Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
Release 11g (11.1.1)

Part Number E14568-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

11 OAAM Security and Autolearning Policies

This chapter describes the flows for the main scenarios in authentication and the policies and rules that are shipped with the product as part of the OAAM base snapshot. This chapter also includes autolearning policies that are shipped out of the box.

Policies are also included as separate policy files to import but they require that you import questions, entities, and patterns, and set up autolearning related properties.

11.1 Authentication Flow

Figure 11-1 shows the authentication flow of OAAM server when a user logs in to an application that is protected by Oracle Adaptive Access Manager.

Figure 11-1 Authentication Flow

The authentication flow is shown.

11.2 Forgot Password Flow

The Forgot Password flow allows the users to reset their password after successfully answering all challenge questions.

Figure 11-2 Forgot Password Flow

The Forgot Password flow is shown.

11.3 Reset Password (KBA-Challenge) Flow

Challenge Reset enables users to reset their challenge registration.

Figure 11-3 Reset Password

Reset password flow is shown.

11.4 OAAM Checkpoints and Responsibilities

The following table lists the OAAM checkpoints and their responsibilities.

Table 11-1 OAAM Checkpoints and Responsibilities

CheckPoint Name Responsibilities

Pre-Authentication

Determine if the request has to be BLOCKED

Device Identification

Determine how to identify the device

AuthentiPad

Determine which authentication pad to use

Post Authentication

Determine if the user has to be ALLOWED or BLOCKED

Registration

Determine which pieces of user information is pending registration

Challenge

Determine which mechanism to use to challenge the user

CSR KBA Challenge

Applicable when customer calls in for service. Reset settings is performed through CSR KBA Challenge.

Forgot Password

Activity to reset password performed based on challenge

Preferences

Sets the user information (Image, phrase, OTP settings, and so on)


11.5 Out-of-the-Box OAAM Policies

OAAM comes standard with out-of-the-box policies pre-built to detect suspicious activity.

11.5.1 Pre-Authentication Policies

Pre-authentication policies are summarized in this section.

11.5.1.1 OAAM Pre-Authentication

This policy stops fraudulent login attempts before the password is entered.

11.5.1.1.1 Policy Summary

Table 11-2 OAAM Pre-Authentication Policy Summary

Summary Details

Purpose

Stops fraudulent login attempts before the password is entered.

Scoring Engine

Maximum

Weight

100

Group Linking

All Users


11.5.1.1.2

OAAM Pre-Authentication Flow Diagram

Figure 11-4 OAAM Pre-Authentication Flow

OAAM Pre-Authentication Block is shown.
11.5.1.1.3

OAAM Pre-Authentication: Details of Rules

The table below shows the rule conditions and parameters in the OAAM Pre-Authentication Policy.

Table 11-3 OAAM Pre-Authentication Policy Rules Details

Rule Rule Condition and Parameters Results

Blacklisted Countries

Location: In Country group

Is In List = TRUE

Country in country Group=OAAM Restricted Countries

Action = OAAM Block

Alert = OAAM Restricted Country

Score = 1000

Weight = 100

Blacklisted devices

Device: Device in group

Is in group = TRUE

Device in group = OAAM Restricted Devices

Action = OAAM Block

Alert = OAAM Restricted Device

Score = 1000

Weight = 100

WEBZIP used

Device: Browser header substring

Substring to check = WEBZIP

Action = OAAM Block

Alert = OAAM Restricted Software

Score =1000

Weight = 100

Blacklisted IPs

Location: IP in group

Is in List = TRUE

IP List = OAAM Restricted IPs

Action = OAAM Block

Alert = OAAM Restricted IP

Score = 1000

Weight = 100

Blacklisted ISPs

Location: ISP in group

Is in List = TRUE

ISP List = OAAM Restricted ISPs

Action = OAAM Block

Alert = OAAM Restricted ISP

Score = 1000

Weight = 100

Blacklisted users

User: In Group

Is in group = TRUE

User Group = OAAM Restricted Users

Action = OAAM Block

Alert = OAAM Restricted User

Score = 1000

Weight = 100


11.5.1.1.4

Trigger Combinations

None

11.5.2 Authentication Pad Policies

The Authentication Pad policy is summarized in this section.

11.5.2.1 OAAM AuthenticationPad

This policy determines the OAAM Authentication Pad to use.

11.5.2.1.1

OAAM AuthenticationPad Policy Summary

Table 11-4 OAAM AuthenticationPad Policy Summary

Summary Details

Purpose

Determines which OAAM Authentication Pad to use.

