Re: Security Awareness Programs

[Mike Osterman <ostermmg () WHITMAN EDU>]

Agreed. It's a control against reuse elsewhere. The biggest risk to this control is someone who diligently "syncs" 
their institutional password with external web services every time they are required to change it. :)

-Mike

On Apr 2, 2014, at 1:12 PM, Roger A Safian <r-safian () NORTHWESTERN EDU> wrote:

> I believe one of the benefits of changing the password is that it’s not uncommon for web services to use an email 
> address as a user name.  If a user uses our address, and their associated password, and later that web service gets 
> compromised, there is a decent chance when the hashes are dumped that they will have had to change our password and 
> will no longer sync them.
>  
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Von 
> Welch
> Sent: Wednesday, April 2, 2014 2:56 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Security Awareness Programs
>  
> Why does Higher Education make students, their customers, change their password? 
>  
> Suggested reading:
>  
> http://research.microsoft.com/apps/pubs/?id=132623
>  
> Where Do Security Policies Come From?
> dinei Florencio and cormac herley
> June 2010
>
> We examine the password policies of 75 different web-sites. Our goal is understand the enormous diversity of 
> requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their 
> users. We compare different features of the sites to find which characteristics are correlated with stronger 
> policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, 
> the number of users, the value of the assets protected and the frequency of attacks show no correlation with 
> strength. In fact we find the reverse: some of the largest, most attacked sites with greatest assets allow relatively 
> weak passwords. Instead, we find that those sites that accept advertising, purchase sponsored links and where the 
> user has a choice show strong inverse correlation with strength.
>
> We conclude that the sites with the most restrictive password policies do not have greater security concerns, they 
> are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising 
> must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a 
> luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive 
> policies is superfluous: it causes considerable inconvenience for negligible security improvement.
>  
>  
>  
> On Apr 2, 2014, at 3:49 PM, Mike Cunningham <mike.cunningham () PCT EDU> wrote:
>
>
> I have a philosophical question for this group... 
>
> My bank never requires me, their customer, to ever change my password
> My credit union never requires me, their customer, to ever change my password
> My health insurance company never requires me, their customer, to ever change my password
> My investment web site, my credit card bank, my online prescription site, my hotel rewards account, my airline 
> rewards account, my daughters school district, never requires me to ever change my password
>
> Why does Higher Education make students, their customers, change their password? 
> Would it be better to not require it and teach them why they should instead?  
>
> Mike Cunningham
> VP of Information Technology Services/CIO
> Pennsylvania College of Technology
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, 
> Gary - flynngn
> Sent: Wednesday, April 02, 2014 3:41 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Security Awareness Programs
>
> JMU policy requires password changes every 90 days.
>
> Our password change process includes having to click through captive web
> pages containing security awareness content.
>
> We do not track progress. People may click through without reading it. We
> know based on feedback that some do. OTOH we know based on feedback that
> some don't.
>
> It is all custom code and content. Content is based on role and whether it
> is the first time through.
>
> new applicants (one page on phishing and AUP)
> new/returning student
> new/returning employee/affiliate
> graduate (one page on phishing and AUP)
>
> Content for new folks is relatively constant. It hasn't changed much over
> the years.
>
> Content for returning folks changes about once a semester. 
>
> We've been doing this for around ten years.
>
> People are sent an email message after the password change indicating the
> change and providing a link to provide feedback for the security awareness
> content. Feedback has been mixed. Sometimes, uh, colorful and often
> associated with  the requirement to change passwords. Sometimes quite
> positive and/or constructive.
>
> Gary Flynn
> Security Engineer
> James Madison University
> Don't Be A PHISH!
> IsItReal?
> http://www.jmu.edu/computing/ittraining/SIGUCCS/story.html
>
>
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Peter Lundstedt
> Sent: Wednesday, April 02, 2014 3:33 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Security Awareness Programs
>
> Hi All,
>
>
>
> Curious on what others are doing to 'get the word out' on their campuses.
> What approaches seem to work best from both an initial push out on a new
> subject or with a new program, to keeping things up to date with
> acknowledgements, visibility, &c?
>
>
>
> From a product point of view, we've explored the SANS Securing the Human
> series among a few others, but the lack of customization and integration
> into
>
> HR training modules is steering us away.  Experiences there?
>
>
>
> Peter Lundstedt
>
> SECURITY ANALYST 2, INFRASTRUCTURE & SECURITY SERVICES
>
>
>
> oit