IT Manager's Handbook: Getting Your New Job Done
Authors: Bill Holtsnider, Brian D. Jaffe
Passwords
These should be at least six characters in length (many organizations now insist on passwords of eight characters), should be forced to be changed regularly (but not so often that a user has to write down her current password on a Post-It note attached to the monitor), and shouldn't be the same as the user's ID, nor be a common word. When it's time to change passwords, users should not be able to reuse the same one.
“Strong” or “complex” passwords are becoming increasingly popular. While the definitions of these terms vary, it's easy to understand them in comparison to “weak” passwords, which are easily guessed. A password that is blank, is the word “password” or a string of characters (e.g., 12345, or zzzzz), or that matches the user's ID, is considered a “weak” password. Similarly, a password that is the user's date of birth or pet's name is considered a weak password. Strong or complex passwords are those words that can't be found in the dictionary, often because they include special characters, numbers, and both upper- and lowercase letters.
A 2009 survey by Elcomsoft (www.elcomsoft.com/survey/survey2009.pdf) showed that 50 percent of respondents use more than 10 different passwords across their various IDs and accounts, but 11 percent use only one to three different passwords. It is likely that this is leading to behaviors that could jeopardize IT security, as well as compliance initiatives. This was confirmed in a 2010 survey by Webroot (pr.webroot.com/threat-research/cons/protect-your-computer-from-hackers-101210.html), whose findings included:
• Four in 10 respondents shared passwords with at least one person in the past year.
• Nearly as many people use the same password to log into multiple websites, which could expose their information on each of the sites if one of them becomes compromised.
• Almost half of all users never use special characters (e.g., ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords.
• Two in 10 have used a significant date, such as a birth date, or a pet's name as a password—information that's often publicly visible on social networks.
• 50 percent of people feel their passwords are very or extremely secure, yet:
  • 86 percent do not check for a secure connection when accessing sensitive information when using unfamiliar computers.
  • 14 percent never change their banking password.
  • 20 percent have used a significant date in a password.
  • 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer.
  • 41 percent use the same password for multiple accounts.
  • Only 16 percent create passwords with more than 10 characters.
  • Four in 10 people (41 percent) have shared passwords with one or more people in the past year.
  • Almost half of Facebook users (47 percent) use their Facebook password on other accounts and 62 percent of Facebook users never change their password.
Configure your system to automatically lock out an account after a set number of failed log-in attempts. Many systems will automatically lock out an account after three failed attempts within a five-minute period. The system may then be set to automatically unlock the account after another few minutes. While these two steps may seem contradictory, the idea is to halt any brute-force attempt to guess a password while still allowing a legitimate user to eventually gain access. Brute-force attacks are done with programs specially designed to try every character combination until the right password is found. Unchecked, a brute-force attempt can try tens of thousands of combinations in a single hour. With these account lockout parameters, the program might only get a handful of attempts.
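An added example (not from the book) of the lockout logic described above, in Python: three failures within a five-minute window lock the account, and it unlocks by itself after a further period (assumed here to be five minutes, since the text says only "another few minutes"). The simulation at the end counts how many guesses an attacker hammering the account once per second actually gets evaluated in an hour.

```python
from collections import deque

MAX_FAILURES = 3        # failed attempts that trigger a lockout (three, as in the text)
FAILURE_WINDOW = 300    # seconds over which failures are counted (five minutes)
LOCKOUT_SECONDS = 300   # assumption: auto-unlock after five more minutes


class LockoutPolicy:
    """Wraps a password check with sliding-window failure counting and auto-unlock."""

    def __init__(self, verify_password):
        self.verify_password = verify_password   # callable(user, password) -> bool
        self.failures = {}       # user -> deque of failure timestamps inside the window
        self.locked_until = {}   # user -> time at which the lock expires
        self.evaluated = 0       # how many guesses actually reached the password check

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def attempt(self, user, password, now):
        """Returns 'ok', 'denied' (wrong password) or 'locked' (no check performed)."""
        if self.is_locked(user, now):
            return "locked"      # even the right password is refused while locked
        self.evaluated += 1
        if self.verify_password(user, password):
            self.failures.pop(user, None)   # success clears the failure history
            return "ok"
        window = self.failures.setdefault(user, deque())
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()     # drop failures older than the window
        if len(window) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            window.clear()
            return "locked"
        return "denied"


def guesses_evaluated_per_hour():
    """Attacker tries one wrong guess per second for an hour; how many get checked?"""
    policy = LockoutPolicy(lambda user, pw: False)   # constructed: every guess is wrong
    for t in range(3600):
        policy.attempt("target", "guess", t)
    return policy.evaluated   # 36: three guesses per lockout cycle
```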
Special Privilege IDs
Network and system managers usually have special IDs and passwords that provide carte blanche access to systems. These are often called “root,” “supervisor,” or “administrator” accounts. Because of their special access, only a handful of people should have accounts like this. System administrators tend to ignore their own security rules and often set these passwords to never expire. It's important that these passwords be changed regularly and changed immediately when someone who knows them leaves the company.
It's a common best practice for IT Managers and administrators to use two IDs. One of them has the special privileges they need for certain types of activities. The other isn't privileged and is used for routine tasks such as their own e-mail. The reason for two accounts is to minimize the amount of time an IT administrator makes use of privileges, thereby reducing the risk of their impacting the entire system by accident.
Administrators shouldn't share a common privileged account, and each should have their own non-privileged account. This helps identify actions and tasks with specific individuals and is particularly helpful when examining log entries.
Another common practice is to rename, delete, or disable the default privileged account that's installed with operating systems and applications. Since hackers assume these accounts exist on your system, they're usually one of the first paths they try to use to gain access. At a minimum, you must change the default password associated with these accounts.
Access Reviews
Large environments may have thousands of users and hundreds of thousands, if not millions, of files on their computer networks. Usually, groups of files are set up that can only be accessed by certain groups of users, and vice versa. It's important that some type of user administrator review these access privileges periodically (perhaps twice a year) to ensure that unauthorized users haven't mistakenly been given access to the wrong files.
Authorization Levels
Security administrators who process the requests to grant and revoke privileges, change access, and create IDs need to know who is authorized to make these requests. For example, the payroll manager may be authorized to determine who has access to the payroll files, and the VP of sales may be authorized to determine who has access to sales figures. It's up to the IT Manager and the security administrator to make sure it's clear who has authority over what and that these requests are documented. Most companies now require that every request be sent to IT formally, for example as an e-mail or a trouble ticket in the IT help system. A manager's request for an employee's new software upgrade, a user's request for a new printer, or a request for access to a new part of the network all now need to be formally requested, documented, and tracked. HR should alert IT of new employees in advance of their start date so that IDs with basic privileges (e-mail, etc.) can be created.
Authentication
Authentication is the process of confirming that a user is who he or she claims to be, which determines whether access should be granted.
Challenge–Response
The most familiar and traditional form of authentication is known as challenge–response. The challenge is asking the user a question, and the response is the answer provided by the user. When you are prompted for your user ID and your password, you are participating in a challenge–response protocol.
Two-Factor Authentication
Typically, access is based on what a user knows—usually their ID and password. Two-factor authentication bases access not only on what the user knows, but also on what they have. The what-they-have component is generally a 6-digit token provided by a device that users carry with them (small enough to fit into a wallet or on a keychain). The device operates by displaying a number that changes every minute. The user types in the number when logging in, and the number is validated by a corresponding authentication server.
Two-factor authentication helps prevent unauthorized access resulting from the user telling someone else their password or by having their password guessed. Many companies use two-factor authentication for their remote access security as a way of reducing the exposure associated with connectivity from the public Internet. The SecurID solution from RSA Security is the most popular solution for two-factor authentication. (But even RSA was hacked in early 2011, although there has been no detail as to what the hackers may have done, and what information, if any, may have been stolen or compromised.)
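An added illustration (not from the book, and not RSA's proprietary SecurID algorithm) of how such a token and its authentication server can work, in Python: the code is derived from a shared secret and the current minute with an HMAC construction in the style of the open TOTP standard; the server tolerates one step of clock drift and refuses a code that has already been accepted. The secret and the timestamps are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the displayed number changes every minute
DIGITS = 6          # 6-digit token


def token_code(secret: bytes, unix_time: int) -> str:
    """Code the token would display at unix_time (HOTP/TOTP-style truncation)."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10**DIGITS:0{DIGITS}d}"


class AuthServer:
    """Server side: holds each user's token secret and validates submitted codes."""

    def __init__(self, secrets, drift_steps=1):
        self.secrets = secrets            # user -> shared secret bytes
        self.drift_steps = drift_steps    # accept codes from this many steps either side
        self.last_counter = {}            # user -> last accepted step (replay protection)

    def verify(self, user, submitted, unix_time):
        secret = self.secrets.get(user)
        if secret is None or len(submitted) != DIGITS or not submitted.isdigit():
            return False
        base = unix_time // STEP_SECONDS
        for k in range(-self.drift_steps, self.drift_steps + 1):
            counter = base + k
            expected = token_code(secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                if counter <= self.last_counter.get(user, -1):
                    return False          # code already used once: reject the replay
                self.last_counter[user] = counter
                return True
        return False
```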
Although the situation is slowly improving, users are still burdened by having to remember a variety of different IDs and passwords. Single sign-on (SSO) is a solution that allows users to authenticate once to the network and then have access to all applications and resources for which they have been granted permission, without having to enter additional IDs and passwords. SSO is a convenience for users as it reduces the number of IDs and passwords to remember, and it's a convenience for system managers as it greatly simplifies administration. Perhaps one of the most valuable aspects of SSO is that once an employee leaves the company, all their access can be removed by disabling their SSO ID.
The challenge with SSO is that the business applications may have to be altered to incorporate the technology. For in-house developed applications, this may be a relatively straightforward change. However, with third-party applications, it may be much more complex. A host of SSO-ready applications have sprung up, and standards like OpenID and Security Assertion Markup Language (SAML) have been developed and adopted to help facilitate SSO.
This technique is a classic case of the user convenience versus security trade-off discussed in the beginning of this chapter. (See the section “Security versus Privacy versus Convenience” on page 207.) Certainly the fewer things to remember, the happier most users are, but should a hacker gain access to an SSO ID, they then have access to all the systems the user is authorized for.
Identity Management
Identity management encompasses a variety of solutions and technologies related to user authentication. These include:
• Single sign-on. This option is discussed in the previous section on page 219.
• Self-service. Allowing users to reset their own passwords.
• Password synchronization. When a user changes a password in one system, the new password is automatically replicated to other applications and systems.
• Account provisioning. The process of creating new accounts and revoking them when they're no longer needed.
• Federated identity. This is a single user ID that can be used for different websites because they all belong to a common “federation.” While similar to SSO, federated identities are useful when trying to manage authentication to external, in addition to internal, sites and applications. This allows organizations to share user credentials across the network boundaries that normally separate them.
Other User Authentication Methods
New methods of confirming a user is who he or she claims are being created all the time. In addition to the tried and true but sometimes fallible passwords, more advanced techniques include fingerprint and retinal scanning; and speech, signature, and face recognition. Another method gaining in popularity is referred to as “knowledge-based access”; this system is based on what information the user knows. Unlike passwords and other mechanisms, this information is not prone to being forgotten or lost. With knowledge-based access, users will provide the system with answers to various questions (e.g., favorite pet's name, mother's maiden name, place of birth, first school attended, favorite sports team). Many websites use knowledge-based access for password recovery.
Security Defenses
There is an entire industry selling security solutions—hardware, software, utilities, processes, and so on. The following are some of the more common solutions being implemented, but note that this list is certainly not comprehensive.
Firewalls
Firewalls are used to control access between networks. While firewalls initially existed just in corporate networks, they are now used on individual devices, and Microsoft Windows itself has a built-in firewall. While used mostly to protect your internal network from the public Internet, firewalls are often also used between private networks. For example, you may have a connection with a vendor or subsidiary and use a firewall to ensure that their access to your network is restricted. Firewalls are configured with rules to specify which devices can connect to each other, using which protocols and ports, and sometimes even specifying the times that the connectivity is allowed.
Intrusion Detection and Prevention
Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) offer a layer of protection, in addition to firewalls, against the exposures of the Internet.
• An Intrusion Detection System identifies suspicious traffic based on patterns of activity. Similar to the way antivirus software works, an IDS compares traffic patterns against various known malicious signatures (which are updated frequently). Essentially the IDS is evaluating traffic to see if it matches known attacks. When it detects suspicious activity, the IDS alerts the network administrator.
• An Intrusion Prevention System takes an IDS a step further. Not only does it detect the malicious activity but it takes action (in addition to notifying the administrator). The IPS may drop a packet from the suspicious traffic, close a port automatically, or refuse further traffic from that particular IP address. In the millisecond world of network activity, a network administrator may not be able to react fast enough to a notification from an IDS about a possible attack. An IPS can take preventive action (based on how it's set up and configured) instantly after it detects any suspicious activity.
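An added example (not from the book) that makes the IDS/IPS distinction in the two bullets above concrete, in Python: both compare each packet against a small set of constructed signatures, but the IDS only records an alert and lets the traffic through, while the IPS also drops the matching packet and refuses all further traffic from that source address. Packets and signatures are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes


# Constructed toy signature database: name -> (destination port, byte pattern).
# Real products ship thousands of signatures and update them frequently.
SIGNATURES = {
    "web-path-traversal": (80, b"../../"),
    "web-sqli-probe": (80, b"' OR 1=1"),
}


def match_signatures(pkt):
    """Names of every signature whose port and pattern match this packet."""
    return [name for name, (port, pattern) in SIGNATURES.items()
            if pkt.dst_port == port and pattern in pkt.payload]


class IDS:
    """Detection only: raises an alert for the administrator; traffic still flows."""

    def __init__(self):
        self.alerts = []   # (src_ip, signature name) pairs

    def inspect(self, pkt):
        for sig in match_signatures(pkt):
            self.alerts.append((pkt.src_ip, sig))
        return "forward"


class IPS(IDS):
    """Detection plus automatic action: drop the packet and shun the source address."""

    def __init__(self):
        super().__init__()
        self.blocked = set()

    def inspect(self, pkt):
        if pkt.src_ip in self.blocked:
            return "drop"                # refuse further traffic from that address
        hits = match_signatures(pkt)
        for sig in hits:
            self.alerts.append((pkt.src_ip, sig))   # still notify the administrator
        if hits:
            self.blocked.add(pkt.src_ip)
            return "drop"
        return "forward"
```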