
Choosing a good security policy is always working out a
tradeoff between price, security and convenience, picking any two
of the three parameters. Passwords are often the cheapest method of
authenticating users as compared to smartcards or biometric
solutions. By using passwords alone, it is still possible to
achieve an acceptable level of security if an appropriate password
policy is in place, writes Olga Koksharova, marketing director at
Elcomsoft.
Assigning employees long, random-character passwords every few
weeks is as bad for security as allowing them to choose passwords
freely without due audit. Passwords too long and too difficult to
remember end up on infamous yellow stickers, doing more harm than
good to overall corporate security. This article discusses the
various aspects of corporate password policies and identifies
common mistakes in corporate security.
No password policy
This 'policy' is the largest mistake a corporation can make in
security. Typically, the 'no password policy' approach assumes that
other security measures such as security cameras, surveillance
systems, locks and security guards are sufficient to protect
corporate secrets. In reality, however, information is only as
secure as the weakest link in the security system.
In practice, this simply means that the real level of information
security is unknown, and the information is anything but secure. At
the same time, security staff and security equipment come at an
additional cost, giving a false sense of security without providing
any real protection.
Poor password policy
Allowing employees to choose their own passwords without rules and
without due audit most often results in weak, easy-to-guess
passwords being selected. Where password policies are poor, just
one or two passwords tend to protect all documents and network
resources in the entire organization. Even if passwords are set to
expire, employees simply switch between a couple of passwords.
The easy-to-remember approach results in passwords being common
words, telephone numbers, dates of birth, pet names, and the like.
Such passwords are easy to break with a simple dictionary attack.
As security is only as strong as its weakest link, a single
password is enough for an attacker to compromise the entire
network: it lets the attacker work from the inside and opens
endless possibilities for social engineering.
Overall, poor password policies provide no better security than
no password policy at all.
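As an added example (not code from the original article or from ElcomSoft), the following Python check enforces the points made above: it rejects dictionary words and pet names (including the usual letter-for-digit substitutions), dates of birth, telephone numbers, and the reuse of recent passwords, including the habit of rotating between a couple of passwords or merely bumping a trailing number. The word list, thresholds, history depth and hashing parameters are constructed for the demonstration; a deployment would load a full dictionary and tune them to its own policy.

```python
import hashlib
import os
import re
from datetime import date

# Constructed stand-in for a real dictionary and pet-name list (assumption:
# a deployment would load a full word list here instead).
COMMON_WORDS = {"password", "welcome", "company", "summer", "letmein",
                "qwerty", "admin", "rex", "max", "bella", "charlie"}
# Undo the usual letter-for-digit substitutions before the dictionary lookup.
LEET = str.maketrans("013@$5", "oieass")
MIN_LENGTH = 10        # policy thresholds chosen for the example
HISTORY_SIZE = 12      # how many previous passwords may not be reused
PBKDF2_ROUNDS = 100_000


def _history_hash(password, salt):
    # Previous passwords are kept only as salted PBKDF2 hashes, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember(history, password):
    """Record an accepted password in the hashed history, keeping the last HISTORY_SIZE."""
    salt = os.urandom(16)
    history.append((salt, _history_hash(password, salt)))
    del history[:-HISTORY_SIZE]


def _core_word(password):
    # Strip leading/trailing digits and symbols ("Summer2024!" -> "summer"),
    # then undo substitutions ("P@ssw0rd" -> "password").
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def _looks_like_date(password):
    # Eight digits that parse as YYYYMMDD or DDMMYYYY are treated as a date of birth.
    digits = re.sub(r"\D", "", password)
    if len(digits) != 8:
        return False
    candidates = ((int(digits[:4]), int(digits[4:6]), int(digits[6:])),
                  (int(digits[4:]), int(digits[2:4]), int(digits[:2])))
    for year, month, day in candidates:
        try:
            date(year, month, day)
            return True
        except ValueError:
            continue
    return False


def _looks_like_phone(password):
    # Seven or more digits in a row once common separators are removed.
    return re.search(r"\d{7,}", re.sub(r"[\s().+-]", "", password)) is not None


def _without_trailing_suffix(password):
    return re.sub(r"[^a-z]+$", "", password.lower())


def check_password(new, old=None, history=()):
    """Return the list of policy violations for a proposed password (empty means accepted).

    `old` is the current password the user supplies when changing it; `history`
    is the list maintained by remember()."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    if _core_word(new) in COMMON_WORDS:
        problems.append("dictionary word or pet name")
    if _looks_like_date(new):
        problems.append("contains a date")
    if _looks_like_phone(new):
        problems.append("contains a phone number")
    if old is not None and _without_trailing_suffix(new) == _without_trailing_suffix(old):
        problems.append("differs from the current password only in trailing digits or symbols")
    if any(_history_hash(new, salt) == digest for salt, digest in history):
        problems.append("reuses a recent password")
    return problems


if __name__ == "__main__":
    history = []
    for candidate in ("Summer2024!", "Bella1998", "555-867-5309x", "T7!rvq-Lm2pz"):
        print(candidate, "->", check_password(candidate, history=history) or "accepted")
    remember(history, "T7!rvq-Lm2pz")
    print(check_password("T7!rvq-Lm2pz", history=history))
```

The history is stored as salted PBKDF2 digests so that the list of a user's old passwords is not itself a plaintext store worth stealing; the comparison with the current password (which the user types when changing it) is what catches "Summer2024!" becoming "Summer2025!", a pattern a hash-only history cannot see.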
Too strict password policy
Assigning employees cryptographically strong passwords that are
long, complex and made of a random mix of alphanumeric characters
and symbols, or requiring them to choose such passwords, and setting
expiration times that are too short, has its own downsides. Password
policies that are too strict result in passwords being written on
the infamous yellow stickers that are kept on the desk, under the
keyboard, in notebooks, or even stuck to the top of displays.
Needless to say, this kind of 'security' can be easily
compromised. Outlawing the stickers results in a great many calls
to the company's helpdesk, which, according to surveys, can cost
$25-30 per call. Either way, too strict a policy is either
counterproductive and expensive to maintain, or easily
compromised.
Inadequate password policy
Using strong passwords with weak encryption gives company officials
a false sense of security. Many commercial products on the market
feature merely nominal protection that can be removed instantly.
Besides providing nothing more than a false sense of security, the
use of such products can be dangerous: the passwords used to
protect documents are easily exposed to an attacker, who can then
try them against other resources, such as documents with stronger
protection and network resources.
Even Windows is insecure in this respect. Windows supports two
authentication methods, LM and NTLM; systems using the older LM
authentication are vulnerable to attack if passwords are shorter
than 14 characters, which covers the majority of all system
passwords. As a result, enforcing strong passwords is not enough to
create a secure environment.
A comprehensive approach is always required to secure important
information.
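As an added example, not code from the article or from ElcomSoft, this Python snippet reproduces only the pre-processing step of the LM hash (upper-casing, truncation or null-padding to 14 bytes, split into two 7-byte DES key halves) to make the weakness described above concrete, and compares the worst-case guessing effort with that of a case-sensitive password. The DES encryption of the fixed constant is deliberately omitted, since only the key material matters for the point; the 69-character LM alphabet and the 95-character printable-ASCII alphabet are assumptions chosen for the estimate.

```python
import string

# Characters an LM half can contain after upper-casing: A-Z, digits, ASCII
# punctuation and space (constructed for the estimate; the OEM code page used
# by LM admits a few more symbols, which does not change the conclusion).
LM_ALPHABET = string.ascii_uppercase + string.digits + string.punctuation + " "
FULL_ASCII = 95   # printable ASCII, the alphabet of a case-sensitive password


def lm_halves(password):
    """LM pre-processing: upper-case, cut or null-pad to 14 bytes, split into two
    7-byte halves. Each half then serves as an independent DES key over a fixed
    constant; that DES step is omitted here."""
    data = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\0")
    return data[:7], data[7:]


def lm_keyspace():
    """Guesses needed to exhaust both halves: every half of length 0..7 over
    LM_ALPHABET, twice. The effort for the two halves adds instead of multiplying."""
    return 2 * sum(len(LM_ALPHABET) ** k for k in range(8))


def full_keyspace(length, alphabet_size=FULL_ASCII):
    """Guesses needed to exhaust a case-sensitive password of the given length."""
    return alphabet_size ** length


def lm_weaknesses(password):
    """List the LM-specific weaknesses that apply to a given password."""
    first, second = lm_halves(password)
    notes = []
    if password != password.upper():
        notes.append("case is discarded: the hash equals that of the upper-cased password")
    if second == b"\0" * 7:
        notes.append("7 characters or fewer: second half is the well-known empty-half value")
    elif second.rstrip(b"\0") != second:
        notes.append("under 14 characters: second half is short and falls quickly")
    if len(password) > 14:
        notes.append("characters beyond the 14th are ignored")
    return notes


if __name__ == "__main__":
    for pw in ("Secret7", "Password123", "Tr0ub4dor&3-long-one"):
        print(pw, lm_halves(pw), lm_weaknesses(pw))
    print(f"all LM hashes: {lm_keyspace():.2e} guesses; "
          f"8-char case-sensitive: {full_keyspace(8):.2e}; "
          f"14-char case-sensitive: {full_keyspace(14):.2e}")
```

The numbers show why the article's advice holds: exhausting every possible LM hash takes fewer guesses than exhausting 8-character case-sensitive passwords, however strong the password policy is. The mitigation is on the system side rather than in the policy: current Windows versions no longer store the LM hash by default ("Network security: Do not store LAN Manager hash value on next password change"), and an audit should confirm that setting and that no legacy systems still require LM authentication.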
Weak link
Different products have different levels of protection. Older
authentication methods, cryptographically weak encryption or merely
symbolic protection are used in the majority of products, with very
few exceptions.
Even modern versions of Microsoft Office fall back to weak
encryption when saving documents in legacy formats for the sake of
compatibility with earlier versions of the product.
Even the strongest passwords are useless when the documents and
resources they protect are encrypted with weak algorithms: such
protection can be removed instantly or in a matter of minutes.
If the same password is used to protect resources with both
strong and weak protection, it is easy for an attacker to obtain
full control over all protected resources. The entire system is
only as secure as its weakest link; therefore, performing regular
security audits is crucial to ensure security.
No security auditing and outdated security imperatives
Penetration testing helps detect vulnerabilities in corporate
password security in a timely manner. Even if an adequate password
policy is in place and no insecure products are used in the
company, the exact level of information security remains unknown
until it is fully audited.
Organizational changes, accounts of employees who left the company
long ago, changes in security policies and leftover documents
stored in insecure formats are just a few examples of weaknesses
that an attacker can take advantage of. Encryption algorithms and
methods are compromised over time; DES, for example, once a US
government security standard, has not been considered secure for a
long time.
Periodic audits of the corporate network are required to ensure
corporate security.
Conclusion
A good password policy is only one element of a good corporate
security policy. Knowing how secure the passwords, applications and
methods used to protect documents and various system resources
really are is a must for building an appropriate security policy.
Regular security audits are required to ensure network security.
ElcomSoft manufactures various tools to help IT administrators and
security officers test security of corporate networks, and locate
various vulnerabilities and potential issues with their
security.
ElcomSoft is exhibiting at Infosecurity Europe 2009 on 28-30 April
2009 at Earls Court, London.