Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Mon, 13 Apr 2009 19:51:35 -0400



SANS has a great document called the Consensus Audit Guidelines (CAG) that walks through 20 good controls that 
government, corporate and academic institutions should consider putting in place. I posted a subset (1-4) of the 
document that discusses passwords below.

===============================================================================
Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance

This document is a first step toward providing specific audit guidelines that CISOs, CIOs, IGs, and the US-CERT can 
adopt to ensure their agency systems have the baseline security controls in place that are most critical. It takes 
advantage of the knowledge gained in analyzing the myriad attacks that are being actively and successfully launched 
against federal systems and our nation's industrial base systems and identifying the key controls that are most 
critical for stopping those attacks. This effort also takes advantage of the success and insights from the development 
and usage of standardized concepts for identifying, communicating, and documenting security-relevant 
characteristics/data. These standards include the following: common identification of vulnerabilities (Common 
Vulnerabilities and Exposures-CVE), definition of secure configurations (Common Configuration Enumeration-CCE), 
inventory of systems and platforms (Common Platform Enumeration-CPE), vulnerability severity (Common Vulnerability 
Scoring System-CVSS) and identification of application weaknesses (Common Weaknesses Enumeration-CWE). These standards 
have emerged over the last decade through collaborative research and deliberation between government, academia and 
industry. This document seeks to identify that subset of security control activities that CISOs, CIOs and IGs can agree 
are their top, shared priority for cyber security. Once agreement is reached, these controls would be the basis for 
future audits and evaluations. While aimed at government organizations, the principles and measures addressed in this 
document are also highly applicable to commercial and academic enterprises and should be usable within the commercial 
marketplace.  What makes this document effective is that it reflects knowledge of actual attacks and defines controls 
that would have stopped those attacks from being successful. To construct the document, we have called upon the people 
who have first-hand knowledge about how the attacks are being carried out:


 1.  QW: Inventory all administrative passwords and validate (through automation) that each person with administrative 
privileges is authorized by a senior executive and that his/her administrative password has at least 12 semi-random 
characters, consistent with the Federal Desktop Core Configuration (FDCC) standard. In testing this control, also 
ensure that no administrator username/passwords (domain or local) are reused among systems and applications. In 
addition to the 12-or-more character password, all administrative access should utilize two-factor authentication.

     QW: Passwords for all systems should be stored in a hashed or encrypted format. Furthermore, files containing these 
encrypted or hashed passwords required for systems to authenticate users should be readable only with superuser 
privileges.

     QW: Ensure that administrator accounts are used only for system administration activities, and not for 
reading e-mail, composing documents, or surfing the Internet.

 2.  QW: Audit passwords to ensure previously used passwords are not being authorized for re-use within a certain time frame 
(e.g., 6 months).

The doc is a good read and for those interested can be found at: 
http://www.sans.org/cag/guidelines.php

-Kevin

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177
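The two password controls quoted above (a 12-character minimum, and no re-use of a previous password within about six months, with only hashes ever kept) as a small policy check in Python. This is an added example, not code from the CAG document or from the list post; the PBKDF2 parameters, the 180-day window and the integer-day timestamps are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12          # CAG control 1: administrative passwords of at least 12 characters
REUSE_WINDOW_DAYS = 180  # CAG control 2: no re-use within a time frame (e.g., 6 months); assumed 180 days
PBKDF2_ROUNDS = 100_000  # assumed work factor
SALT_BYTES = 16


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the history stores only this digest, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-account history of salted password hashes, used to enforce length and re-use rules."""

    def __init__(self) -> None:
        self._entries = []  # list of (set_on_day, salt, digest)

    def check(self, candidate: str, today: int) -> str:
        """Return 'ok', 'too short' or 'reused within window' for a proposed password."""
        if len(candidate) < MIN_LENGTH:
            return "too short"
        for set_on_day, salt, digest in self._entries:
            if today - set_on_day >= REUSE_WINDOW_DAYS:
                continue  # old enough that the control permits re-use
            # Each entry has its own salt, so the candidate is re-hashed per entry;
            # compare_digest avoids a timing side channel on the comparison.
            if hmac.compare_digest(_hash(candidate, salt), digest):
                return "reused within window"
        return "ok"

    def set_password(self, new_password: str, today: int) -> str:
        """Apply the policy; on success record the new salted hash and return 'ok'."""
        verdict = self.check(new_password, today)
        if verdict == "ok":
            salt = os.urandom(SALT_BYTES)
            self._entries.append((today, salt, _hash(new_password, salt)))
        return verdict

    def stored_count(self) -> int:
        return len(self._entries)
```

Because the history holds only salted digests, re-use is detected by re-hashing the candidate under each stored salt rather than by comparing plaintexts.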