Re: [ISN] Survey: Security Password Picks Are Easy Prey

From: InfoSec News (isnat_private)
Date: Thu Jun 28 2001 - 00:00:13 PDT


    Forwarded by: Lloyd D. Crosby <lloydcat_private>
    
    I wish to express my concerns regarding this article.
    
    To be sure, user passwords have been the bane of System Administrators
    and Security offices since the dawn of computers, having become one of
    the most thorny of computer management issues to date.
    
    There are two issues here: first, the scope and depth of security
    procedures and, second, the education of users to security threats and
    procedures coupled with best personal security practices.
    
    Regarding security procedures, my concern rests with the actual
    application of adequate security measures. User passwords should be
    addressed as an important, inextricably linked element of validated
    security procedures that have been developed, promulgated and, yes,
    fairly enforced across the board (read level playing field) in any
    business. These security procedures should be realistic, dynamic and
    flexible based upon regular Risk / Threat Assessments balanced with
    the cost-effectiveness of solutions. This applies across the spectrum
    of working environments from a hardcopy / physical environment to
    softcopy / electronic and finally through to a Web / Cyber
    environment.
    
    To this end, one of the most effective and easily implemented security
    procedures that can be applied to user passwords can be drawn from
    those procedures utilized in the management of combination locks. When
    a combination lock is first acquired, it has been given a default
    setting at the factory. The same holds true of many components of
    computer systems whether hardware or software. When it is brought into
    service, a delegated security authority, with the appropriate tools
    available only to security personnel, walks the user through the
    process of changing the combination (read password), ensuring it
    conforms with existing security guidelines. The combination is
    verified separately by the security authority and the user on site
    before being officially placed into service. Once confirmed, the set
    combination is then recorded on forms duly prepared to manage
    combinations, put into an appropriately marked envelope (one per lock
    combination), sealed, dated and signed / countersigned along seams.
    The envelope is then brought to the security office for safekeeping,
    being held in a securable container / cabinet with strict access
    controls in place. Record keeping of these envelopes includes the
    participants of the change, the date of the change and
    cross-referencing of those locks / combinations the user has access
    to.
    
    At this point, a situation is present which benefits the user and the
    business. At the least, in those cases where it has been forgotten by
    the user, the combination can be acquired by the user (with
    appropriate verification). For the business, if the employee leaves or
    is terminated, the business has the current combination(s), a list of
    what access the user had and can commence combination changes thereby
    maintaining security levels.
    
    Another tangible benefit presents itself at this point: a means to
    manage combinations along prescribed security guidelines. In high
    security areas, combinations are changed on a regular basis, usually
    every three to six months. Utilizing the initial 'in service' date
    of a lock and current combination, a timeline can be defined
    whereupon combinations can be changed affording a higher
    degree of protection overall. Moreover, when a combination has been
    compromised in any way or when authorized access has been detected,
    requisite combination changes can be managed more rapidly and
    efficiently.
    
    There is of course an increased burden placed upon the personnel and
    resources of security offices in the areas of administration and
    management of these procedures. The appropriate level of
    implementation / burden can be assessed and more realistically
    determined based once again on the Risk / Threat Assessments and the
    expected return on investment (ROI) these procedures bring to
    safeguarding business information and systems.
    
    Regarding education, this is perhaps one of the most critical yet
    least addressed aspects of security. If users are not made aware of
    the perceived threats posed to their livelihood / business, nor
    updated on developments, nor regularly informed and reminded of what
    impact lax personal security practices pose, users become complacent
    and apathetic. At this point, rather than being important Allies and 'Team
    players' to implementing and supporting best security measures, users
    develop unsafe practices that jeopardize security thus becoming the
    weakest link. This has far reaching implications, particularly in a
    softcopy / electronic and Web / Cyber environment.
    
    Initial security education of new employees is essential. In many
    cases, this can be readily conducted by security personnel during the
    'Welcome Aboard' and induction phase of recruitment. Continued
    awareness and reinforcement are just as essential. This can be
    accomplished by any number of means, from regular refresher sessions
    (especially after holiday seasons), posters placed in high traffic
    areas and flyers in mailboxes, to gentle email reminders.
    
    Regards.
    
    Lloyd D. Crosby
    
    
    ----- Original Message -----
    From: InfoSec News <isnat_private>
    To: <isnat_private>
    Sent: 26-Jun-01 05:07
    Subject: [ISN] Survey: Security Password Picks Are Easy Prey
    
    
    > http://dailynews.yahoo.com/h/nf/20010625/tc/11524_1.html
    >
    > By Jay Lyman
    > www.NewsFactor.com
    > Monday June 25, 2001
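The combination-escrow procedure described in the message above (one sealed envelope per lock, separate verification by the user and the security authority, cross-referencing of the locks each user holds, rotation every three to six months, and rapid change on compromise or departure) can be modelled as a small ledger. The Python below is an added example by the editor, not code from the message, from ISN or from any product; it records only envelope metadata and never the combination itself, and it assumes a 90-day rotation interval, constructed lock and user names, a hypothetical envelope numbering scheme, and the article's date as "today".

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ROTATION_DAYS = 90                 # assumption: lower end of "three to six months"
THREAD_DATE = date(2001, 6, 26)    # constructed: the date of the forwarded article


@dataclass
class EscrowRecord:
    """One sealed envelope on file. Metadata only: the combination stays in the envelope."""
    lock_id: str
    envelope_id: str               # hypothetical envelope numbering scheme
    in_service: date
    set_by: str                    # the user who changed the combination
    verified_by: str               # the delegated security authority who witnessed it
    holders: set = field(default_factory=set)   # users cross-referenced to this lock
    change_required: bool = False  # compromise or departure flagged this envelope
    retired: Optional[date] = None # set when a newer envelope replaces this one


class EscrowLedger:
    def __init__(self) -> None:
        self.records: list[EscrowRecord] = []

    def active(self) -> list[EscrowRecord]:
        return [r for r in self.records if r.retired is None]

    def _active_for_lock(self, lock_id: str) -> Optional[EscrowRecord]:
        for r in self.active():
            if r.lock_id == lock_id:
                return r
        return None

    def place_in_service(self, lock_id, envelope_id, in_service, set_by, verified_by, holders):
        # Separate verification: the authority may not be the user who set the combination.
        if set_by == verified_by:
            raise ValueError("combination must be verified separately by user and security authority")
        if set_by not in holders:
            raise ValueError("the user who set the combination must be cross-referenced as a holder")
        # One active envelope per lock: a new combination retires the previous envelope.
        prev = self._active_for_lock(lock_id)
        if prev is not None:
            prev.retired = in_service
        rec = EscrowRecord(lock_id, envelope_id, in_service, set_by, verified_by, set(holders))
        self.records.append(rec)
        return rec

    def access_for(self, user: str) -> list[str]:
        """Cross-reference: every lock this user currently has access to."""
        return sorted(r.lock_id for r in self.active() if user in r.holders)

    def mark_compromised(self, lock_id: str) -> None:
        rec = self._active_for_lock(lock_id)
        if rec is None:
            raise KeyError(lock_id)
        rec.change_required = True

    def offboard(self, user: str) -> list[str]:
        """Employee leaves: drop their access and flag every lock they held for a change."""
        affected = []
        for r in self.active():
            if user in r.holders:
                r.holders.discard(user)
                r.change_required = True
                affected.append(r.lock_id)
        return sorted(affected)

    def due_for_change(self, today: date, interval_days: int = ROTATION_DAYS) -> list[str]:
        """Locks past the rotation interval, plus any flagged after compromise or departure."""
        return sorted(r.lock_id for r in self.active()
                      if r.change_required or (today - r.in_service).days >= interval_days)


def build_sample_ledger() -> EscrowLedger:
    """Constructed data: three locks placed in service during 2001."""
    ledger = EscrowLedger()
    ledger.place_in_service("cabinet-A", "ENV-0001", date(2001, 1, 15), "alice", "sec-officer", {"alice", "bob"})
    ledger.place_in_service("safe-B", "ENV-0002", date(2001, 5, 1), "bob", "sec-officer", {"bob"})
    ledger.place_in_service("server-room", "ENV-0003", date(2001, 6, 1), "carol", "sec-officer", {"carol", "alice"})
    return ledger


def run_scenario() -> dict:
    """Walk the ledger through the message's use cases: cross-reference, rotation, offboarding."""
    ledger = build_sample_ledger()
    out = {}
    out["alice_access"] = ledger.access_for("alice")
    out["due_initial"] = ledger.due_for_change(THREAD_DATE)           # only cabinet-A is past 90 days
    out["bob_offboard"] = ledger.offboard("bob")                       # bob held cabinet-A and safe-B
    out["due_after_offboard"] = ledger.due_for_change(THREAD_DATE)
    next_day = THREAD_DATE + timedelta(days=1)
    ledger.place_in_service("cabinet-A", "ENV-0004", next_day, "alice", "sec-officer", {"alice"})
    out["due_after_rotation"] = ledger.due_for_change(next_day)        # safe-B still awaits its change
    out["envelopes_on_file"] = len(ledger.records)                     # retired envelopes stay on record
    out["envelopes_active"] = len(ledger.active())
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The ledger keeps retired envelopes on file, so the record of who changed what and when survives each rotation; the `change_required` flag is how a compromise or a departure jumps the queue ahead of the calendar interval.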
    
    
    
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 03:03:42 PDT