Tag Archive for SOX

Password Reset Practices “Obsolete”

Followers of the Bach Seat know that passwords suck. And now Microsoft (MSFT) has joined me in that revelation. The boys in Redmond recently recommended that organizations no longer force employees to change their password every 60 days.

In a TechNet blog post penned by Aaron Margosis, a principal consultant for Microsoft, the company called the practice, once a cornerstone of enterprise identity management, “ancient and obsolete” and told IT administrators that other approaches are much more effective at keeping users safe.

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value

In the latest security configuration baseline for Windows 10 “May 2019 Update” (1903), which lets administrators apply Microsoft-recommended GPO settings to improve a system’s overall security posture and reduce a Windows 10 machine’s attack surface (available as a ZIP file for download here), Microsoft dropped the idea that passwords should be frequently changed. Previous baselines had advised enterprises to mandate a password change every 60 days (and that was down from an earlier 90 days).

Mr. Margosis acknowledged that policies that automatically expire passwords, and other group policies that set security standards, are often misguided. He wrote:

The small set of ancient password policies enforceable through Windows’ security templates is not and cannot be a complete security strategy for user credential management … Better practices, however, cannot be expressed by a set value in a group policy and coded into a template.

Among those other, better practices, Mr. Margosis mentioned multi-factor authentication – also known as two-factor authentication – and banning weak, vulnerable, easily guessed, or frequently revealed passwords.

ComputerWorld points out that Microsoft is not the first to doubt the convention. The National Institute of Standards and Technology (NIST) made similar arguments as it downgraded regular password replacement. “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically),” NIST said in a FAQ that accompanied the June 2017 version of SP 800-63, “Digital Identity Guidelines,” using the term “memorized secrets” in place of “passwords.”

The institute explained why mandated password changes are a bad idea this way:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password.

Both NIST and Microsoft urged organizations to require password resets when there is evidence that passwords have been stolen or otherwise compromised. And if they haven’t been touched? “If a password is never stolen, there’s no need to expire it,” Microsoft’s Margosis said.
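The practices Microsoft and NIST describe above (ban weak or previously breached passwords, reject near-copies of the old password, and force a reset only on evidence of compromise rather than on a calendar) can be expressed as a small policy check. The following is an added example written for this post; it is not code from Microsoft, NIST, or the baseline. The banned list, the account records and the hashing are constructed demo data and assumptions, not a real breach corpus.

```python
"""Added example: password acceptance and reset policy that follows the
NIST SP 800-63 / Microsoft baseline reasoning instead of periodic expiry.
Banned list and accounts are constructed sample data (assumption)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed banned list. A real deployment would query a breach corpus
# (for example a k-anonymity range lookup) rather than a hard-coded set.
BANNED_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "summer2019", "letmein"}
MIN_LENGTH = 8  # a length floor only; composition rules are deliberately not enforced


def normalize(pw: str) -> str:
    """Lowercase and drop digits/punctuation, so 'Summer2019!' and 'summer2020' compare equal.
    This is what catches the 'increase a number in the password' transformation NIST describes."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_trivial_transformation(new_pw: str, old_pw: Optional[str]) -> bool:
    """True when the new password is the old one with only case, digits or symbols changed."""
    if old_pw is None:
        return False
    if new_pw.lower() == old_pw.lower():
        return True
    a, b = normalize(new_pw), normalize(old_pw)
    return bool(a) and a == b  # all-digit passwords fall back to the exact comparison above


def check_new_password(new_pw: str, old_pw: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects short, banned/breached, or near-duplicate passwords."""
    if len(new_pw) < MIN_LENGTH:
        return False, "too short"
    stripped = re.sub(r"[^a-z0-9]", "", new_pw.lower())  # 'Summer2019!' -> 'summer2019'
    if new_pw.lower() in BANNED_PASSWORDS or stripped in BANNED_PASSWORDS:
        return False, "appears in banned/breached list"
    if is_trivial_transformation(new_pw, old_pw):
        return False, "trivial transformation of previous password"
    return True, "ok"


@dataclass
class Account:
    username: str
    password_hash: str
    must_reset: bool = False
    reset_reason: str = ""


def hash_password(pw: str) -> str:
    """Demo-only digest so leaked-credential matching can be shown offline.
    Production storage must use a slow, salted KDF (argon2, bcrypt or scrypt)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def evaluate_reset(account: Account, leaked_hashes: Set[str], days_since_change: int) -> bool:
    """A reset is required only on evidence of compromise. Password age is reported
    for logging but never triggers a reset on its own, matching the baseline change."""
    if account.password_hash in leaked_hashes:
        account.must_reset = True
        account.reset_reason = f"credential appeared in a leak (age {days_since_change} days)"
    return account.must_reset


if __name__ == "__main__":
    for candidate, previous in [("Summer2019!", None), ("Tr0ub4dor&3", "Tr0ub4dor&2"),
                                ("correct horse battery", "Tr0ub4dor&2")]:
        print(candidate, "->", check_new_password(candidate, previous))
    acct = Account("alice", hash_password("hunter2secure"))
    print("reset after 400 days, no leak:", evaluate_reset(acct, set(), 400))
    print("reset after leak:", evaluate_reset(acct, {hash_password("hunter2secure")}, 10))
```

The important design choice is that `evaluate_reset` has no age branch at all: the only path that sets `must_reset` is a match against compromise evidence, which is the policy both Margosis and NIST argue for.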

John Pescatore, the director of emerging security trends at the SANS Institute, told ComputerWorld:

I agree 100% with Microsoft’s logic for enterprises, which are who uses [group policies] anyway … Forcing every employee to change passwords at some arbitrary period almost invariably causes more vulnerabilities to appear in the password reset process (because there are now frequent spikes of users forgetting their passwords) which increases risk more than the forced password reset ever decreases it.

Like Microsoft and NIST, SANS’s Pescatore thinks periodic password resets are the hobgoblins of little minds: “Having [this] as part of the baseline makes it easier for security teams to claim compliance because auditors are happy,” Pescatore told ComputerWorld. “Focusing on password reset compliance was a huge part of all the money wasted on Sarbanes-Oxley audits 15 years ago. A great example of how compliance does not equal security.”

ComputerWorld notes other changes in the Windows 10 1903 draft baseline. Microsoft also dropped its policies for the BitLocker drive encryption method and cipher strength. The prior recommendation was to use the strongest available BitLocker encryption, but that, Microsoft said, was overkill (“Our crypto experts tell us that there is no known danger of [128-bit encryption] being broken in the foreseeable future,” MSFT’s Margosis told ComputerWorld), and it could easily degrade device performance.

Microsoft is also looking for feedback on a proposed change that would drop the forced disabling of Windows’ built-in Guest and Administrator accounts. Microsoft’s Margosis hedged a bit:

Removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled. Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed.

rb-

We have covered this before: forcing users to change passwords over short time frames inevitably leads to users choosing the simplest, most memorable, and most crackable passwords possible. Things have changed over the years, including technology that now enables threat actors to crack simplistic passwords easily.

MSFT is now actively pushing MFA in the enterprise, so it is not surprising that it is moving away from this general password policy.

MSFT changing its security baselines won’t change the requirements set by regulatory regimes (PCI-DSS, HIPAA, SOX, NERC) and auditors. It takes years and years for them to change.

The change does not affect home users, but maybe it will make them think?

Slowly the world of passwords is starting to come under control.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Are Firms Ignorant About BYOD Issues?

Enterprises are ignorant of the issues BYOD is causing their business, says backup vendor Acronis. James Rawbone, Senior Partner Account Manager EMEA, Enterprise Mobility Solutions at Acronis, shared his opinions with Desire Athow at ITProPortal on why and how enterprises are ignoring BYOD issues.

The Acronis 2013 Global Data Protection Trend Report, developed by the Ponemon Institute, identified five surprising BYOD trends:

1. There are big gaps in secure BYOD policies across organizations. The Acronis survey found that 60% of businesses have no personal device policy in place, and of those with policies, 24% make exceptions for executives, who are most likely handling the most sensitive corporate data. As a result, these organizations are increasingly vulnerable to data loss and serious compliance issues.

2. Simple security precautions are not being adopted. The survey found only 31% of companies mandate a device password or key lock on personal devices, and only 21% do remote device wipes when employees leave the company, drastically increasing the risk of data leakage.

3. Businesses underestimate the dangers of public clouds. The researchers report that corporate files are commonly shared through third-party cloud storage solutions such as DropBox, but 67% of organizations don’t have a policy in place around public clouds and 80% haven’t trained employees in the correct use of these platforms.

4. The growth of Apple (AAPL) devices is complicating BYOD security for administrators. 65% of organizations will support Macs in the next year, and 57% feel compatibility and interoperability are still big obstacles to getting Macs compliant with their IT infrastructure. This puts data stored and shared across the corporate network and on Apple devices at risk.

5. Some organizations are ignoring the benefits of mobile collaboration altogether. More than 30% of those surveyed actually forbid personal devices from accessing the network.

Mr. Rawbone sees two reasons organizations are not educating or training their employees on the risks of BYOD. The first is time and money: most companies have tight budgets across the board, in particular within their IT department and their overall staffing. The second excuse for not training staff is that organizations are unaware that their staff are using these solutions, or they are turning a blind eye to the issues affecting their corporate data and overall IT infrastructure.

The Acronis Senior Partner told ITProPortal there are legal and compliance issues associated with BYOD, but generally BYOD can be adapted to each compliance regulation and rule. The main concern of BYOD is data protection: ensuring that as employees bring devices to and from the workplace, confidential corporate data is adequately protected while remaining easily accessible. An important part of data protection, often not addressed by BYOD strategies, is ensuring that information and records comply with privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX), as well as specific industry and regional privacy regulations.

Mr. Rawbone concludes by reminding the author that the important thing every business needs to remember is that mobile devices can be replaced for a small cost in comparison to having your confidential data stolen and misused.

Companies need to embrace technological evolution and look at the business benefits of BYOD. Otherwise, he claims, they will face serious network and data issues and, worst of all, potential legal problems in the coming years.

Creating a mobile device security policy doesn’t have to be complicated, but it needs to encompass devices, data, and files. The article lists a number of simple things organizations should do, like requiring users to key-lock their devices with password protection. 68% of those surveyed use VPN or secure gateway connections across networks and systems, and 52% use Microsoft (MSFT) Active Directory and/or LDAP. The simplest place to start is to use device key-lock and password protection.


Data Centers Expand in the D

Online Tech continues its data center build-out in the Metro Detroit area. The new data center, formerly a Sprint-Nextel facility, will expand Online Tech’s total Michigan footprint to 100,000 gross square feet. The firm’s $10M renovation of the Westland, MI site will create a 34,000 square foot facility with 18,000 square feet of raised floor space and a total IT load capacity of 1.2 MW. The Metro Detroit data center will feature fiber connectivity to eight different telecommunications providers. According to Whir, the firm will add 15 new jobs at the data center over the next five years to run the facility.

The firm operates three other Michigan data centers, two in Ann Arbor and one in Flint. The new facility will bring its total data center footprint to 100,000 square feet. It is the market leader in the Detroit Metro with the top market share in multi-tenant data center space in Michigan, according to 451 Research. Yan Ness, co-CEO of Online Tech called the new data center a milestone for the firm.

This new facility is a major milestone for Online Tech because it is our fourth data center and it brings us to an overall total of 100,000 square feet of gross data center space. This facility will allow us to serve the large Detroit market, where we see strong demand for the secure, compliant cloud and hosting services.

Mike Klein, co-CEO of Online Tech, explained to Whir that the firm’s advantage is its focus on compliance.

Our data centers deliver secure colocation and cloud hosting services to clients whose IT operations must comply with regulations like HIPAA, PCI, and Sarbanes-Oxley. Our data centers, including the new Metro Detroit Data Center, reflect our commitment to protecting our clients and their sensitive data.

In anticipation of further growth, the firm expanded its Ann Arbor headquarters in September 2013 after doubling its employee count to nearly 50 over the previous 18 months.

In October 2011 the company opened a 20,000 square foot data center with 10,000 square feet of raised floor in the Avis Farms complex, minutes away from Online Tech’s headquarters and original data center in Ann Arbor. According to reports, the Tier 3 data center has fully redundant power and network infrastructure to maintain availability for its colocation, managed server, and cloud computing hosting business.

Online Tech invested more than $1 million in upgrades and expansion to its Flint, MI data center during August 2011. The 2011 update brought 1 megawatt of power to the Flint data center floor. Whir says the Flint site was built in 1986 as a disaster recovery center for General Motors (GM). Online Tech took over the facility in 2005 with its acquisition of Gentech. Separated by more than 50 miles and on a separate electrical grid, the Flint data center lets the firm offer clients both production and disaster recovery data centers in Michigan.

Online Tech has plans to grow beyond metro Detroit. Co-CEO Ness told Whir:

… our growth won’t stop there. We see similar opportunities for us in other markets in the Great Lakes region and the Midwest, and we expect to continue our growth strategy by expanding our portfolio of data centers into other cities in the near future.


The Secret Life of Copiers

Updated 05-11-2007. Most digital copiers manufactured in the past five years have disk drives to reproduce documents. As a result, the seemingly harmless machines that are commonly used to spit out copies of sensitive information can retain the data being scanned.

Digital copier manufacturer Sharp issued a warning about photocopier vulnerabilities in conjunction with tax season. The company warned that it isn’t just people who make copies of their tax returns who are at risk.

A few years ago Sharp was among the first to offer a security kit for its machines. The security kit would encrypt and overwrite the images being scanned. Overwriting the data ensures it isn’t stored on the hard disks indefinitely.

In many cases, a central administrative or IT department monitors an entire fleet of copiers using each machine’s Internet Protocol (IP) address. What they forget is that, because the copiers are managed remotely over the network, other people could get access to them as well. Firms can take action in several ways.

One option is to close IP ports. When a copier is being installed, the IT staff should close unneeded ports so that there is only one access path to the machine. Another option is media access control (MAC) filtering. MAC filtering sets rules to accept management commands only from specified MAC addresses, such as the help desk, restricting outsiders.

The Secret Life of Copiers, CFO Magazine May 01, 2004

Last fall, reports began circulating that a large university in the Northeast had uncovered an illegal music-file-swapping service on campus. The music files were stored in a spot nobody would ever think to look: a copy machine. The students were actually transferring MP3s to and from a hard drive on a copier. The machine’s hard drive was designed to capture and store scanned documents. Apparently, a member of the school’s IT department stumbled on the plot after noticing a remarkable amount of traffic going to and from the networked copier.

While the technology for making copies has changed little in the past 50 years, most copiers are now full-blown IT devices, with network and E-mail server connectivity. Employees typically have unfettered access to copiers — and thus any information stored on them. This makes copy machines perfect targets for hackers or, since the drives are usually removable, thieves.

Enterprise appliance security could prove to be of real importance in the new era of privacy (for example, the Health Insurance Portability and Accountability Act of 1996, or HIPAA) and document management (the Sarbanes-Oxley Act of 2002). That’s doubly true if a company uses copiers to scan sensitive personal documents such as medical records, birth certificates, or financial forms. Louis E. Slawetsky, president of Rochester, N.Y.-based research firm Industry Analysts Inc., said, “People don’t think of copiers as a vulnerability … That’s a problem since they have hard drives and can store whatever has been copied for an indefinite period of time.”

This creates a potential security problem: customers have access to a machine connected to the bank’s network. The bank mitigates the danger by placing the machine behind two firewalls and making the copier password-protected. Security consultants say potential buyers of new copiers should almost always look for machines with encryption or overwriting capabilities.

Hard-copy security is also an issue — you don’t want the wrong person picking up someone else’s copy job. Hence, experts advise prospective buyers to stick to machines that come with password protection. That way, says Larry Kovnat, systems security program manager for Xerox’s office group in Rochester, N.Y., “no one can inadvertently see documents or pick them up.”

Despite the improvements in copier-machine defenses, one security hole still has not been addressed: E-mail. Although copiers generally can keep track of who is E-mailing a document (through passwords), it is nigh impossible to put limits on what can be sent or where the E-mails can be sent. This could change, however, as copier hard drives and network connections become more sophisticated.
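Two of the controls above, MAC filtering of management access (from the Sharp advice) and watching for unusual traffic to the copier (how the university case was noticed), can be checked from flow logs. The following is an added example written for this post, not code from CFO Magazine, Sharp, or Xerox. The copier address, the management ports, the allowlisted help-desk MAC, the volume threshold and the log lines are all constructed for the demo.

```python
"""Added example: defender-side checks for a networked copier over constructed
flow records. (1) Management-port connections are accepted only from allowlisted
MAC addresses (the MAC-filtering advice). (2) Per-host byte volume to the copier is
compared against a baseline to surface unusual transfers. All values are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

COPIER_IP = "10.0.9.40"                 # assumed copier address
MGMT_PORTS = {22, 80, 443}              # assumed admin interfaces (SSH, embedded web UI)
HELPDESK_MACS = {"00:11:22:33:44:55"}   # assumed allowlisted management station
VOLUME_THRESHOLD = 20_000_000           # bytes per host per log window; assumed baseline

# Constructed flow records, key=value fields, one connection per line.
# Port 9100 is ordinary print-job traffic and should not raise an alert.
SAMPLE_LOG = """\
src_mac=00:11:22:33:44:55 src_ip=10.0.1.10 dst_ip=10.0.9.40 dst_port=443 bytes=4096
src_mac=aa:bb:cc:dd:ee:01 src_ip=10.0.3.77 dst_ip=10.0.9.40 dst_port=443 bytes=2048
src_mac=aa:bb:cc:dd:ee:02 src_ip=10.0.3.78 dst_ip=10.0.9.40 dst_port=9100 bytes=300000
src_mac=aa:bb:cc:dd:ee:03 src_ip=10.0.4.15 dst_ip=10.0.9.40 dst_port=445 bytes=15000000
src_mac=aa:bb:cc:dd:ee:03 src_ip=10.0.4.15 dst_ip=10.0.9.40 dst_port=445 bytes=12000000
src_mac=aa:bb:cc:dd:ee:01 src_ip=10.0.3.77 dst_ip=10.0.2.5 dst_port=443 bytes=9000
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flows(text: str) -> List[Dict[str, str]]:
    """Parse key=value flow lines into dicts; blank lines are skipped."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def unauthorized_mgmt(flows: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """(mac, ip, port) for management-port connections to the copier from non-allowlisted MACs."""
    hits = []
    for f in flows:
        if f["dst_ip"] != COPIER_IP:
            continue
        port = int(f["dst_port"])
        if port in MGMT_PORTS and f["src_mac"] not in HELPDESK_MACS:
            hits.append((f["src_mac"], f["src_ip"], port))
    return hits


def high_volume_hosts(flows: List[Dict[str, str]]) -> Dict[str, int]:
    """Total bytes each source sent to the copier, keeping only hosts above the baseline."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f["dst_ip"] == COPIER_IP:
            totals[f["src_ip"]] += int(f["bytes"])
    return {ip: n for ip, n in totals.items() if n > VOLUME_THRESHOLD}


def audit(text: str = SAMPLE_LOG) -> Tuple[List[Tuple[str, str, int]], Dict[str, int]]:
    flows = parse_flows(text)
    return unauthorized_mgmt(flows), high_volume_hosts(flows)


if __name__ == "__main__":
    mgmt, volume = audit()
    for mac, ip, port in mgmt:
        print(f"DENY: management access to copier from {ip} ({mac}) on port {port}")
    for ip, n in volume.items():
        print(f"ALERT: {ip} moved {n} bytes to the copier, above baseline")
```

On the sample log, the only management-port hit is the non-help-desk host on port 443; the large SMB transfers from one workstation add up to well above the baseline and are reported, while the print-job traffic on 9100 is left alone. In practice the allowlist belongs on the switch or the copier itself (the page's MAC-filtering advice); the log check is the detective control that tells you the preventive one is holding.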


Network Security Layering

Most companies are prepared for threats to their networks from the outside world. However, security breaches from within the corporation often pose the biggest concern. In this post-Enron world of increased corporate governance, IT managers must deal with both technical and human challenges to meet their companies’ security requirements. New legislative mandates, such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the Gramm-Leach-Bliley Act, also apply.

When considering securing a network, it’s essential to take a holistic approach, from the physical layer to the application layer. Thorough security policies, appropriate authentication mechanisms, and effective user education must complement the technologies implemented within the network.

The security-layering concept allows for variable-depth security. Variable-depth security occurs when each security level builds upon the capabilities of the layer below, resulting in more stringent security moving up through the layers. This can help protect organizations from security breaches that may come from within, as layering provides multiple measures of security controls.

The first security layer: VLANs

At the first layer, essential network compartmentalization and segmentation can be provided by virtual LANs. This allows various business functions to be contained and segmented into private LANs. Traffic from other VLAN segments is strictly controlled or prohibited. Several benefits may be derived from deploying VLANs for small to midsize businesses across the company’s multiple sites. These include the use of VLAN “tags.” VLAN tags allow traffic to be segregated into specific groups, such as finance, human resources, and engineering. Tagging also keeps the data of one group separate from another without “leakage” between VLANs, a required element for security.

The second layer: Firewalls

The second layer of security can be achieved with perimeter defense and distributed firewall-filtering capabilities at strategic points within the network. The firewall layer allows the network to be further segmented into smaller areas, monitors it, and protects against harmful traffic from the public network. In addition, an authentication capability for incoming or outgoing users can be provided. The use of firewalls provides an extra layer of protection that’s useful for access control. The application of policy-based access allows the customization of access based on business needs. Using a distributed firewall approach affords the added benefit of scalability as enterprise needs evolve.

The third security layer: VPNs

Virtual private networks, which offer a finer degree of user access control and personalization, can be added as a third layer of security. VPNs offer fine-grained security down to the individual user and enable secure access for remote sites and business partners. With VPNs, dedicated pipes aren’t required, since dynamic routing over secure tunnels across the Internet provides a highly secure, reliable, and scalable solution. VPNs combined with VLANs and firewalls allow the network administrator to limit access by a user or user group based on policy criteria and business needs. VPNs give more robust assurance of data integrity and confidentiality, and strong data encryption can be enacted at this layer to provide more security.

The fourth layer: Solid security practices

Best practices by the IT security team are yet another level in a layered network security strategy. This can be achieved by ensuring that operating systems are protected against known threats. (This can be accomplished by consulting with the operating system manufacturer to get the latest systems-hardening patches and procedures.) In addition, steps must be followed to ensure all installed software is virus-free.

Securing network management traffic is essential to securing the network. It’s preferable to encrypt all management traffic at all times, using IPsec or the Secure Sockets Layer protocol to protect HTTP-based management sessions. Encryption is a must even if the traffic travels only on the local-area network.
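The three technical layers above (VLAN segmentation, policy-based firewall rules, and VPN sessions that place an authenticated remote user into a group) can be modeled as successive checks on a single flow. The following is an added example written for this post, not a vendor product or configuration; the VLAN names, subnets, rules and VPN session table are assumptions chosen to illustrate the layering. A flow must pass every layer, and anything not explicitly permitted between VLANs is denied.

```python
"""Added example: a small policy evaluator that applies the page's three layers in
order. Layer 1 maps each host to a VLAN by subnet; same-VLAN traffic is allowed and
cross-VLAN traffic needs a rule. Layer 2 is a first-match, default-deny firewall
rule set keyed on source VLAN, destination VLAN and port. Layer 3 admits remote
hosts only through an authenticated VPN session that maps them to a group VLAN.
All addresses, names and rules are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layer 1: VLAN membership by subnet (assumed addressing plan)
VLANS: Dict[str, ipaddress.IPv4Network] = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "hr": ipaddress.ip_network("10.20.0.0/24"),
    "engineering": ipaddress.ip_network("10.30.0.0/24"),
    "dmz": ipaddress.ip_network("10.99.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_vlan: str
    dst_vlan: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"


# Layer 2: distributed firewall rules, evaluated first-match; no match means deny
RULES: List[Rule] = [
    Rule("engineering", "dmz", 443, "allow"),
    Rule("finance", "dmz", 443, "allow"),
    Rule("hr", "finance", None, "deny"),        # explicit deny so the intent is auditable
    Rule("vpn-finance", "finance", 443, "allow"),
]

# Layer 3: authenticated VPN sessions map a remote address to a group-specific VLAN.
# In a real deployment this table is populated by the VPN concentrator after login/MFA.
VPN_SESSIONS: Dict[str, str] = {"198.51.100.7": "vpn-finance"}  # constructed session


def vlan_of(ip: str) -> Optional[str]:
    """Internal hosts get their VLAN from the subnet; remote hosts only via a VPN session."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return VPN_SESSIONS.get(ip)


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow: ...' or 'deny: ...' with the layer that decided it."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return "deny: unknown or unauthenticated endpoint"   # layer 3 (or unmapped host)
    if src == dst:
        return "allow: same VLAN"                             # layer 1
    for r in RULES:                                           # layer 2
        if r.src_vlan == src and r.dst_vlan == dst and r.dst_port in (None, dst_port):
            return f"{r.action}: rule {r.src_vlan}->{r.dst_vlan}"
    return "deny: inter-VLAN default"


if __name__ == "__main__":
    for flow in [("10.10.0.5", "10.10.0.9", 445), ("10.20.0.5", "10.10.0.9", 445),
                 ("10.30.0.5", "10.99.0.1", 443), ("10.30.0.5", "10.99.0.1", 22),
                 ("198.51.100.7", "10.10.0.9", 443), ("203.0.113.9", "10.10.0.9", 443)]:
        print(flow, "->", evaluate(*flow))
```

The ordering matters: a remote host with no VPN session never reaches the rule set, and an internal host in the wrong VLAN is stopped by the default deny even when no explicit rule names it. That is the “each layer builds on the one below” property the section describes.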