Scoring Engine

Average

Weight

100

Group Linking

All Users


11.5.2.1.2

OAAM AuthenticationPad Flow Diagram

Figure 11-5 OAAM AuthenticationPad Flow

OAAM Authentication Pad is shown.
11.5.2.1.3

OAAM AuthenticationPad: Details of Rules

The table below shows the rule conditions and parameters in the OAAM AuthenticationPad Policy.

Table 11-5 OAAM Authentication Pad Policy Rules Details

Rule Rule Condition and Parameters Results

Challenge SMS

Session: Check value in comma separated values

Parameter Key = AvailableChallengeTypes

Value to Check = ChallengeSMS

Return if in list = TRUE

Action = OAAM Text Pad

Alert = NONE

Score = 0

Registered Image and Caption

User: Authentication Image Assigned

Is Assigned = TRUE

Action = OAAM Personalized Pad

Alert = NONE

Score = 0

Key Pad User

User: Authentication Mode

Authentication Mode is = Full Keypad

Action = OAAM KeyPad

Alert = NONE

Score = 0

Challenge Email

Session: Check value in comma separated values

Parameter Key = AvailableChallengeTypes

Value to Check = ChallengeEmail

Return if in list = TRUE

Action = OAAM Text Pad

Alert = NONE

Score = 0

Register Challenge Question

Session: Check value in comma separated values

Parameter Key = AvailableChallengeTypes

Value to Check = RegisterChallengeQuestion

Return if in list = TRUE

Action = OAAM Question Pad

Alert = NONE

Score = 0

Check if mobile browser is used

DEVICE: Check if device is using Mobile Browser

Mobile Browsers Group = OAAM Mobile Browsers Group

Default Return Value = FALSE

Action = NONE

Alert =OAAM Mobile Users

Score = 0

Challenge Question

Session: Check value in comma separated values

Parameter Key = AvailableChallengeTypes

Value to Check = ChallengeQuestion

Return if in list = TRUE

Action = OAAM Question Pad

Alert = NONE

Score = 0


11.5.2.1.4

OAAM AuthenticationPad: Trigger Combinations

Table 11-6 OAAM AuthenticationPad Policy Trigger Combinations

Description Combination Detail Result

Empty in the snapshot (Detect Mobile Browser)

Check if Mobile Browser is Used = TRUE

Challenge SMS = Any

Registered Image and Caption =Any

Key Pad User = Any

Challenge Email = Any

Challenge Question = Any

Register Challenge Question = Any

Action = OAAM HTML Pad

Alert = NONE

Score = 0

Empty in the snapshot (Unregistered Users)

Check if Mobile Browser is Used = Any

Register Challenge Question = Any

Challenge SMS = FALSE

Registered Image and Caption = FALSE

Key Pad User = FALSE

Challenge Email = FALSE

Challenge Question = FALSE

Action = OAAM Text Pad

Alert = NONE

Score = 0

Empty in the snapshot (Registered Users)

Register Challenge Question = Any

Check if Mobile Browser is Used = Any

Challenge SMS = FALSE

Registered Image and Caption = TRUE

Key Pad User = FALSE

Challenge Email = FALSE

Challenge Question = FALSE

Action = OAAM Text Pad Personalized

Alert = NONE

Score = 0


11.5.3 Post-Authentication Policies

This section summarizes the post-authentication policies.

11.5.3.1 OAAM Post-Authentication Security

This policy evaluates the level of risk after authentication is successful. The possible actions are Allow, Block, or Challenge.

11.5.3.1.1

OAAM Post-Authentication Security Policy Summary

Table 11-7 OAAM Post-Authentication Security Policy Summary

Summary Details

Purpose

Evaluates the level of risk after authentication is successful. The possible actions are Allow, Block, or Challenge.

Scoring Engine

Maximum

Weight

100

Group Linking

All Users


11.5.3.1.2

OAAM Post-Authentication Security Flow Diagram

Figure 11-6 OAAM Post Authentication Security Flow

OAAM Post Authentication Security is shown.
11.5.3.1.3

OAAM Post-Authentication Security: Details of Rules

The table below shows the rule conditions and parameters in the OAAM Post-Authentication Security Policy.

