Who Are You Anyway?
Identity, a Security and Life Question We All Need to Ask
Vern Williams
HackFormers
www.hackformers.org

Vern Williams
• CSO, The Patria Group
• President, Computer Security and Consulting Services, LLC
• CISSP ISSEP CSSLP CBCP ISAM
• BS in Oceanography, US Naval Academy
• 20 Year US Navy Nuclear Submarines
• Masters of Science in Information Systems, Hawaii Pacific University
• ISSA Distinguished Fellow, IEEE Senior Member
• Disaster Relief Coordinator, Hill Country Bible Church /Austin Disaster Relief Network

• VernWilliams@PatriaCorp.com
• Vern.Williams@IEEE.org
• VernWilliams.ADRN@gmail.com
• 512-297-8798

Agenda
• Teach Security
• Teach Christ
• Discussion

Teach Security
Identity Management
Or the art of knowing who is who.

IdM Process
• Establish authentic credential source
• Determine roles and associated access
• Identity proofing
• Authorization
• Assign authentication
• Grant access (physical and logical)
• Monitor, modify, and/or revoke access

Establish authentic credential source
• How do you know who is who?
• Chain of trust
• You rely on their processes
• What happens when they fail?
  – Turkey CA TURKTRUST
  – NJ CA Comodo Inc.
  – Dutch CA DigiNotar

Identity Proofing
• Identity Proofing – The process by which the credential issuer validates sufficient information to uniquely identify a person applying for the credential.
  (NIST)
  – Prove that the identity exists
  – Prove the applicant is entitled to that identity
  – Address the potential for fraudulent issuance of credentials based on collusion
• Identity Source Documents: Need 2 I-9 Identity Sources
  – Must include a government-issued picture ID and fingerprints (10 for identification and two for verification)
• Background Checks: SF 85
  – Required Investigations based on the information provided in SF 85 and the Identity Source Documents

Authentication
• Now you have a trusted source of credentials
• You know who you are dealing with
• Assign a role and then grant permissions.
• Provide a means to authenticate
  – UID and password is passé
  – Multi-factor is the way to go
  – Federate your identities

Authentication Methods
• Something you know - Password, PIN, mother’s maiden name, passcode, fraternity chant
• Something you have - ATM card, smart card, token, key, ID badge, driver license, passport
• Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA

Multi-Factor Authentication
• Two-factor authentication - To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication:
  – ATM card + PIN
  – Credit card + signature
  – PIN + fingerprint
• Three-factor authentication - Highest security:
  – Password + Fingerprint + Key Card

Spring 2011 10

Password Problems
• Insecure - Given the choice, people will choose easily remembered (hence easily guessed) passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
• Easily broken - Programs such as Rainbow Tables, Crack, SmartPass, PWDUMP, NTCrack and l0phtcrack can easily decrypt Unix, NetWare, and Windows passwords.
  – Dictionary attacks are only feasible because users choose easily guessed passwords!

Password Problems (cont.)
• Inconvenient - In an attempt to improve security, organizations often issue users computer-generated passwords that are difficult, if not impossible to remember.
• Repudiation - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction.

Password Problems (continued)
A password should be like a toothbrush:
• Get a good one
• Use it every day
• Change it regularly
• Don’t share it with anyone

Biometrics
• Authenticating a user via human characteristics
• Using measurable physical characteristics of a person to prove their identification
• Technologies: DNA, blood, fingerprint, signature dynamics, iris, vein pattern, retina, keystroke dynamics, voice, layered biometrics, facial, hand geometry & topography

Biometric Advantages
• Far greater security and traceability than passwords, PINs, and tokens
• Low cost to implement
• High functional impact
• Easy to use - cannot be forgotten, lost, or borrowed

Biometric Measures
• Type 1 error - reject an authorized user
  – False rejection / false negative identification
• Type 2 error - accept an imposter
  – False acceptance / false positive identification
• CER - crossover error rate
  – % where false rejection = false acceptance
  – a CER of 3 is more accurate than a CER of 4

Crossover Error Rate
[Figure: False Reject Rate (Type 1 errors) and False Acceptance Rate (Type 2 errors), with the CER marked]

Hand Geometry Time and Attendance Terminal

Fingerprint Biometrics

Phone Biometrics

Teach Christ
Identity of the Believer

Christian Identity
• Based on identity of Christ
• God only knows for sure
• How do we prove our identity to others?
• What are the signs of our identity?

Identity of Christ
• The record in the Bible
• Messianic Prophecy
• Evidence of His deity
• Impact on His followers
• Archeological evidence

The record in the Bible
• Jesus' own words
  – John 5:17-18 Jesus said to them, “My Father is always at his work to this very day, and I, too, am working.” For this reason the Jews tried all the harder to kill him; not only was he breaking the Sabbath, but he was even calling God his own Father, making himself equal with God.
  – John 10:30-33 “I and the Father are one.” Again the Jews picked up stones to stone him, but Jesus said to them, “I have shown you many great miracles from the Father. For which of these do you stone me?” “We are not stoning you for any of these,” replied the Jews, “but for blasphemy, because you, a mere man, claim to be God.”
• Statements of his disciples
  – Philippians 2:5-6 Your attitude should be the same as that of Christ Jesus: who, being in very nature God, did not consider equality with God something to be grasped.

