Administrative Security Controls

Administrative controls are perhaps the most important of the three families, because they most directly affect your people.  On the one hand, they are the simplest, since all it takes is education.  On the other hand, education about the hazards of smoking, or about the possibility that having sex causes pregnancy, hasn’t done much to change behavior in those realms.  Well, rather than throw up our hands and give up, let’s tackle administrative controls anyhow.

Administrative controls are the hardest to implement because people must understand them, accept them, and implement them correctly—again, and again, and again.

Like the previous day’s entry, there is SO MUCH to talk about.  So I will limit this entry to a topic we all can relate to: passwords.  If there is anything that causes grief in corporate America—aside from blocking access to XM Radio—it is the familiar monthly give-or-take ritual: I have to change my password again?  I think we are all well versed in the basics of what makes a good, “strong” password: the more characters the better, include numbers and special characters, don’t allow words found in a dictionary, etc.

But why do I have to change it?

When teaching an information security course, I shock, amaze, impress, and horrify participants by demonstrating how easy it is to crack hashed passwords using a freeware program that is downloadable from the Internet.  (I will not name it, but if you perform an online search for “password cracker,” it probably will come up, along with another 482,375 hits.)  The file I employ contains four hashed passwords.  (Hashing, quite simply, is a function that takes a string of text and turns it into a fixed-length string that bears no resemblance to the original.)  The four passwords are:

TESTING
TESTIT2
2TESTIT
21_TEST

Take a minute to think about the passwords.  “Testing,” obviously, is a word found in the English dictionary.  Password-cracking tools typically ship with a word list covering the entire English dictionary, plus dictionaries for other languages, and those words are the first ones the tool tries.  Because of this, no one should expect a password that contains a recognizable word to be a secure password.

When I first did this exercise, way back in grad school, using a Pentium 4, running at 1.69GHz, with 256MB of RAM, it cracked the first three in record time:

TESTING: About one second.
TESTIT2: A little over three minutes.
2TESTIT: Two hours.

I never did crack the last one, 21_TEST, because I had to shut down my computer and go to a job interview.  But the person who showed me this tool claimed it took about three days, using a comparable system.

So, if a cracker gets his hands on your organization’s PASSWORD.TXT file, he can fire up the cracking program and check it every few days for results.  If your organization does not require strong passwords, he would not have to wait long.  But a sufficiently complex password—one that does not include any word found in any dictionary—will take longer…a lot longer.  The problem is that “a lot longer” is measured not in years, but in months or even weeks.  That’s why the security-savvy organization’s password policy requires that passwords be changed every 30 to 45 days: by the time the cracker gets his results, the passwords he has at his disposal will have expired.
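The two rules above (reject anything containing a dictionary word; rotate before an exhaustive search can finish) can be turned into a simple policy check.  The code below is an added example, not the cracking tool the post describes; the word list, the guess rate and the sample passwords are constructed assumptions, since the post only gives wall-clock times on a Pentium 4.

```python
import string

# Constructed toy word list standing in for a cracker's dictionaries; the
# post's four sample passwords all build on the word "test".
DICTIONARY = {"testing", "test", "password", "welcome", "summer"}

# Assumed brute-force rate in hashes per second. This is a hypothetical
# figure for illustration, not a measurement from the post.
GUESSES_PER_SECOND = 1_000_000

ROTATION_DAYS = 45  # upper end of the 30-to-45-day policy the post recommends

CHARSETS = [
    ("upper", set(string.ascii_uppercase)),   # 26
    ("lower", set(string.ascii_lowercase)),   # 26
    ("digit", set(string.digits)),            # 10
    ("symbol", set(string.punctuation)),      # 32
]


def contains_dictionary_word(password):
    """True if any word list entry appears inside the password, ignoring case.
    Substring matching is stricter than a real cracker's mangling rules, which
    is the safe direction for a policy check."""
    lowered = password.lower()
    return any(word in lowered for word in DICTIONARY)


def keyspace(password):
    """Number of candidates in the smallest full-character-class keyspace
    that contains this password (classes present ** length)."""
    alphabet = sum(len(chars) for _, chars in CHARSETS
                   if any(c in chars for c in password))
    return alphabet ** len(password)


def brute_force_days(password, rate=GUESSES_PER_SECOND):
    """Worst-case days to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / rate / 86400


def evaluate(password):
    """Apply the post's two rules; returns (acceptable, reason)."""
    if contains_dictionary_word(password):
        return False, "contains a dictionary word"
    days = brute_force_days(password)
    if days < ROTATION_DAYS:
        return False, f"exhaustive search takes {days:.1f} days, inside the rotation window"
    return True, f"exhaustive search takes {days:.1f} days"


if __name__ == "__main__":
    for pw in ["TESTING", "21_TEST", "Xq7mv2", "Xq7$mv2"]:  # constructed samples
        print(pw, evaluate(pw))
```

All four of the post's passwords fail on the dictionary rule alone; the keyspace rule only comes into play once a password contains no recognizable word.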

And that is why you have to change your password.

I would like to leave you today with one final tip.  I’m sure (too) many of us have seen the sticky-note-on-the-monitor method for “remembering” passwords.  Closely related to this oh-so-clever technique is the sticky-note-under-the-keyboard method.  It doesn’t work.  Just as a burglar knows to look for a house key under the doormat, information thieves know to look under keyboards.


About the Author

Michael Seese

Michael Seese, CISSP, CIPP, is an information security, privacy, and business contingency professional in beautiful Chagrin Falls, Ohio. He holds a Master of Science in information security, which was earned completely online via a very cool synchronous and interactive curriculum, and a Master of Arts in psychology, which tends to scare people. He began his career as a journalist, and then moved into technical writing, which piqued an interest in programming, which after all is nothing more than another form of writing, using a more limited and concise language. Then one day, standing in a local bookstore and surrounded on three sides by programming books, covering C++ and C-sharp and .NET and ASP, he had an epiphany: programming languages come and go. Guess wrong—that is, specialize in the flavor-of-the-last-month—and some college fresh-out will take your job, and probably do it better. But the need to store data and protect data will remain and, in fact, grow. That realization led to his current career track. Michael regularly speaks at conferences, has had numerous articles published in professional journals, and contributed two chapters to the 2008 PSI Handbook Of Business Security. He is the co-author of Haunting Valley, a compilation of ghost stories from the Chagrin Valley. Michael also penned (or, better said, e-penned) the twin books Scrappy Information Security and Scrappy Business Contingency Planning. He currently spends his limited spare time rasslin' with three young'uns, and can be reached between matches at scrappy@michaelseese.com.
Note: This work and all associated comments are licensed under a Creative Commons Attribution-Noncommercial 3.0 United States License.

One Response to “Administrative Security Controls”

  1. Passwords are one of the hardest things to get people to take seriously. I personally use a password safe and create a different, strong password for every on-line account I own. That way, if one is compromised, you don’t lose the security for every on-line account you have. It is easy to do using a high-quality password vault. All you have to remember is one very strong password to keep the vault safe. You can then take your passwords with you wherever you go using a small USB memory stick or something similar.
