Digital Version of March/April 2015
Digital Version of January/February 2015 Print Edition
Advanced authentication: New requirements restrict access to Criminal Justice Information Security (CJIS) database
Mike Moir of Entrust
Despite a strained economy, contracting budgets and scarce resources, law enforcement agencies are still obligated to stay on mission to protect citizens.
To continue to protect and serve, investigative tools are a critical component in the law enforcement equation. To that end, both state and local agencies must be able to access information within the FBI’s Criminal Justice Information Service (CJIS) database, which holds virtually all criminal justice information submitted from state, county and municipal law enforcement. This data allows personnel to properly identify individuals, make informed choices about who can purchase weapons and provides other pertinent information that helps safeguard society.
Due to the sensitive nature of this information, controlling access to the CJIS database is a top priority. The latest CJIS Security Policy now requires advanced security authentication measures to be in place from non-secure locations (e.g., field vehicles) for a user to access and share criminal justice information on individuals, stolen property, criminal organizations, etc. Prior to this newly-added requirement, Section 22.214.171.124 of the CJIS Security Policy already clearly defined how passwords are to be created, maintained and changed. Therefore, many law enforcement agencies are probably thinking, “Why is CJIS now requiring advanced authentication from non-secure locations? We don’t have budget for this. Is it really necessary? Passwords are effective, aren’t they?” As it turns out, Yes, it is necessary, and No, passwords are not effective.
Information housed and organized in the CJIS database helps law enforcement agencies make educated decisions and contains sensitive information that could prove harmful if it lands in the wrong hands. For this type of information, passwords simply aren’t enough protection.
The trouble with passwords
With online users challenged to remember more passwords every day, users often forget them and in turn create passwords that are easy to remember. Passwords, such as children’s names or re-used passwords from multiple sites, have unfortunately become the status quo. Although many people are very strict about protecting a password when logging onto an online bank account, they may not take the same precautions when logging into Facebook. And, if the passwords are the same, that user has created a serious vulnerability.
There are almost as many proven ways to compromise passwords as there are ways to protect them. The most simple is “shoulder surfing,” or the act of simply watching someone type in their password. For more savvy hackers, Trojans, Keyloggers or other malware can be installed onto a network from a variety of sources, such as an employee clicking on a compromised link in email, visiting a compromised Website, file-sharing with an unauthorized user or hacking. Once a system is compromised, these programs begin collecting usernames and passwords, and then pass them to the criminals without the user’s knowledge. By taking advantage of a breach in security, a hacker can also plug in a low-cost micro-controller hidden in a keyboard or mouse to capture plaintext passwords, hashed passwords and other data.
An evolution of hacks
A relatively newer and more sophisticated technique is the use of “rainbow tables.” When a computer user sets a password on any system, the password is stored in a hashed format, similar to a numerical representation of the plaintext password. When a user logs in, the hash of the entered password is compared to the hash of the stored password.
Today, hackers can purchase extremely large external hard drives on black market Websites that are fully loaded with billions of plaintext passwords along with the hashed equivalent (i.e., rainbow tables). Alternatively, hackers can download free software to create their own rainbow tables. When the hacker gains possession of a hashed password, it can take only minutes to search the rainbow table and find the plaintext equivalent.
Once a hacker has access to the CJIS system, they can steal personal information, change or delete past offenses, or put the public and law enforcement at risk. To combat cyber-criminals from gaining access to the network, CJIS now requires two-factor authentication for an additional level of security, making it much harder for unauthorized users to gain access to the network. This is especially important when an accessing the CJIS database from non-secure locations, including police cars, etc.
Choosing the right authentication method
There are a number of factors a law enforcement agency should consider when choosing an authenticator. It is important to remember that today’s requirements may not be the requirements of tomorrow. Selecting a platform that supports a number of proven methods means different authenticators can be issued to different user groups, based on the level of risk associated with their position, unique requirements and expense.
While a single authentication solution might meet immediate requirements, it is highly recommended to “future proof” security technology as much as possible to preserve precious resources and adapt to an escalating threat environment. Finally, consider how easily the solution can be integrated into the existing infrastructure. The authenticator should be simple to administer and allow the user to perform self-administration tasks (self service) to reduce the administrative burden and improve the usability for the users.