Monday, December 26, 2005

Implementing a Secure Password Policy

This article is for network administrators but the tips are
useful for home users, too, especially with the popularity of
home networks increasing.


By Stephen Bucaro

I don't need to tell you the importance of good network security
- but I will. If your network is compromised, competitors could
learn where your company gets its resources, steal your
company's research, learn your company's marketing plans, and
obtain other sensitive information that could destroy your
company's competitive advantage. The loss of competitive
advantage could require your company to reduce its labor force
- in other words you could lose your job.

If your company's network is compromised, identity thieves could
use your company's customers' credit card numbers and social
security numbers to steal their identities and destroy their
lives. And it's not only your company's customers who are going
to suffer. When the source of the security breach is traced to
your company, the result will be a negligence lawsuit. And after
you get a reputation for being incompetent in the area of
network security, try to get a network administrator job at
another company.

Having a secure password policy is the front line of network
security. What good is a firewall and anti-virus protection if
hackers can easily log on and have their way with your network?
A secure password policy requires the following steps:

- Require users to create secure passwords
- Configure your system for password security
- Disable default administrator accounts
- Create a written password security policy
- Continuously communicate the password policy

How a Password Cracking Program Works

Hackers trying to break into your company's network will use a
"password cracking" program. The program runs continuously on
one or more computers. At predefined intervals it attempts to
log on to your company's network using the next username and
password in sequence in its dictionary. After a predefined
number of failed attempts, it will wait for a predefined
interval before making another attempt.

A password cracking program is not so aggressive that its
activities are easily detectable. You'll never know about the
hacker's activities unless you carefully analyze your server
logs. A hacker will continue to run the password cracking
program for years. They have lots of patience because, after
all, they are just sitting watching TV while the password
cracking program tries to break into your company's network. And
when it finally breaks into your system, the hacker can sell
your company's customers' personal information for hundreds of
thousands of dollars.

Require Users to Create Secure Passwords

Your job, as network administrator, is to force users to create
passwords that are very time consuming for the password cracking
program to discover. In order to do this, users must create
passwords that are not at the beginning of the password cracking
program's dictionary. If one of your users thinks it's cute to
use the name of their pet as a password, I can assure you that
the word "scooter" is very close to the beginning of the
cracker's dictionary. Your network's security might not last the
week.

Require your users to create passwords that comply with the
following rules:

- Don't use a person's name, pet's name, street name, or the name
of an activity, event, place or thing
- Don't use any word that would be in the dictionary
- Make the password long; the longer the better (some systems
have a maximum password length)
- Use a combination of letters and numbers
- Use special characters, like underscore or exclamation mark (if
your system allows special characters)
- Use a combination of uppercase and lowercase letters (if your
system's passwords are case sensitive)
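The rules above can be enforced automatically at password-change time. The checker below is an added example, not code from the article or from any product; the word list, the default minimum length of 12, and the optional `max_length`, `case_sensitive` and `allow_special` switches are assumptions standing in for the system-specific limits the rules mention.

```python
import re
import string

# Constructed stand-in for the cracker's dictionary. A real deployment
# loads a large list of names, pets, places and common words from a file.
COMMON_WORDS = {"scooter", "password", "fluffy", "main", "summer", "admin"}


def check_password(password, min_length=12, max_length=None,
                   case_sensitive=True, allow_special=True):
    """Return the list of rules the password breaks (empty means compliant)."""
    violations = []
    lowered = password.lower()
    # Rules 1 and 2: no name or dictionary word. Strip digits and symbols
    # first, because "scooter1" still starts with a word near the top of
    # the cracker's list.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WORDS or core in COMMON_WORDS:
        violations.append("contains a dictionary word or common name")
    # Rule 3: length, respecting a system maximum if there is one.
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if max_length is not None and len(password) > max_length:
        violations.append(f"longer than the system maximum of {max_length}")
    # Rule 4: letters and numbers together.
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        violations.append("needs both letters and digits")
    # Rule 5: a special character, only where the system accepts them.
    if allow_special and not any(c in string.punctuation for c in password):
        violations.append("needs a special character such as _ or !")
    # Rule 6: mixed case, only meaningful on a case-sensitive system.
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if case_sensitive and not (has_upper and has_lower):
        violations.append("needs both uppercase and lowercase letters")
    return violations


def is_compliant(password, **policy):
    """True when check_password reports no violations under the policy."""
    return not check_password(password, **policy)
```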

Configure Your System for Password Security

A hacker's password cracking program can be thwarted by the
following system configurations:

- Lock out a user's account after a certain number of failed
logon attempts. Sure, a user might arrive in the morning with a
hangover and screw up their password two or three times, but
more failed attempts than that is probably the result of a
hacker. Configure the system to lock out a user's account after
an unreasonable number of failed logon attempts.

- Configure the time interval of the failed logon attempts lock
out. If users understand that after they mistype their password
x times, they need to wait 30 minutes before making another
logon attempt, they shouldn't be too annoyed. The
longer the time interval of failed logon attempts lock out, the
more it thwarts hackers. Unfortunately, long lock out periods
can occasionally be a problem for a legitimate user.

- Configure your system to expire passwords periodically.
Imagine a password cracking program that has attempted millions
of passwords from its dictionary and is getting closer every day
to the actual password - and then the password changes. The more
frequently passwords change, the more secure the system is.
Configure your system to expire passwords every 60 days or more
frequently.
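The three settings above (lockout threshold, lockout interval, password age) combine into one per-account state machine. The class below is an added example, not code from the article or from any operating system; the defaults of 5 failures, a 30-minute lockout and a 60-day maximum age are assumptions drawn from the figures in the text, and the event sequence in `simulate` is constructed to show a guessing program hitting the lockout.

```python
from datetime import datetime, timedelta


class LogonPolicy:
    """Per-account lockout and password-expiry rules (assumed defaults)."""

    def __init__(self, max_failures=5, lockout_minutes=30, max_age_days=60):
        self.max_failures = max_failures
        self.lockout = timedelta(minutes=lockout_minutes)
        self.max_age = timedelta(days=max_age_days)
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> time the lockout ends
        self.password_set = {}  # account -> time the password was last changed

    def set_password(self, account, when):
        self.password_set[account] = when
        self.failures[account] = 0

    def attempt(self, account, correct, when):
        """Return 'locked', 'failed', 'expired' or 'ok' for one logon attempt."""
        until = self.locked_until.get(account)
        if until and when < until:
            return "locked"      # refused even if the password is right
        if until:                # lockout interval has elapsed: start fresh
            del self.locked_until[account]
            self.failures[account] = 0
        if not correct:
            n = self.failures.get(account, 0) + 1
            self.failures[account] = n
            if n >= self.max_failures:
                self.locked_until[account] = when + self.lockout
                return "locked"
            return "failed"
        self.failures[account] = 0
        if when - self.password_set[account] > self.max_age:
            return "expired"     # correct, but the user must change it now
        return "ok"


def simulate():
    """Constructed sequence: five wrong guesses in five seconds, the right
    password during the lockout, then the right password after 31 minutes."""
    t0 = datetime(2005, 12, 26, 9, 0)
    policy = LogonPolicy()
    policy.set_password("jsmith", t0 - timedelta(days=10))
    results = [policy.attempt("jsmith", False, t0 + timedelta(seconds=i))
               for i in range(5)]
    results.append(policy.attempt("jsmith", True, t0 + timedelta(minutes=5)))
    results.append(policy.attempt("jsmith", True, t0 + timedelta(minutes=31)))
    return results
```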

Disable Default Administrator Accounts

Upon installation, many operating systems and software
applications have default accounts. Everybody knows the default
administrator user name for a Windows server is "Administrator".
Everybody knows the default administrator user name for SQL
server is "sa" and that, by default this user name requires no
password. Perform an audit of all software and hardware
(routers, switches, etc.) on your network to make sure they are
not using a default account.

Create a Written Password Security Policy

Put your password security policy in writing. In addition to the
items already discussed in this article, put the following rules
in your written security policy:

- Don't reveal your password to ANYONE - not a fellow employee
(who may quit or get fired and then use your password) - not a
service technician (A hacker might call pretending to be a
technical support person who needs a password to troubleshoot a
problem). If a legitimate technical support person needs your
password, change your password immediately afterward. Many
security breaches occur when a user purposely reveals their
password.

- Don't let anyone look over your shoulder while you log on, and
in return don't look over anyone else's shoulder while they log
on.

- Don't leave your computer unattended while logged on. Log off,
go for coffee, log on.

- Don't leave paper or digital media containing sensitive data
lying around. You can't be sure that outside visitors won't
enter your area. You can't be sure that a fellow employee isn't
out to cause damage to your company.

- Don't discard paper or digital media in public waste
containers. "Dumpster diving" is a common way for thieves to
acquire sensitive information.

Continuously Communicate the Password Policy

Many users hate password policies. They prefer to create a
password that is cute and memorable, and never change it. They
prefer to be friendly and cooperative with fellow employees and
outsiders and share their passwords. They don't understand the
value of the company's information and don't like to take the
time to be vigilant about not leaving it lying around, or
disposing of it properly.

As network administrator, it's your responsibility to
continuously communicate and promote the password security
policy. Use the company newsletter and meetings to reiterate the
password security policy. Also communicate WHY the password
security policy is necessary. WHY do employees need to comply
with the company's password policy? What will be the inevitable
result of failure to comply with the policy? Employees will
demonstrate much better conformance to any rules if they
understand WHY the rules are necessary.

----------------------------------------------------------
Resource Box: Copyright(C)2005 Bucaro TecHelp. FREE ebooks,
software, graphics, certification self tests, Java Script and
CSS cut-and-paste code. Learn PC Anatomy, find FREE diagnostic
Tools and technical assistance. Learn how to start your own
online business and much more! You never know what you'll find
at bucarotechelp.com