Table 11-8 OAAM Post Authentication Security Policy Rules Details

Rule Rule Condition and Parameter Values Results

Active Anonymizer

Location: IP in Group

Is in List = TRUE

IP in group = anonymizer_active

Action = OAAM Block

Alert = OAAM Active Anonymizer IP

Score = 1000

Suspect Anonymizer

Location: IP in Group

Is in List = TRUE

IP in group = anonymizer_suspect

Action = OAAM Challenge

Alert = OAAM Suspected Anonymizer IP

Score = 700

Unknown Anonymizer

Location: IP in Group

Is in List = TRUE

IP in group = anonymizer_active

Action = OAAM Challenge

Alert = OAAM Unknown Anonymizer IP

Score = 600

Private Anonymizer

Location: IP in Group

Is in List = TRUE

IP in group = anonymizer_private

Action = OAAM Challenge

Alert = OAAM Private Anonymizer IP

Score = 700

Risky Connection Type

Location: IP Connection Type in Group

Is in List = TRUE

Connection type in group = OAAM High Risk Connection Types

Action = OAAM Challenge

Alert = OAAM Risky Connection type

Score = 700

User Blocked Recently

User: Action Timed

Check Action = BLOCK

In seconds = 28800

More than = 2

Action = OAAM Challenge

Alert = User Blocked Recently

Score = 700

Maximum Users per Device

Device: User Count

Seconds Elapsed = 2592000

Max number of users allowed = 5

Action = OAAM Challenge

Alert = OAAM Device Multiple Users

Score = 500

Dormant IP

Location: IP Connection type in group

Is in List = FALSE

Connection type group = OAAM Mobile Connections

Location: IP Excessive Use

Number of Users = 4

Within (hours) = 24

And not used in days = 30

Action = OAAM Challenge

Alert = OAAM Dormant IP

Score = 500

Surge of Users from IP

Location: IP Connection type in group

Is in List = FALSE

Connection type group = OAAM Mobile Connections

Location: IP is AOL

Is AOL = False

Location: IP Maximum Users

Seconds Elapsed = 300

Max number of users = 3

Action = OAAM Challenge

Alert = OAAM IP Multiple Users

Score = 600

Risky countries

Location: In Country Group

Is in List = TRUE

Country in country group = OAAM Monitoring Countries

Action = OAAM Challenge

Alert = OAAM Monitored Country

Score = 500

Dormant Device

Device: Excessive Use

Number of Users = 4

Within (hours) = 24

And not used in (days) = 30

Action = OAAM Challenge

Alert = OAAM Dormant Device

Score = 500

Device with Many Failures

Device: Timed not status

Authentication status is not = SUCCESS

Within duration (seconds) = 28800

For more than 4 (times)

Action = OAAM Challenge

Alert = OAAM Many Failures from Device

Score =600

Maximum Devices per User

User: Check Devices Used

Maximum number of devices = 2

Within duration (seconds) = 28800

Action = OAAM Challenge

Alert = OAAM Max Devices for User

Score =300

Risky Device

Device: In List

Is in group= TRUE

Device in group = OAAM Risky Devices

Action = OAAM Challenge

Alert = OAAM Risky Device

Score = 700

Device Maximum Velocity

Device: Velocity from last login

Last Login within (Seconds) = 72000

Miles per Hour is more than = 600

Action = OAAM Challenge

Alert = OAAM Device Maximum Velocity

Score =700

Risky IP

Location: IP in group

Is in List = TRUE

IP List = OAAM Risky IPs

Action = OAAM Challenge

Alert = OAAM Risky IP

Score = 700


11.5.3.1.4

OAAM Post-Authentication Security: Trigger Combinations

None

11.5.3.2 OAAM Predictive Analysis

This policy harnesses the predictive capabilities of Oracle Data Miner. The rules in this policy are only functional if Oracle Data Miner is configured.

11.5.3.2.1

OAAM Predictive Analysis Policy Summary

Table 11-9 OAAM Predictive Analysis Policy Summary

Summary Details

Purpose

Harnesses the predictive capabilities of Oracle Data Miner. These rules are only functional if Oracle Data Miner is configured.

Scoring Engine

Maximum

Weight

100

Group Linking

Linked Users


11.5.3.2.2

OAAM Predictive Analysis Flow Diagram

Figure 11-7 OAAM Predictive Analysis Policy Flow

OAAM Predictive Analysis Policy is shown.
11.5.3.2.3

OAAM Predictive Analysis Policy: Details of Rules

The table below shows the rule conditions and parameters in the OAAM Predictive Analysis Policy.

