Sunday, June 28, 2015

CIS 608-301 - Week 3 Blog Post: Thoughts on Network Identity Management

The federal government is moving towards full adoption of a Personal Identity Verification (PIV) Card, and the Department of Defense (DoD) adopted the Common Access Card (CAC) as the basis of identification on its networks, in response to Presidential Directive 12 after the 9/11 attacks in 2001. The goal of this effort was to bolster the security of federal and DoD networks against attack. The National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-76-2 to detail Biometric Specifications for Personal Identity Verification (National Institute of Standards and Technology, 2013). The document discusses how to obtain biometric data, including multiple types of biometric data, as well as how to encode PIV cards with that data.

These various cards are intended to be used to access network resources whether the user is physically at the site or is utilizing remote access. Unfortunately, users leveraging remote access may be able to use any computer, not necessarily a government-issued and secured one. All one needs to use a PIV or CAC from any system is proper middleware and a card reader, both of which are usually available. The counter to this is that network access control (NAC) solutions are required for network access, both on site and remote. In practice, however, they are often either not procured or too difficult to manage and keep working properly, and thus simply sit around not performing the NAC function.

Utilizing unsecured computers for remote access is a major concern when using CAC or PIV cards (PoweredbySSI, 2014). There are a number of attack vectors, including visual counterfeiting, skimming, sniffing, social engineering, and electronic cloning. Another attack vector is malicious code (Lawton, 2012). A virus named “Sykipot” attacks the middleware of card readers and installs a key-logger to steal the PIN, and then steals data from the card while it is still in the reader. Given the ongoing revelations in the media of hacking of government websites, such as the recent massive Office of Personnel Management (OPM) data breach (Nakashima, 2015), it is likely that most sites do have holes in their security that could allow one or more of these attacks to succeed on a network when remote access is not in use.


One interesting note about these cards is that, when implemented, they are typically configured with a 6 to 8 digit PIN for access, thus providing two-factor authentication (something you have and something you know). However, the second factor does not necessarily need to be a PIN; it could be anything, such as a fingerprint. Apple has incorporated this fingerprint technology on its iPhone devices for access, and it could conceivably be ready for wide deployment in the future. Given the number of attack vectors and the ease with which the access code can be obtained, individuals using these cards should be very wary of such a development for fear of losing biometric data.

Works Cited

Lawton, S. (2012, 1 18). DoD ID cards under attack. Retrieved 6 26, 2015, from scmagazine.com: http://www.scmagazine.com/dod-id-cards-under-attack/article/223625/
Nakashima, E. (2015, 6 18). Washington Post. Retrieved 6 20, 2015, from washingtonpost.com: http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/officials-chinese-had-access-to-u-s-security-clearance-data-for-one-year/
National Institute of Standards and Technology. (2013, 7). NIST.org. Retrieved 6 26, 2015, from Biometric Specifications for Personal Identity Verification: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-76-2.pdf
PoweredbySSI. (2014, 4 3). poweredbyssi.com. Retrieved 6 26, 2015, from poweredbyssi.com: http://poweredbyssi.com/smart-cards-are-not-the-solution-to-identity-theft-the-resolution-is-verifiable-identity-authentication-says-saas-software-inc-ssi/
