|
| |
Using Passwords
Effectively
By
Phil Guillen
President, OMEGA, Inc.
E-mail: eric1com@chicagonet.net
P.O. Box
964, Tinley Park, Illinois 60477 Telephone: 708-429-1563
Copyright © 2002 OMEGA, Inc., All Rights
Reserved.
INTRODUCTION
A vital part of any basic security program, and one that is especially
critical in today’s aggressive and computer-based business environment, is the
effective and regular use of a properly maintained computer security Password
program. Yet, this is also one the most-ignored and least attended-to
security considerations.
A properly deployed and maintained Password program not only helps to
prevent the unauthorized access of computer files by outside personnel, but also
by internal company employees which may be attempting to gain entry to computer
files and areas which they are not authorized or cleared to access.
Whether due to simple curiosity, or to more ominous reasons such as the
possibility that they are selling or using critical information for their own
personal monetary gain, an effective password system will help to avoid many
types of serious problems -- before they occur!
As we have said many times before – Fire
Prevention is far less costly than Fire Fighting!
THE PROBLEM
As with many other programs and procedures designed to secure a company’s
proprietary information from competitors and other potential aggressors, many
personnel tend to view the efforts as tedious and unnecessary. Thus, they
often disregard the proper use of these protective regimens.
It is when these procedures are ignored that trouble begins. Unless
management has a system in place to detect the improper or non-use of important
security precautions, numerous avenues for computer violations will become
available as more and more employees begin to disregard the proper use of
password protection.
When these programs are ignored or discontinued, it is all but guaranteed
that serious computer violations WILL result – the only question is when. The
very common human characteristic of disregarding procedures which do not appear
to be clearly necessary (especially if they are deemed to be time consuming or a
nuisance) is well known to the professional operative, as well as to many
advanced amateurs and hackers. As such, lax password use is an
often-exploited avenue for the unauthorized and undetected access to highly
sensitive and confidential computer files and records.
It is important to note that this invitation to loss is not just a general
employee-level problem. We have been involved in many security program
implementations and existing program verifications and analysis, where we have
identified executives and even computer-system administrators who were guilty of
disregarding the proper use of password and other security routines!
When such disregard for appropriate security is practiced at the executive
and administrator level, then greater, more serious losses can result, because
more critical and sensitive files and documents are being left unprotected.
THE SOLUTION
Maintaining an effective and on-going computer password program is not
only a valuable and proven method of reducing computer file violations, but is
also one of the more cost-effective and easily-implemented routines in a company’s
security arsenal.
There are, however, certain pitfalls which you should know about and
avoid.
Below is a ten-point checklist of some of the more common and
often-introduced errors, which would seriously compromise an otherwise-effective
program.
Review this checklist against your own current security program:
-
Never use such easily guessed and commonly
used passwords as; "Love", "Password", "Hate",
"Me", "911", "Open", "abcdef",
"NCC1701", "Abra-Cadabra", "007",
"xxxxx", "4wheeler", "12345" (to name just a
few) or any of their numerous variations. There are whole lists of popular
passwords (and obscenities!) which are well known and used by even amateur
hackers.
-
Never use telephone numbers, social security
digits, license plate numbers, addresses, pets' names, dates, nicknames,
boy/girl friends' names, etc., for your passwords, as these too are often
exploited.
-
Use at least eight character
passwords. Longer passwords greatly increase the level of security,
whereas short passwords increase the likelihood of being cracked or readily
guessed.
-
Never leave your password "hidden"
under your keyboard, Rolodex file, written on a "sticky note" or
taped to your monitor (yes, we even see this done quite often!), taped
inside a desk drawer, under the mousepad (or mouse), under a desk pad,
written somewhere in your desk calendar, written under a desk curio or
figurine, etc. You are only kidding yourself – they WILL be found!
-
Never use a "universal"
password! Each person should have his or her own unique password,
which will restrict that person to only those computer areas necessary for
the execution of his or her particular job.