Messianic Prophecy
Messianic prophecy is the collection of over 100 predictions (a conservative estimate) in the Old Testament about the future Messiah of the Jewish people
• Born of a virgin (Isaiah 7:14; Matthew 1:21-23)
• A descendant of Abraham (Genesis 12:1-3; 22:18; Matthew 1:1; Galatians 3:16)
• Of the tribe of Judah (Genesis 49:10; Luke 3:23, 33; Hebrews 7:14)
• Of the house of David (2 Samuel 7:12-16; Matthew 1:1)
• Born in Bethlehem (Micah 5:2, Matthew 2:1; Luke 2:4-7)
• Taken to Egypt (Hosea 11:1; Matthew 2:14-15)
• Herod's killing of the infants (Jeremiah 31:15; Matthew 2:16-18)
• Anointed by the Holy Spirit (Isaiah 11:2; Matthew 3:16-17)

Messianic Prophecy (cont.)
• Heralded by the messenger of the Lord (John the Baptist) (Isaiah 40:3-5; Malachi 3:1; Matthew 3:1-3)
• Would perform miracles (Isaiah 35:5-6; Matthew 9:35)
• Would preach good news (Isaiah 61:1; Luke 4:14-21)
• Would minister in Galilee (Isaiah 9:1; Matthew 4:12-16)
• Would cleanse the Temple (Malachi 3:1; Matthew 21:12-13)
• Would first present Himself as King 173,880 days from the decree to rebuild Jerusalem (Daniel 9:25; Matthew 21:4-11)
• Would enter Jerusalem as a king on a donkey (Zechariah 9:9; Matthew 21:4-9)
• Would be rejected by Jews (Psalm 118:22; 1 Peter 2:7)

Messianic Prophecy (cont.)
• Die a humiliating death (Psalm 22; Isaiah 53) involving:
  – rejection (Isaiah 53:3; John 1:10-11; 7:5,48)
  – betrayal by a friend (Psalm 41:9; Luke 22:3-4; John 13:18)
  – sold for 30 pieces of silver (Zechariah 11:12; Matthew 26:14-15)
  – silence before His accusers (Isaiah 53:7; Matthew 27:12-14)
  – being mocked (Psalm 22:7-8; Matthew 27:31)
  – beaten (Isaiah 52:14; Matthew 27:26)
  – spit upon (Isaiah 50:6; Matthew 27:30)
  – piercing His hands and feet (Psalm 22:16; Matthew 27:31)
  – being crucified with thieves (Isaiah 53:12; Matthew 27:38)

Messianic Prophecy (cont.)
• Die a humiliating death (Psalm 22; Isaiah 53) involving:
  – praying for His persecutors (Isaiah 53:12; Luke 23:34)
  – piercing His side (Zechariah 12:10; John 19:34)
  – given gall and vinegar to drink (Psalm 69:21, Matthew 27:34, Luke 23:36)
  – no broken bones (Psalm 34:20; John 19:32-36)
  – buried in a rich man’s tomb (Isaiah 53:9; Matthew 27:57-60)
  – casting lots for His garments (Psalm 22:18; John 19:23-24)
• Would rise from the dead!!
  (Psalm 16:10; Mark 16:6; Acts 2:31)
• Ascend into Heaven (Psalm 68:18; Acts 1:9)
• Would sit down at the right hand of God (Psalm 110:1; Hebrews 1:3)

Messianic Prophecy: the odds

Evidence of His deity
• Miracles
  – Feeding the 5000
  – Raising the dead
  – Healing the sick
• The resurrection
  – The empty tomb
  – The guards were bribed to lie
• Presenting himself to over 500 followers
  – Within days, he was seen by many and touched

Impact on His followers
• 11 of the 12 apostles, and many of the other early disciples, died for their adherence to this story. This is dramatic, since they all witnessed the alleged events of Jesus and still went to their deaths defending their faith. Why is this dramatic, when many throughout history have died martyred deaths for a religious belief? Because people don’t die for a lie.
• The apostle Paul makes this clear in his first letter to the Corinthians: But if there is no resurrection of the dead, then not even Christ has been raised. And if Christ has not been raised, then our preaching is futile and your faith is empty. … For if only in this life we have hope in Christ, we should be pitied more than anyone (1 Cor. 15:13-14, 19).

Archeological evidence
• Over the last few decades, significant evidence revealing the life, teaching, death and resurrection of Jesus has been uncovered!
• Christ’s childhood town of Nazareth is still active today
• Ancient harbors matching the biblical record have been located in recent drought cycles.
• In Jerusalem, we still see the foundations for the Jewish Temple Mount built by Herod the Great. Other remarkable sites in Jerusalem include the "Southern Steps" where Jesus and his followers entered the Temple, the Pool of Bethesda where Jesus healed a crippled man, and the recently uncovered Pool of Siloam where Jesus healed a blind man.

What is our identity based on?
• Acceptance of the saving grace of Christ
  – A free gift lest any should boast
• Presence of the Holy Spirit in our lives
• The fruit of the Spirit: 22 But the fruit of the Spirit is love, joy, peace, forbearance, kindness, goodness, faithfulness, 23 gentleness and self-control. Against such things there is no law. Galatians 5:22-23 New International Version (NIV)

Discussion Points
• Is there enough evidence to convict you of being a Christian in a court of law?
• If SAML is the means of passing identity credentials in the IT world, what are the ways we pass our identity in Christ on to others?

Closing Thoughts
• Christ has given us proof beyond a doubt of His ability to forgive us our sins and save us for Himself. We need to be ready to defend the truth of the gospel… of the life that is in us.