On 02/17/2015 08:42 AM, Edward Ned Harvey (blu) wrote:
> As an IT person advising a business to be more responsible, what areas do you
> advocate securing most urgently?  IT admin credentials?  HR records?  Financial
> records?  Other stuff?  Simply everything, bar none?

I would lower the priority of worrying about risky e-mails with sensitive information in them. I think a higher priority would be the really big hole: insecure passwords.


Insecure because they are:

- Poorly chosen ("12345678", "password")--and passwords can't just feel random, they need components that actually are random;
- Reused across different purposes;
- Given to third parties to "manage";
- Typed in wrong places (in response to a phishing e-mail);
- Typed on machines that have spyware running on them.

Note that I don't worry about regularly changing passwords or writing them down. I also don't worry about whether they contain a "special character". For example, "b3ea-griffin-tempo-opera" is a great password with at least 48 bits of entropy, pretty easy to remember and type. (Like it? I've got at least 281,474,976,710,655 more.) Yet people mistakenly think it is a bad password. Grrr.

An only half facetious suggestion: write passwords down, but ONLY on $100 bills. Now guard them accordingly.


It would be a large and ongoing education effort, requiring high-level buy-in and major cultural change, but if you can get an organization to use passwords securely, you will have solved a large part of the problem. If you can get an organization to really reform, if you can get users to really think through passwords--then you have accomplished a LOT!

Congratulate them for being elite (because no one does passwords well--just ask Central Command), and then you can move on to other things. (Including that an encryption key is very different from a password and needs to be created with special care.)

Doing passwords right is not exactly low-hanging fruit, but it is key to everything else. Do passwords wrong and everything else is always breaking because of the bad passwords.

-kb
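As an added illustration (not code from the post or its author), here is a generator for passphrases in the same shape as "b3ea-griffin-tempo-opera", with the entropy computed from the generation process rather than from how random the result looks. The 16-word list is a constructed stand-in, and the 1626-word figure is only my inference of what list size makes that shape reach 48 bits; the author's actual word list is not known.

```python
import math
import secrets

# Constructed sample word list. Only its SIZE matters for entropy; a real
# generator would load a few thousand words from a published list.
SAMPLE_WORDS = ["griffin", "tempo", "opera", "anchor", "basket", "candle",
                "dragon", "ember", "falcon", "garden", "harbor", "island",
                "jungle", "kettle", "lantern", "meadow"]

HEX_DIGITS = "0123456789abcdef"


def entropy_bits(hex_len: int, n_words: int, wordlist_size: int) -> float:
    """Entropy of '<hex_len hex digits>-<n_words words>' when every component
    is drawn uniformly at random: log2 of the number of equally likely outputs.
    A fixed suffix such as '!' added to satisfy a policy contributes 0 bits."""
    return hex_len * math.log2(len(HEX_DIGITS)) + n_words * math.log2(wordlist_size)


def candidate_count(hex_len: int, n_words: int, wordlist_size: int) -> int:
    """Number of distinct passphrases the scheme can produce (2 ** entropy)."""
    return len(HEX_DIGITS) ** hex_len * wordlist_size ** n_words


def wordlist_size_for(target_bits: float, hex_len: int = 4, n_words: int = 3) -> int:
    """Smallest word list that reaches target_bits with the given shape.
    For 48 bits with a 4-hex-digit prefix and three words this is 1626 words
    (an inference about the post's scheme, not a fact stated there)."""
    remaining = target_bits - hex_len * math.log2(len(HEX_DIGITS))
    return math.ceil(2 ** (remaining / n_words))


def generate(wordlist, hex_len: int = 4, n_words: int = 3, rng=None) -> str:
    """Build a passphrase whose randomness comes from the OS CSPRNG, which is
    the 'components that actually are random' requirement from the post."""
    rng = rng or secrets.SystemRandom()
    hex_part = "".join(rng.choice(HEX_DIGITS) for _ in range(hex_len))
    words = [rng.choice(wordlist) for _ in range(n_words)]
    return "-".join([hex_part, *words])


if __name__ == "__main__":
    pw = generate(SAMPLE_WORDS)
    bits = entropy_bits(4, 3, len(SAMPLE_WORDS))
    print(f"{pw}  ({bits:.1f} bits from a {len(SAMPLE_WORDS)}-word list)")
    print(f"48 bits in this shape needs a list of {wordlist_size_for(48)} words")
```

Passing a `random.Random(seed)` as `rng` gives reproducible output for testing only; production use must keep the CSPRNG default.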
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss