Security Basics mailing list archives

Re: Security procedure question


From: "Mario A. Spinthiras" <mario () netway com cy>
Date: Wed, 04 Oct 2006 08:47:00 +0300

missy.augustine () gmail com wrote:
I think the main issue with passwords is that many companies require you to have multiple complicated (one number, one special char, at least 8 characters) passwords, which then need to be changed every 60-90 days and can't be too close to older versions of the password. Humans are inherently flawed; we have a much easier time remembering patterns, random letters, numbers and characters do not come easy, and coupled with the fact we need to change them we are overwhelmed. Credit cards are 'relatively' easy to change; in business, trying to get your password reset seems like pulling teeth.
I really don't think there is a simple solution to the password problem. I think companies which utilize sign-in cards (with encryption of course) with a PIN, where that card + PIN can then be used to open up other portals within the intranet, are a step in the right direction.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


I don't understand people. It's a principle. Take the very basics. This issue is unbelievably long and boring in terms of repetition of facts. Let's take a cute example for ALL users out there in charge of a password.

Peter got a job with SpankNet. SpankNet kindly asked Peter to sign a contract. In this contract there are terms with regards to how passwords and sensitive information are handled, meaning that sensitive information should be only in one's head. If this is not kept this way then they are in violation of their contract terms and possibly breaking the law, since a crime that can follow can be based on Peter's ignorance. HUMAN IGNORANCE.

In continuation, Peter accidentally writes his password on a piece of paper, and sticks the piece of paper under the TFT monitor base stand.

A few days later a cleaning lady that was going through the offices finds a little piece of paper sticking out under the monitor. HMMM, WHAT'S THIS? thinks the cleaning lady. So she talks to a manager. The manager sees this piece of paper, cross-checks and finds out it's Peter's password!! OH NO! thinks the manager.

So Peter violated his contract since he mistreated sensitive information. WHO KNOWS? MAYBE PETER PUT THE PAPER THERE FOR SOMEONE ELSE TO FIND!! Or maybe he just forgot. One way or another the following events happen after he is dismissed from employment.

He has to go home and explain to his wife why she can't buy any more fur coats. He also has to explain that he was dismissed from a firm and this is something that future employers can clearly find out - and why they have to eat canned food for the next six months.
He also has to explain why he might be facing a law suit and more...


So in plain words.. sensitive information IS YOUR RESPONSIBILITY, or you shouldn't be working even NEAR a touch-tone telephone, never mind a computational device.

The above example is based on fake names, places, companies and situations, but the gist could become your very own nightmare.

Good for staff training, is it not? :)


Have a nice day.

Regards,
Mario A. Spinthiras
