Sample NVA Report 229
across multiple platforms and link them to a single entity. It would also be
nearly impossible to trace an event to an individual or group. These events
are occurring, as Your Company noted, during some of the VULNERABILITY
ASSESSMENT tests. User IDs and passwords only provide single-factor
identification. In systems where the value of the resource justifies stronger
authentication and the ability to trace a user identity, there must be at least
two-factor authentication: one factor that is unique to the individual and one
generated randomly at the time credentials are presented. An I&A service,
with a time service such as the one CLIENT already has, can also address
one of the more difficult problems that exists in modern networked
environments: the issue surrounding the time of a change in privilege versus
the time of privilege usage.
The problem, known as TOCTOU (Time of Change versus Time of Use),
comes from a practice during the old mainframe days where the privilege a
user has is granted at log-in. The user privileges were managed by the system's
Reference Monitor, which was an integral part of the operating system.
Therefore, any change in the user's privilege level was immediately enforced
by the operating system, so there was no period of time when the user's privileges
that were in effect did not match the privileges that the user was invoking.
In networked environments, the practice still exists of granting privilege at
the time of log-in. However, because there is no centralized Reference Monitor
that is directly tied into each and every operating system on the network, a
change in the user’s privilege level is not registered until the user logs off the
network and then logs back on. This is the TOCTOU problem. Identification
and Authentication services, when coupled with a time service, can resolve
this issue in that they force users to present their credentials before accessing
any resource on the network. This provides a chance for the privileges to be
checked, as well as ensuring the authenticity of the identity of the user ID
accessing the resource.
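The following is an added illustration, not code from the report or from CLIENT's environment, of the TOCTOU gap described above. A session that copies its privileges at log-in keeps honouring them after an administrator revokes one; a session that re-checks the authoritative privilege store at time of use, stamped by a shared time service, does not. The user names, privilege names, the `TimeService`, and the two session classes are all assumptions constructed for this example.

```python
"""Added example (not from the report): privileges cached at log-in go
stale, while a time-of-use check against the authoritative store does not.
All names and the sample policy below are constructed for illustration."""
from dataclasses import dataclass, field

# Authoritative privilege store, standing in for the Reference Monitor's
# view of who may do what. Constructed sample data.
POLICY: dict[str, set[str]] = {}

# A single logical clock shared by every component, so that the audit
# trail orders the revocation and the later access unambiguously.
class TimeService:
    def __init__(self) -> None:
        self._t = 0

    def now(self) -> int:
        self._t += 1
        return self._t

CLOCK = TimeService()
AUDIT: list[tuple] = []   # (time, event, user, privilege, outcome)


def revoke(user: str, privilege: str) -> None:
    """Administrative change, effective immediately in the store."""
    POLICY[user].discard(privilege)
    AUDIT.append((CLOCK.now(), "revoke", user, privilege, None))


@dataclass
class CachedSession:
    """Network-style session: privileges are copied once at log-in and not
    re-read until the user logs off and back on. This is the TOCTOU gap."""
    user: str
    privileges: set[str] = field(default_factory=set)

    def login(self) -> None:
        self.privileges = set(POLICY[self.user])

    def allowed(self, privilege: str) -> bool:
        decision = privilege in self.privileges
        AUDIT.append((CLOCK.now(), "cached-access", self.user, privilege, decision))
        return decision


@dataclass
class MonitoredSession:
    """I&A-style session: identity is established at log-in, but every
    access re-checks the authoritative store at time of use."""
    user: str
    authenticated: bool = False

    def login(self) -> None:
        self.authenticated = True

    def allowed(self, privilege: str) -> bool:
        decision = self.authenticated and privilege in POLICY[self.user]
        AUDIT.append((CLOCK.now(), "checked-access", self.user, privilege, decision))
        return decision


def demonstrate_toctou() -> tuple[bool, bool]:
    """Return (cached_decision, checked_decision) for a write attempted
    after the privilege was revoked mid-session."""
    POLICY["alice"] = {"read:payroll", "write:payroll"}   # reset for repeat runs
    AUDIT.clear()
    cached, monitored = CachedSession("alice"), MonitoredSession("alice")
    cached.login()
    monitored.login()
    revoke("alice", "write:payroll")   # change happens while alice is logged in
    return cached.allowed("write:payroll"), monitored.allowed("write:payroll")


if __name__ == "__main__":
    stale, fresh = demonstrate_toctou()
    print(f"cached session still permits write: {stale}")   # True
    print(f"time-of-use check permits write:    {fresh}")   # False
    for entry in AUDIT:
        print(entry)
```

The audit list shows the revocation stamped before the access that the cached session still grants, which is exactly the trace the report wants an I&A service with a time service to provide.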
Intrusion Detection
Because of CLIENT’s open and fluid environment and the fact that new
network-based threats are identified almost daily, an effective means to detect,
react, and manage events is necessary. An IDS (intrusion detection system)
to identify suspect activity and alert someone of the risk is becoming an
increasingly critical part of security architecture. In most environments, this
would be coupled with segmentation of network resources across internal
firewalls or centralized I&A services. While segmentation may not be feasible
within the current CLIENT trust model and architecture, I&A services as well
as increased auditing are possible.
An IDS that can conduct profiling as well as one that utilizes signatures
would most likely be the best fit for CLIENT. The profiling of users, especially
after the implementation of an I&A service, would allow for anomalous activity
to be detected immediately and would allow for an automated review of
various system logs that are not being properly reviewed at this time.
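To show what the combination of signature matching and user profiling described above looks like over system logs, here is an added example that is not part of the report and not a product CLIENT uses. It builds a per-user baseline of working hours and hosts from a small constructed training log, then runs new constructed log lines through two checks: a handful of regular-expression signatures (including a failed-login count threshold) and a profile check that flags activity outside the user's baseline. The log format, users, hosts, signatures and threshold are all assumptions made up for the illustration.

```python
"""Added example (not from the report): a toy IDS combining signature
matching with per-user profiling. All log lines below are constructed."""
import re
from collections import defaultdict

# Constructed baseline log used to learn each user's normal behaviour.
# Fields: (user, hour of day, host, message)
BASELINE = [
    ("alice", 9, "fileserver", "GET /reports/q1.pdf"),
    ("alice", 10, "fileserver", "GET /reports/q2.pdf"),
    ("alice", 14, "mail", "LOGIN ok"),
    ("bob", 8, "mail", "LOGIN ok"),
    ("bob", 17, "mail", "LOGIN ok"),
]

# Constructed lines to inspect after the baseline is learned.
NEW_EVENTS = [
    ("alice", 10, "fileserver", "GET /reports/q3.pdf"),   # normal
    ("alice", 3, "payroll", "GET /admin/export"),          # off-hours, new host
    ("bob", 9, "mail", "GET /../../etc/passwd"),           # signature match
    ("bob", 9, "mail", "LOGIN failed"),
    ("bob", 9, "mail", "LOGIN failed"),
    ("bob", 9, "mail", "LOGIN failed"),                    # third failure
]

# Assumed signatures: known-bad patterns matched against the message text.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "failed_login": re.compile(r"LOGIN failed"),
}
FAILED_LOGIN_THRESHOLD = 3   # assumed: alert on the third failure per user


def build_profiles(events):
    """Per-user baseline: observed hour range and set of hosts."""
    profiles = {}
    for user, hour, host, _ in events:
        p = profiles.setdefault(user, {"min_hour": hour, "max_hour": hour, "hosts": set()})
        p["min_hour"] = min(p["min_hour"], hour)
        p["max_hour"] = max(p["max_hour"], hour)
        p["hosts"].add(host)
    return profiles


def analyse(events, profiles):
    """Return a list of (kind, name, user) alerts for the given events."""
    alerts = []
    failed = defaultdict(int)
    for user, hour, host, msg in events:
        # Signature check: exact patterns, with a count threshold for failures.
        for name, pattern in SIGNATURES.items():
            if not pattern.search(msg):
                continue
            if name == "failed_login":
                failed[user] += 1
                if failed[user] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("signature", name, user))
            else:
                alerts.append(("signature", name, user))
        # Profile check: anything outside the learned baseline is anomalous.
        prof = profiles.get(user)
        if prof is None:
            alerts.append(("profile", "unknown_user", user))
            continue
        if not (prof["min_hour"] - 1 <= hour <= prof["max_hour"] + 1):
            alerts.append(("profile", "unusual_hour", user))
        if host not in prof["hosts"]:
            alerts.append(("profile", "unusual_host", user))
    return alerts


def run_demo():
    """Learn the baseline, analyse the new events, return the alerts."""
    return analyse(NEW_EVENTS, build_profiles(BASELINE))


if __name__ == "__main__":
    for kind, name, user in run_demo():
        print(f"[{kind}] {name}: {user}")
```

Signatures catch what is already known to be bad; the profile check is what surfaces the off-hours access to an unfamiliar host that no signature would describe, which is the case the report makes for pairing the two once an I&A service makes user identity reliable.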