10 Immutable Laws of Security
Why You Need a Strong Password
It is worth reminding ourselves occasionally why we need passwords and computer security and what we are protecting ourselves from. I often talk to people in small businesses who hate the idea of having to use passwords and permissions. They consider that their people are trustworthy and that they should have open access. But computer security is not about protecting you from the people you trust. It is just as much about accountability, protecting your trusted people from themselves, from you, and from the unknown elements outside of the organisation such as malicious software and hackers. Any organisation with a server needs to implement security policies, and not always for the obvious reasons. The number one delivery vehicle for malicious software, for example, is email. We all use email and we are all human: we make mistakes, and we can be tricked into opening a malicious attachment. The chances are that, despite countermeasures, sooner or later some malicious code is going to find its way onto your systems. At that point, everyone in the organisation who has a blank or trivial password will have plenty of reason to regret it. Defending yourself from these situations requires a defence-in-depth approach. The firewall is one layer of defence, your antivirus software is another. Your Windows username and password are your last line of defence. If a bad guy can guess your password, it’s “game over”.
Ten Immutable Laws
Microsoft TechNet has a great article about security: 10 Immutable Laws of Security. In summary:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea
Click on any law to link back to a more in-depth description at the Microsoft TechNet site. I’ll bet at least one of those laws is already ringing a few alarm bells in your head.
It always pays to remember that your Windows user name and password protects a lot of valuable and/or sensitive information. When you log in to your computer each day, you are unlocking access to that information. If your network has an internet connection, you could potentially be exposing that information to persons unknown. The Internet is an amazing, powerful resource that has massive benefits for businesses and individuals, but it also has a dark underbelly. The threats can be mitigated when they are understood, but following security best-practices and understanding the Ten Immutable Laws is a key part of that mitigation strategy. There really is no acceptable alternative.
Pesky Passwords
I understand that creating and remembering strong passwords is a chore. It is a necessary evil, but the inconvenience can be minimised with some thought. System Administrators often get this very wrong, forcing users to create passwords that are hard to use and remember, which often leads to them being written on a post-it note stuck to the user’s monitor or left in the top drawer (Immutable Law #3). A password that has to be written down is self-defeating. I’ve covered strategies for creating strong passwords elsewhere; essentially there are two techniques:
- Use a mnemonic – a password that is complex but memorable.
- Use a passphrase – a sentence or phrase in plain text, including spaces and punctuation. Size is everything: each additional word makes the passphrase massively more secure.
Additionally, password pain can be eliminated using a physical security device. Some solutions available today are:
- Biometric devices, such as fingerprint readers, are now affordable and accurate. They are becoming popular because of their convenience, ease of use and affordability. Many laptops and keyboards are available with fingerprint recognition built-in. The best devices have software that lets you register your Windows login password and passwords for various web sites and services, so that all of your passwords can be protected by a quick scan of one or more fingers.
- Smart cards rely on a certificate stored in the memory of a credit-card style device. Logging in is as simple as inserting your smart card. Pulling the card out typically locks your workstation.
- Time-dependent key generators such as RSA SecurID generate passwords that are only valid for a minute or so. Even if a password is discovered, it is useless outside of that time window.