Password Security

Thu, Sep 11, 2008, by TechDoc

Security

The tug-of-war between security and cybercrime is constantly among the hottest news topics, and as long as attackers keep developing new strategies and defenders keep answering them with new countermeasures, it will remain so.

Computer security, hacking, cybercrime and scams now seem to make the news headlines every day, each with some new slant that has netted fraudsters six-figure sums. Will it ever end? With this sort of money to be had, the answer is probably not. There will always be somebody out to make a fast buck at somebody else’s expense.

Cybercrime Tug “o” War

As attackers develop new strategies, defenders develop new countermeasures. So the attackers develop counter-countermeasures, to which the defenders respond with counter-counter-countermeasures, and so on it goes, at a rate that sets your mind spinning. It really does seem quite overwhelming at times.

Everybody’s objective in the cybercrime tug “o” war is to be on the winning side. Nobody likes losing, especially when the prize at stake is your own property or, worse, your identity. However, there are steps you can take to reduce both your organization’s risk and your own.

Single Point of Failure

Many systems today still rely on password-only authentication, so defending yourself and your organization against breaches of password security takes on heightened importance. A single point of failure (the logon name and password combination) is also a single point of attack: whoever learns the password is you, as far as the system is concerned.

Ostrich tactics won’t work here, so be a cold-blooded, pragmatic realist and assess your current password security procedures and status honestly. Keep the details of your self-assessment to yourself, since a written list of your weak spots is a gift to an attacker. Identify the areas of weakness and put them right.

Passwords – Hard Copies (Paper)

Human laziness, carelessness and a casual attitude toward security, particularly where user accounts are concerned, are among the most pervasive, long-running issues facing the information security specialist.

The best advice concerning the practice of making hard copies of authentication credentials is DON’T. But we live in the real world and people do. So here is what can be done to tighten security for password hard copies.

Keeping a Copy in the Desk

Maintaining a hard copy (paper) of your passwords and locking it in your desk is not as secure a practice as you might think. You cannot guarantee that nobody will attempt to break into your desk.

The locks on most desks are merely a trivial inconvenience to anyone with a little know-how and a flat-edged envelope opener. Five to ten seconds is usually all it takes to open the majority of desk drawers.

Leaving the desk unlocked is worse still: it may spare the lock from damage, but it does nothing to protect the paper inside. You cannot watch your desk 24/7, so there is no way you can guarantee that it is a secure place to store authentication credentials.

Password Hard Copy Security Basics (If You Really Must)

  • Do not keep a hard copy of your passwords in close physical proximity to your computer, e.g. on your desk or beside the PC or monitor
  • Do not write down your logon and password details and leave them in open public view
  • Do not write your logon name and password on a post-it note and stick it to the PC or monitor. This is probably the worst password hard copy practice of all.
  • Lock the desk
  • Use a safe
  • Store the credentials in another room or even off-site

Passwords – Electronic, Magnetic and Optical Copies

Electronic, magnetic and optical copies of authentication credentials can at least be encrypted, which paper cannot, but they are also easier to copy without leaving a trace, so considerable care is still needed. Here are a few pointers to improve your security preparedness when storing password authentication credentials on electronic, magnetic or optical media:

Encryption – Always encrypt the credentials data when storing it in electronic, magnetic or optical form, using a tool whose password (or key) is actually what the ciphertext depends on, such as a purpose-built password manager or an encrypted container. A file or document that is merely “password protected” (the application asks for a password before it will open the file, but the bytes on disk are not encrypted) offers no protection at all: the contents can be read straight off the disk, or with a different application.

Hashing – While you are at it, keep a cryptographic hash of the stored file so that tampering can be detected. Use SHA-256 rather than MD5: MD5 is fast to compute and collisions for it are known, so it should not be relied on for integrity. Compute the hash after the file has been saved to disk, and include the file’s size, permissions and modification time alongside its contents so that a change to the attributes alone is also caught. Keep the reference hash somewhere other than next to the file (or use a keyed HMAC with a key stored elsewhere); otherwise anyone who can modify the file can simply recompute the hash to match.

Be clear about what the check does and does not tell you. Comparing the stored hash with a fresh one tells you whether the file has been changed since you hashed it. It does not tell you whether anybody has read it: reading leaves the contents, and therefore the hash, untouched. The NTFS last-access timestamp is not a dependable substitute either, since Vista and Server 2008 stop updating it by default. If you want to know who opened the file, turn on object access auditing in the local security policy and add an auditing entry (SACL) to the file; the Security event log then records each access together with the account that made it.

Forewarned is forearmed. Knowing that a file has been tampered with, or that an account has been opening it, removes the attacker’s advantage of surprise: they will most likely be unaware that you know somebody has been there.
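The following is an added example, not code from the original article, showing the kind of integrity check described above in Python. It uses a keyed HMAC-SHA256 over the file’s bytes plus size, permission bits and modification time, and the demo() function creates a constructed stand-in file to show that a read does not trip the check, a modification does, and a tag computed without the key is rejected. The key constant is a placeholder for illustration; in practice it would be generated once and kept away from the file.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Illustrative constant only: a real key is generated once (secrets.token_bytes)
# and kept away from the file it protects, since a key stored next to the file
# lets whoever edits the file recompute the tag. An unkeyed SHA-256 works the
# same way but must then be stored on separate media to be trustworthy.
INTEGRITY_KEY = b"example-only-integrity-key-keep-this-elsewhere"


def fingerprint(path: str, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the file's bytes plus size, permission bits and mtime.

    The metadata is folded in so that a change that keeps the bytes but alters
    permissions or the modification time is still caught. Access time is left
    out on purpose: it moves on every legitimate read and NTFS on Vista/2008
    does not update it by default, so it is not a reliable signal.
    """
    st = os.stat(path)
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    meta = f"|size={st.st_size}|mode={stat.S_IMODE(st.st_mode)}|mtime_ns={st.st_mtime_ns}"
    mac.update(meta.encode())
    return mac.hexdigest()


def verify(path: str, expected: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(fingerprint(path, key), expected)


def demo() -> dict:
    """Create a constructed credential file and exercise the check.

    Returns the outcome of three verifications: after a read, after a write,
    and for a tag computed with a different key.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials.enc")
        with open(path, "wb") as fh:
            fh.write(b"<constructed stand-in for an encrypted credential store>")
        baseline = fingerprint(path)

        # A snooper that only reads the file leaves bytes and mtime unchanged,
        # so the tag still matches: integrity checks do not detect access.
        with open(path, "rb") as fh:
            fh.read()
        after_read = verify(path, baseline)

        # Appending changes size, bytes and mtime: this is detected.
        with open(path, "ab") as fh:
            fh.write(b"\nextra bytes")
        after_write = verify(path, baseline)

        # A tag forged without the key does not verify, even over the current bytes.
        forged = fingerprint(path, b"attacker-guessed-key")
        wrong_key = verify(path, forged)

    return {"after_read": after_read, "after_write": after_write, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())
```

The three results come back as True, False, False respectively: the check is silent on reads, loud on writes, and cannot be satisfied by someone who lacks the key.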

Theft – As with paper hard copies, any physical copy of any data carries the additional risk of physical theft. Many thieves find it easier to steal physical objects than electronic ones. They may consider your PC too big to put in their pocket, but CDs, USB flash drives, floppy disks and external hard drives are another matter altogether.

Physical Security – Protecting electronic, magnetic and optically stored copies of your data always begins with physical security measures such as data vaults, lock and key and off-site storage. Combine these with the encryption and password locking described above: physical controls limit who can reach the media, and encryption limits what they get if they do.

Password Complexity

The stronger a password, the longer it takes an attacker to crack, and most attackers will simply move on to easier targets. Length matters more than anything else: every extra character multiplies the search space by the size of the alphabet, whereas adding a character class only enlarges the alphabet. It is strongly recommended that you ensure that any passwords you use comply with the following guidelines:

Minimum Length – Make sure that your passwords are at least 8 characters long. The more characters in a password or pass phrase the better, so 14 characters gives immensely better security than 8, 9, 10 or 11. On Windows there is a further reason to go to 15 or more: the weak LM hash cannot be computed for passwords longer than 14 characters, so none is stored.

Case Sensitive – Ensure that all password authentication mechanisms are case sensitive

Mixed Case – Use a mixture of upper and lower case characters

Numbers – Include at least one numeral in every password

Symbols – Include at least one non-alphanumeric character (symbol) in every password

Dictionary – Do not use a single dictionary word, even with digits or symbols added to the front or back; cracking wordlists try those variations first.

Social Engineering – Try not to use names or dates that are associated with you as a person. This means that you should not use your address or birth dates or the names of family, friends or pets either.

Defaults – Change all default authentication credentials at the earliest possible time. This will include the default administrator account and password. Also disable the Anonymous and Guest account access privileges.

Retry Limits – Limit the number of failed attempts before the account is locked out. On Windows this is the Account Lockout Policy under Account Policies in the Local Security Policy (secpol.msc) or the domain Group Policy, not the Local Users and Groups snap-in; the same values can be set from the command line with net accounts. Setting the threshold low, say three to five attempts (two is on the harsh side, since a single typo plus a retry lands a legitimate user on it), defeats online guessing outright: a brute-force or dictionary attack through the logon prompt cannot get far before the account locks, and most attackers won’t waste their time on you when there are easier fish to be had. Do bear in mind the flip side: whoever can reach the logon prompt can also lock out any user on purpose, so pair a low threshold with a lockout duration that expires on its own rather than one that requires an administrator to unlock.

Retry Rate (Time-to-Wait) – Where the system supports it, also restrict the retry rate, for example by imposing a delay of 5 seconds after each mismatch before another attempt is accepted (on Linux the pam_faildelay module does this for PAM logons). That is enough to thwart most online “brute force” tools. Note that lockouts and delays only slow down guessing through the live logon interface; an attacker who has stolen the password hashes can try millions of guesses per second offline, and only the password’s length and unpredictability protect you there.

Password Renewal – Change authentication credentials, including passwords and pass phrases, whenever there is any suspicion that they have been exposed, and on a sensible schedule otherwise. Forcing very frequent changes tends to backfire, as users respond with predictable variations (Password1, Password2) or written notes.

Password Policy – Develop, document and implement a password/pass phrase policy and enforce it.
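As an added example (not from the original article), here is the lockout and time-to-wait logic from the two retry guidelines above, written in Python as a small server-side login guard with a constructed single-user credential store. The attempt() method takes the current time as a parameter so the sequence can be replayed without sleeping; the simulate() function runs a short guessing sequence against a deliberately low threshold of three and shows both the intended effect (the guesser is locked out) and the side effect (the legitimate owner, arriving during the lockout, is locked out too).

```python
import hmac
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # failed attempts in the current observation window
    window_start: float = 0.0  # when the current window opened
    locked_until: float = 0.0  # lockout expiry (0 = not locked)
    not_before: float = 0.0    # earliest time the next attempt is even considered


class LoginGuard:
    """Server-side throttling of online password guessing.

    `threshold` failures inside `window_seconds` lock the account for
    `lockout_seconds`, and every failure imposes `retry_delay` seconds before
    the next attempt on that account is looked at. Time is passed in explicitly
    so the behaviour can be exercised without sleeping.
    """

    def __init__(self, credentials, threshold=5, lockout_seconds=900,
                 window_seconds=900, retry_delay=5):
        # Constructed sample store: username -> password. A real store keeps
        # salted hashes; the throttling logic is the same either way.
        self._creds = credentials
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.window_seconds = window_seconds
        self.retry_delay = retry_delay
        self._state = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if now < st.not_before:
            return "too_fast"
        # Reset the counter once the observation window has expired, so old
        # failures do not accumulate forever.
        if now - st.window_start > self.window_seconds:
            st.failures, st.window_start = 0, now
        # Always run the comparison, even for unknown users, so response time
        # does not reveal which account names exist; compare_digest keeps it
        # constant-time.
        stored = self._creds.get(user, "")
        match = hmac.compare_digest(stored.encode(), password.encode())
        if match and user in self._creds:
            st.failures = 0
            return "ok"
        st.failures += 1
        st.not_before = now + self.retry_delay
        if st.failures >= self.threshold:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            return "locked"
        return "denied"


def simulate() -> list:
    """Replay a constructed guessing sequence against one account with a
    deliberately low threshold of 3 and return the verdict for each attempt."""
    guard = LoginGuard({"alice": "2*Shorts&3*Longs"}, threshold=3,
                       lockout_seconds=900, retry_delay=5)
    attempts = [
        (0,   "password"),          # first guess: denied, 5 s delay imposed
        (1,   "123456"),            # inside the delay: not even evaluated
        (5,   "123456"),            # second failure
        (10,  "letmein"),           # third failure: account locked for 900 s
        (15,  "2*Shorts&3*Longs"),  # the real owner, correct password, still locked
        (911, "2*Shorts&3*Longs"),  # lockout expired: accepted
    ]
    return [guard.attempt("alice", pw, t) for t, pw in attempts]


if __name__ == "__main__":
    for verdict in simulate():
        print(verdict)
```

The verdicts come out as denied, too_fast, denied, locked, locked, ok. The fifth line is the point of the caveat above: a low threshold stops the guesser, but it also shuts the door on the account’s owner until the lockout expires, which is why the duration should be finite rather than administrator-reset.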

Pass Phrases

Using pass phrases rather than passwords is a far more secure practice. It also means that a higher degree of complexity can be built in while remaining user-friendly. As an example, you could use a pass phrase like this – 2Shorts&3Longs. Note that this example has a total of 14 characters and includes a mixture of upper and lower case, numeric characters and the ampersand symbol.

A simple modification of this could be – 2*Shorts&3*Longs. Simply including the two asterisks has made this a 16 character mixed upper and lower case alphanumeric with symbols included pass phrase. It is easy to remember if you think of it like this – 2 times Shorts & 3 times Longs.

Automatically Generated Passwords

Most systems can generate passwords automatically that adhere rigidly to a predefined set of rules such as those in a password policy: password managers do this as standard, Linux distributions ship tools such as pwgen and apg, and any scripting language with a cryptographically secure random source will do the job.

The passwords so generated are not necessarily easy for us mere mortals to remember, so the pass phrases outlined above may be more appropriate for you.

Here is another pass phrase – InTheDoor4*4. At 12 characters of mixed upper and lower case with numerals and a symbol, this is quite a strong pass phrase and will be accepted by most if not all systems. Say it as “In The Door 4 by 4”. It’s the rhyming factor that makes it easy to remember.
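The following Python, added here as an example rather than taken from the article, turns the complexity guidelines and the pass phrase examples above into a checker, a search-space estimate and a generator. The dictionary and personal-data sets are small constructed stand-ins for a real word list and the user’s profile data. check_policy() returns the rules a candidate breaks, search_space_bits() quantifies the length claim (14 characters drawn from all four classes is about 92 bits against about 52 for 8), and generate() draws from the OS random source until the result satisfies the policy, which is what the automatically generated passwords mentioned above amount to.

```python
import math
import re
import secrets
import string

# Constructed stand-ins: a real deployment loads a full word list and the
# user's own profile data (names, dates, address) instead of these sets.
DICTIONARY = {"password", "welcome", "summer", "monkey", "dragon", "letmein"}
PERSONAL = {"alice", "rover", "1981", "sheffield"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_policy(pw: str, min_len: int = 14, dictionary=DICTIONARY, personal=PERSONAL) -> list:
    """Return the list of rules the candidate breaks; an empty list means it complies."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no symbol")
    # Dictionary rule: a single word dressed up with digits and symbols
    # ("Password1!") is what cracking wordlists try first. Several words run
    # together, as in the pass phrases above, are not rejected by this rule.
    letters_only = "".join(c for c in pw if c.isalpha()).lower()
    if letters_only in dictionary:
        problems.append("dictionary word plus decoration")
    # Social engineering rule: anything from the user's own life, as a substring.
    hits = sorted(item for item in personal if item in pw.lower())
    if hits:
        problems.append("contains personal data: " + ", ".join(hits))
    return problems


def search_space_bits(pw: str) -> float:
    """Size in bits of the space a brute-force attacker must cover, assuming
    they know which character classes are present but nothing else."""
    classes = 0
    if any(c.islower() for c in pw):
        classes += 26
    if any(c.isupper() for c in pw):
        classes += 26
    if any(c.isdigit() for c in pw):
        classes += 10
    if any(not c.isalnum() for c in pw):
        classes += len(string.punctuation)
    return len(pw) * math.log2(classes) if classes else 0.0


def generate(length: int = 14) -> str:
    """Random password from the OS CSPRNG, redrawn until it satisfies check_policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate, min_len=length):
            return candidate


if __name__ == "__main__":
    for sample in ["2Shorts&3Longs", "InTheDoor4*4", "Password1!", "Rover1981!!xyzAB"]:
        verdict = check_policy(sample) or "ok"
        print(f"{sample:18} {search_space_bits(sample):5.1f} bits  {verdict}")
    print("generated:", generate())
```

Against the default 14-character minimum, 2Shorts&3Longs passes and InTheDoor4*4 fails on length alone (it passes with min_len=8, the floor the guidelines allow), Password1! is caught as a decorated dictionary word, and a 16-character string built from a pet’s name and a birth year is rejected for personal data despite ticking every character-class box.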

Security-In-Depth

Using a security-in-depth strategy entails implementing more than one mechanism in your defenses. You can build multiple layers of defense around password authentication.

One set of credentials (user logon name and password) opens a channel, after which additional passwords are required to gain further access privileges and user rights as needed. This is the strategy Cisco uses in IOS: the login password gets you user EXEC mode, and a separate enable password is needed for privileged mode. Use the “enable secret” command for that second password rather than “enable password”: enable secret stores a salted hash of the password in the configuration, whereas enable password stores it in clear text (or, with service password-encryption, in the trivially reversible type 7 encoding).

Here is an example to illustrate the security-in-depth approach using password authentication systems:

  1. You log onto the network with one password which, in association with your logon user name, gives you access to basic network assets, services and resources once authenticated
  2. If some time later you need access to a resource requiring a higher privilege level, such as a database, you may need to supply another user name with a different password. We now have a two-tiered hierarchy of access privileges to specific resources. Still password-based, but considerably more secure than a one-password-accesses-all implementation, provided the second password really is different: reusing the first one collapses the two tiers back into one.
  3. Now suppose you wish to modify sensitive information held within that database. In this case you will need to supply yet another user name and password. A third layer of password-protected access is now in place. Your level of security has increased yet again, and the best bit is that it is not going to cost you anything.

Most operating systems, including Windows, Linux and Apple Mac OS, support separate credentials for separate privilege levels out of the box (think of the administrator or root password on top of your own logon), and many applications (MS Word, OpenOffice, security suites and so on) can require a password of their own before they will open a document or change a setting.

A classic example of this would be your email account. Your operating system requires the first password at logon. Your email service provider requires another when you wish to check your email.

WARNING: A word of caution, however. Many email clients are still configured to send the password in the clear when logging in to the POP3, IMAP or SMTP server, which is a very bad idea: anybody with a “packet sniffer” on the path can capture the traffic and read the password at their leisure. To overcome this, configure the client to use an encrypted connection to the mail server (SSL/TLS or STARTTLS) so that the whole session, password included, is protected, and use multifactor authentication where it is offered. I do recommend both and will discuss them in another article which I hope to have finished in a day or two.

Conclusions

NEVER disclose account authentication credentials such as logon names and passwords. At all times and under all circumstances this information must remain known only to you, the user in question. Security, administration and support personnel do not need your password: anyone who legitimately needs to get you back into your account can reset it, and a request for your existing password is a warning sign of social engineering.

NEVER keep hard copies of passwords and other authentication details

ALWAYS store data in an encrypted format

ALWAYS afford authentication credentials maximal protection and spare no effort in these endeavors, as they will deliver heightened levels of security across the board to your entire system/network

ALWAYS implement multiple layers of password-protected authentication. A security-in-depth approach is applicable to practically every system with a little careful planning.

REACTIVATE the logon password dialogue if it has been disabled

One final thought is to remember the 3 A’s:

AAA – Appropriate Authenticated Accessibility. (In the industry, AAA more usually stands for Authentication, Authorization and Accounting: prove who you are, get only what you are allowed, and leave a record of what you did.)


1 Comment For This Post

  1. Angrified Says:

    A lot of information. Well written.
