Mature IT: It's time for IT departments to enforce grown-up passwords and intelligent monitoring

To ensure security through variation, IT should not enforce just one syntax across the whole company

Organisations have a continuing problem with password management. Users don’t like complicated passwords; helpdesks don’t like resetting forgotten passwords, and managers don’t like seeing them stuck to the PC monitor.

There’s no way round it: strong passwords are essential in a world where millions of the most common passwords are already compiled in crackers' word lists. Moreover, today’s readily available raw computing power means that brute-force attacks are getting easier all the time. Because of these two factors, passwords really need to be nine characters or more in length, and as random and personal as possible, since recognisable phrases and patterns can be easily cracked.

So how should the IT department help users make a secure password that they will actually remember? Here’s just one method. Used in conjunction with best practices on the infrastructure side, this policy can help simplify things for everyone (users, helpdesk and management) and enhance security.

It’s a fact that the average user only wants to remember one password for all their different online resources. This means our ‘average user’ would much rather use a password that is NOT unique across their sites. What they really want is not to tax their memory, and with a little intelligent password practice they don’t have to. The key is to move the individual away from remembering a password and towards developing and remembering a syntax instead.

Let’s consider an example. The IT department wants users to create a unique yet easily remembered password for each of three different resources: Outlook, the sales database and a modelling tool, all accessible online. One suggestion for enforcing password creation through a syntax is set out below. However, to ensure security through variation, IT should not enforce just one syntax across the whole company, but should encourage users to create their own, using the example below to illustrate the process. In this way the individual has to remember:

  • How a phrase opens
  • The number of characters in the resource
  • The number for an offset step
  • How the phrase closes

In company A the example syntax is set in this way: [open phrase] + [domain-resource] + [extended char] + [close phrase]. As a whole, the parts form a single phrase that’s easy to remember. Let’s break this down step by step:

Step 1: [open phrase]. Our example phrase is ‘Y0ur’, and all person B’s passwords will start with it. This opening phrase could be anything; it could equally be ‘Th3’ or ‘L33’, as long as it’s unique to the user and remains consistent, so that it is easy to memorise.

Step 2: [domain-resource]. If the IT department is encouraging users to set a password that can be remembered across multiple resources, it makes sense to mask the resource name. One technique is to obfuscate the first three characters of the individual resource. How many characters they use is for the individual to decide, as long as they remain consistent.

This solves the problem where someone nefarious has one password and then guesses which resource it is tied to. To obfuscate, one technique is a simple ‘offset step’ in the resource name. And if all users mask in their own way, a hacker can’t ‘roll them all up’ by following the same rules.

So, for example, the user can step the characters by one, i.e. ‘a’ becomes ‘b’, ‘b’ becomes ‘c’ and so on, obfuscating the resource name in the process.

Step 3: [extended character]. The extended character is not optional, but it need not be a hyphen: it could equally be ‘@’ or ‘!’. The aim is to enforce an extended-character requirement.

Step 4: [close phrase]. Pick a word, e.g. ‘p@55w0rd’. The end result of following this example syntax is as follows:

  • Outlook : Y0urPvu-p@55w0rd (note Out becomes Pvu)
  • Sales : Y0urTbm-p@55w0rd
  • Modelling : Y0urNpe-p@55w0rd

So it is readily apparent that this is not complicated: all a user needs to do to access their Outlook account is ask themselves “What is my Outlook password?” Such a system is easy to remember because it is built from something the user can recall for every resource. By not using a plaintext common password, it ensures that every resource’s password is different and complies with complex password criteria. Crucially, it’s difficult for a hacker to unroll everyone’s passwords if they find just one.
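The four steps above, as an added example that is not part of the original article: a small Python implementation of the syntax with the one-step offset, checked against the criteria the article itself states (nine or more characters, an extended character, a different result per resource). The function names and the collision check are my assumptions, not the author's.

```python
# Added example (not from the original article): the [open phrase] + [domain-resource]
# + [extended char] + [close phrase] syntax, with the one-step offset on the resource
# name, plus a check against the article's own criteria (nine+ characters, an extended
# character, and a different result for every resource).
import string

def offset_step(text: str, step: int = 1) -> str:
    """Shift each ASCII letter `step` places along the alphabet, keeping case and
    wrapping z -> a; digits and symbols pass through unchanged ('Out' -> 'Pvu')."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + step) % 26))
        else:
            out.append(ch)
    return "".join(out)

def build_password(open_phrase: str, resource: str, close_phrase: str,
                   ext_char: str = "-", mask_len: int = 3, step: int = 1) -> str:
    """Compose open phrase + masked resource prefix + extended char + close phrase."""
    masked = offset_step(resource[:mask_len], step)
    return f"{open_phrase}{masked}{ext_char}{close_phrase}"

def meets_criteria(password: str) -> bool:
    """The article's stated requirements: at least nine characters and at least one
    extended (non-alphanumeric) character."""
    return len(password) >= 9 and any(ch in string.punctuation for ch in password)

def derive_all(open_phrase: str, close_phrase: str, resources, **kwargs) -> dict:
    """Derive one password per resource. Resources that share their first
    `mask_len` characters would collide, so that is rejected rather than hidden."""
    passwords = {r: build_password(open_phrase, r, close_phrase, **kwargs) for r in resources}
    if len(set(passwords.values())) != len(passwords):
        raise ValueError("two resources mask to the same value; use a longer mask")
    return passwords

if __name__ == "__main__":
    for name, pw in derive_all("Y0ur", "p@55w0rd", ["Outlook", "Sales", "Modelling"]).items():
        print(f"{name:10s} {pw}  meets_criteria={meets_criteria(pw)}")
```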

The syntax can be simple or complex. For example, here’s one which is simply a pet’s name, mixed up backwards with a domain, plus the obligatory extended character. Can you find the pet’s name?

  • eBay: ReABCaSyO!1
  • Paypal: RPAaCySpOal!1

Such systems are easy to learn, are far more secure than the traditional passwords most users are wedded to, and don’t cost anything to implement. However, organisations that require even higher standards of password strength might consider a password manager.

Even so, no password is guaranteed to be 100 percent secure and private. Once such password hygiene is in practice, the best way for an IT department to check how well it has held up is through intelligent monitoring of the IT infrastructure via Security Information and Event Management (SIEM) tools that flag when a user’s behaviour deviates from the norm.

Making sure all parties with access to your network have only the appropriate rights is a difficult process. The most successful Identity and Access Management (IAM) solutions make use of identity-enriched log events to see what different types of users are actually doing, establishing baselines to detect anomalous, risky activity and to improve access governance. If the business can monitor user activity across all accounts, applications and systems, organisations can understand who is on the network, what data they see and what actions they take. The result is greater security, better governance and faster forensic investigations.

The most intelligent solutions combine the broad activity collection and correlation of SIEM with user and role data from IAM and directory technologies. By enriching log events with user information, organisations get a complete picture of user activity, including monitoring of high-risk privileged and shared accounts. Making sure employees, contractors and third parties have only the access they need is a difficult process. IAM solutions typically used to take a top-down ‘role modelling’ approach. Now, using identity-enriched log events, organisations can see what different types of users are actually doing, establishing baselines to detect anomalous, risky activity and improve access governance.
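As an added example (not the author's or HP's code), a minimal sketch of the identity-enriched baselining described in the last two paragraphs, run over constructed log lines and a constructed directory export: the log format, directory fields, account names and the three detection rules are all assumptions for illustration.

```python
# Added example (not the article's code): identity-enriched baselining over constructed logs.
import re
from collections import defaultdict
DIRECTORY = {"jsmith": {"role": "sales", "privileged": False},  # constructed directory export
             "svc_ops": {"role": "service", "privileged": True}}  # shared service account
TRAINING = [  # constructed history used to establish each account's baseline
    "2015-03-02T09:14:22 user=jsmith src=10.0.1.20 app=sales-db",
    "2015-03-02T17:40:03 user=jsmith src=10.0.1.20 app=outlook",
    "2015-03-02T02:00:00 user=svc_ops src=10.0.9.5 app=backup",
]
LIVE = [  # constructed events to score: one normal, then three that should alert
    "2015-03-03T10:02:45 user=jsmith src=10.0.1.20 app=outlook",
    "2015-03-03T23:31:09 user=jsmith src=10.0.1.20 app=finance-ledger",
    "2015-03-03T02:05:00 user=svc_ops src=10.0.7.77 app=backup",
    "2015-03-03T11:12:00 user=ghost src=10.0.3.3 app=sales-db",
]
LOG_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) app=(?P<app>\S+)")
def parse(line):
    """Parse one log line and enrich it from the directory; unknown accounts count as privileged."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["ts"][11:13])
    ev.update(DIRECTORY.get(ev["user"], {"role": "unknown", "privileged": True}))
    return ev

def build_baseline(lines):
    """Per account: the applications and source hosts seen, and the login hours."""
    base = defaultdict(lambda: {"apps": set(), "srcs": set(), "hours": set()})
    for ev in filter(None, map(parse, lines)):
        for key, field in (("apps", "app"), ("srcs", "src"), ("hours", "hour")):
            base[ev["user"]][key].add(ev[field])
    return base

def detect(baseline, lines):
    """Return (user, role, reason) for each event that deviates from the account's baseline."""
    alerts = []
    for ev in filter(None, map(parse, lines)):
        b = baseline.get(ev["user"])
        if b is None:  # never seen before: cannot be scored, so surface it
            alerts.append((ev["user"], ev["role"], "no baseline for account"))
            continue
        if ev["app"] not in b["apps"]:
            alerts.append((ev["user"], ev["role"], f"new application {ev['app']}"))
        if not min(b["hours"]) <= ev["hour"] <= max(b["hours"]):
            alerts.append((ev["user"], ev["role"], f"login at {ev['hour']:02d}h outside usual window"))
        if ev["privileged"] and ev["src"] not in b["srcs"]:  # stricter rule for privileged/shared accounts
            alerts.append((ev["user"], ev["role"], f"privileged account from new host {ev['src']}"))
    return alerts
```

Running `detect(build_baseline(TRAINING), LIVE)` yields four alerts, each carrying the role that the directory enrichment attached, so an analyst sees "service account from a new host" rather than a bare username.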

But by tackling security from the top and the bottom, organisations can create security in the centre.

Posted by Simon Leech, CISSP, CISM, CRISC, Pre-Sales Director EMEA, HP Enterprise Security
