Sunday, August 22, 2010

Is the eight-character password dead?

A recent news item on CNN caught my eye; it said "Say goodbye to those wimpy, eight-letter passwords".

The article is based on research conducted at the Georgia Institute of Technology.

Their research focused primarily on brute-forcing passwords using the powerful graphics cards available in today's PCs. According to them, any password shorter than 12 characters could be vulnerable.

Most organizations currently use either 6- or 8-character passwords. Given this, getting buy-in from the user community for 12 characters, and then implementing it, would be difficult.

So, should you be worried?

Not so much, in my opinion, if you have a proper implementation of other controls such as the following:

  • Account lockout (after 3 to 5 attempts)
  • A controlled way to reset passwords
  • Proper verification mechanism for internal and third party users
  • Proper monitoring which looks for unusual account lockouts and brute force attempts
  • Proper segregation of duties
  • Proper server hardening, privilege access control and monitoring

While it is good to have more characters in a password, it is not a major concern if you have multiple controls to protect against malicious use.
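One way to implement the "proper monitoring" control listed above, as an added example that is not from the original post or from any vendor's product: it parses a constructed authentication log (the line format is assumed) and flags sources that produce a burst of failed logins, as well as sources that spread a few guesses across many accounts to stay under the lockout threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (illustrative format, not a real product's).
SAMPLE_LOG = """\
2010-08-22T09:00:01 FAIL user=alice src=10.1.1.5
2010-08-22T09:00:03 FAIL user=alice src=10.1.1.5
2010-08-22T09:00:04 FAIL user=alice src=10.1.1.5
2010-08-22T09:00:06 LOCKOUT user=alice src=10.1.1.5
2010-08-22T09:00:07 FAIL user=bob src=10.1.1.5
2010-08-22T09:00:08 FAIL user=carol src=10.1.1.5
2010-08-22T09:00:09 FAIL user=dave src=10.1.1.5
2010-08-22T09:00:10 FAIL user=erin src=10.1.1.5
2010-08-22T09:05:00 FAIL user=frank src=10.2.2.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK|LOCKOUT) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Parse lines into (timestamp, kind, user, src) tuples; malformed lines are skipped."""
    return [(datetime.fromisoformat(m.group(1)),) + m.groups()[1:]
            for m in map(LINE_RE.match, log_text.splitlines()) if m]

def brute_force_sources(events, window=timedelta(minutes=5), max_failures=5):
    """Sources with more than max_failures FAIL events inside any sliding window."""
    fails = defaultdict(list)
    for ts, kind, _user, src in events:
        if kind == "FAIL":
            fails[src].append(ts)
    flagged = set()
    for src, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 > max_failures:
                flagged.add(src)
                break
    return flagged

def spraying_sources(events, min_accounts=4):
    """Sources that failed against at least min_accounts distinct users: a few guesses
    per account stays under the lockout threshold, so count accounts rather than tries."""
    users = defaultdict(set)
    for _ts, kind, user, src in events:
        if kind == "FAIL":
            users[src].add(user)
    return {src for src, seen in users.items() if len(seen) >= min_accounts}
```

Lockout alone stops the first detector's pattern; the second detector catches the variant that lockout does not, which is why the monitoring control matters alongside it.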

This is similar to the FPGA cracking introduced a few years ago to crack WPA keys and Bluetooth PINs, although FPGAs are, of course, much more expensive than graphics cards.

Sunday, August 8, 2010

2010 Verizon DBIR

The 2010 Verizon Data Breach Investigations Report has been published; here are some of the highlights:

  • 98% of breaches came from servers and application assets, and the top asset type in this category was databases.
  • 48% of breaches involved privilege misuse. 
  • 48% were caused by insiders, a 26% increase from last year. 90% of these were the result of deliberate and malicious activity.
  • 98% of breaches were avoidable through simple or intermediate controls, a 9% increase from last year.
  • 94% of all compromised records in 2009 were attributed to Financial Services.
  • Payment card data accounted for 78% of total records breached followed by personal information and bank account data.
  • The web continues to be a common path of malware infection. This is often accomplished through SQL injection or after the attacker has root access to a system.
  • In terms of enabling access, backdoors were logically atop the list again in 2009 (tied with keyloggers).
  • 97% of the 140+ million records were compromised through customized malware.
  • The use of stolen credentials was the number one hacking type.
  • Breaches involving end-user devices nearly doubled from last year. Much of this growth can be attributed to credential-capturing malware.
  • 86% of victims of data breaches had evidence of the breach sitting in the log files of their databases.

Apart from the recommendations Verizon provides in the report, here are some more:

  • Identify where your data is.
  • Classify the data and identify the criticality.
  • Make the business people aware of the risk and have them classify the data they handle.
  • Identify compliance requirements such as PCI and implement required controls.
  • Apply additional controls such as DRM tools to secure financial data.
  • Implement tools to control and monitor privileged user activity.
  • Make users accountable for misuse of credentials.
  • Segment the network and implement proper filtering rules on the firewalls (both inbound and outbound).
  • Implement tools to monitor database activity.
  • Implement more effective tools such as application whitelisting to control malware activity on desktops and servers.
  • Perform proper log analysis and real-time threat detection based on logs and network traffic patterns, with tools such as network anomaly detection.
  • Practice incident response.

The full report can be downloaded from here.


Saturday, August 7, 2010

Sunday, August 1, 2010

How to defend against APT

I attended a recent presentation by the folks from Mandiant on APT and how to defend against APT attacks.

If you are still wondering what APT is, head over to my essay on demystifying APT. Richard from TaoSecurity wrote an article in the July issue of Information Security magazine on the same subject.

The Mandiant talk covered some of the APT cases they have handled over the years and discussed common problems they saw at client sites. They also provided remediation solutions and the associated implementation challenges.

Here are some of my notes on the remediation steps from that talk:

  • Limit access to DynDNS providers (more than 70% of their investigations involved them)
  • Provide appropriate training for information security staff
  • Segment the internal network
  • Patch third-party applications
  • Use password management tools to control privileged users
  • Deploy HIPS and put them in block mode
  • Train users to handle unsophisticated attacks such as regular social engineering attacks