TechVirtuoso

Quit checking the audit “check box”!

April 25th, 2016 at 10:12 PM

I am fortunate in my new role to have a lot of freedom.  There wasn’t a lot of structure in place when I started, so I can mold the IT policies as I see fit.  This has been a blessing and a curse as I try to navigate the standard IT policies that I was pushed to enforce in my previous roles.  Back then people would ask me why we needed to change passwords so often.  “Because it keeps us secure, and the company policy says so” would be my response.  I never stopped and asked myself why things like this were put in place, and ultimately, whether they really keep us secure.

Let’s break down the common rules that have been the cornerstone of just about every password policy put in place.

8 Character Minimum Passwords

This has been common practice for quite a long time, but I don’t think the requirement has kept up with the times.  Are 8-character passwords really enough?  Passwords of at least 8 characters will check the box when the auditor comes around, but is that what we really should be focused on?  Why aren’t we pushing people to longer passphrases, which are simpler, easier to remember and more secure?

Complexity Requirements

Everything from special characters to numbers to mixed upper- and lower-case letters falls under password complexity.  With an 8-character minimum, I think these rules are necessary: the character set is the only thing keeping the keyspace from being trivially small.  If we start pushing people to phrases, and spend a little time educating them on choosing a simple, secure passphrase, why do complexity rules need to be enforced at all?

Password Expiration

This, along with length, I believe are the two most used “audit check” boxes out there.  This setting is the amount of time a user can keep a password before the system forces them to choose a new one.  The standard just about everywhere is 90 days.  Most users who feel their password is a burden and hard to come up with will write it on a sticky note, leave it under their keyboard (or worse, attached to their monitor), and it will take them 30+ days to remember it without looking (because we always have to look to “double check”); then 30 or so days later the dreaded password expiration countdown starts.  Personally I think I do a good job at password management, but 90 days still annoys the hell out of me.  If you are in IT and you are reading this thinking “WAAAAHHHH, you need to change your password every 3 months”, take the “Password never expires” check box off your account for 6 months, and I have a feeling your thought process may change.

Enough ranting, but why do we need to change it every 90 freaking days?  How is this going to keep me secure?  Rotation only limits how long a stolen hash or a leaked password stays useful, and with the 8-character minimum above and modern cracking hardware it doesn’t matter whether you change your password every 30 days; you are screwed long before the rotation kicks in.  According to this article (I didn’t fact check it), 90% of 8-character “complex” passwords are cracked in seconds in that scenario.

Password History

This setting controls how many new passwords a user must create before an old one can be reused.  I don’t understand why this is even an option to leave off if you are setting passwords to expire after a specific amount of time.  If I make my users change their passwords (no matter the interval), shouldn’t I require that each password is unique?  If I don’t, they fall into a pattern, e.g. Penelope!1 for Q1, Penelope!2 for Q2, and so on.  Note that history alone does not block that pattern either: Penelope!2 is a brand new password as far as the directory is concerned, and catching it takes a password filter that compares the new password against the base of the old one.

We need to stop trying to “check the audit checkbox” and start looking at the business requirements, and designing our password policy around those.  In my opinion, these items should be key for building a good password policy.

  • End user education is paramount.  Show them how easy it is to create a longer passphrase and give them a benefit for doing so.
  • An 8-character minimum with forced complexity is not enough; push people to 15+ character passphrases.
  • Don’t just set password expiration to 90 days.  Depending on your other requirements (length, complexity, etc.), push it out to 6 months.  I think you will find far fewer sticky notes under keyboards!
  • One size does not fit all.  Look at a solution like Specops Password Policy and give your end users options.  They want an 8-character password?  Fine, but it needs to be complex and they are changing it every 30 days.  They have a 20-character passphrase?  It doesn’t expire for a whole year.
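The tiered approach in the list above can be approximated without a third-party product using Active Directory fine-grained password policies (PSOs). The following is an added example, not code from the original post or from Specops; it assumes the ActiveDirectory module, a Windows Server 2008 or later domain functional level, and two global security groups (Standard-Password-Users and Passphrase-Users) plus a sample account jdoe, all of which are illustrative names.

```powershell
# Added example (not from the post): two password tiers as AD fine-grained password
# policies. Group and user names are assumptions for illustration.
Import-Module ActiveDirectory

# Settings shared by both tiers.
$common = @{
    PasswordHistoryCount            = 24                        # no cycling back to an old password
    MinPasswordAge                  = (New-TimeSpan -Days 1)    # stops burning through the history in one sitting
    LockoutThreshold                = 10
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}

# Tier 1: short and complex, rotated every 30 days.
New-ADFineGrainedPasswordPolicy -Name "PSO-Short-Complex" -Precedence 20 `
    -MinPasswordLength 8 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 30) @common

# Tier 2: 20+ character passphrase, no complexity rule, rotated once a year.
# The lower Precedence number wins if a user ends up in both groups.
New-ADFineGrainedPasswordPolicy -Name "PSO-Long-Passphrase" -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $false `
    -MaxPasswordAge (New-TimeSpan -Days 365) @common

# PSOs apply to users and global security groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Short-Complex"   -Subjects "Standard-Password-Users"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Long-Passphrase" -Subjects "Passphrase-Users"

# Check what a given account actually gets (a PSO beats the default domain policy).
Get-ADUserResultantPasswordPolicy -Identity "jdoe" |
    Select-Object Name, MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount

# The "Password never expires" checkbox overrides every MaxPasswordAge above,
# so audit who has it set, IT staff first.
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
    -Properties PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet
```

The caveat is that native PSOs are assigned by group membership, not by the password the user actually picks: moving someone to the passphrase tier is an administrative decision, and nothing stops a member of that group from choosing a 20-character password that is still a dictionary word with a number on the end. Letting the chosen length drive the expiry automatically, and blocking the Penelope!1 / Penelope!2 pattern, is exactly what a password filter product such as the one mentioned above adds on top of this.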

Lastly, don’t be lazy.  If your users have a 90-day password reset requirement, then as IT staff you should have AT LEAST the same.  Get out and talk to the people who need to follow this policy and find out how they feel about it.  Find out what bad security practices they have fallen into, and figure out how to solve that problem for them.  I think you will get a lot more out of that than out of reviewing your audit checklist.

Can you have too much security?

August 29th, 2011 at 8:35 AM

I started a new position this year and have many challenges to overcome.  There are a lot of things that have been neglected and many changes to be made.  One of the changes I was looking at implementing is enabling Windows Firewall locally.  I started on a few new servers that I was rolling out and the regional IT staff that support some of our internal systems started to disable these firewalls.  When I brought this up they thought I was nuts.  Just wait until I start restricting services by IP.

Fast forward to today, and the “Morto” internet worm is spreading via RDP.  We don’t have any RDP hosts locally that are open to the dangerous world we know as the internet, but I can’t vouch for the other dozen sites connected at the other end of our MPLS.  Now, most of our PCs don’t have RDP enabled, but the PCs used by management and, more importantly, the majority of our servers may be susceptible if even one PC out of thousands is infected.

I realize more security means more administrative overhead and makes admin jobs harder, but what happens when something like this hits and all of these machines are infected?  How much work is that going to take to remedy?
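What “enabling Windows Firewall locally” and “restricting services by IP” look like in practice, as an added example that is not part of the original post: the host firewall is switched on with an inbound default of block, the built-in Remote Desktop rules (which accept TCP 3389 from any address) are disabled, RDP is allowed only from a management subnet, and a small audit function reports which rules still expose 3389 and whether RDP is enabled at all. It assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated session; the subnet 10.10.50.0/24 is an illustrative value.

```powershell
# Added example (not from the post): host firewall on, RDP scoped to one subnet,
# plus an exposure audit. 10.10.50.0/24 is an assumed management subnet.

# 1. Enable the firewall on every profile with an inbound default of Block.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Disable the built-in Remote Desktop rules, which allow TCP 3389 from anywhere.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Disable-NetFirewallRule

# 3. Allow RDP only from the management subnet, and only on the domain profile.
New-NetFirewallRule -DisplayName "RDP - management subnet only" -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.10.50.0/24 `
    -Profile Domain -Action Allow | Out-Null

# 4. Audit: which enabled inbound allow rules still reach TCP 3389, and from where.
#    A RemoteAddress of "Any" is what a scanning worm on the MPLS would walk through.
function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is switched off on this host.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $hits3389 = ($port.Protocol -eq 'TCP') -and
                    (($port.LocalPort -contains '3389') -or ($port.LocalPort -eq 'Any'))
        if ($hits3389) {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($addr.RemoteAddress -join ', ')
                RdpEnabled    = $rdpEnabled
            }
        }
    }
}

Get-RdpExposure | Format-Table -AutoSize
```

For a dozen sites on an MPLS the same settings belong in a Group Policy object (Computer Configuration, Windows Firewall with Advanced Security) rather than typed on each server, so that a regional admin who disables the local firewall gets it re-applied at the next policy refresh; the audit function is what you run afterwards to confirm the exposure is actually gone.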

So, what are your thoughts?  How far do you go to keep your infrastructure safe?

Is there such a thing as security in the cloud?

May 6th, 2011 at 5:22 PM

Unless you have been hiding under a rock you have heard about Sony’s PSN getting hacked.  Apparently I was hiding under a rock yesterday, as LastPass, a cloud password storage company, also had a possible security breach and I didn’t hear about it until late yesterday evening.

I am not going to act tough; at first I freaked out a little bit, immediately rushing to conclusions and imagining all the passwords I would need to manually go through and change.  Fortunately, after reading their blog post and the LastPass CEO’s interview with PC World I felt a little more at ease.  I used a strong master password, so I should be OK.  I am very impressed at how they handled the situation and how open they were from the beginning.  I think I will be keeping the majority of my passwords with them.

It seems like every other day there is another company sending out emails notifying customers that their personal information may have been compromised.  All of this has gotten me thinking: with a growing number of companies learning everything they possibly can about us (looking at you, Facebook and Google), is any information we give out online really safe?  Do these cyber crimes continue to rise because consumers are more at ease posting their private lives and information on the net?

Two factor authentication now available for your Google accounts

February 10th, 2011 at 1:35 PM

Google has now set the bar a little higher for Internet account security. Now the super-paranoid (like yours truly) can further secure their Gmail through the use of Google’s new two factor authentication system.

While not as cool as using a YubiKey for LastPass, you can now use your phone to generate a one-time password to gain access to your Google account.  As I’ve covered before, you shouldn’t be using the same password for multiple online accounts, and you really shouldn’t be using your main email password for anything else, as that mailbox is the go-to place for account recovery.  But even if you are, this additional layer means a stolen password alone is no longer enough to get in.

Using LastPass and YubiKey to secure your online life

December 29th, 2010 at 9:43 PM

If the recent Gawker password breach (re)taught us anything, it’s the old and valued lesson of “don’t use the same password everywhere” — but as often as I repeat that phrase and cringe a little bit when I find out someone else did it, I’ve been just as guilty of this cardinal sin of network security myself… from time to time. It’s hard not to.

When you’re as active on the Internet as I am, it’s impossible to resist the urge to duplicate passwords, especially if you’re against writing them down. So you’re left to memorize them all, hope you don’t forget, and hope that you can later rely on the splendid password reset via email later on.

All of the Gawker fun also taught (or should have taught) website administrators like myself to take better care of their users.  Gawker fouled up in a huge way (beyond simply exposing user data) by not taking proper steps to protect the passwords in their database before they were exposed.  Gawker hashed passwords with the old DES-based crypt() scheme, which truncates passwords to eight characters and is cheap to brute-force, and which had been superseded by stronger alternatives long ago.


Companies react to offering up Security Essentials through Microsoft Update

November 6th, 2010 at 12:12 PM

You know you’re probably doing something right when three of your biggest competitors start acting like the world has come to an end. In this case, it’s Microsoft versus the anti-virus world.

While we like to stress the importance of anti-virus products on all platforms, they’re sort of like insurance companies.  Their products are usually expensive and bloated, and when you really need them, most of the time they’re not that effective.  Microsoft’s Security Essentials product is arguably one of the best anti-virus products on the market, and it’s free, and it’s got traditional vendors like Symantec, McAfee and Trend Micro scared.  Even more so now that Microsoft has begun distributing the software to users directly through its Microsoft Update service.


Google sues the federal government for wanting to use Exchange

November 1st, 2010 at 6:35 PM

So the US Department of the Interior decides that it wants a new email system, and after consideration decides it wants to use Microsoft’s hosted Exchange platform.

Pretty straight forward, right?

Well, until Google decides that the DOI should have used Google Apps instead, and sues the government for wanting to use Microsoft’s products.  Never mind the fact that Google doesn’t even have a GSA contract and cannot actually sell products to the federal government without one.

Google’s case makes it sound like they’re trying to protect the government from the disaster of going with Microsoft’s product, providing a filing full of reasons why their platform is superior and Microsoft’s is run by idiots.  Never mind the fact that Google Apps has had its fair share of issues in the last few months (even in the last week) and that they’re constantly adding, changing and removing features in a way that would probably not be welcome in a government setting.

via TechDirt


Is imitation always a form of flattery?

October 25th, 2010 at 9:52 PM

I have seen many different viruses pose as a security suite on a user’s machine, demanding credit card details and blocking web browsing until the user pays up.  This practice is not new, but I think this is the first time I have seen a virus mimic a real, current security product to lend some credibility to the scam.

At the Windows Team Blog, Eric Foster is reporting on a trojan that takes a page from these other well-known scams and puts its own twist on it.  It mimics Microsoft’s free AV solution, Microsoft Security Essentials, except that it prompts the user to install other “security software” and requests a credit card number.

Has Microsoft reached general acceptance of their security suite, enough for malware writers to start exploiting the name and the design?  Should companies like McAfee be worried?  I think so.

Intel buys McAfee, way overpays for an ineffective engine

August 19th, 2010 at 11:18 AM

I’m not sure I would have paid $29 for a copy of McAfee, but Intel decided it was wise to go all in and spend almost $8 billion to acquire them.

Of all the security companies Intel had to choose from, they picked one of the most bloated and ineffective scanning engines, and the one with one of the worst track records when it comes to false positives that eat your computer alive.

Having spent almost 4 years managing their corporate suite, having their software updates crash my systems (I eventually dumped their software for Microsoft Forefront) and having to rebuild my configuration multiple times, I’m not looking forward to them integrating their technologies into Intel chips.

(McAfee Press Release)

Why lazy sysadmins and IE 6 make the net unsafe

January 16th, 2010 at 11:14 AM

The number of businesses still using Internet Explorer 6 is painful to see. Coupled with the fact that all of them are on Windows XP or Windows 2000, it turns from pain into terror, especially when it comes to security.

For a lot of system administrators, the reasons to stay outweigh the reasons to upgrade. Websites that break, plugins that won’t load, old software that isn’t updated anymore. Trust me, I’ve been there. However, a lot of it boils down to lazy and poor practices of system administration.

Yes, you’re lazy and you’re bad at your job.  Internet Explorer 6 was released in 2001.  Yes, 2001; most of us don’t even drive cars that old, let alone unleash people on the “information superhighway” with a browser that old.  It was designed at a time when security was not the issue it is today.  It was designed to work on operating systems like Windows 98 and Windows ME.  Would you let people use Windows ME on your network?  No!  So why are you letting them use a browser that was built for it?!
