Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Christian Wilson <Christian.Wilson () ITS MONASH EDU AU>
Date: Sat, 28 Aug 2004 02:40:13 +1000
Theresa, On Fri, Aug 27, 2004 at 12:17:58PM -0400, Theresa M Rowe wrote:
Yes, that's what I was looking for. Your policy does not explicitly state the password cracking technique, but you have had campus discussion on the policy? For us to create an IT policy here, there's at least 4 rounds of different committee review and approval. We'd have to explicitly state we were going to try to crack passwords, or the policy would not support the action.
The majority of our IT policies go through a number of groups which are established at the University. For starters, we have our Technical Working Party (TWP), which consists of all the technical staff in the various faculties and administrative areas. We also have our IT Managers, which consist of the managers of those particular areas, then our ITS Managers, which consist of the managers of the central IT service provision areas, and then the University Wide IT Security Policy Committee, which consists of people that are responsible for IT as well as business owners within the various faculties. Typically, important IT policies, after they have been approved by the University Wide Committee, are also noted by other important committees within the University, in particular the Committee of Deans [heads of all our Faculties] and the Vice Chancellor's Group.

I think that it would be a difficult and time-consuming task to go into details within policy documents. If we had to explicitly state that we were going to try to crack passwords, then we'd have to state that we were going to try to scan the university network for vulnerabilities, etc etc etc etc etc etc. A policy document should be a guiding document on what a particular institution is doing at a particular point of time. It should not be a prescriptive step-by-step documentary on what particular issues need to be covered. If your policy document says that you are responsible for IT Security in your organisation or Faculty, and shows the general areas that you are responsible for, and has high level managerial sign off/approval, then you should (in my opinion) not need to go into low level detail on how you are going to manage IT Security at your organisation.

Of course, you may have supplementary procedures which show the 'doing' in terms of how you are going to approach things, but at the policy level you or your organisational department should be entrusted with managing IT Security for your institution or organisational unit, and hence should be able to do whatever is necessary to ensure the Confidentiality, Integrity, and Availability of IT resources.

Hope this helps, Christian.
Theresa

---- Original message ----
Date: Sat, 28 Aug 2004 02:09:37 +1000
From: Christian Wilson <Christian.Wilson () its monash edu au>
Subject: Re: [SECURITY] Password Cracking & Consequences
To: Theresa M Rowe <rowe () oakland edu>
Cc: SECURITY () LISTSERV EDUCAUSE EDU

Theresa,

On Fri, Aug 27, 2004 at 08:29:17AM -0400, Theresa M Rowe wrote:
I just cannot imagine even trying that in our culture. I am surprised that this is being done at some organizations. Can you share more specifics about the process: What campus involvement did you get prior to making the decision - this couldn't have been just an IT decision. How did you market it? How did your faculty react?

We have an IT Security Policy (everyone I believe can read it, it's located at http://www.adm.monash.edu.au/unisec/pol/itec13.html). Things like cracking passwords/finding security vulnerabilities and exposing such vulnerabilities can be determined from our policy via the following clause:

"10.2 Monitoring will be undertaken routinely by ITS Authorized Staff in the normal course of their duties to maintain technical security and operational efficiency of the system/service. Any extraordinary action taken to monitor IT services must be authorized by the Executive Director, ITS."

So basically issues regarding technical security, the cracking of usernames and passwords would fall under this. Our IT Security Policy has been approved by the University IT Policy group, so that's how we can justify doing what you are asking.

Perhaps things are different in Australia as opposed to the US? I don't know? I'd be interested in seeing what people on list think about our policy.

Hope this helps, Christian.

--
Christian Wilson
IT Security and Risk Manager, Infrastructure Services
Information Technology Services, Monash University - Clayton
Phone: +61 3 990 51187

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
--
Christian Wilson
IT Security and Risk Manager, Infrastructure Services
Information Technology Services, Monash University - Clayton
Phone: +61 3 990 51187

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.