Network World

Password management

These are some suggested low cost ways for managing passwords that can help avoid the lazy password habits described in the article:

1. Desktop password management software: KeePass, 1Password, etc.

2. USB key: IronKey, ID Vault, SignUpShield

3. Standalone device: Atek Logio Secure Password Organizer

Click to read the article this is in response to.

people

The most insecure things on your network are the people. They share passwords, they store critical data on flash drives, they email work home, and if you let them, they install every piece of malware available. Any list of 10 that leaves out the people is useless. Network managers number 1 job is trying to compensate for the STUPIDITY of the people using the network.

The Corollary: Admin-level access

You've pegged a key problem with that one.

The key problem with the people factor is poorly written applications that still require the user to be logged in as a member of the local machine administrator group for the application to run correctly. Even critical apps published by the Big Guys are written this way. Although not necessarily a problem for the legacy-coded app, running a PC with the user as a member of Local Admins opens the PC to installation of any sort of potential malware that the end user cares to accidentally inflict upon the PC. Sadly, there are far too many of these legacy-coded apps, even in their latest versions, to effectively eliminate this problem.

A common workaround for this is to tell network admins to have users logged in as Local Machine Users, and have users Run As Administrator for those problem apps. Some of those legacy apps will work correctly this way, but many will still refuse. And providing the Administrator logon to allow Run As Administrator functionality for those users who insist upon adding those cutesy, malware-laden apps to their PC is almost as bad as having the PC logged in as an administrator. With the tiniest bit of social engineering flim-flam, one of those clowns will gladly help the malware wranglers set up shop on their PC.

Giving a user the password

Giving a user the password to an account that's a member of the local Administrators' group may not be necessary. You can get a decent programmer to write a little exe that launches that program that way for you, so the user does not need to know the credentials. The username/password can be encrypted inside it. Then you can change the default .lnk file to start the launcher instead.

This can be done with scripting too, but it's harder to keep that username/password secure.

Some of these badly-behaved apps want to write to a registry value that is read-only. If you can find out what it is, you can grant permission to it. There are registry-watcher utilities that can help you find them. Then you can take away local Administrator group membership.

Just a couple of ideas that have worked for me.
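The registry-permission route from the comment above (and the Local Admins problem in the earlier reply) can be applied with a short PowerShell script. This is an added example, not the commenter's code; the key path and the group are placeholders, and it assumes you have already identified the key with a registry-watcher and run the script once as an administrator.

```powershell
# Added example: grant a standard-user group write access to the ONE registry key
# a legacy app needs, so the user can be removed from the local Administrators group.
# $KeyPath and $Group are placeholders; replace them with the key your registry
# watcher reported and the group of affected users. Run once as an administrator.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\LegacyApp',   # placeholder
    [string]$Group   = 'BUILTIN\Users'                              # placeholder
)

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key $KeyPath does not exist; confirm the path with a registry watcher first."
}

$acl = Get-Acl -Path $KeyPath

# Review who already has write rights before changing anything.
$acl.Access |
    Where-Object { $_.RegistryRights -match 'SetValue|WriteKey|FullControl' } |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize

# Grant only what writing a value needs: read the key plus SetValue/CreateSubKey.
# Deliberately not FullControl, which would also let users change the key's permissions.
$rights      = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $Group, $rights, $inheritance, $propagation, 'Allow'

$acl.SetAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Verify the resulting entry; this is what you record in the change ticket.
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference -eq $Group } |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

Re-run the app as a standard user afterwards with the registry watcher still attached: if it now fails on a different key, repeat for that key only, rather than widening the grant.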

Strongly disagree with 2, 5 and 8

2. Sharing a password across multiple network devices.

This is such a poor recommendation. If different systems have different passwords you can guarantee that the passwords are of poor quality and stored somewhere other than in the user's head. The proper solution here is to use centralized authentication, such as Microsoft AD, that all your devices authenticate against. This implies each user has their own password, but a single password. And from one system, you will remove access for this single user to any and all services.

5. Allowing nonsecure remote access and management software.

ssh is the industry standard for secure remote access. Having a poor password or an easily available key will compromise any system. Implying that there is some implicit drawback in ssh compared to some other remote access method is unprofessional.

8. Failing to configure your routers to prohibit unwanted outbound traffic.

The implication here is that your machine has been compromised but you don't care, as they can only use a single protocol to communicate. Of course having a single channel open is enough to contact the backdoor from the outside world; be it SMTP or HTTP, it is trivial to piggyback any data over it, and as you control the server, you are free to do so.

If your machine is compromised, you'd better be a bit more concerned about it, as you have 0 trust in what data it returns in the service that has to be open to the world.

Re. Strongly disagree with 2, 5 and 8

#2 is critical in the event a single device gets compromised. I've performed penetration testing and in the cases where passwords were shared, I was able to own the network much quicker. In the event you can't authenticate to the AD server, you still need to be able to access a network device.

#5 see #2

#6 Malicious outbound traffic is a great way to have your IP blacklisted in under an hour after an attack. Use proper egress filters or pay the consequences.

It's not that any one thing will be a magic bullet, it's the principle of defense in depth. I have an egress filter to catch bad outbound traffic, but I also run AV on the server, I turn off/delete expired accounts, I remove unnecessary services, etc. If AV fails, I'm still not going to be blacklisted.

#2 You can always have

#2
You can always have a fallback local user for when centralized authentication can't be used, which is shared with named people and is changed when the list changes: basically the people you need to get centralized authentication working again.

Your argument is a lesser worry than how people choose passwords when they need to know several to work. If they need to use several, they are excessively poor, guessable and reused in their private services. If they only need to have one password, they are vastly more likely to honour the policies.

#6
Irrelevant: if one port is open, you can use that one port to source malicious traffic as well as to contact the backdoor.

What people should do is take care of ingress filtering: open management from the management net, and only the service port that you are using, be it HTTP or SMTP.

And this filtering should be done in the switch/router facing the server instead of the firewall; there is no need to introduce state into the network to protect the server, as it will just make DDoSing the server overly trivial.

Automating the top issues

I work with Netcordia, and I could not help but to put in a shameless plug about our product, NetMRI. In looking at the top 10 issues, NetMRI fully automates the detection and analysis of at least 5 of these issues: #1, #2, #4, #8, and #10.

We also find that people making changes in the network is the #1 cause of network problems. And we take care of that as well, showing who made the change, where, when and what the change was.

Check us out: http://www.netcordia.com/products/netmri-enterprise.asp

Automatic Network Audit and Network Documentation

Check out OPNET's IT Sentinel solution for semantic-based network audit. Simple string matching is no longer sufficient to find many of these issues on your routers and switches. I believe that Gartner says that 80% of network downtime is based on human configuration error. Sentinel finds these very hard-to-find issues for network engineering and security best practices (700 plus rules, open source in Python too!)

4. Misconfiguring your access control lists - TUFIN is a huge he

Using it to support very large customer environments.
It shines even better in multi-vendor firewall networks.
I'm addicted to using it.

These are not just dumb mistakes...

It's 2009... these issues are not mistakes... they are pure NEGLIGENCE!