Table 11-10 OAAM Predictive Analysis Policy Rules Details

Rule Rule Condition and Parameters Results

Predict if current session is fraudulent

USER: Check Fraudulent User Request

Classification Model = OAAM Fraud Request Model

Required Classification = Fraud

Minimum Value of Probability required = 0.70

Maximum Value of Probability required = 1.00

Default Value to return if error = FALSE

Action = NONE

Alert = OAAM Suspected Fraudulent request

Score = 700

Predict if current session is anomalous

USER: Check Anomalous User Request

Anomaly Model = OAAM Anomalous Request Model

Minimum Value of Probability required = 0.60

Maximum Value of Probability required = 1.00

Default Value to return if error = FALSE

Action = NONE

Alert = OAAM Anomalous Request

Score = 600


11.5.3.2.4

OAAM Predictive Analysis Policy: Trigger Combination

None

11.5.3.3 Auto-learning (Pattern-Based) Policy: OAAM Does User Have Profile

This policy checks if pattern autolearning is enabled and if a user has past behavior recorded. Users with enough recorded behavior are evaluated against their own profile while users without enough recorded behavior are evaluated against the profiles of all other users.

11.5.3.3.1

OAAM Does User Have Profile Policy Summary

Table 11-11 Auto-learning (Pattern-Based) Policy: OAAM Does User Have Profile Summary

Summary Details

Purpose

Checks if pattern autolearning is enabled and if a user has past behavior recorded. Users with enough recorded behavior are evaluated against their own profile while users without enough recorded behavior are evaluated against the profiles of all other users.

Scoring Engine

Maximum

Weight

100

Group Linking

All Users


11.5.3.3.2

OAAM Does User Have Profile Flow Diagram

Figure 11-8 Autolearning (Pattern-Based) Policy: OAAM Does User Have Profile Flow

The OAAM Does User Have Profile policy is shown.
11.5.3.3.3

OAAM Does User Have Profile: Details of Rules

Table 11-12 Auto-learning (Pattern-Based) Policy Rules Details: OAAM Does User Have Profile

Rule Rule Condition and Parameters Results

Does user have a profile

System - Check Boolean Property

Property = vcrypt.tracker.autolearning.enabled

Value = True

Default Return Value = True

System - Check Boolean Property

Property = vcrypt.tracker.autolearning.use.auth.status.for.analysis

Value = True

Default Return Value = False

User - Check Login Count

Check only current user = True

Authentication Status = Success

In seconds = 0

With Login more than = 7

If Error return = False

Consider current request or not = True

Action = None

Alert = None

Score = 0


11.5.3.3.4

OAAM Does User Have Profile: Trigger Combination

Table 11-13 Auto-learning (Pattern-Based) Policy: OAAM Does User Have Profile Trigger Combination

Description Combination Detail Result

If a user has enough recorded behavior in his profile he is evaluated by this policy.

Does User have profile = TRUE

Policy = OAAM users vs. themselves

Alert = NONE

If a user does not have enough recorded behavior in his profile he is evaluated by this policy.

Does User have profile = ANY

Policy = OAAM users vs. all users

Alert = NONE


11.5.3.4 Auto-learning (Pattern-Based) Policy: OAAM Users vs. Themselves

If a user has a sufficient amount of historical data captured, this policy is used to evaluate his current behavior against his own historical behavior. This policy uses pattern-based rules to evaluate risk.

11.5.3.4.1

OAAM Users vs. Themselves Policy Summary

Table 11-14 Auto-learning (Pattern-Based) Policy: OAAM Users vs. Themselves Summary

Summary Details

Purpose

Used to evaluate a user's current behavior against his own historical behavior. This policy uses pattern-based rules to evaluate risk.

Scoring Engine

Maximum

Weight

100

Group Linking

Linked Users (It is a nested policy)


11.5.3.4.2

OAAM Users vs. Themselves Flow Diagram

Figure 11-9 Auto-learning (Pattern-Based) Policy: OAAM Users vs. Themselves Flow

The OAAM Users vs. Themselves policy is shown.
11.5.3.4.3

OAAM Users vs. Themselves: Details of Rules

Table 11-15 Auto-learning (Pattern-Based) Policy Rules Details: OAAM Users vs. Themselves

