What authentication isn’t
To a lot of you, this post isn’t going to tell you anything you don’t already know, but for others I think it needs to be said again. MAC and IP addresses are easily changeable and are useless for authentication.
Far too often when we’re on site we see security measures that rely heavily on them, and it’s something that we need to move away from in control systems. We need to decouple connectivity and authentication. This is bad enough on the control network itself, but often it goes past that point and extends out to the corporate network, allowing a handful of special IPs to access the control systems, essentially rendering your firewall useless.
Of course we know a lot of devices on our networks don’t support this kind of authentication, and due to unavailability, along with time and resource constraints, that’s just the way it’s going to be for the foreseeable future. In those cases when you can’t do authentication, you have to depend on effective monitoring (access logs, network monitoring, our own Quickdraw project, etc.).
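One concrete piece of the monitoring fallback described above, as an added example that is not part of the original post: a small monitor that tracks the IP-to-MAC binding each address was last seen with and alerts when an address on the "trusted" list suddenly arrives from a different hardware address, or when one hardware address starts answering for several IPs. Neither condition proves spoofing, but both are exactly what an address-based allow rule can never notice on its own. The log format (timestamp, record type, IP, MAC) and the sample records are constructed for this example.

```python
"""Detect IP-to-MAC binding changes in a stream of address observations.

Added example, not code from the original post. It assumes a sensor that
emits one whitespace-separated record per observed address pairing:
    <timestamp> <type> <ip> <mac>
Any real ARP watcher or DHCP log would need its own parser in place of
parse_line(); everything else is format-independent.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a trusted host (10.1.1.5) answers normally, then the
# same IP appears from a new MAC, which then also claims a second IP.
SAMPLE_LOG = """\
2009-11-24T10:00:01 arp 10.1.1.5 00:11:22:33:44:55
2009-11-24T10:00:02 arp 10.1.1.9 00:11:22:33:44:66
2009-11-24T10:05:10 arp 10.1.1.5 00:11:22:33:44:55
this line is malformed and must be skipped
2009-11-24T10:07:30 arp 10.1.1.5 de:ad:be:ef:00:01
2009-11-24T10:07:31 arp 10.1.1.9 de:ad:be:ef:00:01
"""


@dataclass(frozen=True)
class Observation:
    ts: str
    ip: str
    mac: str


def parse_line(line):
    """Return an Observation for a well-formed record, or None to skip it."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, _kind, ip, mac = parts
    return Observation(ts=ts, ip=ip, mac=mac.lower())


@dataclass
class BindingMonitor:
    # IPs whose binding change should be treated as high severity, e.g. the
    # addresses a firewall or device allow-list trusts.
    trusted_ips: frozenset
    ip_to_mac: dict = field(default_factory=dict)
    mac_to_ips: defaultdict = field(default_factory=lambda: defaultdict(set))

    def observe(self, obs):
        """Update state with one observation and return any alerts it raised."""
        alerts = []

        # Rule 1: an IP we have seen before now comes from a different MAC.
        prev = self.ip_to_mac.get(obs.ip)
        if prev is not None and prev != obs.mac:
            sev = "HIGH" if obs.ip in self.trusted_ips else "LOW"
            alerts.append(
                f"{obs.ts} {sev} binding change: {obs.ip} was {prev}, now {obs.mac}"
            )
        self.ip_to_mac[obs.ip] = obs.mac

        # Rule 2: one MAC now answers for more than one IP. Fire only when the
        # set actually grows, so a steady state does not re-alert forever.
        newly_claimed = obs.ip not in self.mac_to_ips[obs.mac]
        self.mac_to_ips[obs.mac].add(obs.ip)
        if newly_claimed and len(self.mac_to_ips[obs.mac]) > 1:
            ips = ", ".join(sorted(self.mac_to_ips[obs.mac]))
            alerts.append(f"{obs.ts} MEDIUM one MAC answers for several IPs: {obs.mac} -> {ips}")

        return alerts


def run_monitor(log_text, trusted_ips):
    """Feed every record in log_text through a fresh monitor; return all alerts."""
    monitor = BindingMonitor(trusted_ips=frozenset(trusted_ips))
    alerts = []
    for line in log_text.splitlines():
        obs = parse_line(line)
        if obs is not None:
            alerts.extend(monitor.observe(obs))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_LOG, {"10.1.1.5"}):
        print(alert)
```

On the sample the monitor raises three alerts: a HIGH binding change for the trusted 10.1.1.5, a LOW one for 10.1.1.9, and a MEDIUM note that the new MAC now answers for both. Severity here is driven by the trusted list, which is the point: the addresses a rule set trusts most are the ones whose bindings deserve the closest watch.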
How do you know if you’re using real authentication? If it’s not based on something you have, something you know, or something you and only you are, then it’s not real authentication, and you’re setting yourself up for problems down the road as more and more layers of assumed security/authentication are built on top of a faulty premise.
Author: Daniel Peck
Posted: November 24th, 2009 under Big Picture.
Comments: 6
Comments
Comment from Jake Brodsky
Time: November 24, 2009, 11:22 pm
Let’s be honest. There are many posers who call themselves IT security specialists. Joe Weiss has often stated that there may not be more than a hundred control system cyber security specialists in the world. And I’ve heard that there may not be more than 1000 IT security specialists who are worth much either.
That estimate sounds about right, though it may be off by a factor of two or three. There aren’t many who really understand what goes on in a network, what the authentication is based upon, or even what authentication actually is.
These are still very new and raw fields of interest. There are lots of pretenders. The public doesn’t know the difference between the wannabes and the real pros.
Until professional organizations get good at showing people what to look for and what to expect from a reputable security professional, I feel that this farce will continue.
Comment from Ray Parks
Time: November 25, 2009, 12:01 am
A further problem is that there is a distinction between authentication and authorization. Once an entity (human, software, or hardware) in a system is authenticated, there needs to be a gatekeeper that checks whether that entity is authorized to perform the requested action. The simple form of this is authentication via a password and authorization to act upon a file based on ACLs. Role-based access control is the corollary to multiple factor authentication. If you mix authentication and authorization of different strengths, the resulting system is only as strong as the weakest.
You’re quite right about the strength of MACs and IP addresses – we are in the midst of an assessment during which we used faking of both – not to perform an attack but to get access to another network for setup! We’ll use the techniques for the actual pen-test once we download all the packages we want.
Another issue is reliance on VLANs as a security measure. I can’t claim any credit, but my teams have used multiple techniques to get past VLAN separation, usually to get to the primary, privileged VLAN.
All of this relates back to the fourth principle of cyberwarfare (according to Duggan and Parks):
Some entity within the cyber world has the authority, access, or ability to perform any action an attacker desires to perform. The attacker’s goal is to assume the identity of that entity, in some fashion.
Comment from Rob Casey
Time: November 25, 2009, 1:38 am
Interesting post – The issue of appropriateness of a mechanism for the purposes of authentication however extends beyond simply MAC and IP addresses, but to the strength of any authentication. In its most ideal form, authentication should be absolute, transparent and unique. This however is not always realised – or more generally, even able to be realised – within the practical setting. Authentication by MAC and IP address is one example of the compromised authentication mechanism that is often employed without understanding of the attack vectors that may be employed to circumvent or undermine this mechanism.
I would note that the comments from Ray with regard to distinction of authorisation are additionally insightful and serve as an important element of access control even where authentication is implemented in an ideal manner in order to ensure access is permitted only as required.
Comment from Éireann Leverett
Time: November 26, 2009, 9:16 am
I know what some of Jake is saying is true, but also a little harsh. Some of those ‘posers’ need more experience to become experts. Specifically, authentication is hard to learn, as you rarely get proper feedback on your mistakes. Also, many people do not read current academic literature on the subject, and many who would like to are not given the time!
This is where some time ‘attacking’ will in the long run inform ‘design’. I agree with Jake on learning more about the folks you’re hiring, but also like to point out that newbie to expert is not a simple phase transition, it takes time.
Comment from Rob Lewis
Time: November 28, 2009, 5:30 pm
@ Ray Parks,
Very astute Ray.
I am with the vendor of a security sub-system that is, in effect, an “authorization engine” that works in tandem with IDM or authentication methods. Enforcement of user access rights is extended from the network edge to the resulting end behaviors that occur on the network, post-authentication.
It is very common to see authentication used as a “proxy” for authorization, which is insufficient. Without actual enforcement, the opportunity for unauthorized behaviors will exist. If we think about your quote of the 4th principle, and realize that it is generally easy for malware or external attackers to gain entry to the network, then an extension of that is that the current lack of this capability is why malware and insiders currently present a high security risk.
What is not realized often enough, is that external attackers that successfully penetrate the perimeter are now insiders. Their highest probability of success comes from assuming the identity of low ranking employees, because there tends to be more of them. The lack of authorization at that point is why there is a failure to prevent privilege escalation, at which point the attacker has access to anything in the network.
A strong authorization engine protects the systems and resources from even the authorized users with passwords.
Comment from Daniel Peck
Time: December 4, 2009, 11:10 am
@Jake,
I’m going to disagree with you there. I don’t think the problem is a lack of experts; I believe the bigger problem is a lack of basic security know-how in our admins and developers, along with the necessary transparency and documentation to allow an admin to know exactly how authentication is being performed.
Experts are for expanding the knowledge base of the field, discovering new attack/defense techniques, etc., but we can’t honestly blame the lack of them for problems like this.
Issues with IPs and MAC addresses were added to that knowledge base a couple of decades ago, and by now there is really no excuse for systems to still be built/updated using those mechanisms.