Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Mon, 13 Apr 2009 19:51:35 -0400
SANS has a great document called the Consensus Audit Guidelines (CAG) that walks through 20 good controls that government, corporate and academic institutions should consider putting in place. I posted a subset (1-4) of the document that discusses passwords below.

===============================================================================

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance

This document is a first step toward providing specific audit guidelines that CISOs, CIOs, IGs, and the US-CERT can adopt to ensure their agency systems have the baseline security controls in place that are most critical. It takes advantage of the knowledge gained in analyzing the myriad attacks that are being actively and successfully launched against federal systems and our nation's industrial base systems and identifying the key controls that are most critical for stopping those attacks.

This effort also takes advantage of the success and insights from the development and usage of standardized concepts for identifying, communicating, and documenting security-relevant characteristics/data. These standards include the following: common identification of vulnerabilities (Common Vulnerabilities and Exposures - CVE), definition of secure configurations (Common Configuration Enumeration - CCE), inventory of systems and platforms (Common Platform Enumeration - CPE), vulnerability severity (Common Vulnerability Scoring System - CVSS) and identification of application weaknesses (Common Weakness Enumeration - CWE). These standards have emerged over the last decade through collaborative research and deliberation between government, academia and industry.

This document seeks to identify that subset of security control activities that CISOs, CIOs and IGs can agree are their top, shared priority for cyber security. Once agreement is reached, these controls would be the basis for future audits and evaluations.

While aimed at government organizations, the principles and measures addressed in this document are also highly applicable to commercial and academic enterprises and should be usable within the commercial marketplace. What makes this document effective is that it reflects knowledge of actual attacks and defines controls that would have stopped those attacks from being successful. To construct the document, we have called upon the people who have first-hand knowledge about how the attacks are being carried out:

1. QW: Inventory all administrative passwords and validate (through automation) that each person with administrative privileges is authorized by a senior executive and that his/her administrative password has at least 12 semi-random characters, consistent with the Federal Desktop Core Configuration (FDCC) standard. In testing this control, also ensure that no administrator username/passwords (domain or local) are reused among systems and applications. In addition to the 12-or-more character password, all administrative access should utilize two-factor authentication.

   QW: Passwords for all systems should be stored in a hashed or encrypted format. Furthermore, files containing these encrypted or hashed passwords required for systems to authenticate users should be readable only with superuser privileges.

   QW: Ensure that administrator accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet.

2. QW: Audit passwords to ensure previously used passwords are not being authorized for re-use within a certain time frame (e.g., 6 months).

The doc is a good read and for those interested can be found at: http://www.sans.org/cag/guidelines.php

-Kevin

Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177
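The automated checks the quoted CAG controls call for (12+ semi-random characters, no administrative password reused across systems, a senior-executive authorization on record for each administrator, and no retired password re-authorized within the history window) can be run against a privileged-account inventory. The script below is an added example written for this archive page; it is not from the SANS document or the poster. It assumes the auditor can export plaintext administrative passwords and their retirement history from the organization's privileged-password vault (otherwise cross-system reuse cannot be detected when each system salts its own hashes), and the "semi-random" test (at least three character classes, no run of three identical characters) is one reasonable reading of the control, not a definition from the CAG. The inventory records are constructed sample data.

```python
"""Audit an administrative-password inventory against the CAG control 1/2 checks:
length, randomness, cross-system reuse, executive authorization and password history.
Added example; the inventory below is constructed, not exported from any real vault."""
import hashlib
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 12                      # "at least 12 semi-random characters"
MIN_CHAR_CLASSES = 3                 # assumption: what "semi-random" means here
HISTORY_WINDOW = timedelta(days=182)  # "e.g., 6 months" in the control


@dataclass
class AdminAccount:
    system: str
    username: str
    password: str                      # plaintext from the vault export (assumption)
    authorized_by: Optional[str]       # senior executive who approved the privilege
    # (date the old password was retired, the old password itself)
    history: List[Tuple[date, str]] = field(default_factory=list)


def char_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/punctuation appear in pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def looks_semi_random(pw: str) -> bool:
    """Cheap structural test: enough character classes and no 'aaa'-style runs."""
    if char_classes(pw) < MIN_CHAR_CLASSES:
        return False
    return not any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


def fingerprint(pw: str) -> str:
    """Unsalted digest used only to compare vault entries against each other,
    so the findings list never carries a plaintext password."""
    return hashlib.sha256(pw.encode()).hexdigest()[:16]


def audit(accounts: List[AdminAccount], today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs; an empty list means every check passed."""
    findings = []
    first_seen = {}  # fingerprint -> account that first used this password
    for a in accounts:
        where = f"{a.username}@{a.system}"
        if not a.authorized_by:
            findings.append((where, "no executive authorization on record"))
        if len(a.password) < MIN_LENGTH:
            findings.append((where, f"password shorter than {MIN_LENGTH} characters"))
        elif not looks_semi_random(a.password):
            findings.append((where, "password is not semi-random"))
        fp = fingerprint(a.password)
        if fp in first_seen:
            findings.append((where, f"password reused from {first_seen[fp]}"))
        else:
            first_seen[fp] = where
        for retired_on, old in a.history:
            if old == a.password and today - retired_on < HISTORY_WINDOW:
                findings.append((where, f"current password was retired on {retired_on}, "
                                        f"inside the {HISTORY_WINDOW.days}-day window"))
    return findings


# Constructed sample inventory (hostnames and passwords are invented for the example).
TODAY = date(2009, 4, 13)
SAMPLE_INVENTORY = [
    AdminAccount("dc01.example.edu", "Administrator", "Vk7#qzL2!mRw9p", "CIO"),
    AdminAccount("db02.example.edu", "root", "Vk7#qzL2!mRw9p", "CIO"),   # same as dc01
    AdminAccount("web03.example.edu", "root", "Summer2009!", "CIO"),      # 11 chars
    AdminAccount("app04.example.edu", "sa", "aaaBBBccc111!!!", None),     # runs, unapproved
    AdminAccount("fw05.example.edu", "admin", "Rt4$hN8&wQ1*zC", "CIO",
                 history=[(date(2009, 2, 1), "Rt4$hN8&wQ1*zC")]),        # retired 71 days ago
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_INVENTORY, TODAY):
        print(f"{account}: {finding}")
```

Run as-is the script reports five findings on the sample inventory: one reuse, one short password, one non-random password, one missing authorization and one password re-authorized inside the history window. In a real deployment the inventory would come from the vault's export API and the findings would feed the control's metric (count of administrative accounts failing each check), and two-factor enforcement and hash-file permissions would be checked on each system separately, since they are not visible from the vault.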