Rule Rule Condition and Parameters Results

ISP

ENTITY: Entity is member of pattern less than some percent times

Pattern Hit Percent less than = 6

Pattern name for membership = User: ISP profiling pattern

Is Membership Count Less than patternHitPercent = True

Time period type for pattern membership = Months

Time period for pattern membership = 1

Member type for pattern membership = User

Action = OAAM Challenge

Alert = OAAM User: ISP

Score = 600

Connection type

ENTITY: Entity is member of pattern less than some percent times

Pattern Hit Percent less than = 6

Pattern name for membership = User: ASN profiling pattern

Is Membership Count Less than patternHitPercent = True

Time period type for pattern membership = Months

Time period for pattern membership = 1

Member type for pattern membership = User

Action = OAAM Challenge

Alert = OAAM User: connection type

Score = 600

Routing type

ENTITY: Entity is member of pattern less than some percent times

Pattern Hit Percent less than = 6

Pattern name for membership = User: Routing type profiling pattern

Is Membership Count Less than patternHitPercent = True

Time period type for pattern membership = Months

Time period for pattern membership = 1

Member type for pattern membership = User

Action = OAAM Challenge

Alert = OAAM User: Routing type

Score = 600

Device

ENTITY: Entity is member of pattern less than some percent times

Pattern Hit Percent less than = 10

Pattern name for membership = User: Device profiling pattern

Is Membership Count Less than patternHitPercent = True

Time period type for pattern membership = Months

Time period for pattern membership = 1

Member type for pattern membership = User

Action = OAAM Challenge

Alert = OAAM User: Device

Score = 700

Day of the week

ENTITY: Entity is member of pattern bucket for first time in certain time period

Pattern name for membership = User: Day of Week profiling pattern

Is ConditionTrue = True

Time period type for pattern membership = Months

Time period for pattern membership = 3

Member type for pattern membership = User

First time count = 1

Action = OAAM Challenge

Alert = OAAM User: day of the week

Score = 500

Country and State

ENTITY: Entity is member of pattern less than some percent times

Pattern Hit Percent less than = 10

Pattern name for membership = User: State profiling pattern

Is Membership Count Less than patternHitPercent = True

Time period type for pattern membership = Months

Time period for pattern membership = 1

Member type for pattern membership = User

Action = OAAM Challenge

Alert = OAAM User: state

Score = 600

Time of Day

ENTITY: Entity is member of pattern less than some percent times

Pattern Hit Percent less than = 3

Pattern name for membership = User: timerange profiling pattern

Is Membership Count Less than patternHitPercent = True

Time period type for pattern membership = Months

Time period for pattern membership = 1

Member type for pattern membership = User

Action = OAAM Challenge

Alert = OAAM User: time of day

Score = 500

ASN

ENTITY: Entity is member of pattern less than some percent times

Pattern Hit Percent less than = 6

Pattern name for membership = User: ASN profiling pattern

Is Membership Count Less than patternHitPercent = True

Time period type for pattern membership = Months

Time period for pattern membership = 1

Member type for pattern membership = User

Action = OAAM Challenge

Alert = OAAM User: ASN

Score = 600

Country

ENTITY: Entity is member of pattern less than some percent times

Pattern Hit Percent less than = 20

Pattern name for membership = User: Country profiling pattern

Is Membership Count Less than patternHitPercent = True

Time period type for pattern membership = Months

Time period for pattern membership = 3

Member type for pattern membership = User

Action = OAAM Challenge

Alert = OAAM User: Country

Score = 700


11.5.3.4.4

OAAM Users vs. Themselves: Trigger Combinations

None

11.5.3.5 Autolearning (Pattern-Based) Policy: OAAM Users vs. All Users

If a user does not have a sufficient amount of historical data captured this policy is used to evaluate his current behavior against the historical behavior of all other users. This policy uses pattern-based rules to evaluate risk.

11.5.3.5.1

OAAM Users vs. All Users Policy Summary

Table 11-16 Auto-learning (Pattern-Based) Policy: OAAM users vs. All Users Summary

Summary Details

Purpose

Evaluates the user's current behavior against the historical behavior of all other users. This policy uses pattern-based rules to evaluate risk.

Scoring Engine

Maximum

Weight

100

Group Linking

Linked Users (It is a nested policy)


11.5.3.5.2

OAAM Users vs. All Users Flow Diagram

Figure 11-10 Auto-learning (Pattern-Based) Policy: OAAM Users vs. All Users Flow

The OAAM Users vs. All Users flow is shown.
11.5.3.5.3

OAAM Users vs. All Users: Details of Rules

Table 11-17 Auto-learning (Pattern-Based) Policy Rules Details: OAAM Users vs. All User

