Archive for the ‘Password management’ Category

We must transform our way of thinking

Sunday, December 18th, 2005

A recently conducted survey shows that most users resort to insecure methods of storing passwords because they are overwhelmed by the number of passwords needed to do their everyday jobs.

According to the research, 25% of users keep passwords on a spreadsheet, 22% store them on a PDA while 15% simply write them down and keep them in a “safe place”.

People are forced to handle so many passwords that it is impossible to remember them all. More than 25% of users handle over 13 different passwords, and another 30% juggle 6 to 12 passwords. What’s more, most employees in companies are required to change their passwords every 3 to 6 months. The passwords must be at least 8 characters long, include digits and letters and comply with all existing security standards. Moreover, the new password must not resemble the previous one in any way.

In this connection, I found some interesting ideas on the DMAC blog. From a security standpoint, all security measures continue to have the same flaw: “They are vulnerable to end user laziness”. In fact, a security solution is only as strong as its weakest link and “unfortunately it’s Bill the dad of 4 who doesn’t give two cents about your password policy”.

“Security and Laziness must combine”. We must transform the way we think as security professionals. We must put ourselves in Bill’s shoes. Security professionals and end users must reach a compromise.

This blog is run by the authors of FindProtected, an effective information security solution. With Find Protected, IT administrators can thoroughly inspect employees’ files in order to enforce an intelligent data security policy across the organization.

Employee attitude to password policy

Sunday, December 11th, 2005

Security Blog has a witty description on the common attitude to password management called “The Zen of Password Management”.

The first reaction of an employee when a new password policy is enforced in an organization is “denial”. However, it is quickly replaced by anger. In fact, most people think: “I can’t believe that the security of the entire company depends on me changing my password at this time. It’s just a silly policy that IT uses to exercise digital control over the rest of the world”.

An employee fears that she might forget the new password. That’s why she may feel forced to write the passwords down or store them in a text file on her computer.

Even the most complete password policy cannot guarantee 100% security. Passwords might be intercepted by a sophisticated attack. But it is more likely that people will accidentally or deliberately share their passwords with their co-workers, their family and so forth. In fact, there is no such thing as the best password policy.


This blog is run by the authors of FindProtected.
FindProtected is an effective security program that allows you to search your network for password protected files. With FindProtected, you can properly identify protected files and relocate them if necessary.

Password policy enforcement

Sunday, November 27th, 2005

Scott Pinzon’s article on password policy enforcement discusses the issues of policy implementation within a company. According to a UK study from 2004, employees could be induced to divulge their passwords rather easily. The study indicated that 70% of users would tell a stranger their computer password “in exchange for chocolate”.

But what if we turn the equation around and devise specific mechanisms that give users an incentive to abide by the password policy rules? For instance, management could offer any user who follows the policy perfectly for a year a $100 gift certificate. Although it may seem absurd to pay people just to get them to do what they’re supposed to be doing already, such an enforcement method may be very cost-effective compared with the security risks the company faces when its security is breached.

Compared to the accountability you lose when users share their passwords and turn an individual account into a group account, a hundred bucks is cheap. Compared to the resources compromised on your network when an attacker cracks a 120-day-old password, a hundred bucks is dirt cheap. Compared to the cost of having every user take a class on computer security, a $100 prize is an economical way to generate a security-aware corporate culture.

Although passwords do not provide adequate protection for today’s networks, “username and password” authentication remains the only access credential that most small business networks require. So until new authentication methods, such as smart cards, tokens, or other two-factor authentication techniques, are widely available, we need to make password protection “good enough”.

This blog is run by the authors of Find Protected, an effective information security solution.

Choosing a password

Thursday, November 10th, 2005

Employees in a company are generally required to avoid easily guessed passwords. But the hard-to-guess passwords most often used are not always easy to type, and a password typed slowly may be vulnerable to prying eyes.

Jacek Kopecky wrote: “When creating a password I choose random keys that are easy to write — alternating the fingers and trying it out. The commonly used passwords, even historical ones, are completely in my muscle memory.

This is also a fairly good defense against shoulder surfers trying to see what I’m typing — I type it very fast, usually sans mistakes, and it’s random enough that a looking person won’t get it.”

You can also use passphrases to create a strong password. Use a line of poetry or a quotation that no one except you knows. To make a passphrase more complicated, replace some letters with similar-looking symbols or digits, for example type 1N&I@nA J8ne$ instead of “indiana jones”.

This blog is run by the authors of Find Protected, an effective information security solution.

Strong password policy

Sunday, October 30th, 2005

Alistair McDonald’s article on password policy describes the key elements of a corporate security strategy.

Modern corporate life requires considerable diligence, adherence to legislation, and many other distractions from the core business of an organisation. Where computers are concerned, there is potential for abuse of corporate systems, infection of corporate systems with viruses, trojans and other malware, and damage to reputation through hacking and improper use of resources by employees.

Each organization needs a comprehensive security strategy which provides for the proper location of protected files, authorization techniques, employees’ access rights, as well as a strong password policy. Password policy is a key element in creating a comprehensive security strategy.

Password policy should contain the following rules:
1. Never base a password on a single word. A password should be at least eight characters, and ideally 12 or more. The longer a password, the less chance of a hacker breaking it quickly. Concatenating two words creates a longer password, but hacker tools search for this, so it is better to misspell one or both of the words so that a straight dictionary approach will not work. Try to avoid using words in your passwords that can be associated with you or your work. Passwords must be based on a random combination of words. You can also replace occasional letters with numbers or punctuation marks. Using both upper and lower case will definitely help too.

2. Never write passwords down in an easy to read form. If you do write them down, try to disguise them. Never leave passwords near the PC.

3. Never share accounts or give out passwords.

4. Never use a work password for leisure. Using one password on more than one system makes the user’s life easy, as they only have to remember one password. Single-sign-on systems can be very useful in the corporate environment, but users should not use their work passwords for any systems they use at home. Some websites and applications don’t give enough protection to their accounts, so the password may be easily intercepted. If you use similar passwords for a number of services, once an attacker intercepts a single password, they may gain access to a large amount of information.

5. Reset accounts as soon as employees leave the firm. Every account that employees have access to should have its password reset as soon as they leave the building. The manager can take control of the accounts if required, but the passwords should be reset as soon as possible. This is vitally important if shared accounts are in use.
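The machine-checkable parts of rule 1 (minimum length, mixed case, digits or punctuation, no single or concatenated dictionary word, nothing associated with the user) and the letter-substitution advice from the “Choosing a password” post can be enforced at the moment a password is set. The checker below is an added example written for this page; it is not code from FindProtected or from Alistair McDonald’s article. The wordlist, the substitution table and the sample passwords are constructed for illustration, and a real deployment would load a full dictionary file. Note that the checker undoes common letter-for-symbol substitutions before the dictionary test, since cracking tools try those substitutions automatically, which is why the page’s own 1N&I@nA J8ne$ example passes while a disguised single word does not.

```python
import re

# Constructed toy wordlist; a real checker would load a full dictionary file.
DICTIONARY = {"password", "indiana", "jones", "welcome", "summer",
              "dragon", "letmein", "admin"}

# Common letter-for-symbol substitutions that cracking tools undo automatically,
# so the checker undoes them too before the dictionary test (constructed table).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text):
    """Lower-case the text, undo common substitutions and keep only letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(SUBSTITUTIONS))


def based_on_dictionary(norm, dictionary=DICTIONARY):
    """True if the normalized text is a dictionary word, two dictionary words
    joined together, or contains a dictionary word of four or more letters."""
    if norm in dictionary:
        return True
    if any(norm[:i] in dictionary and norm[i:] in dictionary
           for i in range(1, len(norm))):
        return True
    return any(word in norm for word in dictionary if len(word) >= 4)


def check_password(password, personal_terms=(), dictionary=DICTIONARY):
    """Return (problems, warnings) for a candidate password.

    problems  - rule violations; an empty list means the password is accepted
    warnings  - advice only (the "ideally 12 or more" recommendation)
    personal_terms - hypothetical list of strings associated with the user or
                     their work (user name, company name, ...)
    """
    problems, warnings = [], []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    elif len(password) < 12:
        warnings.append("shorter than the recommended 12 characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("use both upper and lower case letters")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("include a digit or punctuation mark")
    norm = normalize(password)
    if based_on_dictionary(norm, dictionary):
        problems.append("based on a dictionary word (after undoing common substitutions)")
    for term in personal_terms:
        norm_term = normalize(term)
        if norm_term and norm_term in norm:
            problems.append(f"contains a term associated with you or your work: {term}")
    return problems, warnings


if __name__ == "__main__":
    # Constructed sample passwords, including the page's own passphrase example.
    samples = ["summer", "LetMeIn99!", "P4$$w0rd", "1N&I@nA J8ne$"]
    for sample in samples:
        problems, warnings = check_password(sample, personal_terms=["Acme"])
        verdict = "accepted" if not problems else "rejected"
        print(f"{sample!r}: {verdict}; problems={problems}; warnings={warnings}")
```

The checker is deliberately strict about substrings: a password that merely decorates one dictionary word with digits and symbols is rejected, which matches the article’s point that such disguises are the first thing a cracking tool tries.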

Write down your passwords

Sunday, October 9th, 2005

There’s been a lot of discussion around whether we should or should not write down our passwords. Although most security specialists agree that it is usually necessary to jot passwords down, some say that this alone cannot solve the problem. Nathan’s Daily Grind blog regards password security as “a MAJOR problem”.

We need some sort of federated, independent security model that uses some form of two-factor authentication… The kicker is that we need a system that is (relatively) universally accepted and used, and not one organization (corporate or government) out there has the reputation to be trusted by all of us. Plus I don’t think we can get away with just one way of doing the two-factor authentication.

Each organization needs its own password policy, based on certain principles. It’s essential to create strong and reliable passwords, but it’s also important to track all the password protected files within a corporate network. To work out a comprehensive password policy, you need to identify and locate all confidential files first. You can find more information on this issue at Find Password Protected Files.