Easy to implement steps that you as an individual can take to reduce both your individual personal risk/threat impact levels as well as those of a large organization and everyone in between.
With attackers developing new strategies and attacks at a truly frightening pace, defenders need to develop new countermeasures even quicker if they are to prevent an attack or at the very least diminish the damage done during an attack.
Winners and Losers
Let’s face it: there can be little doubt that both sides (the bad guys and the good guys) want to be on the winning side of the cyber security tug-of-war. To complicate matters further, the speed at which the whole cybercrime and cyber attack situation evolves can at times become a bit overwhelming, even for the seasoned professional.
Fortunately there are a number of simple, easy to implement steps that you as an individual can take to reduce both your individual personal risk/threat impact levels as well as those of a large organization and everyone in between.
I will now present a number of simple but effective, long-standing “tried and true” strategies that have shown time and time again their capacity to reduce or mitigate your risk and your exposure to the most common attacks of today. Reducing the impact and consequences of an attack, should one become a reality, and the measures and countermeasures available to you will be dealt with as well.
Realization and Understanding – Security Awareness
The first thing that we need to acknowledge is that there is always somebody (individuals and/or groups) out there looking to make a fast buck. Deny this and you are destined to be perpetually on the losing side.
We also need to address such factors as “insider” attacks, insider collaboration attacks, scams, social engineering, hacking, cracking, phishing etc. In addition, attacker motivations need to be determined, understood and recognized, as this will allow us to construct more specific targeted responses and proactive countermeasures along with custom preventative initiatives.
Some of these motivations include: fraud, identity theft, malicious intent, revenge, financial greed, scams (e.g. Nigerian 419 attacks), extortion, thrill seeking and espionage etc.
Importantly, however, most attacks are not perpetrated mindlessly and without any predefined purpose. The attacker always has some goal in mind when perpetrating the attack. This comes as no surprise when one considers the amount of effort that goes into the planning, design and implementation of many attacks.
When we understand what it is that the attacker hopes to achieve through the attack, we can implement both reactive and proactive initiatives that will negate a particular type of attack. Using attack-specific countermeasures means that defenders will need to implement and maintain a considerable number of strategies in order to meet most threats head-on. Most current antivirus software is effective against a considerable number of potential threats.
Password/Pass Phrase Policy
The development of a suitable password policy is always one of the first tasks that you should undertake whenever assessing, planning, implementing, administering, maintaining, documenting and updating your authentication methods and credentials. Passwords and pass phrases are no exception to this most basic of authentication rules.
- Policy Contents – Your password policy should outline and detail all requirements concerning and about passwords and their usage by yourself or within your organization. Consistency across the board is always one goal that a password policy should address.
- Policy Documentation and Enforcement – Thorough documentation and enforcement of your password/pass phrase policies are factors critical to the attainment of the goals and directives set forth in those policies.
- Assessment – Be a realist and assess your current password security procedures and status honestly. Do not let anyone else know the details of your self-assessment. The primary purpose of a password security assessment regime is to identify areas of weakness so that you can put them right.
- Logon Password Dialogue – Always reactivate the logon password dialogue if it has been disabled.
- Logging, Accounting and Auditing – With logging turned on you will be able to identify such events as attempted, successful and unsuccessful system and network logon attempts. Here you can glean considerable information that may very well point to the presence of an intruder or even attempts by an insider attempting to access system and network resources for which they do not have the necessary account privileges.
- User Education – Through continual user education and updating it is possible to create an environment with a high level of user security awareness. This goes a long way toward the establishment of a security aware culture. The benefits of a security aware culture include a considerable reduction in exposure to potential attacker(s).
Users are less likely to become victims of phishing and social engineering attacks, which enhances an organization’s overall resistance to these types of attacks. Remember that breaches of user security are the most common means by which attackers gain authentication credentials, including logon account name and password pairs.
Password Complexity
The more complex a password, the harder it is for an attacker to crack. Most attackers will simply move on to easier targets. It is strongly recommended that you ensure that any passwords that you use comply with the following guidelines:
- Minimum Length – Make sure that your passwords are 8 characters or more in length. The more characters in a password/pass phrase the better, so using 14 characters provides immensely better password security than using 8, 9, 10 or 11 characters.
- Case Sensitive, Mixed Case, Numbers and Symbols – Ensure that all password authentication mechanisms are case sensitive and that they use a mixture of upper and lower case characters along with at least one numeral and one non-alphanumeric character (symbol) in every password.
- Dictionary – Try not to use any real words that can be found in a dictionary.
- Social Engineering – Try not to use names or dates that are associated with you as a person. This means that you should not use your address or birth dates or the names of family, friends or pets either.
- Defaults – Change all default authentication credentials at the earliest possible time. This will include the default administrator account and password. Also disable the Anonymous and Guest account access privileges. Do this for every device including your modems, switches, routers, workstations, firewalls, mobile devices etc.
- Retry Attempts and Retry Rate (Time-to-Wait) Limits – You can use Local Users and Groups > Passwords policy to limit the number of retries available to a user when logging on to the system/network.
Setting the maximum number of retries permitted before the account is locked out to two or three will go a long way to preventing most password cracking attempts. It also makes brute-force dictionary attacks much harder and, for most attackers, impossible or undesirable to implement. They won’t bother wasting their time on you when there are a lot of easier fish to be had.
You can also severely restrict the retry rate. Setting the time that the system waits after an unsuccessful logon attempt (password mismatch) is registered before another retry will be permitted to 5 seconds will thwart most “brute force” password cracking tools.
- Pass Phrases – Use pass phrases rather than passwords.
- Password Renewal – Regularly change authentication credentials including passwords and pass phrases.
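The complexity rules and the lockout/retry-rate limits above, as an added example that is not part of the original article: a policy checker plus a tracker that locks an account after three mismatches and enforces a 5-second wait between retries. The word list and personal terms are constructed stand-ins; a real deployment would use a full dictionary.

```python
import string
from dataclasses import dataclass, field
# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}

def check_password(pw: str, personal_terms=()) -> list:
    """Return the policy rules a password breaks; an empty list means it complies."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than the 8-character minimum")
    elif len(pw) < 14:
        problems.append("advisory: under the recommended 14 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one numeral")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs at least one symbol")
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    # personal_terms: names, dates, pets etc. tied to the user (social engineering fodder)
    if any(term.lower() in lowered for term in personal_terms if term):
        problems.append("contains personal information")
    return problems

@dataclass
class LockoutTracker:
    """Lock an account after max_attempts mismatches and force a wait between retries."""
    max_attempts: int = 3       # the article suggests two or three
    wait_seconds: float = 5.0   # the article suggests a 5-second wait
    failures: dict = field(default_factory=dict)  # account -> (count, last failure time)
    locked: set = field(default_factory=set)

    def can_attempt(self, account: str, now: float) -> bool:
        if account in self.locked:
            return False
        _, last = self.failures.get(account, (0, None))
        return last is None or now - last >= self.wait_seconds

    def record_failure(self, account: str, now: float) -> bool:
        # Register a mismatch at time `now`; returns True once the account is locked out.
        count, _ = self.failures.get(account, (0, None))
        self.failures[account] = (count + 1, now)
        if count + 1 >= self.max_attempts:
            self.locked.add(account)
        return account in self.locked

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)   # a correct logon resets the counter
```

Lockout also needs to be logged (see the logging item above), since a burst of lockouts across many accounts is itself a sign of a password-guessing campaign.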
Security in Depth
Surprisingly many systems today still rely on password only authentication. Thus, defending yourself and your organization against the ravages of breaches of password security becomes of heightened importance.
- Single Point of Failure – By using password only authentication you are introducing a single point of failure/attack (the logon name/password combo) into your network. There is little doubt that this situation makes you considerably more exposed to the efforts of cybercrime.
- Multilevel Authentication – In short; a security-in-depth strategy entails the implementation of more than one authentication mechanism at all points of your system/network. If an attacker can penetrate one authentication mechanism they will still not be granted access to your system and network resources as they are yet to successfully complete all required authentication mechanisms. More often than not the casual attacker (attacker of opportunity) will simply move on to the next potentially easier to “crack” system or network. In this way much of the potential damage that an attacker might cause is averted.
For example, your defenses may be based around user-entered passwords: once authenticated, the user is permitted to proceed to the next level in your authentication process, where they will need to correctly complete that element of the process as well. Once logged into the system or network, the user may be required to supply additional authentication in order to gain higher levels of privilege. This can of course be as simple as requiring the user to enter another, different password in order to proceed any further.
Multilevel Password Only Authentication – Here is an example to illustrate the security-in-depth approach using password only authentication systems:
The user logs onto the network using one password, which in association with that account’s logon user name will, once authenticated, grant the user access to basic network assets, services and resources.
When, at a later time, the user needs to access a higher privilege level asset or resource, such as a database or administrative capabilities, the user will be prompted to supply another user account name along with a different password for authentication before being permitted to go any further.
In this way we have now implemented a two-tiered hierarchy of access privileges to specific resources. Although still solely password-based, it is immeasurably more secure than a system/network in which just one logon user account and password gives access to all assets and resources.
If the user needs to have access to assets and resources including the personally identifiable information contained within the customer database they will need to provide an additional different user account logon name and password. In this way we have built a three-tiered password-only authentication system.
Most operating systems, including Windows, Linux and Apple Mac, along with specialty application software (MS Word, Open Office, security suites etc.), will support this strategy natively out of the box.
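The three-tiered password-only scheme described above, as an added example that is not part of the original article: each tier (network logon, administrative resources, customer database) has its own account name and salted PBKDF2 credential, and a tier can only be unlocked once every tier below it is held, so a stolen network password on its own yields nothing above the first tier. The tier names, account names and the in-memory credential store are constructed for the example.

```python
import hashlib
import hmac
import os

# Tier order from the article: basic network logon, then privileged/admin resources,
# then the customer database holding personal data. Each tier has its own credentials.
TIERS = ("network", "admin", "customer_db")
ITERATIONS = 200_000

def make_credential(password: str) -> dict:
    """Store a salted PBKDF2-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt,
            "digest": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}

def verify_credential(cred: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], ITERATIONS)
    return hmac.compare_digest(digest, cred["digest"])  # constant-time comparison

class TieredSession:
    """Tiers must be unlocked in order; holding one tier's credentials grants nothing above it."""
    def __init__(self, accounts: dict):
        self.accounts = accounts   # {tier: {account_name: credential}} (constructed store)
        self.unlocked = []

    def authenticate(self, tier: str, account: str, password: str) -> bool:
        if tier not in TIERS:
            return False
        if tier in self.unlocked:
            return True
        if TIERS.index(tier) != len(self.unlocked):   # every lower tier must be held first
            return False
        cred = self.accounts.get(tier, {}).get(account)
        if cred is None or not verify_credential(cred, password):
            return False
        self.unlocked.append(tier)
        return True

    def has_access(self, tier: str) -> bool:
        return tier in self.unlocked
```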
Multifactor Authentication – When implementing a multifactor authentication system many different types of authentication mechanisms are used jointly. This means that in order for a user to gain access to system/network resources and assets they will need to provide many different types of information for authentication validation. For instance a user may be required to supply a password as well as a smart card or thumb print, retinal scan or even a voice sample to the authenticating system.
Password Hard Copies
The best advice concerning the practice of making hard copies (paper) of authentication credentials is DON’T DO IT. Physical hard copies of your passwords are liable to the additional risk of physical theft. Here are some practices to avoid if you feel that you must make a hard copy of your passwords and keep it near to hand:
- Do not leave a hard copy of your passwords in close association and physical proximity to your computer e.g. on your desk or beside PC or monitor.
- Do not maintain a hard copy (paper) of your passwords and keep it locked in your desk drawer. You cannot guarantee that nobody will attempt to break into your desk. The locks on most desks are merely a trivial inconvenience to those with a little know-how and a flat-edged envelope opener. It usually takes no more than five to ten seconds to open the majority of desk drawers. Forgetting to lock up your desk compounds the crime.
- Do not make a hard copy of your logon and password details and leave it in open public view.
- Do not write your logon name and password on a post-it note and attach the post-it note to the PC or monitor. This is probably the worst password hard copy security practice of all.
Electronic, Magnetic and Optical Password Copies
While not as risky as maintaining hard copies of your authentication details, considerable care needs to be taken when storing electronic, magnetic or optical copies of authentication credentials.
- Encryption – You should always encrypt authentication credentials data; or any other data for that matter, when storing it in an electronic, magnetic or optical format.
- Physical Security – As with paper hard copies, any physical copy of any data is liable to the additional risk of theft. Many thieves find it easier to steal physical objects than electronic ones. They may consider your PC too big to put in their pocket, but CDs, USB flash drives, floppy disks and external hard drives are another matter altogether. Do not leave any of these devices lying around or in a position where they may be stolen.
- Physical Security Measures – Protecting electronic, magnetic and optical physical copies of your data always begins with physical security measures such as using data vaults, lock and key and off-site storage etc.
- Password Protection – Always use a password to add an additional layer of protection to the encrypted data which you need to store. This includes all electronic, magnetic and optical storage media. You should also use encryption and password protection for all folders and files, including those on your computer.
Maximum Protection
Always afford passwords and other authentication credentials maximal protection and spare no effort in these endeavors, as they will deliver heightened levels of security across the board to your entire system/network.
- Nondisclosure – Never disclose account authentication credentials such as logon names and passwords to anybody. This means your account’s authentication credentials as well as those of other users which you may be managing or administering.
- Confidentiality – At all times and under all circumstances you must ensure that authentication and authorization credentials remain known only to you.
- Need to Know – The only exceptions to this are the user in question and your security, administration and support personnel, and then only on a need-to-know basis.
- Secure Communications – Always assume that you are being tapped or that your networking and communications traffic is being “sniffed”. Thus, wherever and whenever possible, opt for the highest level of secure communications. Plain-text passwords are never to be transmitted over publicly accessible networks and transmission media such as wireless networks.
- Hashing Algorithms – Hashing algorithms, such as MD5, should be used to ensure the integrity of files, as they will help you to identify that a file has been tampered with. This should be applied to all data that you store as well as your password data.
If you include the file attributes in the hash then you will be able to tell if someone has attempted to open the file. This works best on NTFS systems such as Windows XP, Vista, Server 2003 and Server 2008.
By knowing that you are under attack, you take the element of surprise away from the attacker. Furthermore, they will most likely be unaware that you know somebody has been there.
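The integrity-check idea above, as an added example that is not part of the original article: a baseline manifest of content hashes plus file attributes, and a verify step that reports which fields changed. SHA-256 is used in place of the MD5 named on the page, since MD5 collisions are practical and an attacker could substitute a file with the same MD5; the sample file and its contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Attributes compared alongside the content hash. Access time is deliberately left out:
# our own hashing read would update it, and many mounts (Linux relatime, NTFS with
# last-access updates disabled) do not record it reliably, so it cannot prove a file was opened.
FIELDS = ("content", "size", "mtime_ns", "mode")

def fingerprint(path: str) -> dict:
    """SHA-256 of the file contents plus the stat attributes listed in FIELDS."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"content": h.hexdigest(), "size": st.st_size,
            "mtime_ns": st.st_mtime_ns, "mode": st.st_mode}

def build_manifest(paths) -> dict:
    """Baseline to keep where an intruder cannot reach it (offline or read-only media)."""
    return {p: fingerprint(p) for p in paths}

def verify(manifest: dict) -> dict:
    """Return {path: [changed fields]} for every file that no longer matches the baseline."""
    changes = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            changes[path] = ["missing"]
            continue
        actual = fingerprint(path)
        diff = [k for k in FIELDS if expected[k] != actual[k]]
        if diff:
            changes[path] = diff
    return changes

def demo() -> tuple:
    """Constructed run: baseline a file, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwords.enc")   # constructed sample file
        with open(path, "wb") as f:
            f.write(b"encrypted credential blob v1")
        manifest = build_manifest([path])
        clean = verify(manifest)
        with open(path, "ab") as f:
            f.write(b" tampered")
        return clean, verify(manifest)
```

A manifest stored on the same writable disk as the files it covers can be rewritten by the same intruder, so the baseline belongs on media the attacker cannot alter.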
Human laziness, carelessness and a casual attitude toward security, particularly where user accounts are concerned, is one of the most pervasive issues facing security on an ongoing basis. It is through the development, documentation and implementation of a rigidly enforced password/pass phrase policy that you have the greatest chance of overcoming these issues.
Sat, Nov 1, 2008, by TechDoc
Security