
February 2007 Archives

February 7, 2007

All Hail the Lowly Password

A recent Computerworld article by Todd Weiss reinforces a basic fact: weak passwords make life easy for hackers. What he also mentions, and what is not as obvious to many administrators, is the number of password attempts that are made on their servers.

Unless you monitor what is happening on your computers, you could be living in blissful ignorance.

Almost every machine that accepts connections is challenged many times each day, and although there are many things you can do to protect your machines, the lowly password is an effective line of defense.

The author’s suggestion of an eight-character password using random letters, numbers and special characters is borne out by our own experience cracking passwords in our forensics lab. Dictionary words, slightly modified dictionary words, and shorter passwords are routinely cracked in minutes. Since technology advances quickly, we routinely use several more characters on our own servers.

Defense in depth is the best approach in protecting your machines. But as you pursue sophisticated defenses, don’t ignore the lowly password. Establish and enforce a password policy.
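As an added illustration (not code from the original post or the Computerworld article), the sketch below shows how a policy check can reject the three kinds of password the post says are cracked in minutes: short ones, dictionary words, and slightly modified dictionary words. The wordlist, the substitution table and the function names are constructed for this example; passing the check does not prove a password is random.

```python
import re

# Constructed sample wordlist; a real check would load a full cracking dictionary.
SAMPLE_WORDS = {"password", "dragon", "letmein", "monkey", "welcome", "sunshine"}

# Small constructed table of common substitutions, undone before the lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8  # baseline length cited in the post


def candidates(password):
    """Return the base words a 'slightly modified' password may derive from."""
    s = password.lower()
    lead = re.match(r"[^a-z]*", s).end()             # leading digits/symbols
    trail = len(re.search(r"[^a-z]*$", s).group())   # trailing digits/symbols
    found = set()
    for i in range(lead + 1):
        for j in range(trail + 1):
            # Peel off padding, then undo substitutions: "P@ssw0rd1" -> "password"
            found.add(s[i:len(s) - j].translate(LEET))
    return found


def policy_violations(password, words=SAMPLE_WORDS):
    """List the reasons a proposed password fails the policy (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    required = (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]")  # letters, numbers, specials
    if not all(re.search(pattern, password) for pattern in required):
        problems.append("missing character class")
    if candidates(password) & set(words):
        problems.append("dictionary-based")
    return problems


if __name__ == "__main__":
    for pw in ("dragon", "P@ssw0rd1", "Dragon2007!", "k7#Vq9!xTz2&"):  # constructed
        print(f"{pw!r}: {policy_violations(pw) or 'accepted'}")
```
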

February 10, 2007

Security Shock

A scientist has developed a way to make a DVD which could hold more than 50 terabytes. This will serve to deepen the culture shock that we are experiencing in the security world.

Not too many years ago, protecting information was easier. Information had to be physically carried away, usually on paper, and good physical security could deal with that most of the time.

Today we live in a world where many people are culturally not ready to secure information. We institute policies and procedures and train and train, and people still don’t get it. If you’re not convinced of this, just get on an airliner and look around. You will usually see spreadsheets, marketing plans and other confidential information displayed for other passengers to see.

You think our data losses are catastrophic now. Just wait for better technology.

February 18, 2007

A Real Security Challenge

A recent Computerworld article states that half of all pirated Vista software is malware – largely trojan horse programs which could subject your computer to outside control. This sounds an ominous note for any company which allows employees to bring in laptops or allows connections via VPN from home.

Even if you have policies which require that laptops be examined before being connected to company networks, what happens after that? Where is your data after a family member downloads malware (from any source) onto their personally owned machine?

The implications of this are as difficult to manage as they are obvious. Any machine which can access confidential information must be subject to continuous security oversight, no matter who owns it.

About February 2007

This page contains all entries posted to Ianuzzi's Security Perspective in February 2007. They are listed from oldest to newest.
