Security Basics mailing list archives
RE: How do you conduct a password audit?
From: Mike Mychalczuk <Michael.Mychalczuk () netiq com>
Date: Fri, 13 May 2011 18:52:43 +0000
What you are wanting to do makes sense, but I strongly urge you that before you even consider starting this that you have a highly documented plan that has signoff up in the stratosphere level of management. Essentially you need a "get out of jail free" card because there is no way that I know of that you can do this that does not involve what fundamentally amounts to hacking, and you do not want to go down this road, regardless of intention, without solid managerial backing.

The justification for this exercise can be summarized as follows: in the absence of multi-factor authentication for every employee in the company, a legitimate layer of defense of the user identity is the password and its complexity. Since the organization provisions and deprovisions users to information and business services through the identity, protecting the user's identity is a legitimate risk mitigation exercise. A valid argument can also be made that while a vulnerability may be exploited that is technical in nature, i.e. cross-site scripting, at some point in the path there usually has to be at least one elevated userid / password that is compromised - thus the password strength audit is a legitimate risk mitigation technique.

I personally do not know of any "industry best practices" on this subject because in my experience this topic is very organizationally and geopolitically culturally sensitive. However, having had the opportunity to discuss this subject around different parts of the world, here are some "commonalities" to consider:

1. Have a documented policy approved and signed off on by an officer of the company. Make sure the policy outlines the WHO, WHAT, WHEN. Also make sure the policy clearly denotes the approved methodology. I've seen cases where the policy itself does not include the methodology but instead references an approved "methodology" document. This allows the methodology to be modified independent of the approved policy. Make sure this plan has been vetted with legal. I have heard of cases where everyone thought they were good, legal had not been consulted, and bad things happened as a result. Make sure corporate counsel is on board. In the ideal universe a member of their organization is your witness.

2. Do not do it as a party of one. Have a tester / evaluator and a witness. Establish a chain of custody of the data. One way I've heard of this being done is that the test is performed, the data collected, and the test that contains the cracked passwords is destroyed so that all that remains is the quantifiable data and a means to notify an individual simply that "recently their password was audited, and that they failed the audit - please immediately reset your password following the stated corporate policies...." You want to have a witness that you (or someone else) are not doing this with malicious intent or improperly handling the information.

3. Typical reporting I've seen requested is: # of accounts tested, # of accounts compromised by the audit project, and then ultimately rolled up to department, BU / LOB, and ultimately organizational level. This provides enough fidelity to identify where additional education efforts should be focused etc.

4. I have been told of these types of exercises, I've not personally done it this way, where individuals who had weak passwords automatically had their passwords reset via automation and private notification. This requires a fair amount of scripting unless there is an Identity Management tool in place. I thought it was a good idea because, depending on the tool(s) being used, where an argument can be made that the tester then has access to the compromised password, via secondary processes the compromised password is automatically changed to a password that meets the requirements and is provided only to the end user, who is then required to change it again upon first login.

With regards to the methodology or "how" to conduct the audit: you want the audit to represent the real threat. Where you have multiple devices, if your tester is not fluent in these platforms then they should seek counsel from SMEs as to how they would go about conducting the activity and what tools they would use etc. This knowledge should then be codified into the "methodology" document referenced before and includes the tools to be used. This is another reason why the methodology is separated from the policy, so that it can be modified to reflect current situational assessment.

Phasing the work is something that is more in the eye of the beholder than it is something that is universal. I personally tend to like to go the following way, but I would defer to others who engage in this far more than I do:

1. Non-user accounts by platform. These would be Service / Application accounts where an end user is not a physical person. Go by platform to keep the work manageable.
2. Perimeter user accounts if identity stores are self-contained, i.e. using the WatchGuard internal repository for VPN access etc.
3. Divide users by departments / platforms. Work at departmental level across users / platforms.
4. Notify non-compliant users at the end of each department sweep and provide adequate time for them to remediate.
5. Rescan accounts that fail the first audit.
6. Provide regular and timely reporting of findings to management so that your management may communicate with their peers and others as appropriate in terms of findings and remediation.

I hope this is helpful and was what you were looking for.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of wyfr1972 () gmail com
Sent: Friday, May 13, 2011 4:47 AM
To: security-basics () securityfocus com
Subject: How do you conduct a password audit?

Hi folks,

I have many questions on this. I've learnt a lot from SecBasics, but now I have a few questions of my own. I want to carry out a password audit for my company, but I'm not sure how to proceed.

Firstly, how do I broach the subject with management? Are there any standards/methodologies online that I can use to back up my request to management? Then, how do you conduct the audit? We have a mix of devices Windows/Solaris/Unix/Checkpoint/Cisco/network printers/etc. How do I phase the work for best effect? How do I present my findings?

Thanks for your advice and help in advance.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
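The data-handling scheme Mike describes in points 2 and 3 (destroy the file holding recovered passwords, keep only pass/fail per account, roll counts up to department, BU and organization, notify users privately, and record a witnessed chain of custody) as an added Python example; this is not code from the thread, and the account directory and the account:password output lines are constructed placeholders.

```python
import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class AuditResult:
    account: str
    department: str
    business_unit: str
    failed: bool  # True when the audit recovered this account's password

# Constructed directory (account -> department, BU) and constructed
# cracker output lines in account:password form; nothing here is real.
DIRECTORY = {"alice": ("Finance", "Corporate"), "bob": ("Finance", "Corporate"),
             "carol": ("Sales", "Field"), "dave": ("Sales", "Field"),
             "erin": ("IT", "Corporate")}
RAW_OUTPUT = ["alice:example1", "carol:example2", "dave:example3"]

def reduce_output(raw_lines, directory):
    """Keep only identity and pass/fail; the recovered password is dropped."""
    cracked = {line.split(":", 1)[0] for line in raw_lines}
    return [AuditResult(acct, dept, bu, acct in cracked)
            for acct, (dept, bu) in sorted(directory.items())]

def rollup(results):
    """{level: {name: (tested, failed)}} at department, BU and org level."""
    keys = {"department": lambda r: r.department,
            "business_unit": lambda r: r.business_unit,
            "organization": lambda r: "ALL"}
    report = {}
    for level, key in keys.items():
        counts = defaultdict(lambda: [0, 0])
        for r in results:
            counts[key(r)][0] += 1
            counts[key(r)][1] += int(r.failed)
        report[level] = {k: tuple(v) for k, v in counts.items()}
    return report

def notifications(results):
    """Private notice per failing account; it never carries the password."""
    return {r.account: "Your password failed the recent audit; reset it now "
            "following corporate policy." for r in results if r.failed}

def custody_record(results, tester, witness):
    """Hash of the retained secret-free data, countersigned by tester and witness."""
    payload = json.dumps([asdict(r) for r in results], sort_keys=True).encode()
    return {"sha256": hashlib.sha256(payload).hexdigest(),
            "tester": tester, "witness": witness}
```

Once `reduce_output` has run, the raw cracker file can be destroyed; everything reported afterwards derives from the secret-free records whose hash the custody record pins.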
Current thread:
- How do you conduct a password audit? wyfr1972 (May 13)
- Re: How do you conduct a password audit? Edd Burgess (May 13)
- RE: How do you conduct a password audit? Matthew Reed (May 13)
- Re: How do you conduct a password audit? S.k (May 16)
- RE: How do you conduct a password audit? Chadha, Sachin (May 16)
- RE: How do you conduct a password audit? Synja (May 16)
- RE: How do you conduct a password audit? Matthew Reed (May 13)
- RE: How do you conduct a password audit? Mike Mychalczuk (May 13)
- <Possible follow-ups>
- RE: How do you conduct a password audit? Julius K. (May 13)
- RE: How do you conduct a password audit? Jeremi Gosney (May 13)
- Re: How do you conduct a password audit? Vincent Maury (May 13)
- RE: How do you conduct a password audit? Jeremi Gosney (May 16)
- RE: How do you conduct a password audit? Jeremi Gosney (May 13)
- Re: How do you conduct a password audit? Edd Burgess (May 13)
- Re: RE: How do you conduct a password audit? wyfr1972 (May 13)
- Cyber Ark Hanson Coffie Kyeremeh (May 18)