Tuesday, 21 November 2006

Securing the Network: 3

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Used ID
                Passwords

User ID
Traditionally access to many computer systems has been via a ‘username’. Some examples are shown below:

Bilbo
Bilbobaggins
Bilbo.baggins

The problem with this of course is that an attacker can utilise employee information gained from many sources to guess the logons names to the computer system. If they know the logon name they are 50% of the way there to getting access.

Even worse, many people use the same ‘username’ as their email address, see below:

Bilbo@hobbit.com
Bilbobaggins@hobbit.com
Bilbo.baggins@hobbit.com

This means that an attacker has only to learn the name of an employee to have a good idea as to both their computer logon and their email address, or alternatively they only need the email address to learn an individuals computer logon and name.

TECH NOTE: Email SPAM: An additional problem with using name as an email address is the fact that some spammers now use code to churn out millions of emails to a domain name ie: hobbit.com using variations of peoples names. This in itself is a potentially massive problem.

My suggestion is that systems designed or re-engineered nowadays should use logons and email addresses that bear no relation to the name of the individual. For example:

M7071@hobbit.com

This may not be as simple or as intuitive as previous methods but it is a lot more secure, and anything we can do to secure ourselves that little bit more, is worth doing.

Passwords
User passwords should conform to the following criteria:

        Minimum Length, 9 Characters
        Combination of Letters, Numbers and Special Characters
        Mixed Case
        Does not form Proper Word

To ensure that the user remembers her password and does not stick it underneath the keyboard on a Post-It note, you may implement the following suggestions:

        Let the user choose her own password
        Build the password from a phrase, such as a line from a song.

The system should be setup so that after a given number of password attempts the account is locked, this helps prevent against Brute Force password attacks.

In addition the policy should be enforced so that passwords are changed at least twice a year, quarterly or more often would be better.

"If you're creative, if you can think independently, if you can articulate passion, if you can override the fear of being wrong, then your company needs you now more than it ever did. And now your company can no longer afford to pretend that isn't the case." - Hugh MacLeod

No comments: