Wednesday, February 4, 2009

The Password is....... Password.

I had started a series on my old blog regarding security.  I'd only gotten the first post up when I found out I was being laid off, so I never finished the series.  I think, however, it is worth finishing as this is an important topic that we should all take seriously.

When I was out delivering presentations for Microsoft, I would often discuss aspects of security.  I had several different angles I would use to start the discussion, but however I approached it, I could always see that it wasn't reaching some of my audience.  They would put on their "this doesn't apply to me" faces and wait for me to finish.  That is just plain wrong.  Security applies to everyone.  The truth is that some businesses probably are not going to be the intended victim of a ring of skilled hackers (like something you would see in a movie), but everyone needs to be concerned about security, regardless of the business you are in.  "Why?" you ask.  Good question.  Let me tell you.  You might not fall victim to Robert Redford's gang of cyber-criminals from Sneakers.  And you may never come to the attention of Timothy Hutton's band of do-gooding thieves from Leverage.  But what about Joe in accounting?  He's angry at being denied a raise/promotion/preferred parking spot/extra week of vacation/etc.  Do you think you might come to his attention?  Am I setting up this scenario to scare you?  I am if that is what it takes to get you to think about your IT security.  The main concern I have is that often people don't think of IT security as something they need to worry about.  Enterprises have entire teams devoted to security while some (though not all) smaller organizations sometimes think that security is making sure employees are using a password.

Let's start our security discussion right there -- passwords.  What is your password policy?  Are you using a domain with complex password enforcement?  Do your passwords expire?  Is that really enough?  The truth is that it is not.  It's really only a start.  People, inherently, can't remember really good passwords.  They especially can't remember a number of good passwords, which means it is likely that they are using the same passwords in multiple places.  They're also probably using passwords that have some relevance to them, like personal information.  And what about password hints?  If they're prompted for their birthdate or their pet's name, how hard is that to find out?  It is likely that other people in the office know their birthdate (and guessing the year isn't that tough).  And their pet's name?  Really?  When did this become a question that was hard to answer?  How many dog people do you know that don't love talking about Sparky, George or Fido?  My point is that questions which can be answered by the intended party could also be answered by others, especially people who know them.  Going back to the disgruntled employee example, you can see the problem here.

So how do we fix this problem?  Unfortunately, that's not an easy question to answer.  User education is step 1.  Explaining the dangers inherent in weak passwords may help, but it is likely that they will consider your worries paranoid.  "What information do I have that a hacker could want?" is a typical response.  Enforcing policies only goes so far, too.  Create a password policy that is too draconian and you end up with people writing their passwords down in order to remember them.  Personally, I am an advocate of passphrases, rather than passwords.  They're secure (because they can be very long and contain special characters like punctuation) and they're easier to remember.  Look at this example:

X30$2lnLeom  (This is a good password.  It has multiple character sets, is 11 characters long, and contains no personal information nor dictionary words.  It's also pretty impossible to remember.)

What about this password, though?  (Yes, that whole sentence, punctuation included, is the password.  It is a good password, too.  It's got multiple character sets, is quite long, and has the benefit of being much easier to remember.)

These passphrases could be song lyrics, movie quotes, or even things your mom told you when you were little.  Take, for instance, one of my favorite songs, Istanbul Was Constantinople, by They Might Be Giants.  This song offers tremendous password potential.  The chorus is "Istanbul was Constantinople.  Now it's Istanbul, not Constantinople.  Been a long time gone, Constantinople.  Why did Constantinople get the works?  That's nobody's business but the Turks."  Any of these lines, complete with the punctuation, makes a great passphrase.  (And who in the world is going to guess that whole thing?)  I could also use the first line of the song as my first passphrase, switching to the next line every time I need to update my password.  This provides a lot of passwords before I have to move on to the next song.  (It has the happy side benefit of getting me humming each time I log into my PC.)  :)
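To put numbers behind the comparison of the two example passwords above, here is an added Python example (my code, not the author's) that estimates the character-by-character brute-force search space of each candidate and checks it against a simple written policy; the mini word list and the personal-info items are constructed stand-ins for the real lists a deployment would load.

```python
import math
import string

# Constructed mini word list standing in for a real dictionary and a leaked-
# password list (assumption: a deployment would load full lists instead).
COMMON_WORDS = {"password", "welcome", "sparky", "fido", "george", "istanbul"}

# Character classes and their sizes, used for both the policy check and the
# search-space estimate.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),  # punctuation plus the space
]


def charset_size(pw: str) -> int:
    """Sum the sizes of the character classes the password actually uses."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in pw))


def bruteforce_bits(pw: str) -> float:
    """log2 of the search space a character-by-character brute force faces."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def policy_violations(pw: str, personal: set, min_len: int = 14) -> list:
    """Return the written-policy rules a candidate breaks (empty = passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if sum(1 for chars, _ in CLASSES if any(c in chars for c in pw)) < 3:
        problems.append("fewer than 3 character classes")
    low = pw.lower()
    for item in sorted(personal):  # birthdate, pet's name, etc.
        if item.lower() in low:
            problems.append(f"contains personal info '{item}'")
    if low.strip(string.punctuation + " ") in COMMON_WORDS:
        problems.append("is a single dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("X30$2lnLeom", "What about this password, though?"):
        print(f"{candidate!r}: ~{bruteforce_bits(candidate):.0f} bits, "
              f"violations={policy_violations(candidate, {'Sparky', '1990'})}")
```

The bit count is an upper bound against a blind character search; a passphrase that is a well-known lyric or quote is also worth screening against a list of leaked passwords and common phrases, which is why the check keeps a word list at all.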

Leveraging passphrases like this also provides users with a better ability to use different passwords in different places.  Need a password for work?  How about lines from Working in a Coal Mine by Devo or Bang the Drum All Day by Todd Rundgren?  A password for your financial sites could come from Money by Pink Floyd or Money by the Flying Lizards.  For your social networking sites, you could use songs like Joe Cocker's With a Little Help from my Friends or Bill Withers' Lean on Me.  Get the idea?  By making these connections, it is much easier to remember which song (and therefore, which password) goes with which login.  This means it is more likely that users will use different passwords in different places.  How do you make this happen?  There is no substitute for user education.  You need to explain to users why this is important and give them some helpful tips on creating good passwords (like the ones above).  You also need to ensure you have a policy in place outlining your password requirements.  (And, in this case, I'm speaking of a written policy as well as a domain policy enforcing strong passwords, password expiration, history, etc.)

Is using a passphrase going to protect your network?  Nope.  Not even close.  It's a good start, though.  I'm going to continue discussing some security concerns in the coming days.  Hopefully, once we're done, you'll have a more comprehensive idea of what the dangers really are and how you can protect your assets.



1 comments:

Chris Rawlinson said...

Read your story on Hugh's blog and just wanted to say all the best, and so hope you get your job back soon or an even better one :)
Best of luck.

Chris
