A central point for collection of information that relates to computer security, including, but not limited to, security advisories from the major vendors, major data breaches, “phishing” alerts, commentary regarding staffing levels, etc.
August 11, 2009 at 12:29 pm #77546
RELATIVELY good blog posting which at least brings the “issue” to the table
From Channel Insider
Poor Password Management Eclipses Virus Problem
Posted by Larry Walsh on August 7, 2009 8:30 AM
Everyone seems to want to harp on malware as the most serious threat to business data and networks. Security vendors are producing a steady stream of evidence to this point. But is this really the worst threat out there?
In the first half of 2009, McAfee detected 1.5 million malware samples in the wild. That’s 300,000 more than in all of 2008 and an increase of 1,800 percent over 2006. Malware creators have produced more viruses, worms and Trojans in the last 18 months than in all of the previous 10 years combined.
We presume that antivirus software – client or network – is a staple of any computing platform. Market studies have noted the AV deployment base being above 90 percent for years. But Symantec recently produced a report that found one in three small businesses have no antivirus protection.
And, most recently, in a security study conducted by Channel Insider and CompTIA, solution providers say out-of-date antivirus applications and signature files are the most common problem in 38 percent of the security assessments they conduct.
Scary stuff, eh? Perhaps, but there’s a bigger problem.
In the same Channel Insider/CompTIA survey, solution providers say there’s one problem bigger than the out-of-date antivirus. That’s poor password management. In 43 percent of security assessments, solution providers say they find poor password policies, enforcement and practices.
During a security panel I conducted at Breakaway, one of my panelists said that one medical practice he serves recognized the need for strong password policies and required each user to have a strong, mixed alphanumeric password for different applications and resources. The only problem was that this led to “sunflowers,” or users—including the practice’s owner—adorning their monitors with Post-it notes with scribbled passwords.
I agree with the panelists that passwords are a nuisance and, therefore, an overlooked problem in businesses. Businesses have multiple applications, many requiring unique identities. Who wants to have three, four or five unique passwords like “Pz7t49*q” (not a real password, trust me) to remember? Even worse, good password management requires frequently changing passwords – every 30 to 60 days is the standard. Rotating passwords more frequently—every 15 days or so—is possible, but the panelists say it creates more of a management and user headache that leads to more sunflowers by users whose memories can’t keep up with the changes.
What many end users don’t realize is that poor password management has a direct cost beyond security. Forgotten or mismanaged passwords often lead to help desk calls, which have a heavy price. In the early 2000s, the cost of password resets through help desks led to the creation of automated, self-service systems that typically changed or updated passwords with challenge/response questions, such as “what city were you born in?” While those systems are good for large enterprises, few SMBs can afford such luxuries.
And even the automated systems are showing signs of weakness in the age of social networks. Users are publishing so much personal information about themselves that all hackers have to do is troll Facebook, MySpace and Twitter for the answers to questions like “favorite pet’s name” and “mother’s maiden name.” This is precisely how Twitter CEO Jack Dorsey had his email compromised; a hacker guessed the challenge response on a Twitter employee’s Google Apps account, which led to access of the Twitter network.
Password management isn’t trivial. In fact, it’s hard because it’s both a technical and a human issue. As the solution providers on my CompTIA panel said, it’s up to solution providers to provide the guidance and tools to end users on how to improve their password management. Sometimes it’s just simple common sense – like never write down a password on a Post-it note and stick it to your monitor – or establishing policies and automated systems for forcing password rotation. Of course, password management is also a good excuse to talk about such things as single sign-on and multifactor authentication systems.