Guide to CJIS Security with Advanced Authentication

Author: Emily Wright
Guide to CJIS Security with Advanced Authentication IIIIII A Brief for Law Enforcement Organizations

[Cover illustration: a sample police badge for officer I. M. Sample, badge 12345, hire date 02/12/2000, status active/authorized, shown alongside an OTP token displaying 866965. www.gemalto.com]

Table of Contents

What is Advanced Authentication? ... 1
Why Advanced Authentication? ... 2
How to Implement Advanced Authentication: Authenticators ... 4
Hardware one-time password (OTP) tokens ... 5
Smart cards with digital certificates ... 6
Smart cards with biometrics and certificates ... 8
Issuing and managing authenticators ... 8
Implementation: Upgrade systems and networking infrastructure ... 10
Upgrade desktops, laptops and police cars to work with authenticators ... 11
Summing Up – Advanced authentication is essential to protecting CJI ... 11
Thank You for Reading ... 12


The Criminal Justice Information Services (CJIS) Division of the FBI serves as a focal point and central repository for criminal justice information (CJI) that is shared with federal, state, local and tribal law enforcement agencies. Protecting and securing that information is a shared responsibility and to ensure security, all CJIS users must follow requirements and guidelines defined in the FBI’s Criminal Justice Information Services Security Policy (Currently Version 5.0 of February 9, 2011, CJISD-ITS-DOC-08140-5.0). While broad in scope, Version 5.0 of the CJIS Security Policy introduced a specific new requirement called “advanced authentication” that is the subject of this brief. The deadline for compliance with the advanced authentication mandate is September 30, 2013. That might sound far off but in fact this gives partner agencies a very tight implementation timeline. Briefly stated, advanced authentication recommends as a best practice the use of a personal security device, such as a token or a smart card-based credential, whenever accessing CJI from outside a secure facility. As the global leader in digital security, last year alone Gemalto shipped more than six billion smart secure devices and supplied a wide range of software and services to hundreds of the world’s largest enterprises and government agencies. Our solutions help banks and mobile network operators ensure that billions of transactions every day are securely conducted between the right parties. They power ID documents that are practically impossible to forge. And they let people exchange information and access networks without fear of being spied on or hacked. Drawing from our extensive knowledge and experience, we will explain what advanced authentication is, why it is needed to maximize security and how it can be implemented. 
We hope the information shared in this guide will empower you to find actionable ideas that you can use to achieve CJIS advanced authentication compliance in your own Police Department or other law enforcement agency.

What Is Advanced Authentication?
Authentication is proving your identity to an information system or service provider. In the case of CJIS, like many organizations and Web services, this is usually done with a login ID (username) and password. Advanced authentication provides additional security by recommending an “authenticator” in addition to the login ID and password. This is also referred to as two-factor authentication, because you have to use two different things to prove your identity. It combines something you have, the authenticator, with something you know, your login ID and password. An everyday analogy that illustrates this idea of advanced authentication, or two-factor authentication, is how you withdraw cash at an ATM. Your ATM card (something you have) and your PIN code (something you know) are the “two factors” that provide you with a type of “advanced authentication.”


What makes advanced authentication more secure is that both factors are required for a transaction. In the banking example, if someone knows your PIN code but does not have your bank card, they cannot steal money from your account. In the CJIS example, if someone steals your login ID and password but does not have your authenticator, they cannot access CJI.

Why Advanced Authentication?
The primary rationale for implementing advanced authentication is that passwords are weak protection for highly confidential and personal information such as CJI. The reason is that if someone else obtains your password they can access information posing as you. There are many ways this can happen. For one thing, passwords can be shared, which is a violation of the security policy because there is no longer an association of a CJI access credential with a single individual. It also can lead to a loss of control when it comes time to revoke an individual’s access privileges due to resignations, terminations or other causes. While their own password can be revoked, if they have a colleague’s login they might use it to continue to access CJI. Another problem is that passwords are often written down or stored on a smartphone or laptop, and if that paper or mobile device is not stored securely or is lost, the login credentials can be compromised. Someone looking over your shoulder can even spy your password if you are not careful.

Advanced authentication is now an essential tool for law enforcement information security at every level of government.

Perhaps the greatest problem with passwords is the threat of malware (malicious software) or spyware designed to steal login credentials. These are nasty programs that someone sneaks onto your computer and are like a virus, but more directly criminal in intent. One way malware gets on your systems is through “Trojans.” Like the Greek myth, a Trojan horse is a malware program hiding inside another program that does something useful. This could be a freeware program, like an MP3 encoder, a tool for breaking DVD copy protection or a game cheat. Whatever it is, when you install it on your system it also installs a “payload”—one or more malware programs such as a keylogger or a backdoor.

The headlines are full of examples of blue-chip companies that have been data breach victims of attacks like these. Hackers breached Citibank’s security and accessed the information of close to 360,000 customers. Attackers broke into systems of Directors Desk that facilitate boardroom-level communications for 10,000 senior executives and company directors where they may have had access to inside information on publicly traded stocks. Credit card processor Global Payments Inc. had information on 1.5 million payment accounts stolen. “Hacktivists” stole personal information and passwords from one million SonyPictures Corp. customers, the second time Sony was attacked. There are many more examples, but the point is the threat of a data breach is real for organizations of any size.


Here are three examples of the many ways criminals use malware to steal login credentials:
> A keystroke monitor (keystroke logger, keylogger) is a type of malware that records every key you press. It analyzes your keystrokes to gather information used for identity theft, including account logins and passwords, and sends it to the hacker.
> An Internet address redirect attack sends your browser to a phishing site, an authentic-looking hacker site that tricks you into entering your login information; typically it shows you a password error message and routes you through to the real site after stealing your password, so you do not even suspect anything is amiss.
> A carefully crafted, authentic-looking “spearphishing” email tells you there is a security problem you need to fix; you click the embedded link but end up at a hacker’s site where your credentials are stolen.
Malware is a very common problem, even on PCs protected by anti-virus software. The Anti-Phishing Working Group (APWG), an industry organization that reports statistics on crimeware, estimates that 39% of all PCs in the United States have malware installed on them. One important cause of this is that anti-virus software and firewalls only work against attacks they have seen before, which is why your anti-virus software is constantly updating to protect against the latest detected threats. The problem this creates is a vulnerability gap between the detection of a new virus and the moment the anti-virus update is installed on everyone’s PCs, known in the IT security industry as “zero-day.” The problem is that hackers have become so efficient at changing the attack viruses using toolkits like SpyEye and ZeuS that every day is zero-day. For example, there are more than 70,000 known ZeuS variants.
An organization that tracks networks of PCs and servers hijacked by SpyEye (botnets) estimates that 75% of the time anti-virus software fails to detect SpyEye infections. Another trend is that individuals or specific organizations with access to high value targets, such as CJIS, can be targeted with a unique Trojan that the hacker does not use anywhere else, rendering anti-virus protection useless in defending that individual. To counter these security risks caused by over-reliance on weak password-based authentication, the CJIS Security Policy now requires the use of advanced authentication in many cases. Even if someone manages to steal your password, without the authenticator they will not be able to access CJI posing as you. There are several cases in which the CJIS Security Standard requires advanced authentication:
> When the location of the device is known and it is not in a physically secure location
> When the location is known to be physically secure, but all required technical controls have not been implemented
> When the location is not known and the request comes from a non-agency-managed user device
> When the location is not known and the request comes from an agency-managed device associated with a Law Enforcement Conveyance (vehicle), but the agency has not implemented IPSec to comply with Security Policy Version 4.5 [1]
> Irrespective of location, when accessing a service that itself requires advanced authentication, such as Law Enforcement Online (LEO), the FBI’s state-of-the-art Internet system for sensitive but unclassified information


[1] An exception to this scenario is that CJIS Security Policy Version 5.0 waives the advanced authentication requirement for user devices associated with a Law Enforcement Conveyance that were not acquired or updated since 2005.
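The five cases listed above, together with the footnote [1] waiver, encoded as a decision function so that an agency can test its own access-gating rules against them. This is an added example written for this page; it is not code from the brief, from Gemalto or from the CJIS policy document. The `AccessRequest` class and its attribute names are chosen here. Two combinations the brief does not spell out (a known, physically secure location with all technical controls in place, and an agency-managed device at an unknown location that is not tied to a conveyance) are handled as the comments state, and any deployment should confirm the result against the decision tree in the policy itself.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessRequest:
    """Attributes of one request to access CJI (field names chosen for this example)."""
    location_known: bool
    physically_secure: Optional[bool] = None            # only meaningful if location_known
    technical_controls_complete: Optional[bool] = None  # only meaningful if physically_secure
    agency_managed_device: Optional[bool] = None        # only meaningful if not location_known
    in_le_conveyance: bool = False                      # device associated with a LE vehicle
    ipsec_per_policy_v45: bool = False                  # agency implemented IPSec per Policy 4.5
    device_acquired_or_updated_since_2005: bool = True  # footnote [1] waiver applies when False
    service_requires_aa: bool = False                   # e.g. Law Enforcement Online (LEO)


def advanced_auth_required(req: AccessRequest) -> bool:
    """Return True when the brief's list says advanced authentication is required."""
    # Case 5: irrespective of location, the service itself requires it.
    if req.service_requires_aa:
        return True

    if req.location_known:
        # Case 1: location known but not physically secure.
        if not req.physically_secure:
            return True
        # Case 2: physically secure but not all required technical controls in place.
        # A secure location with all controls in place is not listed by the brief as
        # requiring advanced authentication, so it evaluates to False here.
        return not req.technical_controls_complete

    # From here on the location is not known.
    # Case 3: request from a non-agency-managed user device.
    if not req.agency_managed_device:
        return True

    if req.in_le_conveyance:
        # Footnote [1]: conveyance devices not acquired or updated since 2005 are waived.
        if not req.device_acquired_or_updated_since_2005:
            return False
        # Case 4: conveyance device, but IPSec per Policy 4.5 not implemented.
        return not req.ipsec_per_policy_v45

    # Agency-managed device, unknown location, not associated with a conveyance:
    # the brief gives no rule for this combination, so this example fails closed.
    return True


if __name__ == "__main__":
    # Constructed sample requests, one per case in the brief.
    samples = {
        "known location, not secure": AccessRequest(location_known=True, physically_secure=False),
        "secure facility, all controls": AccessRequest(location_known=True, physically_secure=True,
                                                       technical_controls_complete=True),
        "secure facility, controls missing": AccessRequest(location_known=True, physically_secure=True,
                                                           technical_controls_complete=False),
        "unknown location, personal device": AccessRequest(location_known=False, agency_managed_device=False),
        "patrol car with IPSec": AccessRequest(location_known=False, agency_managed_device=True,
                                               in_le_conveyance=True, ipsec_per_policy_v45=True),
        "patrol car without IPSec": AccessRequest(location_known=False, agency_managed_device=True,
                                                  in_le_conveyance=True, ipsec_per_policy_v45=False),
        "pre-2005 patrol car device": AccessRequest(location_known=False, agency_managed_device=True,
                                                    in_le_conveyance=True, ipsec_per_policy_v45=False,
                                                    device_acquired_or_updated_since_2005=False),
        "LEO from inside a secure facility": AccessRequest(location_known=True, physically_secure=True,
                                                           technical_controls_complete=True,
                                                           service_requires_aa=True),
    }
    for label, req in samples.items():
        print(f"{label:36s} -> advanced authentication required: {advanced_auth_required(req)}")
```

The ordering matters: the service rule is checked first because it applies irrespective of location, and the footnote waiver is checked before the IPSec rule because it removes the requirement for the very devices that rule would otherwise catch.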

How to Implement Advanced Authentication: Authenticators
There are two main areas of effort required to implement advanced authentication:
> Provide users with authenticators
– Provision the user-level devices that enable advanced authentication
– Implement a process for issuing and managing authenticators
> Upgrade the identity and access management infrastructure
– Modify systems and networking infrastructure to accept advanced authentication
– Implement an advanced authentication server
– Upgrade desktops, laptops and police cars to work with authenticators

The first step is to choose an authenticator technology, or even a combination of them. The CJIS Security Standard requires robust security technology for authenticators, and the following are the most secure and acceptable choices for advanced authentication as defined in the policy.

[Illustration: the three authenticator types, each shown on the sample police badge or token]
> Hardware one-time password (OTP) tokens for secure access to CJI
> Smart cards with digital certificates for secure access to CJI
> Smart cards with biometrics and certificates for secure access to CJI

Each of these options is explained in more detail below.


Hardware one-time password (OTP) tokens
These small devices display a numeric password that changes with every login. When logging in, the user presses a button on the device to get the unique code, and then types it in on the keyboard. The big advantages of OTP are that it can be implemented quickly, because it does not require changes at the user device level, and that it is simple to administer.

[Illustration: OTP login flow]
> The police officer is prompted to create a one-time password (OTP) for authentication to CJI.
> The police officer creates an OTP by simply pushing a button on the OTP device.
> The OTP (866965 in the illustration) appears on the device, and the police officer enters it along with his/her username.
> The username and OTP are verified, and the police officer has secure access to CJI.
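The verification step of the flow above, as an added example that is not part of the brief and not Gemalto's product code. It assumes an event-based token that implements HOTP (RFC 4226) with HMAC-SHA1 and a 6-digit code, which is one common way hardware OTP tokens work; the brief does not say which algorithm its tokens use. The shared secret is the RFC 4226 test secret, the user directory is constructed in memory, and `hotp`, `TokenRecord`, `UserStore` and `hash_password` are names chosen here. It shows the two properties the text relies on: a code is accepted once and never again, and the password alone (or the code alone) is not enough to log in.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side state for one issued hardware token: the shared secret
    and the lowest counter value that has not yet been consumed."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        # Tolerate a few button presses that never reached the server
        # (the officer pressed the button but did not finish logging in).
        self.look_ahead = look_ahead
        self.next_counter = 0

    def verify(self, submitted: str) -> bool:
        """Accept a code only if it matches one of the next `look_ahead`
        counters. On success the counter moves past the match, so the same
        code can never be accepted twice: a captured OTP cannot be replayed."""
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.next_counter = c + 1
                return True
        return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 password hash (the 'something you know' factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserStore:
    """Constructed in-memory directory: username -> (salt, password hash, token record)."""

    def __init__(self):
        self.users = {}

    def enroll(self, username: str, password: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt), TokenRecord(token_secret))

    def login(self, username: str, password: str, otp: str) -> bool:
        """Two-factor check: the password (something you know) AND a fresh code
        from the token (something you have) must both verify. The password is
        checked first so that a wrong password never consumes a token counter."""
        record = self.users.get(username)
        if record is None:
            return False
        salt, pw_hash, token = record
        if not hmac.compare_digest(hash_password(password, salt), pw_hash):
            return False
        return token.verify(otp)


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test secret as the token seed.
    secret = b"12345678901234567890"
    store = UserStore()
    store.enroll("i.m.sample", "correct horse battery", secret)
    first_code = hotp(secret, 0)   # what the token shows on its first button press
    print("login with password + fresh code:", store.login("i.m.sample", "correct horse battery", first_code))
    print("replay of the same code:          ", store.login("i.m.sample", "correct horse battery", first_code))
    print("stolen password, no token:        ", store.login("i.m.sample", "correct horse battery", "000000"))
```

The look-ahead window is the operational caveat: too small and a token whose button was pressed a few times falls out of sync and needs a helpdesk resync, too large and an attacker who captured a code gets more guesses; a handful of counters is the usual compromise, and the counter should be persisted so that a server restart cannot reopen an already used code.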


Smart cards with digital certificates
A smart card is an ID card-sized piece of plastic that contains a small computer, or microprocessor, with its own data storage, processing power and software. Smart cards are a well-established digital security technology that today protects more than two billion mobile phones and 600 million smart credit cards worldwide from fraud.

[Illustration: smart card badge login flow]
> The police badge contains a secure contact smart card.
> The police officer inserts his/her badge into the reader, and enters his/her PIN.
> The smart card provides advanced authentication for secure access to CJI.
[Illustration: What is smart card technology?]
Smart card technology uses a computer and software with 100s of built-in security features. Outside: the contacts on the surface of the device are connected... Inside: ...to wires running from a computer chip under the surface. The whole piece is embedded into a plastic card or hard token.

A digital identity certificate is a software token issued using public key infrastructure (PKI) technology. Digital ID certificates are widely used to secure identities in information systems and supported by all leading IT infrastructure providers.


By putting a digital ID certificate on a smart card, you not only create a very powerful authenticator for advanced authentication, you also get a highly secure ID credential for visual identity verification and physical access control. There is broad government and industry support for using smart card-based ID credentials with these three key attributes (visual security, physical access, and advanced authentication) as an effective digital security technology:
> The U.S. federal government-wide ID credential, known as the Personal Identity Verification (PIV) card, is based on this technology; use of the credential is mandatory for both physical access and IT systems access
> The national federal, state and local program to define an interoperable ID card for first responders in emergency situations is based on this technology; DHS and FEMA are managing this initiative with 17 states already involved [2]
> The U.S. National Institute of Standards and Technology (NIST) recommends this approach for advanced authentication in its “Electronic Authentication Guideline” (NIST Special Publication 800-63-1, p. 77); NIST standards are cited as references in the CJIS policy
> Microsoft defines advanced authentication using digital PKI certificates and smart cards as important attributes of a well-managed identity infrastructure using Microsoft’s Forefront Identity Manager
To use a smart card ID, insert it into a reader built into your keyboard, an attached reader or your laptop, much as you would put a card into an ATM, and then enter your PIN code. The card stays in place during the transaction. Once the PIN code is accepted and the card is unlocked, there is an encrypted authentication exchange between the smart card and the host system. What makes this approach so secure is that the smart card uses its own processor and software, independent of the PC, to authenticate the user. Because this authentication is isolated from the PC and is unique with each login, users are protected from any threats on the end user device, the network or the Internet. Not only does the smart card provide more security, it is also more convenient for the user. Instead of trying to keep track of complex, frequently changing passwords, users only need to remember their PIN code; the smart card authenticator takes care of strongly authenticating the user and establishing an encrypted secure session.
Advantages of a smart card/digital ID combination compared to an OTP token are:
> More convenient, because users do not have to type in the numeric one-time password
> More secure and more effective against more advanced attacks such as man-in-the-middle (see NIST “Electronic Authentication Guideline,” p. 77)
> The ID credential also supports more secure visual identification and physical access control
> Optional advanced authentication for unlocking disk encryption
> Can digitally sign and encrypt emails or documents
> Interoperability with the national first responder ID card initiative (FRAC)


[2] The First Responder Access Card (FRAC) is based on the Personal Identity Verification – Interoperable (PIV-I) standard. PIV-I, developed as a secure credential for non-federal entities, is an interoperable derivative based on the same standards used in the federal government’s PIV card.

Smart cards with biometrics and certificates
This approach is the same, except that it replaces the PIN code with a fingerprint biometric. This helps avoid problems with people forgetting their PIN codes, and prevents them from sharing their PIN code and credential with someone else. Fingerprint biometric systems do not actually store the complete fingerprint. Instead they create a template from the fingerprint image during enrollment, which is then used to authenticate the user. Also, the matching is done internally on the smart card using match-on-card technology, which protects it from threats on the PC or user device. Another benefit of match-on-card is that the user always has their biometric identifier with them, securely stored and encrypted on the card, so they are not dependent on network connections for authentication to the card.

[Illustration: biometric smart card badge login flow]
> The police officer places the employee badge into the reader. The data on the card verifies the fingerprint template biometric, confirming identity.
> The police officer places a finger on the pad. The reader verifies the fingerprint against the template stored on the card, and the police officer is granted secure access to CJI.

Issuing and managing authenticators
In order to effectively implement advanced authentication, the CJIS policy calls for processes and systems that manage user identifiers and information system authenticators.


You will need to develop a comprehensive plan for enrolling people and providing them with an authenticator. Key elements of this plan include:
> Develop a registration process: includes enrolling participants, issuing an authenticator and a digital certificate if needed, and binding the authenticator/certificate to the individual’s identity
> User training: needs to cover everything from why advanced authentication is necessary to how to set up, use and protect the authenticator
> Administrator and helpdesk training: important so that staff know what to do in exception situations such as lost or stolen credentials, a forgotten PIN code or an authenticator that is not working
> Compliance audit and sign-off: validation of the implementation as required under the security policy
Because both smart card-based digital ID certificates and OTP tokens are widely used in government and private sector organizations, systems for issuing and managing digital identities and authenticators are available from leading IT infrastructure players. For example, Microsoft provides these off-the-shelf solutions for managing advanced authentication and identities:
> Forefront Identity Manager (FIM): a simplified framework for managing and provisioning user identities, user accounts, access privileges and smart card certificate-based credentials
– Manages identity-based policies across Windows and heterogeneous environments
– Spans the entire lifecycle of the identity and credential, from first issuance until revocation
> Certificate Authority: tool for digital ID PKI certificate issuance
A fast way to get started is to use a technology provider that offers a combination of supporting security partner specialists and Web-based services. Gemalto has strong security channel partners to help you plan and implement your strong authentication solutions.
As for the authenticators, simplify and accelerate deployment in your organization by requiring these capabilities from your technology provider:
> Range of solutions: find a partner that offers a full spectrum of advanced authentication solutions including smart cards, OTP tokens and biometrics
> Complete Web-based fulfillment service: why maintain a stock of OTP tokens or smart cards? Look for a company that can provide complete smart card credential or OTP token fulfillment including order handling, packaging, shipping, tracking and provisioning
> No batch fulfillment requirement: make sure your technology partner will ship an individual hardware OTP device to an individual end user, or provides the option to ship in batches to a central distribution point
> Webstore: explore options for a custom webstore where your users can order their authentication device and provide shipping information
> Self-activation and automated Web-based services such as password resets: enable users to self-activate once they have received their OTP device or card, and provide automated processes for forgotten PINs and for deactivating lost or stolen cards


Implementation: Upgrade systems and networking infrastructure
One final bit of good news is that the process for provisioning, deploying and using either smart card-based credentials with identity certificates or OTP tokens is very straightforward today. All leading IT infrastructure suppliers, including Microsoft, IBM, HP, Computer Associates, Citrix, Adobe and many more, already fully support the use of OTP tokens and smart card-based advanced authentication. In fact, many of these IT leaders already use smart card ID credentials internally themselves. If your organization primarily operates a Microsoft environment, you can be assured your core infrastructure is ready to evolve into advanced authentication security. Key Microsoft components that support smart card-based credentials and certificates include:
> Active Directory and Active Directory Federation Services (ADFS): tools for certificate issuance, authentication and access control for credentials and identities
> Windows desktop and server operating systems: full support for desktop logins, terminal services and security policy enforcement, as well as self-service provisioning and maintenance with FIM for everyday tasks like PIN resets
> Applications including Outlook, SharePoint and Office: login, digital signature and encryption capabilities
Because NetMotion is the leading provider of wireless access for law enforcement agencies, integration with the NetMotion VPN is essential to interoperable and secure remote access using advanced authentication. This integration can be achieved off-the-shelf, for example by using Gemalto OTP tokens and smart card-based credentials. For Linux and Apple infrastructures, implementation at the desktop level is also readily achieved using off-the-shelf resources. Provisioning can be accomplished using Microsoft’s FIM or Gemalto’s cloud-based provisioning and life cycle management solutions, for example, as well as services from other providers.
To provide the advanced authentication service for either OTP tokens or smart cards, you will need to add a Versatile Authentication Server, a system that connects into your core infrastructure to handle the authentication process initiated from end user devices and authenticators. Inbound requests are routed to the authentication server, verified or rejected, and the result is passed back to the host system. The VPN and network access systems then need to be configured to work with the Versatile Authentication Server and to require OTP or smart card certificate authentication for successful access. OTP deployment calls for special measures to support high availability and provide a redundant backup of the authentication service. For smart card certificates, Microsoft Active Directory ensures redundancy. Consideration should also be given to using a hardware appliance for the authentication server in high performance environments. You will need to establish a thorough provisioning process that strongly binds credentials to an individual user, something mandated by the security policy. Another important step is to develop secure and thorough exception processes and backup access methods for common user situations such as forgotten, lost and stolen credentials. Finally, as in any significant process change, implement change management and user training and education initiatives.


Upgrade desktops, laptops and police cars to work with authenticators
As stated earlier, a big advantage of OTP tokens is that no change is needed at the user device level to implement advanced authentication. The OTP token is a small, unconnected device; the user enters the one-time password through the keyboard. This is one reason why many organizations that implement advanced authentication start with OTP. To use smart cards with digital ID certificates, the end user inserts the ID card into a reader and then enters a PIN code or uses a biometric reader to unlock the card. The smart card establishes an advanced authentication secure session with CJIS or other host systems. The card stays in the reader for the duration of the secure session; removing the card ends the session. Two things are required at the user device level to implement smart card certificates:
> A smart card reader: a device to read and accept the smart card must be built into laptops or keyboards, or an inexpensive USB reader can be added
> Client-level middleware: typically involves setting up features available in Microsoft Windows that enable advanced authentication at the user device; working transparently to the end user, the program interacts with the authenticator, the VPN if present, the host network and the authentication server to ensure positive identity verification and encryption of all communications

Summing Up – Advanced authentication is essential to protecting CJI
Every week brings new stories of leading companies whose reputations, and their customers’ personal or financial information, are damaged by data breaches, a problem that can be prevented by using advanced authentication. It is evident that username and password authentication is simply not a secure way to protect CJI. Making an OTP token or certificate-based smart card ID credential part of your login procedure can prevent data loss and protect confidential CJI. Using these technologies is not only a mandate of the CJIS security policy; in these times of criminal hackers, hacktivists and potentially cyber warfare, advanced authentication is now an essential tool for law enforcement information security at every level of government.


Thank you for reading
The purpose of this brief was to give you an overview of the CJIS security policy’s advanced authentication mandate, why it is needed and how you can implement it to maximize security. We hope these ideas can help you start planning new possibilities for an advanced authentication security IT strategy to better protect your organization. What did you find most useful? What would you like to know more about? We look forward to hearing your feedback and questions. Where do you go from here? To start, we hope you share this brief with your colleagues. Work with your management to make sure they understand the threats and rationale, as well as the CJIS mandate, for implementing strong authentication, and what that will do to strengthen the security of your IT infrastructure. In the case of smart card ID credentials, it will also dramatically increase your identity and physical access control security.


When the time is right, consider contacting us. Gemalto’s Protiva family and Defender Suite for law enforcement applications offer a full spectrum of strong authentication solutions, from OTP to PKI credentials in cards or tokens. Our Protiva Strong Authentication Server fits simply into your infrastructure, and is fully integrated into Microsoft’s identity and access management solutions. Gemalto gives you many options for deployment, from enabling your in-house management to cloud-based services for hosting of provisioning on-boarding. We would be delighted to make specific recommendations for your situation, and provide you with more detailed information about what we have to offer and how we work. Do not hesitate to contact us in whichever way suits you best. Contact information for our offices worldwide can be found at http://www.gemalto.com/php/office_search.php.


© 2012 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto NV and are registered in certain countries. May 2012.

The world leader in digital security
