Forwarded by: Lloyd D. Crosby <lloydcat_private>

I wish to express my concerns regarding this article. To be sure, user passwords have been the bane of System Administrators and Security offices since the dawn of computers, having become one of the most thorny of computer management issues to date.

There are two issues here: first, the scope and depth of security procedures and, second, the education of users to security threats and procedures coupled with best personal security practices.

Regarding security procedures, my concern rests with the actual application of adequate security measures. User passwords should be addressed as an important, inextricably linked element of validated security procedures that have been developed, promulgated and, yes, fairly enforced across the board (read level playing field) in any business. These security procedures should be realistic, dynamic and flexible based upon regular Risk / Threat Assessments balanced with the cost-effectiveness of solutions. This applies across the spectrum of working environments from a hardcopy / physical environment to softcopy / electronic and finally through to a Web / Cyber environment.

To this end, one of the most effective and easily implemented security procedures that can be applied to user passwords can be drawn from those procedures utilized in the management of combination locks. When a combination lock is first acquired, it has been given a default setting at the factory. The same holds true of many components of computer systems, whether hardware or software. When it is brought into service, a delegated security authority, with the appropriate tools available only to security personnel, walks the user through the process of changing the combination (read password), ensuring it conforms with existing security guidelines. The combination is verified separately by the security authority and the user on site before being officially placed into service.
Once confirmed, the set combination is then recorded on forms duly prepared to manage combinations, put into an appropriately marked envelope (one per lock combination), sealed, dated and signed / countersigned along seams. The envelope is then brought to the security office for safekeeping, being held in a securable container / cabinet with strict access controls in place. Record keeping of these envelopes includes the participants of the change, the date of the change and cross-referencing of those locks / combinations the user has access to.

At this point, a situation is present which benefits the user and the business. At the least, in those cases where it has been forgotten by the user, the combination can be acquired by the user (with appropriate verification). For the business, if the employee leaves or is terminated, the business has the current combination(s), a list of what access the user had and can commence combination changes, thereby maintaining security levels.

Another tangible benefit presents itself at this point: a means to manage combinations along prescribed security guidelines. In high security areas, combinations are changed on a regular basis, usually every three to six months. Utilizing the initial 'in service' date of a lock and current combination, a timeline can be defined whereupon combinations can be changed, affording a higher degree of protection overall. Moreover, when a combination has been compromised in any way or when authorized access has been detected, requisite combination changes can be managed more rapidly and efficiently. There is of course an increased burden placed upon the personnel and resources of security offices in the areas of administration and management of these procedures.
The appropriate level of implementation / burden can be assessed and more realistically determined based once again on the Risk / Threat Assessments and the expected return on investment (ROI) these procedures bring to safeguarding business information and systems.

Regarding education, this is perhaps one of the most critical yet least addressed aspects of security. If users are not made aware of the perceived threats posed to their livelihood / business, nor updated on developments, and regularly informed and reinforced what impact lax personal security practices pose, users become complacent and apathetic. At this point, rather than being important Allies and 'Team players' in implementing and supporting best security measures, users develop unsafe practices that jeopardize security, thus becoming the weakest link. This has far reaching implications, particularly in a softcopy / electronic and Web / Cyber environment.

Initial security education of new employees is essential. In many cases, this can be readily conducted by security personnel during the 'Welcome Aboard' and induction phase of recruitment. Continued awareness and reinforcement are just as essential. This can be accomplished by any number of means, from regular refresher sessions (especially after holiday seasons), posters placed in high traffic areas and flyers in mailboxes to gentle email reminders.

Regards.

Lloyd D. Crosby

----- Original Message -----
From: InfoSec News <isnat_private>
To: <isnat_private>
Sent: 26-Jun-01 05:07
Subject: [ISN] Survey: Security Password Picks Are Easy Prey

> http://dailynews.yahoo.com/h/nf/20010625/tc/11524_1.html
>
> By Jay Lyman
> www.NewsFactor.com
> Monday June 25, 2001

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribeat_private
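As an added illustration (not part of Mr. Crosby's letter or the ISN post), a small Python model of the combination register the letter describes: it answers which sealed combinations are overdue for rotation or flagged compromised, and which must be changed when a user leaves. The six-month window, the lock names and the user names are assumed values.

```python
from dataclasses import dataclass
from datetime import date

# Constructed register modelling the sealed-envelope procedure: one record per
# lock (or account password), noting who took part in the change, the date it
# went into service, and which users are cross-referenced as holding access.
@dataclass
class EnvelopeRecord:
    lock_id: str            # lock or account the sealed envelope belongs to
    holders: set            # users cross-referenced as having this access
    in_service: date        # date the current combination was set
    participants: tuple     # user and security authority who verified it
    compromised: bool = False

ROTATION_DAYS = 180          # "every three to six months"; upper bound assumed
TODAY = date(2001, 6, 26)    # constructed reference date for the sample run

def rotations_due(register, today, max_age_days=ROTATION_DAYS):
    """Locks whose combination is older than the rotation window, or flagged
    compromised; compromised ones first, then oldest in-service date."""
    due = [r for r in register
           if r.compromised or (today - r.in_service).days >= max_age_days]
    return sorted(due, key=lambda r: (not r.compromised, r.in_service))

def changes_on_departure(register, user):
    """Every combination a departing user had access to must be changed;
    the cross-reference in the register says which ones."""
    return sorted(r.lock_id for r in register if user in r.holders)

def rotate(record, today, participants):
    """Record a verified change: new in-service date, compromise flag cleared."""
    record.in_service = today
    record.participants = participants
    record.compromised = False
    return record

def sample_register():
    # Constructed sample entries (hypothetical locks and users).
    return [
        EnvelopeRecord("vault-A", {"alice", "bob"}, date(2000, 12, 1), ("alice", "secoff")),
        EnvelopeRecord("server-root", {"bob"}, date(2001, 5, 1), ("bob", "secoff")),
        EnvelopeRecord("payroll-db", {"carol"}, date(2001, 6, 1), ("carol", "secoff"),
                       compromised=True),
    ]

if __name__ == "__main__":
    reg = sample_register()
    print("due now:", [r.lock_id for r in rotations_due(reg, TODAY)])
    print("bob leaves:", changes_on_departure(reg, "bob"))
```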
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 03:03:42 PDT