Thursday, February 21, 2008

Passwords are the root of all evil

The Security Catalyst Community is a group of information security practitioners, designed to support those responsible for protecting information by providing a professional, supportive environment to ask for help, foster a culture that welcomes ideas; share your experiences and insights regardless of your experience, and share your passion and blend your energy with others.

A recent topic (registration required) that sparked my interest is Eliminating Bad Passwords. I think that topic should have been: Eliminating Passwords.

Passwords have always been a bit of a sore point with me. Everyone who knows a little bit about information security knows that they provide a bare-bone level of security. Passwords are like a lock: they do not keep attackers out, they merely delay them from getting in.

Yet, knowing that passwords are a weak form of protection, it does not seem like the industry is moving away from them. Partially this is with a very good reason: passwords are easy to remember and easy to explain to users, and not all resources need high levels of protection. It does not make sense to implement a highly secure authentication mechanism if you are only accessing non-critical resources.

However, we see a proliferation of Enterprise Single Sign-On. Information Security Magazine studied what enterprises considered to be their priorities for 2008. 36% of the respondents said that they will evaluate SSO and 11% will implement it. Add to that the organizations that already deploy some form of SSO and the numbers should be well over 50%.

In other words: 50% of the enterprises use a mechanism that in theory is weak.

To mitigate the risks of using a flawed mechanism, we come up with silly things, such as password complexity requirements, account lockouts, expiration, etc. All of these are inconvenient and, in practice do not add much security. Password complexity especially protects against bruteforce attacks. Yet, especially when looking at insider jobs, bruteforce attacks are relatively uncommon. The reason for this is that most users do not take care of their passwords: they are shared more easily than a pencil, and they are generally less well protected than the bag of candy in the locked top-drawer of the secretary. Why bother bruteforcing them if Social Engineering is so much more effective?
Account lockouts can be useful, but they can also be abused to launch a denial-of-service attack.

What then, is the real answer? Should organizations not implement single sign-on? For some systems, which require a high level of protection, that is indeed the case. For systems that hold less critical data or facilitate less critical processes, single sign-on is fine.

The first part of the real answer is simple: stop using passwords.

Of course no mechanism is fool-proof, so whatever approach you adopt, make sure it produces reliable logging.

Those logs should be kept well and protected properly. Logs are an important resource, yet many administrators routinely clean out logs to regain disk space, or they turn of logging completely. Both are very poor practices. Also; make sure that everything you do produces some form of logging; just basic OS-level logging is not sufficient. Application need to product logging too, and so do appliances.

The second part of the answer is: Start keeping proper logs properly.

Logging can be do so more than just provide a debugging tool. It can be used to assist in a forensics investigation, but it can also be used to point out trends and pre-emptively detect problems. Logs tell you how well an organization is doing.

The third part of the answer is: Look at your logs, and analyze them thoroughly.

You might even get some nice metrics from them :)

Now; how I started at passwords and ended up at metrics is not entirely the outcome that I expected, but I don't feel like rewriting this post.

So it goes.

No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.