Firewall Wizards mailing list archives

RE: Passwords


From: "Doty, Ted (ISSAtlanta)" <TDoty () iss net>
Date: Mon, 18 Oct 1999 08:36:19 -0400

On Wednesday, October 13, 1999 1:46 PM, Rick Smith
<rick_smith () securecomputing com> wrote:
> At 12:19 PM 10/13/99 -0500, Don Helms wrote:
>
> > However, you can track the activity on a given account and see if the
> > patterns change.  For example, the guy that logs in to one app every
> > morning, does his work and goes home.  If suddenly that user is running
> > this app, that app and poking round at random, his password might have
> > been compromised.  Also keep an eye on time of day for new and unusual
> > activity.
>
> Does anyone have experience with such a thing in an operational
> environment? My impression was that these systems had very limited
> benefits.

The NIDES project concluded that detecting these events was sporadic at
best, and was subject to fairly high levels of both false positive and false
negative.  Then again, this was 1993, so there has been a while for
technology to move ahead (SAFEGUARD final report, 12/93, SRI International).

What seems much easier is not to look for access with a compromised
password, but rather access with a known user account and an unknown
password (brute force attacks).  These leave logs basically everywhere.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems          | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
Atlanta, GA 30328  USA                       | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE
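
Added example, not part of the original message: one way to detect the pattern described above (repeated wrong passwords against an account that exists) from authentication logs. It assumes OpenSSH-style sshd syslog lines; the sample log, the function name `detect_bruteforce`, the threshold, the window and the `year` parameter are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH sshd syslog style (not from the thread).
SAMPLE_LOG = """\
Oct 18 08:00:01 gw sshd[101]: Failed password for alice from 203.0.113.5 port 4001 ssh2
Oct 18 08:00:04 gw sshd[102]: Failed password for alice from 203.0.113.5 port 4002 ssh2
Oct 18 08:00:07 gw sshd[103]: Failed password for alice from 203.0.113.5 port 4003 ssh2
Oct 18 08:00:10 gw sshd[104]: Failed password for alice from 203.0.113.5 port 4004 ssh2
Oct 18 08:00:13 gw sshd[105]: Failed password for alice from 203.0.113.5 port 4005 ssh2
Oct 18 08:00:16 gw sshd[106]: Accepted password for alice from 203.0.113.5 port 4006 ssh2
Oct 18 08:01:00 gw sshd[107]: Failed password for invalid user oracle from 203.0.113.5 port 4007 ssh2
Oct 18 08:30:00 gw sshd[108]: Failed password for bob from 192.0.2.10 port 5001 ssh2
Oct 18 08:30:09 gw sshd[109]: Accepted password for bob from 192.0.2.10 port 5002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?P<invalid>invalid user )?(?P<user>\S+) from \S+ ")

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5), year=1999):
    """Return (user, kind, timestamp) alerts for accounts that exist."""
    recent = defaultdict(deque)    # user -> timestamps of recent failures
    alerted, alerts = set(), []    # one "bruteforce" alert per account
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["invalid"]:
            continue               # nonexistent account names are a separate signal
        # Syslog timestamps carry no year; `year` is an assumed parameter.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user, q = m["user"], recent[m["user"]]
        while q and ts - q[0] > window:
            q.popleft()            # drop failures that fell out of the window
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append((user, "bruteforce", ts))
        elif len(q) >= threshold:  # login succeeded right after a burst of failures
            alerts.append((user, "success_after_bruteforce", ts))
    return alerts

if __name__ == "__main__":
    for user, kind, ts in detect_bruteforce(SAMPLE_LOG):
        print(ts.isoformat(), user, kind)
```

A single mistyped password followed by a successful login (bob in the sample) stays below the threshold and raises nothing.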


