Wednesday, April 3, 2013

Single Sign-On


In the same series on security I would like to cover another important aspect: Single Sign-On (SSO). We have all noticed that in the last few years organizations have been focusing on this feature. It is a process in which a single act of user authentication permits the user to access all the computers and systems to which that user has been granted permission, without having to enter passwords multiple times. Note that SSO centralizes authentication (proving who the user is); authorization (what the user may do) is still decided per application, ideally against the identity that the SSO system asserts. Single sign-on reduces human error, which can be considered one of the components of system failure, and is therefore highly popular. It is also called Enterprise Single Sign-On (ESSO) when it covers authentication within the enterprise as well as across other authorized enterprises (federation).
Let’s take the example of an organization that uses SSO software. Using SSO, the organization can give all its users access to low-risk information and multiple enterprise portals with one login. This reduces the number of times employees sign in, which results in higher productivity and better security. However, when the same user tries to access a higher-risk application or data set, for example a payroll system, the single sign-on software demands a stronger form of authentication (step-up authentication), which may include digital certificates, security tokens, smart cards, biometrics, etc. A good implementation also treats the strong factor as fresh only for a limited time, so that an idle session cannot be reused for the sensitive application hours later.
Apart from this, there are a few more benefits: a uniform enterprise authentication and authorization policy across the organization; improved security reporting and auditing, as end-to-end user audit trails are maintained in one place; a reduced burden on developers, who no longer have to implement identity handling in each application; and, last but not least, cost savings due to fewer help desk calls for password resets.
Now that we are aware of the SSO concept, let’s see its impact if it is not implemented properly. A single sign-on system can become a single point of failure if it is not properly designed. Even if an application itself is running properly, if the SSO system goes down no user will be able to access any resource or application secured by it. Many organizations have experienced this condition, which also results in productivity loss. Therefore, it is recommended that an organization’s single sign-on system have a good and well-tested failover and disaster recovery design. The same concentration applies to compromise: one stolen SSO password or session cookie now opens every connected application, so the SSO system’s own credentials, session lifetimes and logging deserve stricter treatment than those of any single application.
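The step-up policy described above, as an added illustration in Python (not code from any SSO product or from the original post): a session remembers which factors were verified and when, low-risk applications accept a password-only session, and the payroll application requires a strong factor that was presented recently. The factor names, assurance levels, application list, session lifetime and ten-minute freshness window are all assumptions chosen for the example.

```python
"""Toy SSO access check with step-up authentication (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict

# Assumed assurance level contributed by each factor (higher is stronger).
FACTOR_LEVEL = {"password": 1, "otp_token": 2, "smart_card": 3, "biometric": 3}

# Assumed required level per application; "payroll" is the high-risk system.
APP_REQUIRED_LEVEL = {"intranet_portal": 1, "wiki": 1, "payroll": 3}

SESSION_LIFETIME = timedelta(hours=8)      # assumed absolute session lifetime
STEP_UP_FRESHNESS = timedelta(minutes=10)  # assumed: strong factors expire quickly


@dataclass
class Session:
    user: str
    issued_at: datetime
    # factor name -> time at which the SSO system verified it
    factors: Dict[str, datetime] = field(default_factory=dict)

    def level_at(self, now: datetime) -> int:
        """Highest assurance level that is still fresh at `now`.

        A password (level 1) holds for the whole session; any stronger factor
        only counts if it was verified within STEP_UP_FRESHNESS.
        """
        level = 0
        for factor, verified_at in self.factors.items():
            factor_level = FACTOR_LEVEL[factor]
            if factor_level == 1 or now - verified_at <= STEP_UP_FRESHNESS:
                level = max(level, factor_level)
        return level


def check_access(session: Session, app: str, now: datetime) -> str:
    """Return ALLOW, STEP_UP, REAUTHENTICATE or DENY for one access request."""
    if app not in APP_REQUIRED_LEVEL:
        return "DENY"                      # unknown application: fail closed
    if now - session.issued_at > SESSION_LIFETIME:
        return "REAUTHENTICATE"            # whole session has expired
    if session.level_at(now) >= APP_REQUIRED_LEVEL[app]:
        return "ALLOW"
    return "STEP_UP"                       # ask for a stronger factor first


def step_up(session: Session, factor: str, now: datetime) -> None:
    """Record that the SSO system just verified an additional factor."""
    if factor not in FACTOR_LEVEL:
        raise ValueError(f"unknown factor {factor!r}")
    session.factors[factor] = now


if __name__ == "__main__":
    t0 = datetime(2013, 4, 3, 9, 0)
    s = Session("alice", t0, {"password": t0})
    print("portal:", check_access(s, "intranet_portal", t0))   # ALLOW
    print("payroll:", check_access(s, "payroll", t0))          # STEP_UP
    step_up(s, "smart_card", t0 + timedelta(minutes=5))
    print("payroll after card:", check_access(s, "payroll", t0 + timedelta(minutes=6)))
```

The point to take from the freshness window is that "has a smart card" is not a property of the user but of a recent event; without the window, one card tap at 9:00 would silently open payroll for the whole eight-hour session.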
I found a good resource that organizations should review before implementing an SSO system. It is titled “101 things to know about Single Sign On”: http://www.authenticationworld.com/Single-Sign-On-Authentication/101ThingsToKnowAboutSingleSignOn.pdf

Denial of Service (DoS)


In today’s complex IT environment, organizations are looking for a secure infrastructure. In order to implement the highest level of security, organizations spend a lot on security equipment and software, trying to reduce complexity and increase the confidentiality of their resources. As technology advances and makes it harder for attackers to breach security, the attackers keep pace with the security experts and keep finding more innovative ways to crack it.
In this post I will cover one of the most common attacks organizations face. You must have heard of Denial of Service (DoS): an attack in which an effort is made to exhaust a computer’s or a network’s resources, for example by planting malicious software on the target or by flooding the network with excessive or malformed traffic. Such attacks can be classified into two forms, host-based attacks (crashing or overloading a system) and network-based attacks (saturating links or devices). DoS attacks consume resources such as bandwidth, CPU, memory or disk space so that a service is no longer available to its legitimate users.
Some of the common forms of denial of service attacks are:

Ping of death
In this case, the attacker sends an ICMP echo request (ping) that, once its fragments are reassembled, is larger than the maximum IPv4 datagram size of 65,535 bytes. Older systems allocated a fixed-size reassembly buffer and crashed when the oversized packet overflowed it.
Ping flood
In this case, the attacker swamps the victim’s network with ICMP Echo Request packets. A flood of ping traffic consumes significant bandwidth on low- to mid-speed networks, slowing the network to a crawl; each request also triggers an echo reply, so the victim’s outbound bandwidth is consumed as well.
Smurf attack
In this case, the attacker sends repeated ICMP echo requests to the broadcast address of an intermediary network, with the source address forged to be the victim’s. Every host on that network replies to the victim, so the attack is amplified by the number of hosts that answer. Networks protect themselves from being used as amplifiers by not forwarding directed broadcasts.
Teardrop attack
In this case, the attacker sends IP fragments that cannot be reassembled cleanly: the fragment offset of a succeeding fragment is set so that it overlaps the data of the previous one. If the receiving system’s reassembly code does not handle overlapping fragments correctly, it may crash.
Mail bomb
In this case, the attacker sends a large number of email messages with large attachments to a particular mail server. Filling up the disk space (or the mailbox quota) results in denied email service to other users.
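Two of the attacks above, ping of death and teardrop, are both visible in the IPv4 fragment headers alone, so the check a host or an inline filter needs is a reassembly sanity check. The following is an added example in Python, not code from the post or from any real IP stack: it builds a few fragments with constructed headers (20-byte header, no options, dummy payloads; all assumptions for the example), parses the total length, identification, flags and fragment offset back out, and reports whether the set would overlap or exceed 65,535 bytes when reassembled.

```python
"""Flag ping-of-death and teardrop fragment sets from IPv4 headers (added example)."""
import struct

IPV4_MAX = 65535   # maximum IPv4 datagram size, header included
HDR_LEN = 20       # assumed: header without options
IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags+offset, ttl, proto, csum, src, dst


def build_fragment(ident: int, offset_units: int, payload_len: int, more: bool) -> bytes:
    """Construct one fragment: minimal IPv4 header plus a zero payload (sample data)."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)  # MF flag + 13-bit offset
    header = struct.pack(IPV4_FMT, 0x45, 0, HDR_LEN + payload_len, ident, flags_frag,
                         64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + b"\x00" * payload_len


def parse_fragment(pkt: bytes) -> dict:
    """Pull the fields that matter for reassembly out of a raw IPv4 packet."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_FMT, pkt[:HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes
    return {
        "id": ident,
        "proto": proto,
        "offset": (flags_frag & 0x1FFF) * 8,     # offset is carried in 8-byte units
        "len": total_len - ihl,                  # payload bytes in this fragment
        "more": bool(flags_frag & 0x2000),
    }


def check_fragments(packets) -> list:
    """Return the findings for the fragments of one datagram.

    'teardrop'      - a fragment starts inside data already covered by an earlier one
    'ping_of_death' - the reassembled datagram would exceed IPV4_MAX bytes
    """
    frags = sorted((parse_fragment(p) for p in packets), key=lambda f: f["offset"])
    findings = set()
    end_seen = 0                                 # highest payload byte covered so far
    for f in frags:
        if f["offset"] < end_seen:
            findings.add("teardrop")
        end_seen = max(end_seen, f["offset"] + f["len"])
    if end_seen + HDR_LEN > IPV4_MAX:
        findings.add("ping_of_death")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample sets: a normal fragmented ping, an oversized one, an overlapping one.
    normal = [build_fragment(1, 0, 1480, True), build_fragment(1, 185, 1480, True),
              build_fragment(1, 370, 100, False)]
    oversized = [build_fragment(2, 0, 1480, True), build_fragment(2, 8191, 40, False)]
    overlapping = [build_fragment(3, 0, 36, True), build_fragment(3, 3, 24, False)]
    for name, frags in (("normal", normal), ("oversized", oversized), ("overlapping", overlapping)):
        print(name, check_fragments(frags))
```

The oversized set uses the largest possible offset (8191 units, i.e. byte 65528) with a 40-byte payload, which is exactly how the original ping of death worked: no single fragment is illegal, only the sum is. A real reassembler would also have to enforce a timeout and a memory cap per datagram, since an attacker can send endless first fragments that never complete.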


Attacking a victim from multiple compromised computers is called a DDoS (Distributed Denial of Service). The attacker installs a virus or Trojan on the compromised systems and uses them to flood the victim’s network with more traffic than the victim’s servers and links can handle. This type of attack is sometimes termed a coordinated attack, as it generally involves three parties: the offender (who plans the attack), the helpers (compromised, poorly secured computers, often called bots or zombies) and the victim (the person or organization being attacked).
To limit such attacks, organizations should use real-time filters such as firewalls and filtering routers to rate-limit or block the traffic and Internet services that are being abused, for example ICMP echo requests, directed broadcasts and fragments that cannot be reassembled. Note that a filter at the organization’s own edge cannot help once the upstream link itself is saturated; volumetric floods have to be filtered further upstream, by the ISP or a scrubbing service.

Another solution, for application-layer abuse, is using CAPTCHAs in your applications. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It is a program that protects websites against automated software and illicit users by generating tests that humans can easily pass but current computer programs cannot.


If a user enters wrong credentials multiple times, the server returns an error message indicating a failed login, followed by a CAPTCHA. Before the user is granted access to the login screen again, as shown in the figure above, the CAPTCHA is verified. This approach blocks automated requests at the initial stage itself and protects the login form from password guessing; it does not, however, help against network-level floods, which never reach the application.
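The failed-login flow just described, as an added example in Python (not the post’s own code): a small guard that counts recent failures per account and per client address, demands a CAPTCHA once either counter reaches a threshold, and only then checks the password again. The threshold, the five-minute window, the sample credentials and the `captcha_solved` flag are assumptions; in a real deployment that flag would be the result of verifying the CAPTCHA response with the CAPTCHA service.

```python
"""Demand a CAPTCHA after repeated failed logins (added example)."""
from collections import defaultdict, deque

FAIL_THRESHOLD = 3      # assumed: failures before a CAPTCHA is required
WINDOW_SECONDS = 300    # assumed: failures older than this are forgotten


class LoginGuard:
    def __init__(self, verify_password):
        # verify_password(username, password) -> bool is supplied by the application
        self._verify_password = verify_password
        # key -> timestamps of recent failures; keyed by ("user", name) and ("ip", addr)
        self._failures = defaultdict(deque)

    def _recent(self, key, now):
        """Drop failures outside the window and return the remaining ones."""
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def captcha_required(self, username, client_ip, now) -> bool:
        # Count per account AND per address, so that an attacker rotating
        # usernames from one address, or rotating addresses against one
        # account, still trips the check.
        return (len(self._recent(("user", username), now)) >= FAIL_THRESHOLD or
                len(self._recent(("ip", client_ip), now)) >= FAIL_THRESHOLD)

    def attempt(self, username, password, client_ip, now, captcha_solved=False) -> str:
        """Process one login attempt and return OK, FAILED or CAPTCHA_REQUIRED."""
        if self.captcha_required(username, client_ip, now) and not captcha_solved:
            return "CAPTCHA_REQUIRED"          # password is not even checked
        if self._verify_password(username, password):
            self._failures.pop(("user", username), None)   # account is clean again
            return "OK"
        self._failures[("user", username)].append(now)
        self._failures[("ip", client_ip)].append(now)
        return "FAILED"


if __name__ == "__main__":
    creds = {"alice": "correct horse"}          # constructed sample credentials
    guard = LoginGuard(lambda user, pw: creds.get(user) == pw)
    ip = "203.0.113.5"
    for t in range(3):
        print(t, guard.attempt("alice", "wrong", ip, now=t))            # FAILED x3
    print(3, guard.attempt("alice", "correct horse", ip, now=3))         # CAPTCHA_REQUIRED
    print(4, guard.attempt("alice", "correct horse", ip, now=4, captcha_solved=True))  # OK
```

Note that a successful login clears the account’s counter but not the address’s: a script that guessed one password from an address that has already produced several failures still has to solve CAPTCHAs for the next account it tries.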