Chapter 6: Security & Risks
The identity authentication system is a high-value target for attackers because compromising it grants access to all protected resources. A comprehensive security and risk framework must address threats at every layer: protocol weaknesses, implementation vulnerabilities, operational failures, and insider threats. This chapter presents a structured threat model, identifies the highest-priority attack vectors, defines mitigation controls, and maps requirements to major compliance frameworks including NIST SP 800-63, ISO 27001, PCI DSS, and SOC 2.
6.1 Threat Model
The STRIDE threat model provides a structured framework for identifying and categorizing threats to the identity authentication system. Each threat category maps to specific attack vectors and corresponding mitigations. The threat model should be reviewed annually and updated whenever significant architectural changes are made or new threat intelligence is received.
| STRIDE Category | Threat Description | Attack Example | Primary Mitigation | Risk Level |
|---|---|---|---|---|
| Spoofing | Attacker impersonates a legitimate user or device | Credential stuffing, pass-the-hash, rogue RADIUS server | MFA, EAP-TLS mutual auth, RADIUS server certificate validation | Critical |
| Tampering | Attacker modifies authentication data in transit or at rest | RADIUS packet manipulation, AD object modification | TLS for all RADIUS traffic (RadSec), AD audit logging, integrity monitoring | High |
| Repudiation | User or admin denies performing an action | Admin denies unauthorized config change, user denies session | Immutable audit logs, session recording, NTP-synchronized timestamps | High |
| Information Disclosure | Sensitive identity data exposed to unauthorized parties | RADIUS shared secret exposure, LDAP credential sniffing | LDAPS/TLS, strong RADIUS secrets, HSM for key storage | High |
| Denial of Service | Authentication service made unavailable | RADIUS flood attack, OCSP responder overload | Rate limiting, RADIUS cluster HA, OCSP stapling | Critical |
| Elevation of Privilege | Attacker gains higher access than authorized | VLAN hopping, TACACS+ bypass, PAM credential theft | Dynamic VLAN enforcement, TACACS+ command authorization, PAM MFA | Critical |
6.2 Top Attack Vectors and Mitigations
Based on real-world incident data and penetration testing findings, the following attack vectors represent the highest-priority risks for enterprise identity authentication systems. Each vector is accompanied by a detailed description, detection indicators, and a layered mitigation strategy that addresses prevention, detection, and response.
| Attack Vector | Description | Detection Indicators | Prevention | Detection & Response |
|---|---|---|---|---|
| Credential Stuffing | Automated use of breached username/password pairs against authentication endpoints | High auth failure rate from single IP; multiple accounts from same source | MFA mandatory; account lockout; IP rate limiting | SIEM alert on failure rate threshold; SOAR block + notify |
| Pass-the-Hash / Pass-the-Ticket | Attacker uses captured NTLM hash or Kerberos ticket without knowing plaintext password | Lateral movement from compromised host; unusual service ticket requests | Credential Guard; LAPS; restrict NTLM; tiered admin model | EDR detection; SIEM Kerberos anomaly rules; isolate host |
| Rogue RADIUS Server | Attacker deploys unauthorized RADIUS server to capture EAP credentials | New RADIUS server IP in logs; EAP-TTLS/PEAP auth from unknown server | Server certificate validation in supplicant; RADIUS server IP whitelist on switch | NAC anomaly detection; alert on new RADIUS server IP |
| RADIUS Shared Secret Brute Force | Attacker attempts to recover RADIUS shared secret from captured packets | Unusual RADIUS traffic patterns; failed auth from unknown NAS | Shared secret ≥ 32 random chars; rotate annually; use RadSec (TLS) | SIEM alert on unknown NAS; audit shared secret age |
| Certificate Theft / Misuse | Attacker steals a valid machine or user certificate for unauthorized access | Auth from unexpected device/location with valid cert; cert used after device decommission | Short cert lifetime (90 days); OCSP revocation; device binding in cert SAN | SIEM alert on cert usage anomaly; immediate revocation workflow |
| Insider Privilege Abuse | Authorized admin misuses privileged access for unauthorized purposes | Off-hours admin activity; commands outside normal role; access to sensitive segments | PAM session brokering; TACACS+ command authorization; SoD enforcement | PAM session recording; SIEM behavioral analytics; manager review |
6.3 Security Hardening Checklist
The following hardening checklist provides a prioritized set of security controls that must be implemented before production deployment. Controls are categorized by component and priority level, enabling project teams to track implementation status and demonstrate compliance during security reviews.
| Component | Control | Priority | Validation Method |
|---|---|---|---|
| RADIUS Server | RADIUS shared secrets ≥ 32 random characters; rotate annually | P1 - Critical | Config audit; entropy check |
| RADIUS Server | Enable RadSec (RADIUS over TLS) for all authenticators that support it | P1 - Critical | Packet capture verification |
| RADIUS Server | Restrict NAS IP whitelist; deny unknown authenticators | P1 - Critical | Config review; test with unknown NAS |
| RADIUS Server | Enable OCSP revocation checking with < 300 ms timeout | P1 - Critical | Test with revoked cert; verify rejection |
| AD/LDAP | Use LDAPS (TCP 636) only; disable plaintext LDAP (TCP 389) | P1 - Critical | Port scan; packet capture |
| AD/LDAP | Enable AD audit logging for all authentication and authorization events | P1 - Critical | GPO audit; SIEM log verification |
| PKI/CA | Offline root CA; sub-CA in HSM; air-gap root CA after issuance | P1 - Critical | Physical inspection; HSM audit |
| PKI/CA | Certificate lifetime ≤ 1 year for user/device certs; ≤ 90 days for high-security | P2 - High | CA template review |
| TACACS+ | Enable per-command authorization; deny all commands not explicitly permitted | P1 - Critical | Test with unauthorized command |
| PAM | MFA required for all PAM sessions; no bypass mechanism | P1 - Critical | Attempt session without MFA; verify block |
| All Servers | Management access via PAM jump server only; disable direct SSH/RDP | P1 - Critical | Direct SSH test; verify block |
| All Servers | NTP synchronization with authentication; max offset < 100 ms | P2 - High | NTP status check; offset measurement |
6.4 Compliance Framework Mapping
Enterprise identity authentication systems must satisfy requirements from multiple compliance frameworks simultaneously. The following mapping table aligns key authentication controls with specific requirements from NIST SP 800-63B, ISO/IEC 27001:2022, PCI DSS v4.0, and SOC 2 Type II. This mapping supports compliance reporting and audit evidence collection.
| Control Area | NIST SP 800-63B | ISO 27001:2022 | PCI DSS v4.0 | SOC 2 Type II |
|---|---|---|---|---|
| MFA for privileged access | AAL3 (hardware authenticator) | A.8.5 (Secure authentication) | Req 8.4.2 | CC6.1 |
| Password / credential policy | SP 800-63B §5.1 | A.5.17 | Req 8.3.6 | CC6.1 |
| Session management | SP 800-63B §7 | A.8.5 | Req 8.2.8 | CC6.1 |
| Audit logging | SP 800-92 | A.8.15 | Req 10.2 | CC7.2 |
| Log retention | NIST SP 800-92 | A.8.15 | Req 10.7 (12 months) | CC7.2 |
| Certificate management | SP 800-57 | A.8.24 | Req 4.2.1 | CC6.7 |
| Network segmentation | SP 800-125B | A.8.22 | Req 1.3 | CC6.6 |