-
Do not use words which relate to your
favorite brand of music, bands, movies, favorite books, hobbies, cars, CD’s,
favorite actors, former schools, your job title, employer's name, etc.
-
Use passwords which require both upper and
lower case characters. Never use a password that consists of all lower or
all upper case letters or numbers, characters, etc. Mix them up!
-
Supplement passwords with effective
encryption programs which scramble critical files, turning them into
"Digital Confetti," and making them unusable (without entering the
proper second password). Thus, one password restricts access to the
computer system, while the second restricts access to the individual file or
document which is securely encrypted. This is an ideal combination.
-
Ensure that you are not being watched when
you type in your passwords. Although a simple procedure, watching as one
types is an effective manner with which to compromise any password.
-
Use passwords which do not duplicate any of
the characters. The more often a character is repeated in a word, the easier
the password is to crack or guess.
Retain the services a competent intelligence security agency to run a
comprehensive assessment of your firm's particular threat exposures and
required levels of security assurances. Password programs are only a
small part of an overall business security package – not a
stand-alone cure-all!
A risk assessment survey will provide a detailed listing of other
program requirements. Supplemental analysis will insure that existing
"Hazards in Place" will not negate the benefit of your newly
implemented security program.
For an example of what could happen to an improperly-planned and
executed security effort (and of undetected examples of "Hazards in
Place"), take the lessons learned from a client who thought that their
self-designed and implemented password program was the sole precaution needed
to properly protect their sensitive computer files from compromise:
CASE STUDY:
After experiencing repeated violations of some of their most sensitive
and confidential computer files, the client called for expert assistance.
Several serious deficiencies were promptly identified, and explained why they
were having ongoing problems that they just could not seem to solve. The more
notable problems found included:
[a] The passwords were never changed. Their risk exposures required no
less than a WEEKLY password change.
[b] Each password was assigned to a department, and all of the employees
of that department used the same password.
[c] The system administrator casually gave out his universal master
access code to employees who forgot their passwords, so they may log back into
the system – rather than doing the work himself and retrieving their
forgotten password from the system. And the most serious issue of all...
[d] Several of their computers were found to have "Logger"
systems in place, which recorded every keystroke typed on the computer. This
made it easy for unknown individuals to later obtain a complete download of
everything that was typed into the computer – including the passwords!
Note: The logger system that was used on their computers cost only about $50
each, but cost them tens of thousands of dollars in sustained losses before
they decided to call for expert help!
SUMMARY
Many factors must be considered before effective solutions
and protective protocols can be selected and implemented. Further, any
security program -- including password systems -- must be periodically audited
to insure that they are still effective and updated, and that all employees
are complying fully in the program's use and procedures. These programs cannot
be simply installed and forgotten.
Start with having an initial detailed risk assessment performed of your
business and offices. These inexpensive first steps will provide you with a
"map" of your current exposure risks, along with recommendations for
properly addressing the identified open avenues of compromise.
Our recommendations are inexpensive and worthwhile precautions when one
considers the losses that can be avoided by securing against them before the
fact. Once losses occur, recovery can be difficult, expensive, or even
impossible.
Many otherwise excellent business plans have been lost to acts of theft
and undetected espionage. These types of crimes are rapidly on the increase.
Don’t be the next addition to the growing list of victims, many of
which never even knew that their failure was attributable to the underhanded
works of unethical individuals. Be pro-active and install protective
programs and protocols designed to detect and counter any such affronts –
before they are allowed to occur.
Like vehicle alarms, these programs might not be able to stop every act
of business espionage or theft, BUT a good security system may make thieves
decide to instead target the unprotected vehicle parked next to yours!
Click here to read Phil Guillen's
and Omega's intro page.
FOR ADDITIONAL INFORMATION: The author can be contacted
as follows:
Phil Guillen
President, Omega, Inc.
eric1com@chicagonet.net
P.O. Box 964
Tinley Park, IL 60477
708-429-1563
Copyright © 2002 OMEGA, Inc., All Rights Reserved.
W
|
