Re: Password Cracking & Consequences

[Christian Wilson <Christian.Wilson () ITS MONASH EDU AU>]

Theresa,

On Fri, Aug 27, 2004 at 12:17:58PM -0400, Theresa M Rowe wrote:
> Yes, that's what I was looking for.  Your policy does not
> explicitly state the password cracking technique, but you
> have had campus discussion on the policy?
> For us to create an IT policy here, there's at least 4 rounds
> of different committee review and approval.  We'd have to
> explicitely state we were going to try to crack passwords, or
> the policy would not support the action.

The majority of our IT policies go through a number of groups which
are established at the University. For starters, we have our Technical
Working Party, (TWP), which consists of all the technical staff in the
various faculties and administrative areas. We also have our IT Managers,
which consist of the managers of those particular areas, then our ITS
Managers, which consist of the managers of the central IT service provision
areas, and then the University Wide IT Security Policy Committee, which
consists of people that are responsible for IT as well as business owners
within the various faculties.

Typically important IT policies after they have been approved by the University
Wide Committee are also noted by other important committees within the
University, in particular the Committee of Deans [heads of all our Faculties]
and the Vice Chancellors Group.

I think that it would be a difficult and time consuming task to go into details
within policy documents. If we had to explicitely state that we were going to
try to crack passwords, then we'd have to state that we were going to try to
scan the university network for vulnerabilities, etc etc etc etc etc etc.

A policy document should be a guiding document on what a particular institution
is doing at a particular point of time. It should not be a prescriptive step
by step documentary on what particular issues need to be covered. If your
policy document says that you are responsible for IT Security in your
organisation or Faculty, and shows the general areas that you are responsible
for, and has high level managerial sign off/approval, then you should (in my
opinion) not need to go into low level detail on how you are going to manage
IT Security at your organisation.

Of course, you may have supplementary procedures which show the 'doing' in
terms of how you are going to approach things, but at the policy level you
or your organisational department should be entrusted with managing IT
Security for your institution or organisational unit, and hence should be able
to do whatever is necessary to ensure the Confidentiality, Integrity, and
Availability of IT resources.

Hope this helps
Christian.
> Theresa
>
> ---- Original message ----
> > Date: Sat, 28 Aug 2004 02:09:37 +1000
> > From: Christian Wilson <Christian.Wilson () its monash edu au>
> > Subject: Re: [SECURITY] Password Cracking & Consequences
> > To: Theresa M Rowe <rowe () oakland edu>
> > Cc: SECURITY () LISTSERV EDUCAUSE EDU
> >
> > Theresa,
> >
> > On Fri, Aug 27, 2004 at 08:29:17AM -0400, Theresa M Rowe
> wrote:
> > > I just cannot imagine even trying that in our culture.  I
> am
> > > surprise that this is being done at some organizations.
> Can
> > > you share more specifics about the process:
> > > What campus involvement did you get prior to making the
> > > decision - this couldn't have been just an IT decision.
> > > How did you market it?
> > > How did your faculty react?
> >
> > We have an IT Security Policy (everyone I believe can read
> it, its located
> > at http://www.adm.monash.edu.au/unisec/pol/itec13.html).
> >
> > Things like cracking passwords/finding security
> vulnerabilities and exposing
> > such vulnerabilities can be determined from our policy via
> the following
> > clause:
> >
> > "10.2 Monitoring will be undertaken routinely by ITS
> Authorized Staff in
> > the normal course of their duties to maintain technical
> security and
> > operational efficiency of the system/service. Any
> extraordinary action
> > taken to monitor IT services must be authorized by the
> Executive
> > Director, ITS."
> >
> > So basically issues regarding technical security, the
> cracking of usernames
> > and passswords would fall under this.
> >
> > Our IT Security Policy has been approved by the University
> IT Policy group,
> > so thats how we can justify doing what you are asking.
> >
> > Perhaps things are different in Australia as opposed to the
> US? I don't know?
> > I'd be interested in seeing what people on list think about
> our policy.
> > Hope this helps
> > Christian.
> > --
> > Christian Wilson
> > IT Security and Risk Manager, Infrastructure Services
> > Information Technology Services, Monash University - Clayton
> > Phone: +61 3 990 51187
> Theresa Rowe
> Assistant Vice President
> University Technology Services
> www.oakland.edu/uts - the latest news from University Technology Services

--
Christian Wilson
IT Security and Risk Manager, Infrastructure Services
Information Technology Services, Monash University - Clayton
Phone: +61 3 990 51187

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.