Rule Rule Condition and Parameters Results

Users: Day of the week

ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture

Pattern Bucket Hit Percent less than = 5

Pattern name for membership= User: Day of the week profiling pattern

Is membership count less than pattern hit percent = true

Time period type for pattern membership = Months

Time period for pattern membership = 6

Member Type for pattern membership = User

Action = OAAM Challenge

Alert = Users: Day of the week

Score = 300

Users: Country

ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture

Pattern Bucket Hit Percent less than = 3

Pattern name for membership= User: Country profiling pattern

Is membership count less than pattern hit percent = true

Time period type for pattern membership = Months

Time period for pattern membership = 6

Member Type for pattern membership = User

Action = OAAM Challenge

Alert = Users: Country

Score = 500

Users: Time of Day

ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture

Pattern Bucket Hit Percent less than = 5

Pattern name for membership= User: Time of day profiling pattern

Is membership count less than pattern hit percent = true

Time period type for pattern membership = Months

Time period for pattern membership = 6

Member Type for pattern membership = User

Action = OAAM Challenge

Alert = Users: Time of day

Score = 300

Users: Connection type

ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture

Pattern Bucket Hit Percent less than = 5

Pattern name for membership= User: Connection type profiling pattern

Is membership count less than pattern hit percent = true

Time period type for pattern membership = Months

Time period for pattern membership = 6

Member Type for pattern membership = User

Action = OAAM Challenge

Alert = Users: Connection type

Score = 500

Users: Locale

ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture

Pattern Bucket Hit Percent less than = 3

Pattern name for membership= User: Time of day profiling pattern

Is membership count less than pattern hit percent = true

Time period type for pattern membership = Years

Time period for pattern membership = 6

Member Type for pattern membership = User

Action = OAAM Challenge

Alert = Users: Locale

Score = 500


11.5.3.5.4

OAAM Users vs. All Users: Trigger Combinations

None

11.5.4 Registration Policies

Registration policies are summarized in this section.

11.5.4.1 OAAM Registration

This policy is used to determine the user information that needs to be registered.

11.5.4.1.1

OAAM Registration Policy Summary

Table 11-18 OAAM Registration Policy Summary

Summary Details

Purpose

Determines what parts of user information has to be registered

Scoring Engine

Weighted Average

Weight

100

Group Linking

All Users


11.5.4.1.2

OAAM Registration Flow Diagram

Figure 11-11 OAAM Registration Flow

The OAAM Registration flow is shown.
11.5.4.1.3

OAAM Registration: Details of Rules

Table 11-19 OAAM Registration Policy Rules Details

Rule Rule Condition and Parameters Results

Check Registration

User: Account Status

User Account Status = ACTIVE

Is = FALSE

Action = OAAM Register

Alert = NONE

Score = 0

Register Questions

User: Question Status

User Question Status = Set

Is = FALSE

Action = OAAM Register Challenge Questions

Alert = NONE

Score = 0

Skipped registration more than 3 times

User: Action Count Timed

Checkpoint (Optional) = NONE

Action = Register User Optional

In seconds = 300

Count Action only once per session? = TRUE

More Than = 3

Action = OAAM Registration Required

Alert = NONE

Score = 0

Register User Information

User: Check Information

Key to comma separated values to check = RequiredChallengeInfo

If Information is set, return = FALSE

Action = OAAM Register User Information

Alert = NONE

Score = 0

Register Image and Caption

User: Authentication Image Assigned

Is Assigned = FALSE

Action = OAAM Register Preferences

Alert = NONE

Score = 0


11.5.4.1.4

OAAM Registration: Trigger Combinations

None

11.5.5 Challenge Policies

Challenge policies are presented in this section.

11.5.5.1 OAAM Challenge

This policy determines how the user has to be challenged. All the decision making in this policy is achieved using trigger combinations.

11.5.5.1.1

OAAM Challenge Policy Summary

Table 11-20 OAAM Challenge Policy Summary

Summary Details

Purpose

Determines how the user has to be challenged. All the decision making in this policy is achieved using trigger combinations.

