude should be the same as that of Christ Jesus: who, being in very nature God, did not consider equality with God something to be grasped.

Messianic Prophecy

Messianic prophecy is the collection of over 100 predictions (a conservative estimate) in the Old Testament about the future Messiah of the Jewish people

Born of a virgin (Isaiah 7:14; Matthew 1:21-23)

A descendant of Abraham (Genesis 12:1-3; 22:18; Matthew 1:1; Galatians 3:16)

Of the tribe of Judah (Genesis 49:10; Luke 3:23, 33; Hebrews 7:14)

Of the house of David (2 Samuel 7:12-16; Matthew 1:1)

Born in Bethlehem (Micah 5:2, Matthew 2:1; Luke 2:4-7)

Taken to Egypt (Hosea 11:1; Matthew 2:14-15)

Herod's killing of the infants (Jeremiah 31:15; Matthew 2:16-18)

Anointed by the Holy Spirit (Isaiah 11:2; Matthew 3:16-17)

Messianic Prophecy (cont.)

Heralded by the messenger of the Lord (John the Baptist) (Isaiah 40:3-5; Malachi 3:1; Matthew 3:1-3)

Would perform miracles (Isaiah 35:5-6; Matthew 9:35)

Would preach good news (Isaiah 61:1; Luke 4:14-21)

Would minister in Galilee (Isaiah 9:1; Matthew 4:12-16)

Would cleanse the Temple (Malachi 3:1; Matthew 21:12-13)

Would first present Himself as King 173,880 days from the decree to rebuild Jerusalem (Daniel 9:25; Matthew 21:4-11)

Would enter Jerusalem as a king on a donkey (Zechariah 9:9; Matthew 21:4-9)

Would be rejected by Jews (Psalm 118:22; 1 Peter 2:7)

Messianic Prophecy (cont.)

Die a humiliating death (Psalm 22; Isaiah 53) involving:

rejection (Isaiah 53:3; John 1:10-11; 7:5,48)

betrayal by a friend (Psalm 41:9; Luke 22:3-4; John 13:18)

sold for 30 pieces of silver (Zechariah 11:12; Matthew 26:14-15)

silence before His accusers (Isaiah 53:7; Matthew 27:12-14)

being mocked (Psalm 22:7-8; Matthew 27:31)

beaten (Isaiah 52:14; Matthew 27:26)

spit upon (Isaiah 50:6; Matthew 27:30)

piercing His hands and feet (Psalm 22:16; Matthew 27:31)

being crucified with thieves (Isaiah 53:12; Matthew 27:38)

Messianic Prophecy (cont.)

Die a humiliating death (Psalm 22; Isaiah 53) involving:

praying for His persecutors (Isaiah 53:12; Luke 23:34)

piercing His side (Zechariah 12:10; John 19:34)

given gall and vinegar to drink (Psalm 69:21, Matthew 27:34, Luke 23:36)

no broken bones (Psalm 34:20; John 19:32-36)

buried in a rich man’s tomb (Isaiah 53:9; Matthew 27:57-60)

casting lots for His garments (Psalm 22:18; John 19:23-24)

Would rise from the dead!! (Psalm 16:10; Mark 16:6; Acts 2:31)

Ascend into Heaven (Psalm 68:18; Acts 1:9)

Would sit down at the right hand of God (Psalm 110:1; Hebrews 1:3)


Messianic Prophecy - the odds

Evidence of His deity


Miracles


Feeding the 5000


Raising the dead


Healing the sick


The resurrection


The empty tomb


The guards were bribed to lie


Presenting himself to over 500 followers


Within days, he was seen by many and touched


Impact on His followers

11 of the 12 apostles, and many of the other early disciples, died for their adherence to this story. This is dramatic, since they all witnessed the alleged events of Jesus and still went to their deaths defending their faith. Why is this dramatic, when many throughout history have died martyred deaths for a religious belief? Because people don’t die for a lie.

The apostle Paul makes this clear in his first letter to the Corinthians: But if there is no resurrection of the dead, then not even Christ has been raised. And if Christ has not been raised, then our preaching is futile and your faith is empty. … For if only in this life we have hope in Christ, we should be pitied more than anyone (1 Cor. 15:13-14, 19).




Archeological evidence

Over the last few decades, significant evidence revealing the life, teaching, death and resurrection of Jesus has been uncovered!

Christ’s childhood town of Nazareth is still active today

Ancient harbors matching the biblical record have been located in recent drought cycles.

In Jerusalem, we still see the foundations for the Jewish Temple Mount built by Herod the Great. Other remarkable sites in Jerusalem include the "Southern Steps" where Jesus and his followers entered the Temple, the Pool of Bethesda where Jesus healed a crippled man, and the recently uncovered Pool of Siloam where Jesus healed a blind man.

What is our identity based on?


Acceptance of the saving grace of Christ


A free gift lest any should boast


Presence of the Holy Spirit in our lives


The fruit of the Spirit: 22 But the fruit of the Spirit is love, joy, peace, forbearance, kindness, goodness, faithfulness, 23 gentleness and self-control. Against such things there is no law.

Galatians 5:22-23 New International Version (NIV)



Discussion Points


Is there enough evidence to convict you of being a Christian in a court of law?

If SAML is the means of passing identity credentials in the IT world, what are the ways we pass our identity in Christ on to others?

Closing Thoughts


Christ has given us proof beyond a doubt of His ability to forgive us our sins and save us for Himself. We need to be ready to defend the truth of the gospel... of the life that is in us.
