Incident Response: Practice Makes Perfect


Is it possible to keep information secure? Read on to find out.

IF there is only one person that knows the information, IF that person never writes that information down or records it electronically, and IF that person is lucky enough not to blurt out the information while they are sleeping, drugged or injured, then the answer is yes…probably. Under any other conditions, then the answer is an emphatic NO! It is an unfortunate truth that no system ever developed to protect the security of information is perfect; they all can be breached one way or another. That is why it is so important to have a good incident response program in place at your organization.

And most of you out there, I’m sure, have an incident response plan in place. All information security standards organizations such as ISO and NIST include incident response in their guidance, and many of you are required to have incident response programs in place in order to comply with regulation. But how many of you practice responding to incidents to make sure your planning actually works? At MicroSolved, we’ve been involved in reviewing, developing and testing information security incident response programs for many years. And we have found that no matter how good response plans look on paper, they’re just not effective if you don’t practice them. Practicing doesn’t have to be a big chore, either. We’ve helped many organizations conduct table top incident response exercises, and they usually only last a few hours. They’ve never failed to produce valuable returns.

Unfortunately, there are no good incident response exercise frameworks available out there – we’ve looked. But it is not hard to create your own. Simply pick a type of incident you want to practice – a malware attack for example. You imagine what such an attack would look like to your help desk personnel, system administrators, security personnel, etc. and construct a scenario from that. You just need a basic outline since the details of the response will construct themselves as you proceed with the exercise.

What we have found from conducting and observing these exercises is that problems with the written plan are always exposed. Sure, maybe the plan says that this group of people should be contacted, but is there a procedure in place for ensuring that list is always kept current? Have you made pre-arrangements with a forensic specialist in case you need one? Are the help desk personnel and desktop administrators trained in how to recognize the signs of an attack in progress? These are the types of issues that performing simple table top incident response exercises will reveal.

Perhaps you will be lucky and never experience a bad information security incident. But if you do, you will be very glad indeed if you have a well-practiced information security incident response program in place!

Touchdown Task #2: Detection: How Much Malware Do You Have? #security

Our last Touchdown task was “Identify and Remove All Network, System and Application Access that does not Require Secure Authentication Credentials or Mechanisms”. This time, it is “Detection”.

When we say “detection” we are talking about detecting attackers and malware on your network.

The best and least expensive method for detecting attackers on your network is system monitoring. This is also the most labor intensive method of detection. If you are a home user or just have a small network to manage, then this is not much of a problem. However, if your network has even a dozen servers and is complex at all, monitoring can become a daunting task. There are tools and techniques available to help in this task, though. There are log aggregators and parsers, for example. These tools take logging information from all of the entities on your system and combine them and/or perform primary analysis of system logs. But they do cost money, so on a large network some expense does creep in.

And then there are signature-based intrusion detection, intrusion prevention and anti-virus systems. Signature-based means that these systems work by recognizing the code patterns or “signatures” of malware types that have been seen before and are included in their databases. But there are problems with these systems. First, they have to be constantly updated with new malware patterns, which emerge literally every day. Second, a truly new or “zero day” bit of malware code goes unrecognized by these systems. Finally, with intrusion detection and prevention systems, there are always lots of “false positives”. These systems typically produce so many “hits” that people get tired of monitoring them. And if you don’t go through their results and winnow the grain from the chaff, they are pretty much useless.

Finally, there are anomaly detection systems. Some of these are SIEM (security information and event management) systems. These systems can work very well, but they must be tuned to your network and can be difficult to implement. Another type of anomaly detection system uses “honeypots”. A honeypot is a fake system that sits on your network and appears to be real. An attacker “footprinting” your network or running an exploit cannot tell it from the real thing. Honeypots can emulate file servers, web servers, desktops or any other system on your network. These are particularly effective because there are virtually no false positives associated with them: if someone is messing with a honeypot, you know you have an attacker! Which is exactly what our HoneyPoint Security Server does: identify real threats!
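To make the signature-versus-anomaly distinction above concrete, here is an added Python example (not code from the post, and not part of any MicroSolved product) that runs both kinds of rule over a handful of constructed web-server log lines. The log format, the signature patterns, the scanner user-agent strings, the IP addresses and the volume threshold are all assumptions chosen for the illustration. What it shows is exactly the trade-off the post describes: the known scanner trips a signature, the never-before-seen scanner does not match anything in the signature list, but its burst of requests stands out against the per-source baseline.

```python
import re
import statistics
from collections import Counter

# Apache/NGINX combined log format (assumption: this is what the log aggregator hands us).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signature rules: (field to inspect, pattern seen in previously observed bad traffic).
# The scanner user-agent name is constructed for this example.
SIGNATURES = {
    "known-scanner-user-agent": ("ua", re.compile(r"EvilScanner/\d", re.I)),
    "directory-traversal-in-path": ("path", re.compile(r"\.\./")),
}


def _line(src, path, status, ua, second):
    """Build one constructed combined-format log line (sample data, not a real capture)."""
    return (f'{src} - - [01/Oct/2010:09:00:{second:02d} -0400] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


BROWSER = "Mozilla/5.0 (Windows NT 6.1)"

# Baseline window: ordinary users making two or three requests each.
BASELINE_LOG = [
    _line("10.0.0.5", "/index.html", 200, BROWSER, 1),
    _line("10.0.0.5", "/about.html", 200, BROWSER, 4),
    _line("10.0.0.6", "/index.html", 200, BROWSER, 2),
    _line("10.0.0.6", "/news.html", 200, BROWSER, 5),
    _line("10.0.0.6", "/contact.html", 200, BROWSER, 9),
    _line("10.0.0.8", "/index.html", 200, BROWSER, 3),
    _line("10.0.0.8", "/about.html", 200, BROWSER, 7),
    _line("10.0.0.9", "/index.html", 200, BROWSER, 6),
    _line("10.0.0.9", "/news.html", 200, BROWSER, 8),
    _line("10.0.0.9", "/contact.html", 200, BROWSER, 10),
]

# Detection window: one normal user, one known scanner (matches a signature),
# and one never-before-seen scanner (no signature, but a burst of 404s).
WINDOW_LOG = [
    _line("10.0.0.5", "/index.html", 200, BROWSER, 11),
    _line("10.0.0.5", "/about.html", 200, BROWSER, 12),
    _line("10.0.0.7", "/static/../../secret.txt", 404, "EvilScanner/1.2", 13),
] + [_line("10.0.0.30", f"/probe{i}", 404, "NewScanner/2.0", 14 + i) for i in range(14)]


def parse(lines):
    """Parse log lines into event dicts, skipping lines that do not match the format."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def signature_hits(events):
    """Signature detection: every (source, rule) pair where a field matches a known-bad pattern."""
    return [(ev["src"], name) for ev in events
            for name, (field, pat) in SIGNATURES.items() if pat.search(ev[field])]


def anomaly_hits(baseline_events, window_events, factor=5.0):
    """Anomaly detection: sources whose request volume in the window exceeds `factor`
    times the per-source median learned from the baseline period. The median, not the
    mean, is used so that one busy legitimate user in the baseline does not skew it."""
    baseline = Counter(ev["src"] for ev in baseline_events)
    median = statistics.median(baseline.values())
    window = Counter(ev["src"] for ev in window_events)
    return sorted((src, n) for src, n in window.items() if n > factor * median)


def run():
    """Run both detectors over the constructed data and return their findings side by side."""
    base, win = parse(BASELINE_LOG), parse(WINDOW_LOG)
    return {"signature": signature_hits(win), "anomaly": anomaly_hits(base, win)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

Run as-is, the signature detector reports only 10.0.0.7 (once per matching rule), while the anomaly detector reports only 10.0.0.30, the new scanner that no signature knows about. Either detector alone misses one of the two; the post's point about layering them, and about tuning the threshold to your own baseline rather than a vendor default, follows directly.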

Undertaking this Touchdown Task is relatively easy and will prove to be truly valuable in protecting your network from attack. Give us a call if you’d like us to partner with you for intrusion detection!

New Feature, Just In Time for Fall! Introducing Touchdown Tasks! #security

We started a new feature in our newsletter called “Touchdown Task.” Each month, we focus on a specific, measurable task you can use to firm up your own security strategy. This “Touchdown Task” focuses on authentication credentials. Here we go!

Goal: To identify and remove all network, system and application access that does not require secure authentication credentials or mechanisms.

What this task entails is finding all those systems and applications on your network that can be accessed without having to enter a username or password, or that can be entered using a widely known default password. This is a very important task indeed! Our techs are often able to compromise the systems we test because of blank or poor passwords. This is especially dangerous since attackers of any skill level, or even just the curious, can take advantage of these blank or poor user credentials to poke around, access private information or even elevate their privileges and take control of the system!

There are a number of very common services and applications that come from the vendor with blank or well known default passwords. One of the most dangerous of these, and one we see all the time, is the SQL database. This software installs a blank SA administrator password, and it is very easy to forget to change it once the software is installed.

How do you find the blank and common vendor default passwords that may be present on your network? The best way is to perform an internal network vulnerability assessment (or have one performed for you by your security partner). There are a number of assessment tools available to carry out this task, and your organization most likely already has one in place. You can configure your assessment tool to perform these tests, isolating the data needed for this task from the more general security findings. Also make sure to check your FTP sites and file shares to ensure that they cannot be accessed anonymously.

To remedy the situation once suspicious access credentials have been found, simply change or install passwords that comply with your site’s information security password policy. Generally speaking, passwords should never be blank, widely known (default) or easily guessable. For example, your password should never be “password”, “admin”, “1234567”, “qwerty”, etc.

Passwords should also never be the same as the account name, the name of the organization, the name of the software package or other easily guessable possibilities. Good passwords should contain at least three of the four possible character types (upper and lower case letters, numbers, and special characters).

Undertaking this Touchdown Task is relatively easy and will prove to be truly valuable in protecting your network from attack! Give us a call if you’d like us to partner with you for security assessments.

Passwords, Dinosaurs, and 8-Track Tapes

What do passwords, dinosaurs and 8-track tapes all have in common? Pretty soon they will all be in the same category: things of the past! It’s not just a matter of people using short, simple, “stupid” passwords any more. With advances in easily available and cheap computing power such as advanced graphics processors and solid state drives (SSDs), even long and complex passwords can be cracked in seconds! Not to mention the fact that if you get hacked and someone installs a keylogging Trojan on your machine, it doesn’t matter how long and complex a password you use; it’s game over!

There are always big concerns about the “exploit du jour” in the information security field. SQL injection, application hacks, XSS, bots – you name it! But since the very beginning, the number one way computers get hacked has been password problems, and it’s still going on today! No matter what system one tests, it seems someone has a password of “password” or “admin” or something equally dumb. Or someone forgets to change a blank SA password or the default password in some application. Then, of course, there are the system admins who use the same passwords for their user and admin accounts: instant elevation to domain admin and, once again, game over! This is really just a problem of human nature. We all have ambitions to follow the password policies exactly: to use strong passwords all the time, use different passwords for every account, change them on a regular basis, never reuse the same ones twice, etc. But we all get lazy, or complacent, or busy, or forget, or just screw up! Like I say – human nature.

What is the upshot of all this? Passwords alone as a security measure are hopelessly inadequate. And they always have been! So what is the answer? Well, obviously, we need to use something in addition to passwords. Ideally it would be preferable to use all three of the possible authentication techniques: something we know, something we have and something we are. But it’s hard enough to get people and organizations to consider even two of the three. There is TREMENDOUS resistance against insisting that everyone use tokens, for example. And I can understand that. They cost money, you always have to remember to have them with you, they might break at the most awkward of moments, they can be stolen or they can be lost. Same thing with biometrics. They are expensive, they are not always reliable, they can often be circumvented and they may leave you open to personal attack or even kidnapping! These are all real issues that need to be addressed and, what’s more, gotten used to. People are just going to eventually come to the realization that one or more of these techniques MUST be used. Until now, though, people have been willing to accept the consequences rather than bite the bullet and put up with the hassles and expense. The tipping point has yet to be reached. But, with identity theft, cyber crime and the increasing ease with which passwords can be stolen or broken, that point is now very close indeed!

In the meantime, we all should REALLY do a much better job of using strong passwords. The new MINIMUM standard for passwords should be 12 characters, and they should use at least three of the four possible character types. And that’s just for normal folks. For system admins and other high-value access, passwords alone should never be enough. These folks should surely be using multi-part authentication techniques no matter what the expense or hassle. After all, they DO hold the keys to the kingdom for all of us!
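The password rules from the Touchdown Task above (never blank, never a widely known default, never the same as the account, organization or software name, at least three of the four character types) and the 12-character minimum proposed here can be turned into one policy check that an administrator runs over an account list before the assessment tool finds the weak ones. The Python below is an added example, not code from the posts or from MicroSolved. The blocked-password list contains the values the posts name plus a few constructed entries, the account and company names are made up, and treating a password that merely *contains* the organization or account name as a violation is a stricter reading of “never the same as” chosen for this example.

```python
import string

# Widely known or default passwords: the ones the posts name, plus constructed extras.
COMMON_PASSWORDS = {"password", "admin", "1234567", "qwerty", "letmein", "welcome", "changeme"}
MIN_LENGTH = 12      # the new minimum the post proposes for ordinary users
MIN_CLASSES = 3      # at least three of the four character types


def character_classes(pw):
    """Return how many of the four character types (upper, lower, digit, special) appear."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def _matches_name(pw, name):
    """Case-insensitive: equal to the name, or (for names of 4+ characters) containing it.
    The substring rule is an assumption of this example, stricter than the post's wording;
    very short names (like the two-letter 'sa') only count on exact equality."""
    if not name:
        return False
    p, n = pw.lower(), name.lower()
    return p == n or (len(n) >= 4 and n in p)


def check_password(pw, account="", organization="", product=""):
    """Return the list of policy violations; an empty list means the password passes."""
    if not pw:
        return ["blank"]
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character types")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("widely known or default password")
    for label, name in (("account", account), ("organization", organization), ("software", product)):
        if _matches_name(pw, name):
            problems.append(f"same as or contains the {label} name")
    return problems


def audit(entries):
    """Check (account, password, organization, product) tuples; return only the failures."""
    failures = {}
    for account, pw, org, product in entries:
        problems = check_password(pw, account, org, product)
        if problems:
            failures[account] = problems
    return failures


# Constructed sample accounts; the organization and product names are made up.
SAMPLE_ACCOUNTS = [
    ("sa",     "",                   "ExampleCorp", "DBServer"),   # the blank SA password
    ("jsmith", "password",           "ExampleCorp", "DBServer"),   # the classic
    ("mjones", "ExampleCorp2010!",   "ExampleCorp", "DBServer"),   # long and mixed, but guessable
    ("admin",  "Tr0ub4dor&3xample!", "ExampleCorp", "DBServer"),   # passes the policy
]

if __name__ == "__main__":
    for account, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {'; '.join(problems)}")
```

The `mjones` case is the one worth noticing: sixteen characters with all four character types still fails, because the policy's “not the organization name” rule catches what a length-and-complexity check alone would pass. That is the difference between checking composition and checking guessability.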

Another Good Reason to Increase Internal Security

Well, the much anticipated 2010 Verizon Data Breach Investigations Report is out, and once again it is an eye-opener! Let me say what a boon these reports are to the infosec community! Verizon and their team are to be praised and congratulated for all their hard work. These reports really help us keep current so we can protect our information from the right threats in the right ways. I know it’s not a large scale study, but I do feel it gives us good indications of trends and threats in the industry.

This particular threat report mainly gives us the data breach picture for 2009. It was compiled from nearly 900 actual incidents and includes a lot of input from the U.S. Secret Service this year. One of the surprising results of this particular report was the 26% increase in data breaches from insiders. It seems that organized cybercriminals are promising money to insiders with access to administrator level credentials. Unfortunately for these naïve inside individuals, it is proving very easy for the authorities to catch them. Also, it seems, the cybercriminals are usually not even paying them as promised! Despite these facts, it is evidently fairly easy to find plenty of insiders that are willing to sell their credentials. Go figure!

There are several ways to help counter the insider threat. The easiest thing you can do right off the bat is to ensure that those with high level access to the system don’t use the same credentials for their administrator and user accounts. You’d be amazed at what a common practice this is! All cybercriminals have to do is bust a few user level accounts and there is a VERY good chance that they will then be able to gain administrator level access. Administrator level passwords should be long, strong and ONLY used for administration purposes.

Another very effective method to counter the insider threat is to use true multi-part authentication mechanisms for administrative level access to the system; especially with very effective mechanisms such as tokens. Employing this practice means that cyber criminals not only have to steal credentials, they also have to get their hands on a token. And even if they do, it only gives them a short time to act; admin tokens are usually missed very quickly. There is also the option to employ biometrics. These can be problematic, but are improving all the time. And effective and reliable biometrics are even harder to overcome than token use.

You might say that good passwords, biometrics, and tokens won’t keep actual system and database administrators from selling out to the bad guys, which is true. However, there are other mechanisms available that can prevent lone bad-actors from compromising the system. One effective practice is management monitoring of high level access. If, every day, managers are looking at who accesses what and when, then the difficulty of stealing or corrupting data goes WAY up! Also, there are applications out there that can send out alerts when high level access is underway.

Another method, and a tried and true one, is the use of dual controls. If it takes two individuals to access systems, then cybercriminals have to corrupt two individuals and it becomes even easier for the authorities to figure out who the rats are. I don’t recommend this control except for very high value assets. The downside is that it’s a hassle to implement. There ALWAYS has to be at least two individuals available at all times or access becomes impossible. There are vacations, lunches and breaks to consider, and what happens in true emergencies such as floods, snow storms and the like? But this is a control that has been in use since long before computer systems were in place and it has proven to be very reliable.

These certainly aren’t all of the controls available to help counter the inside threat. I’m sure that you can come up with some others if you give it a little thought. But used individually or, even better, in combination, they should go a long way in protecting your data from the bad guys within!
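Three of the controls above (separate administrator accounts, daily management review of high-level access, and dual control on the highest-value assets) can be checked mechanically from the access logs you already collect. The Python below is an added example, not code from the post or a MicroSolved tool; it assumes a constructed key=value log format, an `adm-` naming convention for separate administrator accounts, a business-hours window for approved privileged work, and that the log records who approved an action on a dual-control asset. It produces the daily list a manager would read plus the entries that break one of the three rules.

```python
from datetime import datetime, time

HIGH_VALUE_HOSTS = {"db01"}                 # assets under dual control (assumption)
APPROVED_WINDOW = (time(8, 0), time(18, 0))  # hours when privileged work is expected (assumption)
ADMIN_PREFIX = "adm-"                       # separate admin accounts carry this prefix (assumption)

# Constructed log lines, not a real capture. One event per line, space-separated key=value
# fields after an ISO-8601 timestamp; 'approver' is '-' when nobody countersigned.
SAMPLE_LOG = """\
2010-08-02T09:05:00 host=file01 user=jsmith action=logon privileged=no approver=-
2010-08-02T09:30:00 host=db01 user=adm-jsmith action=schema_change privileged=yes approver=adm-mjones
2010-08-02T13:10:00 host=web01 user=adm-mjones action=service_restart privileged=yes approver=-
2010-08-02T22:40:00 host=db01 user=adm-mjones action=export_table privileged=yes approver=-
2010-08-02T11:00:00 host=file01 user=rlee action=acl_change privileged=yes approver=-
""".splitlines()


def parse(line):
    """Turn one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def review(lines):
    """Return (report, findings): every privileged event for the manager's daily look,
    and the subset that breaks one of the three insider-threat controls."""
    report, findings = [], []
    for ev in map(parse, lines):
        if ev["privileged"] != "yes":
            continue
        report.append((ev["ts"].strftime("%H:%M"), ev["user"], ev["host"], ev["action"]))

        # Control 1: privileged work must come from a separate admin account, never the
        # everyday account the person also uses for e-mail and browsing.
        if not ev["user"].startswith(ADMIN_PREFIX):
            findings.append(("everyday account used for privileged action", ev["user"], ev["host"]))

        # Control 2: management review; off-hours admin activity is what a manager
        # should see first thing in the morning.
        if not (APPROVED_WINDOW[0] <= ev["ts"].time() <= APPROVED_WINDOW[1]):
            findings.append(("privileged access outside approved window", ev["user"], ev["host"]))

        # Control 3: dual control on high-value assets; a missing or self-given approval
        # means one person acted alone.
        if ev["host"] in HIGH_VALUE_HOSTS and ev["approver"] in ("-", ev["user"]):
            findings.append(("dual control missing on high-value asset", ev["user"], ev["host"]))
    return report, findings


if __name__ == "__main__":
    report, findings = review(SAMPLE_LOG)
    print("Privileged access today:")
    for row in report:
        print("  ", *row)
    print("Findings:")
    for row in findings:
        print("  ", *row)
```

On the sample data the late-night table export from `db01` trips two rules at once (outside the window and nobody countersigned), which is the kind of event the post says makes stealing data “WAY” harder once someone is actually looking. The `rlee` entry shows the first control: a privileged change made from an everyday account is a finding even though it happened at a normal hour.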

2 Ways to Get the Most Out of Security Awareness Training

A good security training and awareness program is one of, if not the most important part of any effective information security program. After all, people are the ones that cause security problems in the first place and, ultimately, people are the ones that have to deal with them. Not to mention the fact that people are twice as likely to detect security problems and breaches as any automated system. Doesn’t it make sense that you should do everything in your power to ensure that all of your people are behind you in your security efforts? That they are provided with the knowledge and the tools they need to understand information security and what their responsibilities are towards it? That they are aware of how devastating an information security incident can be to the company, and consequently, how devastating it can be to them personally? Well, you’re not going to get that from having them read the policy book as new hires and then hold a two hour class six or twelve months later!

And that is traditionally how information security is dealt with in most companies. All enthusiasm for the process is absent, too. They don’t want to do this training! It costs them time and money! The only reason most companies provide any security training outside of the very basics is because of their need to comply with some regulation or another. So what you end up with is a whole group of undertrained and unenthusiastic employees. And these employees become, in turn, the very kind of security liabilities that you are trying to avoid in the first place! So why not turn them into security assets instead? You have to provide them with some security training anyway, so why not give it that extra little “oomph” you need to make it worth your while to do?

How do you go about that you may ask? Here are some tips:

    1. Make sure that they understand what an information security incident or anomaly looks like. Make sure that they know all about social engineering techniques and how Malware is spread. Give them some tips on how to recognize bogus websites, phishing emails and bogus phone calls. Let them know some of the things they can expect to see if there is a virus present on their machines. And don’t use just one format to provide them with this information. Use every method you can think of! There are many formats for security and awareness training to choose from. Group assemblies with speakers and PowerPoint presentations, lunch and learns, training days, self directed web based learning, directed webinars, security documents, email reminders, posters and pamphlets, podcasts, departmental meetings, discussion groups and many more. And make sure that management personnel, especially top management personnel, make it clear how important this task is and how much it means to them and the company. Without this support, your efforts will go nowhere.

    2. Give your people incentives that make them want to participate in the information security program. One method is to simply ask for their help. Make sure your employees understand how important the participation of each and every one of them is to the effort. People often respond very favorably to such requests. Whereas if they are simply told that they must do it, they are much more likely to be unconcerned and uncooperative. Another way is to provide them with rewards for active participation in the program. Put the names of employees who have reported security issues in a hat and have a monthly drawing for a prize or a day off. Give these people a free lunch. Give them the best parking spot in the lot for a month. I’m sure you can think of a dozen other ways to reward your employees for participating in the program. Or simply post the picture of the employee on a bulletin board or internal web page or recognize their accomplishments at group meetings. Everybody really likes to be recognized for doing a good job!

The whole idea is to turn your personnel into “net cops”. If you can do that, you can turn your own people into the best IDS system there is, and for a lot less money than you would spend on machines or hosted services…or for cleaning up a security incident!

New HITECH Law Expands HIPAA Requirements


A new law was enacted on February 17th of this year that expands the HIPAA privacy rule to include “business associates” of health care providers. This law also sets a new requirement for notifying individuals in the event that their protected health information (PHI) has been compromised and gives State Attorneys General new powers to prosecute persons or organizations that fail to comply with HIPAA privacy and security requirements. This law is called the Health Information Technology for Economic and Clinical Health Act (HITECH), and is a part of the new American Recovery and Reinvestment Act of 2009.

What this means is that a number of different organizations that process or use PHI on behalf of a HIPAA “covered entity” must now also comply with the HIPAA security rule just as the covered entity is required to. This includes the need to develop or alter policy and procedural documents, conduct risk assessments and gap analyses, apply appropriate encryption and secure transmission methods to PHI and more. And the security breach notification rule comes into effect just one month from today on August 16th!

Now, this gets a little complicated, so first let’s look at what “covered entity” and “business associate” means in terms of HIPAA and HITECH. A “covered entity” is basically defined as:

  • A health care provider that conducts certain transactions in electronic form
  • A health care clearinghouse
  • A health care plan

A “business associate” is basically defined as a third party that performs or assists in the performance of:

  • A function or activity involving the use or disclosure of individually identifiable PHI, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, repricing and more
  • Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services for a covered entity, or any other provision of services that involves disclosure of individually identifiable PHI to the business associate

In other words if you process or have access to PHI from a covered entity, then you can be pretty sure that this law applies to you! So what do you need to do if you find that this new law does indeed apply to you or your organization? Well, the best thing you can do is encrypt all of your PHI data for both transmission and storage. This has to be done according to Department of Health and Human Services requirements which in turn means that it has to be done according to standards found in NIST 800-111 and FIPS 140-2 (Also see 45 CFR Parts 160 & 164). If you do meet these standards, you have suitably rendered PHI information “Unusable, Unreadable or Indecipherable to Unauthorized Individuals” and therefore do not need to develop the elaborate information security breach notification measures that are specified in the new law.

And having to deal with breach notification is something most people and organizations should definitely want to avoid! Not only does it make good sense from a best-practices standpoint to properly encrypt and protect private information, a breach could do you or your organization real harm. For example, under the new law, if you have a security breach that reveals the PHI of 500 individuals or more, there is a MANDATORY requirement to notify the news media! What effect would THAT have on your reputation and bottom line!? And remember, even if you do suitably protect PHI in motion, at rest, while in use and when being disposed of, you need to have a suitable written information security program in place that details the administrative, physical and technical security measures you will use to protect PHI. And these measures must be strong enough to meet HIPAA Security Rule requirements. If your organization does not meet the specified data encryption standards, then you also need to develop written policies and procedures around the new Security Breach Notification Requirements found in HITECH.

In a nutshell, here are some of the steps you or your organization should be taking to ensure compliance with HITECH:

  • Find out if you or your organization is a covered entity or business associate under the new law
  • Perform risk assessments and/or gap analyses as needed to see if you meet HIPAA Security Rule and HITECH standards or not. (If not, you will need to develop a roadmap detailing what you will do to meet these standards in the future)
  • Update or develop your information security, privacy and HIPAA policies and procedures as needed to meet the HIPAA Security Rule
  • Update any relevant Notice of Privacy Practices documents you have in order to meet the new standards
  • Develop or update your Breach Notification Policies and Procedures to comply with HITECH and any State counterpart law
  • Update and/or expand your business associate agreements to include the new security and notification requirements

Remember, if your organization willfully or through ignorance or inattention does not meet these new requirements, the penalties have been strengthened against you. Civil monetary penalties have been increased and for the first time, this law authorizes State Attorneys General to begin pursuing civil actions for HIPAA privacy and security violations that have threatened or adversely affected residents of their respective States. Also, starting early next year, entities using electronic health records will be required to track any disclosures of patients’ medical information, including disclosures made for treatment and payment.

So, don’t get caught short by HITECH! Consider implementing proper encryption and information protection measures now. Strengthen and update all of your information security policies and procedures. The need to do so will only increase in the future anyway. And if you need help developing policies and procedures or performing risk assessment and gap analyses, MicroSolved has the experience and expertise needed to get the job done. Give us a call!

Flu: Facts and Advice


The 2009 version of the Swine Flu has already hit the U.S., and it looks like it could be a bad outbreak. There have already been more than 300 deaths among the 1,600 reported cases in Mexico, and cases of the Flu will undoubtedly turn up in more U.S. States over the next several days. Here are some facts about the Flu, pandemics and contagious diseases in general that may help you and your business better prepare for a serious outbreak:

Pandemics are defined as epidemics or outbreaks in humans of infectious diseases that have the ability to spread rapidly over large areas, possibly worldwide. Several pandemics have occurred throughout history and experts predict that we will experience at least one pandemic outbreak in this century. Although avian flu viruses are currently the most likely disease vector to cause a pandemic, in reality any highly infectious drug resistant disease could lead to a pandemic outbreak.

So how can Flu viruses spread? The most insidious way for the flu virus to spread is through the air in the form of “droplets”. When persons with the flu cough or sneeze into the air, large and very small droplets of liquid filled with virus travel through the air and can easily make their way into lungs or onto hands. Large droplets generally do not travel more than six feet but small “micro-droplets” can float through the air for some time and travel greater distances. Flu virus can also enter your body through your digestive system or eyes. If there is flu virus on your hands or food and you put them in your mouth, you can get the flu. If you have flu virus on your hands and you rub your eyes or nose, you can get the flu. So, what can you do to protect yourself from getting the flu or giving it to others?

The best thing you can do, even though it is a pain, is wash your hands. I mean wash your hands each time before you touch anything and put it in your mouth, or before you rub your eyes. Also, I wouldn’t eat food that has been sitting uncovered around where people have been coughing or sneezing.

Another thing you can do that really helps is wear a face mask. Even though individual viruses are small enough to go right through the pores in a normal face mask, it is not true that you get the flu from individual viruses; you get the flu from droplets of moisture that contain and protect thousands of virus cells. So if you want to keep from getting the flu, wear a mask. If you have the flu and don’t want to give it to others, wear a mask and cover your face when you cough or sneeze.

There are also a number of different things that can kill microorganisms like flu viruses. Ultraviolet radiation, such as direct sunlight, kills microorganisms almost instantly. Also, microorganisms die quickly when they come in contact with hard, smooth, dry surfaces. For example, counter tops or glass surfaces or plastic objects won’t support microorganisms as long as there is no moisture or grease on the surfaces to protect the cells. Microorganisms also cannot exist in freely flowing water. And finally, microorganisms can be killed or removed by the use of soaps and other chemical cleaners such as hand sanitizing lotions or disinfectant sprays.

So how do you protect your business from the flu? One way is to implement the advice above. When the flu is rampant in the community, protect yourself when you are in close public areas such as grocery stores, automobiles, airplanes or malls. You should also remember that you can be infectious 24 hours before symptoms appear and you will continue to be contagious for about seven days after symptoms do appear. So if you know you have been in contact with someone with the flu, or if you are feeling ill yourself, stay away from other people as much as you possibly can. Have your employees do any work remotely that they can. If they can VPN into the network securely or use the telephone and work from home, have them do so. If you are a financial institution, consider closing or restricting access to the lobby and doing as much business as possible via the drive-up windows. Insist that employees that have the flu stay home. No matter how important an employee is to the business, find some way to work around them or use their services remotely. And finally, make sure that your business has good written operating procedures in place, and that your employees cross-train with each other on a regular basis. This will be a real help in times of great absenteeism.

The Flu Season is Upon Us Again!

Officially, the flu season begins on the first of October and runs until spring. Even though the CDC says that this year’s flu is starting out a little bit milder than the two previous years, I know several people that are suffering through a nasty type of flu already this year. This stuff starts out with the usual fever and aches, and then turns into “cold” symptoms that hang on for weeks! We all know how nasty this is on a personal level, but a virulent long lasting flu like this can also really stress your business as well. So, let’s take a look at how the flu really works and what we can do about it.

First off, there are few real defenses against the flu if you are going to interact with other people. Influenza viruses can infect you in several different ways, and they mutate often and rapidly. The vaccine produced each year is only designed to have some effect on the three flu strains expected to dominate that season, and how much effect it actually has depends on how far each strain has mutated by the time you get the shot. So, although the vaccine is likely to help, don't put too much faith in it.

So how can the flu infect you? The most insidious way for the virus to spread is through the air in the form of "droplets". When people with the flu cough or sneeze, large and very small droplets of liquid loaded with virus travel through the air and can easily make their way into your lungs or onto your hands. Large droplets generally do not travel more than six feet, but small "micro-droplets" can float in the air for some time and travel greater distances. Flu virus can also enter your body through your digestive system or your eyes: if there is virus on your hands or your food and you put them in your mouth, you can get the flu, and if there is virus on your hands and you rub your eyes or nose, you can get the flu. So, what can you do to protect yourself from getting the flu or giving it to others?

The best thing you can do, even though it is a pain, is to wash your hands. I mean wash your hands every time before you touch something and put it in your mouth, and before you rub your eyes. I also wouldn't eat food that has been sitting uncovered where people have been coughing or sneezing.

There are also a number of things that kill microorganisms such as flu viruses. Ultraviolet radiation, such as direct sunlight, kills them quickly. Microorganisms also die quickly on hard, smooth, dry surfaces. And they can be killed or removed with soap and other chemical cleaners such as hand sanitizing lotions or disinfectant sprays.

So how do you protect your business from the flu? When the flu is rampant in the community, protect yourself in crowded public places such as grocery stores, automobiles, airplanes or malls. Have your workers do whatever work they can remotely: if they can VPN into the network securely and work from home, have them do so. If you are a financial institution, consider closing or restricting access to the lobby and doing as much business as possible through the drive-up windows. Insist that employees who have the flu stay home. And finally, make sure your business has good written operating procedures in place and that your employees cross-train with each other regularly. That will be a real help in times of heavy absenteeism. Expect the best, but plan for the worst: the height of the flu season is just two or three months away!

What Is A Good Password?

What is a good password? Well, that depends on who the password is for and what it protects. For a normal system user with access to only limited information, services and software, what matters most is that the password is hard to guess and that the user protects it properly. What can an outsider really get at with a user-level password, anyway? If the network is set up properly, an attacker can't reach the internal network from the Internet; all they can get at are things in the DMZ like the e-mail and web servers, right? And if users are doing things right, any sensitive private information in their e-mail messages is strongly encrypted, so even an attacker who gets into the DMZ servers comes away with information that is ancillary at best. So for a normal system user, the old eight-character password that mixes all the different character types, isn't a dictionary word, isn't your spouse's middle name, and so on, is just fine.

But what about the folks who have system admin level access or who are granted remote access privileges? What is a good password for them? In my opinion, there is no such thing. No user name and password on their own, with no other authentication mechanism, is good enough for these levels of access. All the passwords in the world are still just something you know; you must add something you have or something you are to authenticate yourself properly.

If a user has remote access privileges and their only authentication mechanism is a user name and password, what happens when it is intercepted or stolen? The attacker suddenly has a way into the internal network, where that password gets them at far juicier information than they would ever find on an e-mail server. We all know that internal networks are never secured as well as the Internet-facing perimeter. Even then, the attacker is limited to the information and services available at that user's privilege level; maybe they can run some exploits or elevate their privileges a bit, depending on just how poorly the internal network is secured.

But what if an attacker gets hold of a system admin user name and password, gets into the internal network, and no other authentication mechanism is required? Then it is pretty much game over. They can dump the password hashes, read private information, change privileges, install malware, erase the records of their presence: pretty much anything they want.

So, if you are a normal user, choose passwords that are hard to guess and don't let anybody else at them. If you are a remote user, use a strong password, but also use a token or something similar. If you are a system admin, you can't use too many authentication mechanisms and they can't be too strong: use long, strong passphrases instead of simple passwords, change them every 30 days, use tokens, restrict logins to known source IP addresses (positive IP checking), use dedicated client software, use whatever you can get. But don't rely on just your user name and password!
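Here is what the rule above looks like in practice, as an added example that is not code from the original post or from MicroSolved: a login check in which a normal local user gets in with a password alone, while admin and remote-access accounts must also present a time-based one-time code from a token. Everything in it is constructed for the example: PBKDF2-SHA256 for stored passwords, RFC 6238 TOTP (HMAC-SHA1, 30 second step, six digits) as the "something you have" factor, the in-memory user table and the credentials. The TOTP secret is the one from the RFC 6238 test vectors, so the codes it produces can be checked against the RFC.

```python
import hashlib
import hmac
import os
import struct
import time

# Added example, not MicroSolved's code. Constructed assumptions: PBKDF2-SHA256
# for stored passwords, RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) as the
# "something you have" factor, and a tiny in-memory user table.
PBKDF2_ITERATIONS = 100_000
TOTP_STEP = 30
TOTP_DIGITS = 6

# The shared secret from the RFC 6238 test vectors, so the codes are checkable.
RFC6238_SECRET = b"12345678901234567890"


def hash_password(password, salt=None):
    """Return (salt, digest): PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so a near-miss does not leak by timing."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, code, for_time, last_step, window=1):
    """Accept a code for the current step or one step either side (clock drift).

    Returns the accepted step, or None. Any step at or before `last_step` is
    refused, so a code that was already used (sniffed off the wire, say) is
    rejected even while it is still inside the time window.
    """
    now_step = int(for_time) // TOTP_STEP
    for candidate in range(now_step - window, now_step + window + 1):
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


def make_user(password, role, remote, totp_secret=None):
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "role": role, "remote": remote,
            "totp_secret": totp_secret, "last_step": -1}


# Constructed users: a normal local user, and a remote admin who must use a token.
USERS = {
    "jdoe": make_user("Tr0ub4dor&3", role="user", remote=False),
    "sysadmin": make_user("correct horse battery staple", role="admin",
                          remote=True, totp_secret=RFC6238_SECRET),
}


def authenticate(username, password, code=None, now=None):
    """True only if the password is right and, for admin or remote accounts,
    a fresh TOTP code is right as well. A password alone never gets those in."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # same cost, so timing does not reveal valid usernames
        return False
    if not verify_password(password, user["salt"], user["hash"]):
        return False
    if user["role"] != "admin" and not user["remote"]:
        return True  # plain local user: a good password is enough
    if code is None or user["totp_secret"] is None:
        return False  # privileged or remote: refuse without the second factor
    step = verify_totp(user["totp_secret"], code, now, user["last_step"])
    if step is None:
        return False
    user["last_step"] = step  # remember it so this code cannot be replayed
    return True


if __name__ == "__main__":
    t, pw = 1111111109, "correct horse battery staple"
    print("local user, password only :", authenticate("jdoe", "Tr0ub4dor&3", now=t))
    print("admin, password only      :", authenticate("sysadmin", pw, now=t))
    print("admin, password + token   :", authenticate("sysadmin", pw, totp(RFC6238_SECRET, t), now=t))
    print("admin, replayed token     :", authenticate("sysadmin", pw, totp(RFC6238_SECRET, t), now=t))
```

The `last_step` bookkeeping is the part that matters for the interception scenario in the post: a code lifted off the wire is rejected even inside its 30 second window once the legitimate login has used it, which is what makes a stolen admin credential useless on its own. In a real deployment the salts, hashes and TOTP secrets live in a credential store rather than in source, and the same structure works unchanged for a hardware token that computes the same HOTP/TOTP values.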