So there has been an article going around the IT/Security community a bit today that was an eye opener to many - and old news to most of us.
http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/
This article starts with the catchy title "Please do not change your password" and alludes that it is better for users NOT to change passwords than to change passwords. I don't disagree that passwords are often more trouble than they are worth, and they can themselves become a weakness. This is not news folks, if you ask any certified InfoSec professional, they should advise you that multi-factor authentication is the right choice if you are serious about protecting access. One of the challenges has been to date that implementing this level of control is expensive and not usually done for leisure activities/web sites.
Any organization that is still relying on simple passwords as a security control in 2010 deserves the hacking that they no doubt have received. If you are in a regulated industry (i.e. health care, financial institution, or PCI compliance) or have intellectual property or trade secrets that you want to protect, passwords should not be a control that you look to as secure or appropriate to your environments.
Information Security is not for the faint of heart or for the lazy. You have to have professionals that stay informed about the threats that are manifesting, a rigorous maintenance process for your environments (including reliable methods for updating all systems with patches, monitoring your system for suspect activity, and responding in a reasonable way to any intrusions). You also must have environmental knowledge of where the key or sensitive data resides, the controls and monitoring in place to protect or alert you, etc.
One of the items that the author brings up is the complexity of security measures. This is unfortunately due to the complexity of the environments that we as Information Security professional are often tasked with protecting. The systems that most companies have deployed over the past 15 years or so have for the most part been developed and deployed without taking risk and security into account.
A couple easy suggestions for making any company more secure:
Some of these may not be appropriate for every environment, and some should be part of a larger security program or control framework (if you need more guidance here check out ISF, ISO27001, or NIST-800).
1) Do not let users have administrative access to their systems by default. There are a number of ways in any OS to prevent the users from having too much access (sudo, runas, etc.) there is no reason for most users to have admin access to a system. Many attacks will just fail if the user is not logged in as a local admin.
2) If you have something worth protecting, spend the time to assess the software, systems, networks, and other contributing factors to the systems that hold the "crown jewels". Propose more strict controls, monitoring, and assessment for these systems, and when something doesn't look right make sure to get to the bottom of it and find out what happened.
3) Inform your users, executives, and IT staff of what to do in the event of a security incident. Make sure they know who to call, what to expect when they call, and what kind of communication to expect if there is a serious outage. Likely this can be rolled into an existing data center plan or BCP/DR plan.
As I have often told executives when asked, "Security is a journey, not a destination" it requires the company leadership to be on-board to hire the right people, to establish policies and processes that are meaningful and appropriate to the level of risk, deploy technology to assist in maintaining the security controls and validating that they remain effective, and to enforce the policies and help to develop a secure environment.
http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/
This article starts with the catchy title "Please do not change your password" and alludes that it is better for users NOT to change passwords than to change passwords. I don't disagree that passwords are often more trouble than they are worth, and they can themselves become a weakness. This is not news folks, if you ask any certified InfoSec professional, they should advise you that multi-factor authentication is the right choice if you are serious about protecting access. One of the challenges has been to date that implementing this level of control is expensive and not usually done for leisure activities/web sites.
Any organization that is still relying on simple passwords as a security control in 2010 deserves the hacking that they no doubt have received. If you are in a regulated industry (i.e. health care, financial institution, or PCI compliance) or have intellectual property or trade secrets that you want to protect, passwords should not be a control that you look to as secure or appropriate to your environments.
Information Security is not for the faint of heart or for the lazy. You have to have professionals that stay informed about the threats that are manifesting, a rigorous maintenance process for your environments (including reliable methods for updating all systems with patches, monitoring your system for suspect activity, and responding in a reasonable way to any intrusions). You also must have environmental knowledge of where the key or sensitive data resides, the controls and monitoring in place to protect or alert you, etc.
One of the items that the author brings up is the complexity of security measures. This is unfortunately due to the complexity of the environments that we as Information Security professional are often tasked with protecting. The systems that most companies have deployed over the past 15 years or so have for the most part been developed and deployed without taking risk and security into account.
A couple easy suggestions for making any company more secure:
Some of these may not be appropriate for every environment, and some should be part of a larger security program or control framework (if you need more guidance here check out ISF, ISO27001, or NIST-800).
1) Do not let users have administrative access to their systems by default. There are a number of ways in any OS to prevent the users from having too much access (sudo, runas, etc.) there is no reason for most users to have admin access to a system. Many attacks will just fail if the user is not logged in as a local admin.
2) If you have something worth protecting, spend the time to assess the software, systems, networks, and other contributing factors to the systems that hold the "crown jewels". Propose more strict controls, monitoring, and assessment for these systems, and when something doesn't look right make sure to get to the bottom of it and find out what happened.
3) Inform your users, executives, and IT staff of what to do in the event of a security incident. Make sure they know who to call, what to expect when they call, and what kind of communication to expect if there is a serious outage. Likely this can be rolled into an existing data center plan or BCP/DR plan.
As I have often told executives when asked, "Security is a journey, not a destination" it requires the company leadership to be on-board to hire the right people, to establish policies and processes that are meaningful and appropriate to the level of risk, deploy technology to assist in maintaining the security controls and validating that they remain effective, and to enforce the policies and help to develop a secure environment.
Comments