Scoring Engine

Weighted Average

Weight

100

Group Linking

All Users


11.5.5.1.2

OAAM Challenge Flow Diagram

Figure 11-12 OAAM Challenge Flow

OAAM Challenge flow is shown.
11.5.5.1.3

OAAM Challenge: Details of Rules

Table 11-21 OAAM Challenge Policy Rules Details

Rule Rule Condition and Parameters Results

Max failed SMS attempts

User: Check OTP failures

OTP Challenge Type = ChallengeSMS

Failure More than or Equal To = 3

If above or equal = TRUE

Action = NONE

Alert = NONE

Score = 0

Max failed Email attempts

User: Check OTP failures

OTP Challenge Type = ChallengeEmail

Failure More than or Equal To = 3

If above or equal = TRUE

Action = NONE

Alert = NONE

Score = 0

Max failed Question attempts

User: Challenge Maximum Failures

Number of Failures More than or equal to = 3

Current Question Count only? = False

If above or equal, return = True

Action = NONE

Alert = NONE

Score = 0

Questions Active

User: Question Status

User Question Status = Set

Is = True

Action = NONE

Alert = NONE

Score = 0

Challenge Email Available

Session: Check value in comma separated values

Parameter Key = AvailableChallengeTypes

Value to Check = ChallengeEmail

Return if in list = True

Action = NONE

Alert = NONE

Score = 0

Challenge SMS Available

Session: Check value in comma separated values

Parameter Key = AvailableChallengeTypes

Value to Check = ChallengeSMS

Return if in list = True

Action = NONE

Alert = NONE

Score = 0

Check for HIGH Risk Score

Session: Check Risk Score Classification

Risk score classification to check = High Risk

Default value to return in case of errors = False

Action = NONE

Alert = NONE

Score = 0


11.5.5.1.4

OAAM Challenge: Trigger Combinations

Table 11-22 OAAM Challenge Trigger Combinations

Description Combination Detail Result

Allow the user to register if the risk score is not High and if the user is not registered

Check for High Risk Score = False

Questions Active = False

Challenge Email Available = False

Challenge SMS Available = False

Max failed Question Attempts = Any

Max failed Email Attempts = Any

Max failed SMS Attempts = Any

Policy = NONE

Action = OAAM Allow

Alert = NONE

Score = 0

Challenge the user with SMS if the risk score is High and he is registered for SMS and has not failed the maximum number of SMS challenges.

Check for High Risk Score = TRUE

Questions Active = Any

Challenge Email Available = Any

Challenge SMS Available = TRUE

Max failed Question Attempts = Any

Max failed Email Attempts =Any

Max failed SMS Attempts = False

Policy = NONE

Action = OAAM Challenge SMS

Alert = NONE

Score = 0

Challenge the user with email if the risk score is High and he has registered for email and he did not fail the email challenge the maximum number of times yet.

Check for High Risk Score = HIGH

Questions Active = Any

Challenge Email Available = TRUE

Challenge SMS Available = Any

Max failed Question Attempts = Any

Max failed Email Attempts = FALSE

Max failed SMS Attempts = Any

Policy = NONE

Action = OAAM Challenge Email

Alert = NONE

Score = 0

Challenge the user with questions if he has challenge questions active and has not failed the maximum number of challenges for questions

Check for High Risk Score = Any

Questions Active = TRUE

Challenge Email Available = Any

Challenge SMS Available = Any

Max failed Question Attempts = TRUE

Max failed Email Attempts = Any

Max failed SMS Attempts = Any

Policy = NONE

Action = OAAM Challenge Question

Alert = NONE

Score = 0

Challenge the user with OTP via SMS if he has not failed Challenge SMS and he is registered for SMS.

Check for High Risk Score = Any

Questions Active = Any

Challenge Email Available = Any

Challenge SMS Available = TRUE

Max failed Question Attempts = Any

Max failed Email Attempts = Any

Max failed SMS Attempts = FALSE

Policy = NONE

Action = OAAM Challenge SMS

Alert = NONE

Score = 0

Challenge the user with email if he is registered for email and he did not fail the email challenge the maximum number of times yet.

Check for High Risk Score = Any

Questions Active = Any

Challenge Email Available = TRUE

Challenge SMS Available = Any

Max failed Question Attempts = Any

Max failed Email Attempts = FALSE

Max failed SMS Attempts = Any

Policy = NONE

Action = OAAM Challenge Email

Alert = NONE

Score = 0

Block the user if he has not registered for questions or OTP and the risk score is High. This block can be overridden using the "Temp Allow" functionality.

Check for High Risk Score = TRUE

Questions Active = FALSE

Challenge Email Available = FALSE

Challenge SMS Available = FALSE

Max failed Question Attempts = Any

Max failed Email Attempts = Any

Max failed SMS Attempts = Any

Policy = NONE

Action = OAAM BLOCK

Alert = NONE

Score = 0

Challenge Block the user if he failed to answer all types of challenge mechanisms. Note: This block cannot be overridden through the "Temp Allow" functionality.

All rules with result = ANY

Policy = NONE

Action = OAAM Challenge BLOCK

Alert = NONE

Score = 0


11.5.6 Customer Care Policies

Customer care policies are presented in this section.

11.5.6.1 OAAM Customer Care Ask Question

This policy determines if the user has active questions, more questions left for the challenge, and how many challenges have failed.

11.5.6.1.1

OAAM Customer Care Ask Question Policy Summary

Table 11-23 OAAM Customer Care Ask Question Policy

Summary Details

Purpose

Determines if the user has active questions, more questions remaining for challenges, and how many challenges have failed.

