Keeping the Kingdom’s Keys
Is it really who you think it is?
Jaret D. Chiles, CISSP
Enterprise Cyber Security Team Lead, Rackspace Hosting Inc
Jaret.Chiles@gmail.com

Agenda
• Introduction
• Protecting access
• What’s the big deal?
• Strong passwords
• Multi-factor authentication
• Password management
• Account management
• Identifying weaknesses
• Implementing solutions
• Security awareness
• Q&A
Protecting access
Passwords have been used since ancient times to identify authorized persons or groups of people before letting them pass through gates. These were known as “watchwords”, exercised by watchmen or sentries.
Password defined
• “a secret word or expression used by authorized persons to prove their right to access, information, etc.” - dictionary.com
What is the purpose of passwords?
• To authenticate whether a requester is authorized to access a system or data. Authentication is critical to maintaining the confidentiality, integrity and availability of that system or data.
Strong Passwords
Does it really make a difference?
There are 26 letters in the English alphabet, so a 6-character password in all lowercase (or all uppercase) letters has only 306 million unique combinations: p = 26^6
Using both uppercase and lowercase letters in a password of the same length doubles the available characters to 52, giving 19.7 billion unique combinations: p = 52^6
The complexity of a password is CRITICAL in a world of parallel processing. Hackers are known to use numerous techniques to gain access to powerful computing resources to crack passwords.
SANS Institute: http://www.sans.org/reading_room/whitepapers/authentication/passwords-dead-long-live-passwords_1144
Strong Passwords
Many password cracking tools are available to brute-force authentication systems. Developing complex passwords impacts the effectiveness of automated cracking tools.
[Chart (2007): Lifehacker, How Passwords Get Cracked - http://lifehacker.com/247355/how-passwords-get-cracked]
Strong Passwords
• Strong passwords contain at least three of the following five character classes:
  • Lower case characters
  • Upper case characters
  • Numbers
  • Punctuation
  • “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc.)
• Contain at least fifteen alphanumeric characters
• Strong passwords should not include dictionary words, characteristics that are common to you, maiden names, significant dates, common patterns, etc.
• Use randomly generated passwords or acronym-oriented passwords. “My Dog Must be Fed At Least Every Single Day” = “~MdMbf@LE1d#”
• SANS Institute, Password Policy - http://www.sans.org/security-resources/policies/Password_Policy.pdf
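The keyspace arithmetic on the previous slide (p = 26^6, p = 52^6) and the character-class policy on this one can be put together in a small script. The example below is added here and is not code from the slides or from the author; the class split is the slide's (the "special" set is the slide's own list, and punctuation is taken to be the remaining ASCII punctuation so the two classes do not overlap), and the word list, thresholds and sample passwords are constructed for illustration. It generalizes the slide's two cases to any combination of classes and adds the policy check as a reusable function.

```python
import math
import string

# Character classes as the slide lists them. SPECIAL is the slide's own list;
# "punct" is a constructed set (the remaining ASCII punctuation) so the two do not overlap.
SPECIAL = set("@#$%^&*()_+|~-=\\`{}[]:\";'<>/")
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation) - SPECIAL,
    "special": SPECIAL,
}

# Policy thresholds from the slide and a tiny constructed word list standing in for a real dictionary.
MIN_LENGTH = 15
MIN_CLASSES = 3
DICTIONARY = {"password", "summer", "horse", "dog", "rackspace"}


def alphabet_size(classes):
    """Distinct characters available when every class in `classes` may be used."""
    return sum(len(CLASSES[name]) for name in classes)


def keyspace(length, classes):
    """Unique passwords of exactly `length` characters over the classes: p = n^length."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """log2 of the keyspace, i.e. the work factor an exhaustive guesser faces."""
    return length * math.log2(alphabet_size(classes))


def classes_present(password):
    """Which of the five character classes actually occur in `password`."""
    return {name for name, chars in CLASSES.items() if any(ch in chars for ch in password)}


def policy_violations(password, dictionary=DICTIONARY):
    """Return the rules `password` breaks, in a fixed order; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if len(classes_present(password)) < MIN_CLASSES:
        problems.append("classes")
    lowered = password.lower()
    if any(word in lowered for word in dictionary):
        problems.append("dictionary")
    return problems


if __name__ == "__main__":
    for classes in ({"lower"}, {"lower", "upper"}, {"lower", "upper", "digit"}, set(CLASSES)):
        print(f"{sorted(classes)}: {keyspace(6, classes):,} six-character passwords, "
              f"{entropy_bits(6, classes):.1f} bits")
    for pw in ("~MdMbf@LE1d#", "Summer2024password!", "correct horse battery staple"):
        print(f"{pw!r}: violations = {policy_violations(pw) or 'none'}")
```

Note that the slide's own acronym example "~MdMbf@LE1d#" uses four classes but is only twelve characters, so it fails the fifteen-character rule on the same slide; the script reports exactly that.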
Multi-factor Authentication
• Defense in depth
• Using something you know (such as a password) together with something you have (such as a token or card) and something you are (such as a fingerprint) helps to mitigate commonly exercised password attacks.
• Are you really exercising multiple factors of authentication?
• Using 50 instances of something a user knows is still single-factor authentication
Password Management
• Make sure to expire passwords within a reasonable length of time
• Avoid re-use of passwords, especially on different systems
• Enforce password complexity requirements
• Never share your password with anyone
• Avoid writing passwords down
• Be cautious using passwords on a device of unknown security posture
• Information Security HQ, Follow Good Password Practices - http://informationsecurityhq.com/follow-good-password-practices/
Account Management
• Least-privilege-based access controls… more defense in depth!
• Many folks think of network access controls when it comes to exercising least privilege, but this practice should be applied in all aspects of information security where reasonably possible, especially account management
• Avoid granting users more access than required to complete their assigned duties
• Avoid granting service accounts more access than required to perform necessary functions
Identifying Weaknesses
• Assess the system
  • System Characterization
  • Threat Identification
  • Vulnerability Identification
  • Control Analysis
  • Likelihood Determination
  • Impact Analysis
  • Risk Determination
  • Control Recommendations
  • Results Documentation
• National Institute of Standards and Technology, NIST 800-30, Risk Management Guide for Information Technology Systems - http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Identifying Weaknesses
• Common items to investigate:
  • Has the system been scanned for backdoors or keylogging malware?
  • What user accounts are active on the system?
  • Are user accounts password protected?
  • Are the passwords in use strong?
  • Have proper password management practices been exercised?
  • What services run on this system?
  • Do service requests require authentication?
  • Are there service accounts on the system?
  • How are passwords stored on the system?
  • Are passwords stored in clear text?
  • Are strong password hashing techniques being utilized?
  • What actions are authorized once authentication is achieved?
  • Is more permission granted than needed?
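The storage questions in this checklist ("stored in clear text?", "strong hashing?") are easiest to judge against a concrete pair. The example below is added here and is not code from the slides: it shows the weak pattern the checklist is looking for (a single fast, unsalted hash, so equal passwords produce equal stored values and one precomputed table serves every account) next to a hardened form using PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt, a tunable work factor, and constant-time verification. The stored-string layout and the iteration count are assumptions made for the example (the count follows OWASP's 2023 guidance for PBKDF2-SHA256), not a format from the slides.

```python
import hashlib
import hmac
import os

# Work factor for new hashes; raise it over time and let needs_rehash() migrate old records.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def weak_hash(password: str) -> str:
    """The finding the checklist warns about: fast, unsalted, identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hardened form: random 16-byte salt, slow key derivation, self-describing record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # assumed record layout: algo$iterations$salt_hex$digest_hex
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False                      # not one of our records (e.g. a legacy weak hash)
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True for legacy records or records made with a lower work factor than current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


if __name__ == "__main__":
    # constructed sample: two users who happen to share a password
    print("weak:    ", weak_hash("Winter2013!"), "==", weak_hash("Winter2013!"))
    a, b = hash_password("Winter2013!"), hash_password("Winter2013!")
    print("hardened:", a[:40] + "...", "!=", b[:40] + "...")
    print("verify ok:", verify_password("Winter2013!", a), " wrong:", verify_password("winter2013!", a))
    print("legacy record needs rehash:", needs_rehash(weak_hash("Winter2013!")))
```

On a system audit, any table where two accounts with the same password hold the same stored value, or where the stored value is a bare digest with no salt or cost parameter, answers the checklist's storage questions in the negative; the `needs_rehash` check is how the hardened form is rolled out at next login without a forced reset.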
Identifying Weaknesses
Sectools.org Top 10 Password Security Tools:
• Cain and Abel : The top password recovery tool for Windows
• John the Ripper : A powerful, flexible, and fast multi-platform password hash cracker
• THC Hydra : A fast network authentication cracker which supports many different services
• Aircrack : The fastest available WEP/WPA cracking tool
• L0phtcrack : Windows password auditing and recovery application
• Airsnort : 802.11 WEP encryption cracking tool
• SolarWinds : A plethora of network discovery/monitoring/attack tools
• Pwdump : A Windows password recovery tool
• RainbowCrack : An innovative password hash cracker
• Brutus : A network brute-force authentication cracker
http://sectools.org/crackers.html
Implementing Solutions
• Risk mitigation activity
  • Prioritize actions
  • Evaluate control options
  • Conduct cost-benefit analysis
  • Select controls
  • Assign responsibility
  • Develop safeguard implementation plan
  • Implement selected controls
• National Institute of Standards and Technology, NIST 800-30, Risk Management Guide for Information Technology Systems - http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Implementing Solutions
• How do we know what to do, and whether we did a good job?
  • Follow implementation guidelines developed by product vendors
  • Leverage STIGs (Standard Technical Implementation Guidelines) provided by NIST or other resources
  • Validate that controls are effective with testing
  • Evaluate re-assessment needs as part of Change Management processes
  • Schedule periodic assessments to validate that existing controls are still effective
  • Monitor logs for anomalous activity
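The last bullet, monitoring logs for anomalous activity, is where the password attacks discussed earlier become visible. The example below is added here and is not code from the slides: it parses constructed sshd-style authentication lines (documentation IP addresses, invented usernames and timestamps), keeps a sliding window of failures per source, and raises two kinds of alert: a burst of failures from one source that reaches a threshold, and a successful login from a source that was just failing repeatedly, which is the case that matters most because it may mean a guess worked. The log format, thresholds and alert names are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; format assumed to be "<iso-timestamp> <host> sshd[pid]: <message>".
SAMPLE_LOG = """\
2013-03-01T10:00:01 bastion sshd[4121]: Failed password for root from 203.0.113.5 port 50211 ssh2
2013-03-01T10:00:03 bastion sshd[4121]: Failed password for root from 203.0.113.5 port 50211 ssh2
2013-03-01T10:00:05 bastion sshd[4123]: Failed password for invalid user admin from 203.0.113.5 port 50214 ssh2
2013-03-01T10:00:07 bastion sshd[4125]: Failed password for root from 203.0.113.5 port 50219 ssh2
2013-03-01T10:00:09 bastion sshd[4125]: Failed password for root from 203.0.113.5 port 50219 ssh2
2013-03-01T10:00:11 bastion sshd[4127]: Failed password for root from 203.0.113.5 port 50222 ssh2
2013-03-01T10:00:14 bastion sshd[4129]: Accepted password for root from 203.0.113.5 port 50225 ssh2
2013-03-01T10:02:00 bastion sshd[4130]: Failed password for jchiles from 198.51.100.7 port 40022 ssh2
2013-03-01T10:02:05 bastion sshd[4130]: Failed password for jchiles from 198.51.100.7 port 40022 ssh2
2013-03-01T10:02:09 bastion sshd[4130]: Accepted password for jchiles from 198.51.100.7 port 40022 ssh2
2013-03-01T10:03:00 bastion cron[99]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_line(line):
    """Return {ts, result, user, src} for an sshd password event, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_anomalies(lines, threshold=5, window_s=60, suspicious_after=3):
    """Sliding-window analysis per source address.

    Alerts are dicts with kind, src, user and ts. "brute_force" fires once when a source
    reaches `threshold` failures inside `window_s`; "success_after_failures" fires when a
    login succeeds from a source that had at least `suspicious_after` recent failures."""
    recent_failures = defaultdict(deque)
    alerts = []
    for ev in filter(None, map(parse_auth_line, lines)):
        q = recent_failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:   # age out old failures
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:                                   # fire once per burst
                alerts.append({"kind": "brute_force", "src": ev["src"],
                               "user": ev["user"], "ts": ev["ts"]})
        elif len(q) >= suspicious_after:
            alerts.append({"kind": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts'].isoformat()} {alert['kind']:24} src={alert['src']} user={alert['user']}")
```

Two legitimate typos from 198.51.100.7 followed by a success stay below both thresholds and produce nothing, which is the tuning question for any such rule: the window and counts have to be set from the environment's normal failure rate, and the "success after failures" alert is the one worth paging on.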
Security Awareness
• Sophisticated security controls may be rendered ineffective without a workforce properly trained on the importance of security and how they can help protect the organization
• Policy and standards training
  • Make sure your team understands the expectations
• Social engineering
  • Train people to be conscious of phishing emails, websites, phone calls, and other common tactics
• System management
  • Make sure admins understand the importance of antivirus, encryption and password management
• Security best practices
  • Discuss the dangers of reusing passwords and the importance of strong passwords
Thank you! Please do not hesitate to send additional questions or comments to Jaret.Chiles@gmail.com