Security: Back to Basics
Lyne Bourque
Password Primer
A recent SecurityFocus report on the Department of Homeland Security indicated that about 37% of the passwords in use could be broken with a dictionary attack. Password strength is not something that should still be an unknown today. Security and security knowledge are maturing, and this is one of those things that should be second nature by now.
But I suspect we are assuming that this is second nature. The specific issue, however, isn't just that the passwords are weak. It's also an issue of a lack of a security culture.
When it comes to passwords, we don't need to get overly complex and have a computer generate one for us. We can use things we are already familiar with, such as phrases. The length of the phrase plus some additional punctuation will make the password effective.
Remember that existing cracking tools work on the password as a whole rather than on its individual components. So if I have a password of "No bike tour is long enough!" (with the quotes, of course), I have effectively created a password that is a) memorable and b) strong (30 characters including upper case, lower case, spaces, and special characters). I wouldn't have to write it down, and it is unique enough to be hard to guess.
I remember when I first got online, my ISP would regularly check the strength of my password. If it wasn't strong enough, they would send me an email reminding me of the importance of password strength, explain with simple examples what makes a good, strong password, and encourage me to change it. Password strength checking should make a return as a regular activity (make sure it is noted in the security policy, and that the policy says who has the authority to run it). Additionally, if you do bring it back, remember to use an isolated, non-networked machine to check password files (SAM and/or shadow).
A good supplement is regular password changing (3 months is a good standard to go by) and a decent password history. Many organizations do not enforce this practice because they use two- or three-factor authentication methods. Regardless, passwords need to be useful and effective as well as unique.
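As an added example (not code from the article or its author), here is a small policy checker of the kind a periodic strength audit could run on the isolated machine described above: it flags dictionary-based passwords, counts character classes, and grades passphrases like the one quoted earlier. The word list, the "leet" substitution table, the sample password set and the length/class thresholds are all constructed assumptions, not figures from the article.

```python
import string

# Constructed stand-in for a real cracking word list (assumption: a real audit
# would load a full dictionary file instead of this handful of words).
DICTIONARY = {"password", "welcome", "security", "dragon", "summer", "letmein"}

# Simple character substitutions a dictionary-based cracker also tries,
# so "P4ssw0rd!" is still treated as the word "password".
LEET = str.maketrans("0134$@", "oleasa")

def is_dictionary_based(password: str) -> bool:
    """True if the password is a dictionary word, possibly with digits or
    punctuation tacked on the ends or with simple substitutions applied."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET) in DICTIONARY

def character_classes(password: str) -> int:
    """Count how many of upper, lower, digit, space, punctuation are present."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c.isspace() for c in password),
        any(c in string.punctuation for c in password),
    ])

def assess(password: str) -> dict:
    """Grade one password; thresholds (8/14 chars, 3 classes) are assumptions."""
    length, classes = len(password), character_classes(password)
    dictionary = is_dictionary_based(password)
    if dictionary:
        verdict = "reject: dictionary-based"
    elif length < 8:
        verdict = "reject: too short"
    elif length >= 14 and classes >= 3:
        verdict = "strong"       # long passphrase with mixed classes
    elif classes >= 3:
        verdict = "acceptable"
    else:
        verdict = "weak"
    return {"length": length, "classes": classes,
            "dictionary": dictionary, "verdict": verdict}

def audit(passwords) -> dict:
    """Summarise a batch the way the report above did: share that is dictionary-based."""
    hits = sum(assess(p)["dictionary"] for p in passwords)
    return {"total": len(passwords), "dictionary_based": hits,
            "dictionary_pct": round(100 * hits / len(passwords), 1)}

# Constructed sample batch (not real credentials); 3 of 8 are dictionary-based.
SAMPLE_PASSWORDS = ["P4ssw0rd!", "Summer2003", "dragon", "abc", "qwerty12",
                    "Tr0ub4dor&3", '"No bike tour is long enough!"',
                    "Coffee before code, always"]
```

Running `audit(SAMPLE_PASSWORDS)` on this batch reports 37.5% dictionary-based, and `assess` grades the quoted 30-character passphrase as strong while rejecting "P4ssw0rd!" and "Summer2003".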
It's Not Like You Use Dial-up Anyway...
One particular oversight that raised the ire of the Homeland Security group is the issue of modems all over the place that can be wardialed. What was scary about this particular issue is that no one knew where the modems were or what they were for. I suspect that users wanted to connect to their personal ISP and bypass existing security measures. Bye, bye integrity. The security system becomes effectively useless.
When systems are purchased, ask for modems to be removed unless they are needed. If that's not an option, disable them in the BIOS or on the board itself. No desktop PC in an organization should need a modem in this day and age. All PCs should be forced to get network access via the method you choose. That is, they should connect via your network and go through a specific gateway.
Imagine that it is the tollbooth of your personal highway. You want to collect the toll (i.e., ensure that the traffic is legitimate and safe) before allowing anyone in or out. When someone "jumps" the fence there is a huge security risk. So if you haven't disabled or can't disable modems, get wardialing (with written permission of course) on your company to find out what is open and insecure.
Remind employees that this kind of activity creates problems for the company. And encourage employees to talk about what they feel they need access to. Don't make it an "us vs. them" situation. Help them realize you're both on the same team.
The last point, availability, is also an issue with modems. Since they expose our secure network to largely undetectable attacks or unauthorized access, they can also open avenues to availability problems.
By virtue of connecting to the Internet, we open our company up to these dangers. But what's interesting of late is that availability has suffered not from the Internet and the threats therein, but rather from internal sources, most notably older hardware.
Young, Healthy Systems
Much of the hardware that exists today is from around the time of Y2K, give or take a year. The reality is that our hardware has a finite life. At some point it does need to be replaced so that performance and reliability are assured. Some corporations run on bare minimum budgets and assume that hardware can last for decades. The problem with this is that OS upgrades, patches, and other assorted goodies demand more processing power from systems. Operating systems and software are undoubtedly getting better, but they are also getting bigger in both processing requirements and general size.
Add to that the moving parts in hard drives, environmental issues and general wear and tear... something is bound to fail. The Register UK recently ran a security survey, and the indications were that more downtime was attributed to hardware/software failure than to security issues.
Hardware failure can be especially rough on an organization. Despite the cost, we cannot afford to have a single system as our sole provider. We need multiple systems in place to share the load and take over in a pinch, or backup systems that are ready to go at a moment's notice. Redundancy, pure and simple, is the order of the day.
What does this all boil down to? Well, to put it in the simplest of terms: a culture of security. People have to be made aware that security is an integral part of business today, not solely the function of the guard roaming your offices or the IT department. It means being aware of our weakest link – the human element – and regularly taking stock of all the facets of security within your organization — not just the latest technological boogieman, but the basics as well.
So don't neglect those little details when battling with their high-tech cousins. Oh, and don't forget the "culture of sunscreen" this summer when venturing out after ensuring all is safe.