Scoring Engine

Weighted Maximum

Weight

100

Group Linking

All Users


11.5.6.1.2

OAAM Customer Care Ask Question Flow Diagram

11.5.6.1.3

OAAM Customer Care Ask Question: Details of Rules

Table 11-24 OAAM Customer Care Ask Question Rule Details

Rule Rule Condition and Parameters Results

No Questions

USER: Question Status

Triggers when users do not have questions registered. Two possible scenarios are un-registered users and users with questions reset by customer care.

Question status of the user

User Question Status=Not Set

Is=True

Action = OAAM No User Questions

Alert = NONE

Score = 0

Weight=100

Maximum Answers Failed

USER: Challenge Channel Failure

Triggers when user failed maximum allowed answers with current question. Count is combination of customer care and online challenge.

If a user has a failure counter value over a specified value from specific channel

Challenge Channel=<select>

Current Question Count only? = true

Failures greater than or equal to = 3

Action = OAAM Next Question

Alert = NONE

Score = 0

Weight=100

Question Blocked

User: Challenge Question Failure

Checks how many questions have failures

Failure more than or equal to=1

Action = OAAM Reset Question

Alert = NONE

Score = 0

Weight=100

Maximum Questions Failed

User: Question Failure

Triggers when user fails the maximum allowed questions.

Failure more than or equal to=3

Action = NONE

Alert = NONE

Score = 0

Weight=100


11.5.6.1.4

OAAM Customer Care Ask Question: Trigger Combinations

None

11.6 Use Cases

The following sections provide security policy use case scenarios.

11.6.1 Use Case: WebZIP Browser

All users using a WebZIP browser must be blocked from attempting a login.

  1. user1 uses WebZip and tries to log in to the application.

  2. user1 is blocked.

  3. The administrator logs in to OAAM Admin.

  4. The administrator views the session for user1.

  5. The administrator sees that Rule: "WEBZIP" used was triggered.

11.6.2 Use Case: IP Risky User OTP Challenge

User "test user" is a registered user. He is traveling on business to a different country and does not have access to email or phone. The IP he logs in from is considered a risky IP and hence, he is challenged by SMS. Since he cannot access his OTP, he fails to answer the OTP challenge by SMS. He is now challenged via KBA and unfortunately, he forgot the answers to his challenge questions. He guesses and answers the questions incorrectly. He is now locked out of the system. He calls the CSR and proves his identity. The CSR unlocks the user so he can log in again.

  1. OTP is set up for SMS and Email.

  2. The auto-learning policy (OAAM does user have profile) is disabled.

  3. The user is registered as testuser.

  4. His IP is in the Risky IP group.

  5. testuser tries to log in to the application.

  6. testuser is challenged via SMS.

  7. testuser answers incorrectly 3 times.

  8. testuser is challenged via KBA.

  9. testuser answers challenge question incorrectly 3 times.

  10. testuser is locked out.

  11. CSR must create a case and then unlock challenge questions for the user.

  12. testuser is able to log in to the application successfully.

11.6.3 Use Case: Anonymizer IP - From the Group

User "anonymizer" logs in using an IP which is considered an anonymizer in the Quova geolocation database. The user is blocked and a case is automatically created with the proper information. The investigator works on the case, adds a disposition, and closes the case.

Administrator

  1. The administrator logs in to OAAM Admin.

  2. He creates a new action instance using the action template "Create customer care case".

  3. He selects the "post -authentication" checkpoint, the Block action, a score of "1000," and case type "2".

User

  1. New user "anonymizer" tries to log in to the application.

  2. The user is blocked.

    A fraud case is automatically created.

Investigator

  1. The investigator logs in to OAAM Admin as an Investigator.

  2. He opens the case and adds notes.

  3. He closes the case with a disposition.

11.6.4 Use Case: Pattern Based Evaluation

User "test user2" is a registered user. He resides in the United States and hence, all his logins are typically from the United States. He is traveling on business to China and performs a few logins from there. Since OAAM identifies that this is not the normal behavior, it challenges the user.

Rules:

  • The rule only triggers when the device used appears to have traveled faster than 600 MPH in the last 20 hours. A trigger results in a challenge action and appropriate and informative alerts sufficient enough to determine why the challenge was generated.

  • The following rule only triggers a challenge action when both conditions are false: Has this user used this country more than 2 times ever?

    AND

    Has this user used this country more than 10% in the last month?

  • If a user is challenged post-authentication, and he has KBA active, and he does not have OTP active and the risk is above 600, then he should be asked a KBA question.