On 2012-06-12 Kurt Buff wrote:
> On Tue, Jun 12, 2012 at 11:30 AM, Kai Wirt <u-turn1 (at) gmx (dot) de [email concealed]> wrote:
>>> Just also revise enforcing password changing rules (every after 30
>>> days) on your site and strong passwords(no less then 8 characters,
>>> special characters, upper cases,numbers and symbols) , this helps
>>> when attackers try brute forcing, so by the time they crack the
>>> password its no longer in use...
>>
>> There's an interesting paper on this topic:
>>
>> http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks
.pdf
>>
>> In short, most of the password rules employed today are mostly
>> annoying to users and don't really improve security.
>
> That paper is deeply flawed, if not outright wrong, and borders on the
> pernicious.
>
> The end-user externality not considered by them is the cost to clean
> up an incident in an organization by IT staff after someone picks the
> dancing pigs over the secure way of doing things.

I have to disagree. If you carefully re-read the paper, you'll notice
that the author does include clean-up in the end-user externalities.
Whether the clean-up is done by the user himself or someone else in his
place matters little in this respect.

> If more staff were fired or otherwise disciplined after it was proved
> that they had gotten their company PC infected by navigating to
> non-work-related web sites (or performing their work in an unsafe
> manner against advice), we'd have a much better security environment -
> and the discipline must also apply to C-level execs, as the data they
> handle are even more precious than some staffer in shipping.
>
> I've personally cleaned up malware from the CxO's machines at $WORK,
> multiple times, because they a) won't pay attention to my
> recommendations for handling web sites and email and b) won't let me
> block or quarantine executables and suspect documents at the gateways
> that are designed to handle them.

Actually, no, that wouldn't help much. People are very good at ignoring
risk that isn't imminent. Also, as annoying as it may be, CxO people are
the people paying the bills, so they do get to make the final decision.
Yes, they do set a bad example by doing so, but that can't be helped if
they won't listen to reason.

It's my observation that security measures usually only work well when
either the users clearly understand (and acknowledge) the risks and
benefits, or the measures don't get in the way of their daily work
(much). If security measures become a hassle without apparent benefits,
the *will* be ignored/circumvented. Adding more threats is unlikely to
change anything about that.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

------------------------------------------------------------------------

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------

[ reply ]