Archive for the ‘IT Policy’ Category

2-factor authentication doomed.. and the future of internet use.

Wednesday, March 16th, 2005

2 factor authentication obsolete?

Well.. I can't argue with the arguments of the article above, but it's important to keep things in perspective.

I see a clear distinction between home users and their security needs, and corporate security needs. (But what about dial-in corporate users?!)

For corporate IT, where the network infrastructure and local PCs can be tightly controlled, passive attacks like password guessing are gonna be the choice avenue of attack. 2-factor is good at mitigating this one.

Home users and their infected PCs face different problems, and I feel these will eventually have to result in drastic measures to contain the ever-growing menace that these systems and their clueless users represent.

Corporate dial-up? Well ffs, don't use people's own PCs to do it.. give them cheapo laptops, something you as an IT department can at least control!

In the end, whenever a secure connection has to be made over an insecure line, man-in-the-middle attacks are gonna be a problem. Whenever you can't control the configuration or the security of the connecting PC, piggy-backing is gonna be a problem.

The answer is partly a highly-guarded public infrastructure, better security protocols that combine more than one authentication system in ways that are very hard to spoof, and all other vectors being as closed as they can possibly be.

So how about stuff like online banking, online shopping, zombie networks, etc.?

For home users, I see a grim future. I imagine a not-so-far future where you have to register your computer, and all its software, just to get online at all. Your system and its software will be constantly vetted and monitored, and kicked off the network at the first sign of trouble. The ISPs will play a major part in this, as part of the responsibility for keeping the network secure and clean overall will fall on them. The kind of technologies that we are beginning to see in the corporate arena, such as isolation VLANs and security-policy enforcement, are gonna shift towards the home user at some point.

You will have one side of the internet where, not only to ensure people's safety online but to ensure the health of the network itself, you will be forced to connect to a DRM-managed, policy-controlled, security-enforced internet, where you and your activities are constantly subjected to scrutiny, and you have very little freedom on your own PC. You might even have one PC for this 'clean' internet, and a separate one for…

…The "shadow internet"; it looks a lot more like the internet we have today, where anarchy rules and security is a joke. A digital badlands. Connect any and all PCs to that one if you dare, but security is all your own responsibility.

On which side companies will do their business, and where most users will be forced into by PC manufacturers, software companies, content providers and their IP, and ISPs, seems obvious. I hope it won't come to that extreme, but it's already starting to happen. Look at SP2 and Automatic Updates… look at all the extra agents that get installed on your PC these days… and that stuff is legit! We are slowly but surely losing control of our own PCs. We can't even call them that anymore.

Oh yes.. that IT thing… I have heard of it, it's central to our policy actually.

Wednesday, February 9th, 2005

Two articles got my attention tonight, both related to a similar theme.

First off is this from the Register, on Tony Blair’s apparent lack of IT skills.

Now personally, who cares if the man uses his mouse as a remote control or something, but it's this following article from Working Smarter (or is it Thinking Faster??) that actually underpins the danger of managers, or in the above case a politician, not knowing the first thing about something that might be central to some of the policies they are trying to enact.

I myself can certainly relate to this feeling of IT not being taken seriously at all by most people in charge. Until an actual dialogue is established between the IT organisation and the management, IT will always remain the underdog of companies, the department to blame, the department that only costs you money. But in order to do this you also need strong departmental management in your IT environment, and as far as I have seen, this is very, very rare.

Techdirt:Companies Find IM Saves Them Money

Saturday, January 8th, 2005

Techdirt:Companies Find IM Saves Them Money

While companies that promote IM monitoring software have been going around trying to convince companies that using IM at work is bad, it appears that most companies know better… or simply don’t know enough to care. It’s now estimated that 85% of businesses use instant messaging in some manner, though, that seems quite high. Does that apply to things like Mom & Pop retail shops? However, more interesting is the fact that some are actually trying to measure the impact it has, including a study that Intel did, where they found that using IM at work is leading to time savings worth approximately $25 million. Obviously, there are good and bad sides to IM. It often makes quick communications easier, but it can also be a distraction. Teaching people to better manage their IM presence can go a long way towards helping with that issue — but for now, it appears that enough businesses are realizing that IM seems to help, not harm, their productivity.

85% of businesses?? Where, on planet Spathi?

I only wish so many businesses did! Of the 30-odd companies I have worked for, which includes all manner of sizes, I have only seen Nokia employ instant messaging, using Lotus Sametime in that case.

I have often mentioned the idea to IT managers and senior administrators, but the idea is often dismissed out of hand, usually because of productivity-loss concerns (people start chatting to each other about non-work-related subject matter). My counter to that argument is that they are gonna do that anyway… on the phone, or over coffee.. if they do it at all.

And even if they do.. is that such a bad idea? Sometimes the best kind of meetings are the informal ones, where ideas are spontaneously produced during conversation. I think the possible benefits of corporate IM outweigh the possible downsides; the notion of presence in particular is very, very valuable in large and distributed companies.

A slightly different take on password policy

Wednesday, January 5th, 2005

Life of a one-man IT department – Mike McBride

After my experiences today I’m reconsidering the way I look at password policies. I had to go around and install the new drivers for that Canon copier/printer today on about 15 machines. The install involved installing the Canon LPR port, installing the print driver, restarting, and then entering the Department ID information for the print job accounting functions. So I would sit down at a PC, run the installers, and ask the user to enter their password when the PC restarted. Most of them would just tell me what the password was instead of getting up from where they had settled to type it. A couple of these folks had to get up and type it in because they couldn’t remember it. Typing it in had become such a routine that they couldn’t tell you what it was, but they could type it. That told me two things:

1. I'm obviously not making them expire often enough. (I already knew that, but since there are no direct internet-facing PCs, everything sits behind another company's whole network infrastructure, and it's a small enough environment that I can keep a pretty close eye on things, I have been more lax than I would be in any other situation. I don't make them change it as often as most of you probably do with your users.)

2. You could never use social engineering to get these people’s passwords. They can’t tell you what they are! Maybe there’s something to be said for letting people type in the same password for long periods of time, making it such a routine that they can’t give it to anyone else. 🙂

Interesting take on things. I think a lot can definitely be said for non-expiring, or long-expiring, passwords.. but from a social-engineering standpoint this would only work effectively if the passwords used were quite strong, so that users end up typing them from memory.. but can't easily verbalise them. Of course the way a particular person remembers a password will differ from person to person.. so no guarantees. The upside is that people are less likely to write passwords down, as they do more often under a high-rotation password expiration policy.

I think it's a good approach in certain circumstances, depending heavily though on the risks associated with exposure of your system to the outside, as he already mentioned. The entire reason for password expiration is to help minimise the risk of a password being cracked, or, when cracked, being abused for very long.

I have to wonder however how difficult it would be to push a strong-password policy through the organisation, as the initial time to learn the passwords is going to be too frustrating to users, and often also to the very managers/directors that control your policy/budget, possibly leading to the abandonment of the policy.. as I have seen happen quite often.

In the end, it's all about educating users and management about the importance of passwords.. why they exist, why your policy is the way it is. Try to have an open discussion about it with the organisation as a whole, not just within the IT department. And this extends to all policy really.. people are better at following policy if they themselves understand the reasons behind policy and security.

If, despite your best efforts, you cannot get a proper password policy enforced or adhered to by the user base, try an external security audit as a way of making the risks transparent. Managers and directors on the whole pay a lot more attention to external parties' advice when it comes to this kind of thing, and an audit can in fact be a good tool to build trust with partners and customers, if you advertise that you have been through such a process (and have made changes based on the outcome and advice). This is especially true for publicly traded companies.

But the keyword here remains education. I identify a lack of understanding of the (root) problem (and its possible consequences) as the biggest reason companies don't manage to get good security policy through.

Passwords are dead.. tell me something I don’t already know!

Wednesday, November 17th, 2004

Dave over at alerted me, via his podcast, to a keynote address (link to) by Bill Gates, in which he says: "The move towards smart cards is the way forward," said Gates in his keynote at IT Forum, in Copenhagen this morning. "The idea is to have a smart card that connects up in the best way – a .Net based smart card."

Well Duh.

I mean Duh on smartcards in general, and the idea that passwords are dead. (I'll have to dig in a little deeper to get what the difference is between a .Net based smartcard and the 'classic' one you can use today.)

I'll tell you something else.. I don't think passwords ever had any life in them to begin with.

People just don't take passwords seriously. I see this in every aspect of computer use, from the post-it-sticking end user to the password-printout-toting sysadmin. Most companies I have been at don't have any kind of password policy in place, and those who do usually stick to the 3-month, strong-password policy, which is usually a failure because some, if not most, users will write down their hard-to-remember passwords somewhere near their PCs.. and sometimes on the good ole post-it on the screen.

Not only do these people often not realise why passwords are used to begin with, but a stringent password policy is usually such a pain-in-the-ass for users that they start to work around it in these kinds of ways.

On the IT department side, things are usually not much better. Often I have run into situations where either the password policy, and I use the term policy lightly, is to have a single administrator account+password that is used everywhere, or to have so many passwords for so many different systems that administrators have to go around with printed lists of passwords (which get lost and may fall into the wrong hands; I have seen examples of this often).

Of course both methods are as incorrect as you can possibly imagine. The correct way security should be handled is with single sign-on, as much as possible. Give admins their own, private, admin account, and give them the rights to do their work, no more, no less.
Audit them, have a good audit policy in place, disallow use of general accounts like the administrator account; in fact accounts like this should be disabled or at least renamed.
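The two checks above (is the built-in administrator account still enabled and still called Administrator, and is a single admin account being used from all over the place?) are easy to script against an account export and a logon-audit export. This is an added example, not code from the blog or from Microsoft; the account list, the logon lines and the CSV layout are constructed for the example, and the threshold of "more than two machines" is an assumed value. The one real detail it relies on is that the built-in administrator account always has relative ID 500, whatever it is renamed to.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: a domain account export. The built-in Administrator
# account keeps relative ID (RID) 500 whatever it is renamed to, so the audit
# keys on the SID suffix rather than on the name.
ACCOUNTS = [
    {"name": "Administrator", "sid": "S-1-5-21-111-222-333-500", "enabled": True},
    {"name": "j.smith-adm", "sid": "S-1-5-21-111-222-333-1105", "enabled": True},
    {"name": "k.jones-adm", "sid": "S-1-5-21-111-222-333-1106", "enabled": True},
]

# Constructed sample: successful interactive logons exported from the audit
# log, one per line as timestamp,account,sid,workstation.
LOGON_EVENTS = """\
2005-01-10T08:02:11,Administrator,S-1-5-21-111-222-333-500,WS01
2005-01-10T08:05:40,Administrator,S-1-5-21-111-222-333-500,WS07
2005-01-10T09:11:02,Administrator,S-1-5-21-111-222-333-500,SQL01
2005-01-10T09:30:19,j.smith-adm,S-1-5-21-111-222-333-1105,WS02
2005-01-10T10:00:00,j.smith-adm,S-1-5-21-111-222-333-1105,WS02
2005-01-10T10:45:27,k.jones-adm,S-1-5-21-111-222-333-1106,SQL01
"""


def builtin_admin_findings(accounts):
    """Check the built-in administrator account against the policy in the
    post: it should be disabled, and at the very least not still be called
    Administrator."""
    findings = []
    for acct in accounts:
        if not acct["sid"].endswith("-500"):
            continue
        if acct["enabled"]:
            findings.append(
                f"built-in administrator account '{acct['name']}' is enabled")
        if acct["name"].lower() == "administrator":
            findings.append("built-in administrator account has not been renamed")
    return findings


def shared_account_findings(events_csv, max_hosts=2):
    """Signal for the 'one admin password used everywhere' setup: a private
    admin account belongs to one person at one desk, so an account logging on
    interactively from many different machines is probably being shared.
    Returns the offending accounts with the workstations they were seen on."""
    hosts = defaultdict(set)
    for _ts, account, _sid, workstation in csv.reader(StringIO(events_csv)):
        hosts[account].add(workstation)
    return {acct: sorted(seen) for acct, seen in hosts.items()
            if len(seen) > max_hosts}


if __name__ == "__main__":
    for line in builtin_admin_findings(ACCOUNTS):
        print("FINDING:", line)
    for acct, seen in shared_account_findings(LOGON_EVENTS).items():
        print(f"FINDING: '{acct}' logged on from {len(seen)} machines: {', '.join(seen)}")
```

On the sample data the first check reports the RID-500 account twice (enabled, and not renamed), and the second flags only Administrator, which was used from three different machines in one morning while the two personal admin accounts each stayed on a single box.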

Across disparate systems, one should try to implement single sign-on technologies, with products such as Microsoft Identity Integration Server (MIIS), and/or other federated directory synchronisation services. A good security infrastructure is only successful if it's not a burden, if it is transparent to those who use its services.

MIIS 2003 manages information by receiving identity information from the connected data sources and storing the information in the connector space as connector space objects or CSEntry objects. The CSEntry objects are then mapped to entries in the metaverse called metaverse objects or MVEntry objects. This process allows data from separate connected data sources to be mapped to the same MVEntry object.

For example, an organization’s e-mail system can be linked to its human resources database through the metaverse. Each employee’s attributes from the e-mail system and the human resources database are imported into the connector space through management agents. The e-mail system can then link to individual attributes from the employee entry, such as the employee telephone number. If an employee’s telephone number changes, the new telephone number will automatically be propagated to the e-mail system.
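To make the connector space / metaverse idea from the MIIS text concrete, here is a small model of it in Python: two connected data sources (an HR database and an e-mail system) are imported into per-source connector-space entries, joined to one metaverse object each on a shared anchor attribute, and a telephone number change in HR is pushed out to the e-mail system exactly as the example above describes. This is an added illustration, not MIIS code or its API; the sample records, the choice of employeeID as the join attribute and the attribute-flow rules are all assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed sample exports from two connected data sources. employeeID is
# the anchor attribute shared by both, which is what lets entries from
# different sources be joined to the same metaverse object.
HR_EXPORT = [
    {"employeeID": "1001", "givenName": "Ann", "sn": "Lee", "telephoneNumber": "+1 555 0101"},
    {"employeeID": "1002", "givenName": "Bob", "sn": "Ng", "telephoneNumber": "+1 555 0102"},
]
MAIL_EXPORT = [
    {"employeeID": "1001", "mail": "ann.lee@example.com", "telephoneNumber": "+1 555 0101"},
    {"employeeID": "1002", "mail": "bob.ng@example.com", "telephoneNumber": "+1 555 0199"},  # stale
]

# Attribute flow rules (assumed for this example): which attributes each
# source is authoritative for on import, and which metaverse attributes are
# pushed back out to each source on export.
IMPORT_FLOW = {"hr": ["givenName", "sn", "telephoneNumber"], "mail": ["mail"]}
EXPORT_FLOW = {"mail": ["telephoneNumber"]}


@dataclass
class CSEntry:
    """Connector space object: one source's view of one entry."""
    source: str
    anchor: str
    attrs: dict = field(default_factory=dict)


@dataclass
class MVEntry:
    """Metaverse object: the merged identity, with links to its connectors."""
    anchor: str
    attrs: dict = field(default_factory=dict)
    connectors: dict = field(default_factory=dict)   # source -> CSEntry


class Metaverse:
    def __init__(self):
        self.objects = {}   # anchor -> MVEntry

    def import_source(self, source, records):
        """Management-agent import: stage each record as a CSEntry, join it to
        the MVEntry with the same anchor (projecting a new one if none exists),
        then apply this source's import attribute flow."""
        for rec in records:
            anchor = rec["employeeID"]
            mv = self.objects.setdefault(anchor, MVEntry(anchor))
            cs = mv.connectors.setdefault(source, CSEntry(source, anchor))
            cs.attrs.update(rec)
            for attr in IMPORT_FLOW.get(source, []):
                if attr in cs.attrs:
                    mv.attrs[attr] = cs.attrs[attr]

    def export_source(self, source):
        """Export: push metaverse values that differ from what the connected
        source holds, and return the changes per anchor (empty when in sync)."""
        pending = {}
        for mv in self.objects.values():
            cs = mv.connectors.get(source)
            if cs is None:
                continue
            changes = {a: mv.attrs[a] for a in EXPORT_FLOW.get(source, [])
                       if a in mv.attrs and cs.attrs.get(a) != mv.attrs[a]}
            if changes:
                cs.attrs.update(changes)
                pending[mv.anchor] = changes
        return pending


def initial_sync(hr_records, mail_records):
    """Full import from both sources, then export to the e-mail system."""
    mv = Metaverse()
    mv.import_source("hr", hr_records)
    mv.import_source("mail", mail_records)
    return mv, mv.export_source("mail")


def hr_phone_change(mv, employee_id, new_number):
    """HR changes one number: delta-import that record and export to mail."""
    mv.import_source("hr", [{"employeeID": employee_id, "telephoneNumber": new_number}])
    return mv.export_source("mail")
```

The flow rules are what make this a security tool rather than just a copy job: HR is the only source allowed to write a telephone number into the metaverse, so the stale number sitting in the mail system gets overwritten on the first export and can never flow the other way.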

When it comes to logging on in the first place, like I said, passwords are basically useless in my eyes.. I have seen many kinds of password security basically made useless by human nature, and the associated lack of interest in security, or of an understanding of why it is necessary.

Two- or three-factor authentication schemes are the way to go of course, like our dear friend Bill says, but this technology is by no means new. Here is a copy-paste from the Server 2000 resource kit:

Windows 2000 supports logging on with a smart card for the network logon process by using extensions to the Kerberos v5 protocol. For logging on to a network, users usually press CTRL+ALT+DEL to initiate the Windows 2000 secure logon sequence. When the smart card logon process is enabled, a user inserts the smart card to initiate the Windows 2000 secure logon sequence. The user is then prompted to enter the PIN for the smart card. If the user’s PIN and smart card credentials are valid, the user is logged on and granted rights and permissions for the user account.

When an administrator enrolls for a smart card logon certificate on behalf of the user, Windows 2000 automatically maps the smart card certificate to the user’s account in Active Directory. Therefore, smart card certificates for logging on to the network must be issued by a trusted enterprise CA.

If you deploy smart cards for logging on to the network in a domain and allow some users to log on without smart cards (for example, with CTRL+ALT+DEL for Windows 2000–based clients or with NTLM for clients based on Microsoft® Windows® 98 and Microsoft® Windows NT®), the security of the network becomes only as good as the weakest password in the system. For maximum network logon security, deploy Windows 2000 and smart cards for all users and require that smart cards be used for logging on to all computers in your domains, including logging on from a remote location.

In every single way, smart cards are better. They are far more user friendly than having to come up with strong passwords every other month, and they are of course more secure.. because of the two-factor method of authentication.. something you have: your smart card (with a digital certificate on it), and something you know: your PIN code. Without both of these coming together at the right time, you cannot log in.

Combine this with the optional, but encouraged, third factor, something you are: retinal scan, fingerprint, face scan, etc., and you can now start talking about security seriously.
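Here is the "something you have plus something you know" logic from the resource-kit passage and the paragraph above, modelled in Python: the card only answers a challenge after the right PIN has been presented, blocks itself after too many wrong PINs, and the domain controller only accepts answers from a card it has mapped to an account. This is an added example, not Windows or Kerberos code: a per-card HMAC key stands in for the private key and certificate that real smart card logon (Kerberos PKINIT) uses, and the three-try limit, the card IDs and the account name are assumed values.

```python
import hashlib
import hmac
import os
import secrets

MAX_PIN_TRIES = 3   # assumed card setting: block the card after this many wrong PINs


class SmartCard:
    """Something you have. The card holds a secret that it will only use after
    the correct PIN (something you know) has been presented, and the secret
    never leaves the card: callers only ever get a response to a challenge.
    Simplification: a per-card HMAC key stands in for the private key and
    certificate that real Windows smart card logon (Kerberos PKINIT) uses."""

    def __init__(self, card_id, pin, card_secret):
        self.card_id = card_id
        self._salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin, self._salt)
        self._secret = card_secret
        self.tries_left = MAX_PIN_TRIES
        self._unlocked = False

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)

    def verify_pin(self, pin):
        """A wrong PIN consumes a try; at zero the card blocks itself, which is
        what makes a short PIN acceptable where a short password is not."""
        if self.tries_left == 0:
            return False
        if hmac.compare_digest(self._hash_pin(pin, self._salt), self._pin_hash):
            self.tries_left = MAX_PIN_TRIES
            self._unlocked = True
            return True
        self.tries_left -= 1
        self._unlocked = False
        return False

    def respond(self, challenge):
        if not self._unlocked:
            raise PermissionError("card is locked: present the PIN first")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class DomainController:
    """Holds the mapping from each enrolled card to an account (the
    certificate-to-account mapping the resource kit text describes) and checks
    the card's answer to a fresh challenge."""

    def __init__(self):
        self._enrolled = {}   # card_id -> (username, card_secret)

    def issue_card(self, username, pin):
        """Enrolment: generate the card secret, record the mapping, hand out the card."""
        card_id = f"card-{len(self._enrolled) + 1}"
        secret = secrets.token_bytes(32)
        self._enrolled[card_id] = (username, secret)
        return SmartCard(card_id, pin, secret)

    def challenge(self):
        return secrets.token_bytes(32)   # fresh nonce per logon, so responses cannot be replayed

    def verify(self, card_id, challenge, response):
        entry = self._enrolled.get(card_id)
        if entry is None:
            return None              # card not mapped to any account
        username, secret = entry
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return username if hmac.compare_digest(expected, response) else None


def smart_card_logon(dc, card, pin):
    """The logon sequence: insert card, enter PIN, answer the DC's challenge.
    Returns the account name on success, None otherwise."""
    if not card.verify_pin(pin):
        return None
    nonce = dc.challenge()
    try:
        response = card.respond(nonce)
    except PermissionError:
        return None
    return dc.verify(card.card_id, nonce, response)
```

Knowing the PIN gets you nothing without the enrolled card, holding the card gets you three guesses at the PIN before it is blocked and has to be unblocked by an administrator, and a card the domain controller never enrolled is rejected however correct its PIN is. That retry counter on the card is the reason a four-digit PIN is acceptable here while a four-character password never would be.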

Of course… if the local admin password on, for example, your SQL server is weak, the whole exercise is probably for nought.