In the previous two blog posts of this series on identity credentials, we discussed identity proofing and authentication. This blog post will focus on an attack of the operational controls of an identity system. This is the third and final attack that we’ll consider for Risk Category 2, nefarious impersonation.
Why Do Identity Systems Need Operational Controls?
Consider an attack where a bad actor could assume anyone’s identity or many identities at the same time. This risk is very serious. This type of attack is widely regarded as a catastrophic failure of an identity system. The attack vector? People and operational controls.
In certificate authority (CA) compromises over the past two decades, the attacks occurred due to untrustworthy operational controls employed by the certificate authority, or, CA. Those controls range from improper procedures used for enrollment, weak cybersecurity controls, and technology stacks that don’t conform to industry standards.
Let’s briefly revisit our original analogy, the figurative banquet with over 320 million Americans. As before, your job at reception is to hand the right seating assignment to the right person after checking their credentials. If you fail, the person won’t be seated at the same table as the rest of their family.
In the last blog post, we extended the analogy to allow guests to have three meals throughout the day. However, for each meal they need to return to the registration desk to obtain a new ticket for breakfast, lunch, and dinner. For simplicity’s sake and practical uses in cyberspace, let’s say you’re handing out unique QR codes to registrants when they receive their badges. This way, when they approach you for a meal ticket, they can present their QR code for verification. The system keeps track of who has already received a meal, assuring the same person can’t get more than one ticket per meal.
Attack #3: Weak Operational Controls Causing Catastrophic Failure
Now imagine your manager separates the registration duties into two stations. The first station registers new guests and gives identity proofed guests secret QR codes, while the second station prints out meal tickets after authenticating a guest. You’re operating the meal ticket desk, and you still need to ensure the right person gets their meals. It’s your responsibility to scan the guests’ secret QR codes they were issued by the other desk. After scanning their secret QR code, you can print out a meal ticket. This new methodology builds efficiency. Someone else is completely handling all the ID proofing and credential binding of all guests. All you must do is rely on the guests’ issued authenticators (secret QR codes).
However, when you look over at the registration desk, you notice those people went on a bathroom break at the same time, leaving the registration desk unattended. You don’t know how long they’ve been gone. You put it out of your mind, and you check in a guest with a memorable face. Fifteen minutes later after you’ve checked in hundreds of thousands of guests (you have 320 million people the feed!), you see a familiar face. You could have sworn the same guest with a memorable face returned for another meal ticket. Nevertheless, he hands you a different QR code and successfully gets another meal ticket. Fifteen minutes later, it happens again, but this time you stop the person.
Using your authoritative and serious voice, you question him, and you’re able to get him to spill the beans (excuse the pun 😊). He confesses to having hundreds of unique QR codes in his pockets! He admits to sneaking behind the registration desk and printing out secret QR codes associated with other guests while the desk was unprotected.
This is an example of a catastrophic failure of an identity system. In this example, the registration desk serves as the identity system. The nefarious guest was able to assume anyone’s identity that he wants. He compromised the issuance process for issuing secret QR codes that you rely on for handing out meal tickets.
Operational Controls of Identity Systems
In the digital world, identity systems are among the most highly sought after systems by advanced threat actors. An example of an advanced threat actor is an Advanced Persistent Threat. That’s a fancy way of saying a “nation-state” is levying (or sponsoring) an attack on a system. Identity systems make attractive targets because bad actors can access lots of information by assuming others’ identities. Attacks like this are also difficult to detect. For example, you didn’t know the nefarious guest stole meal tickets until the third time he approached your desk.
Luckily, compromises on identity systems are quite rare, because many identity systems operated by commercial Credential Service Providers (CSPs) are among the most secure and closely guarded systems in the world. This is especially true of a special class of CSPs called Certificate Authorities (CAs) due to the norms associated with operating a CA.
There are many ways to compromise the operational controls of an identity system. While those techniques are outside the scope of this post, all of them have a common denominator: people and operational controls. Ensuring the staff who operate and maintain the identity system are highly trained and trustworthy is of paramount importance. It forms the bedrock of the rest of the technical security controls employed by an identity system.
DirectTrust’s Role in Ensuring Strong Operational Controls of Identity Systems
This example should illustrate why Credential Service Providers need strong cybersecurity controls, which can help prevent this kind of attack. NIST SP 800-63 is mostly silent on this threat, but DirectTrust has built a comprehensive set of policies into its assurance program that goes beyond NIST SP 800-63 as a measure to ensure DirectTrust-accredited CSPs are trustworthy.
There are many other ways to impersonate an individual online. With that said, the three examples we have explored in this blog series (Attacks 1-3) make up the most common risks that identity systems face. The final blog in this series addresses the third and final risk category: unauthorized access.
This article was originally published on the DirectTrust blog and is republished here with permission.