[ISN] Get Serious About Network Security

From: <jericho_at_dimensional.com>
Date: Sat 14 Mar 1998 - 04:09:43 CST
Today's ISN Sponsor: Repent Security Incorporated


Get Serious About Network Security
Internet Week
Oct 1997
by Rick Sturm

Security - Does it really matter? Does anyone care about the security of
networks and systems? You're probably saying to yourself, "Of course,
everyone knows that security is absolutely essential for large
organizations today. Security is no longer optional. It is absolutely
mandatory." I agree. However, if it is so important and no longer
optional, why do so few people and organizations take it seriously?
   You may think I'm joking, but in general most organizations today make
only superficial attempts to protect their corporate computing and
communications assets. Consider the example of passwords. Most companies
today still permit passwords that are plain words: the names of family
members or pets, or the months of the year. In other words, passwords are
still chosen because they are easy to remember rather than because they
are difficult for an attacker to guess. What's more, a number of
organizations let a password remain in use indefinitely. Even among the
groups that do force passwords to expire, it is still uncommon for them to
check the new password against a list of previously used ones in order to
guard against the reuse of the same password. Ideally, passwords should be
fairly long (five to seven characters), have a limited life (one month,
for example) and contain at least one numeric or special character.
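The following is an added example, not code from the column or from Internet Week: a small policy checker that implements the rules just listed (a minimum length, a maximum password age, at least one numeric or special character, rejection of plain words and names, and a history check so an old password cannot be reused). The numeric thresholds are the column's 1997 figures and are kept as parameters so a site can raise them; the word list, the history depth of 12 and the sample passwords are constructed for the demonstration. Previous passwords are kept only as salted PBKDF2 hashes, so the history itself does not become a list of usable credentials.

```python
"""Password-policy checker for the rules the column lays out.

Added example, not the article's code. Thresholds follow the column's
1997 figures and are parameters; the forbidden-word list, the history
depth and the sample passwords below are constructed for the demo.
"""
import hashlib
import os
import re
from datetime import date

MIN_LENGTH = 5            # the column's lower bound for "fairly long" (1997)
MAX_AGE_DAYS = 30         # "limited life (one month, for example)"
HISTORY_DEPTH = 12        # assumption: how many old passwords to remember

# Constructed stand-in for the dictionary/name list the column warns about.
FORBIDDEN_WORDS = {
    "password", "secret", "welcome",
    "alice", "bob", "rover", "fluffy",            # family members, pets
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the history never stores a recoverable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordHistory:
    """Salted hashes of a user's previous passwords plus the last change date."""

    def __init__(self):
        self.entries = []          # list of (salt, hash), newest last
        self.last_changed = None   # datetime.date of the last change

    def record(self, password: str, when: date) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-HISTORY_DEPTH]   # keep only the newest HISTORY_DEPTH
        self.last_changed = when

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(_hash(password, salt) == h for salt, h in self.entries)

    def expired(self, today: date) -> bool:
        if self.last_changed is None:
            return True
        return (today - self.last_changed).days > MAX_AGE_DAYS


def check_new_password(candidate: str, history: PasswordHistory) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", candidate):
        problems.append("no numeric or special character")
    # Strip digits and punctuation so "Rover1" or "March!" still counts as
    # the dictionary word it is built from.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in FORBIDDEN_WORDS:
        problems.append("based on a dictionary word, name or month")
    if history.was_used(candidate):
        problems.append("reuses a previous password")
    return problems


def demo() -> dict:
    """Run the checker over constructed sample input and return the results."""
    hist = PasswordHistory()
    hist.record("Rover1", date(1997, 9, 1))      # constructed previous password
    results = {pw: check_new_password(pw, hist)
               for pw in ["rover", "Rover1", "fluffy!", "Tq8#mz9", "March1997"]}
    results["expired_1997-10-15"] = hist.expired(date(1997, 10, 15))
    results["expired_1997-09-20"] = hist.expired(date(1997, 9, 20))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value if value != [] else "ok")
```

The check strips digits and punctuation before the word-list lookup because a one-character suffix is the first thing a guesser tries once the base word is known; the history comparison re-hashes the candidate against every stored salt rather than comparing plaintext, which is the reason the list of old passwords can be kept at all.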
   Studies have found corporate executives to be one of the leading
impediments to tighter corporate security for IT environments. Why? The
answer is that all too often, they have refused to permit something as
simple as more stringent password standards because they personally find
it too difficult and inconvenient to remember. Therefore, not realizing
the seriousness of the threats that face their organization, they opt for
convenience over effectiveness.
   Certainly there are many steps that can be taken that provide even
greater protection for the IT assets than simply requiring the use of a
password that is hard to guess. However, if an organization is not willing
to inconvenience itself enough to establish better requirements for
passwords, how likely is it to actually make financial investments in more
significant security mechanisms?
   Then there are the users of the ubiquitous Post-it note. You have all
seen the problems to which I'm referring. You can walk through many
offices where user IDs and passwords written on Post-it notes are stuck on
terminals. You call this security? Again, it reflects a lack of
understanding. By far the greatest threat comes not from the external
attacker but from the employee. So what is the answer? Help the people in
your company understand there are real threats facing them and that
security is no laughing matter. Use statistics or horror stories -
whatever it takes - to get them to wake up and see what they are facing.


If you wish to receive ISN directly, mail majordomo@sekurity.org with "subscribe isn".
ISN is a non-profit list designed to keep Security Professionals aware.
Received on Sat Mar 14 03:09:51 1998