Not really - the original article was interesting, and a good starting
point for discussion.

My point in response to Doug was not that the insider threat has
disappeared but that the blanket statement that inside threats might no
longer be dominant - something that I believe is probably true, with the
rise of organized crime and hacktivism.

Kurt

On Thu, Mar 15, 2012 at 19:53, Andrew S. Baker <asbz...@gmail.com> wrote:

> It's not like insider threats have plummeted to 0.
>
> The fact is that most organizations do not need to call for external
> infosec resources for insider threats.
>
> The Verizon security team dealt with ~855 cases worldwide.  That's a good
> sample size for obtaining data about specific attacks, but it's not so
> large that it's fully representative of the entire attack landscape.
>
> The discussion here was about passwords, which I hope you'd remember
> considering you started it.  Thus, within the context of the thread itself,
> the focus is on the usefulness and viability of strong passwords whether in
> the standard format, or as a passphrase.
>
> This other stuff you added is not really germane to the discussion, unless
> your goal is simply to hijack your own thread.
>
> *ASB*
>
> *http://XeeMe.com/AndrewBaker*
>
> *Harnessing the Advantages of Technology for the SMB market…*
>
>
>
> On Thu, Mar 15, 2012 at 6:43 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>
>> Perhaps you might want to rethink your threat model:
>>
>> http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232601717/new-verizon-breach-data-shows-outside-threat-dominated-2011.html
>>
>> On Thu, Mar 15, 2012 at 13:50, Doug Hampshire <dhampsh...@gmail.com> wrote:
>>
>>> Are you sure about that? The vast majority of security incidents happen
>>> on the inside of your network from known individuals. Also it was
>>> addressing offline brute force attacks. Most online systems have lockout
>>> policies and other countermeasures to limit exposure to brute force
>>> attacks.
>>>
>>> On Thu, Mar 15, 2012 at 2:49 PM, Crawford, Scott
>>> <crawfo...@evangel.edu> wrote:
>>>
>>>> I'd rather have "good" passwords written down on a sticky note
>>>> accessible only to a limited number of coworkers than "bad" passwords that
>>>> can be exploited by any black-hat on the internet.
>>>>
>>>> Sent from my Windows Phone
>>>>  ------------------------------
>>>> From: Heaton, Joseph@DFG
>>>> Sent: 3/15/2012 11:07 AM
>>>> To: NT System Admin Issues
>>>> Subject: RE: Worth some consideration...
>>>>
>>>>
>>>> Wait… I’m NOT supposed to write my password on a sticky note?  How am
>>>> I supposed to let my coworker use my login, then?
>>>>
>>>>
>>>>
>>>> Joe Heaton
>>>>
>>>> ITB – Windows Server Support
>>>>
>>>>
>>>>
>>>> *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
>>>> *Sent:* Thursday, March 15, 2012 7:49 AM
>>>> *To:* Heaton, Joseph@DFG; NT System Admin Issues
>>>> *Subject:* Re: Worth some consideration...
>>>>
>>>>
>>>>
>>>> That's an implementation problem.
>>>>
>>>>
>>>>
>>>> If I choose a passphrase of "Mary had a little lamb" then of course
>>>> that will be relatively weak as passphrases go.  That is not an
>>>> inherent weakness of passphrases, but of people.
>>>>
>>>>
>>>>
>>>> Lots of things are undermined by poor choices.  Completely random 20
>>>> character passwords with a unicode character set are undermined by having
>>>> them posted on sticky notes.
>>>>
>>>>
>>>>
>>>> We didn't need a whole article to point that out.
>>>>
>>>>
>>>>
>>>> *ASB*
>>>>
>>>> *http://XeeMe.com/AndrewBaker*
>>>>
>>>> *Harnessing the Advantages of Technology for the SMB market…*
>>>>
>>>>
>>>>
>>>> On Thu, Mar 15, 2012 at 10:12 AM, Kurt Buff <kurt.b...@gmail.com>
>>>> wrote:
>>>>
>>>>
>>>> http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars
>>>>
>>>> By Dan Goodin
>>>> Ars Technica
>>>> March 14, 2012
>>>>
>>>> Passwords that contain multiple words aren't as resistant as some
>>>> researchers expected to certain types of cracking attacks, mainly
>>>> because users frequently pick phrases that occur regularly in everyday
>>>> speech, a recently published paper concludes.
>>>>
>>>> Security managers have long regarded passphrases as an
>>>> easy-to-remember way to pack dozens of characters into the string that
>>>> must be entered to access online accounts or to unlock private
>>>> encryption keys. The more characters, the thinking goes, the harder it
>>>> is for attackers to guess or otherwise crack the code, since there are
>>>> orders of magnitude more possible combinations.
>>>>
>>>> But a pair of computer scientists from Cambridge University has found
>>>> that a significant percentage of passphrases used in a real-world
>>>> scenario were easy to guess. Using a dictionary containing 20,656
>>>> phrases of movie titles, sports team names, and other proper nouns,
>>>> they were able to find about 8,000 passphrases chosen by users of
>>>> Amazon's now-defunct PayPhrase system. That's an estimated 1.13
>>>> percent of the available accounts. The promise of passphrases'
>>>> increased entropy, it seems, was undone by many users' tendency to
>>>> pick phrases that are staples of the everyday lexicon.
>>>>
>>>> "Our results suggest that users aren't able to choose phrases made of
>>>> completely random words, but are influenced by the probability of a
>>>> phrase occurring in natural language," researchers Joseph Bonneau and
>>>> Ekaterina Shutova wrote in the paper (PDF), which is titled
>>>> "Linguistic properties of multi-word passphrases." "Examining the
>>>> surprisingly weak distribution of phrases in natural language, we can
>>>> conclude that even 4-word phrases probably provide less than 30 bits
>>>> of security which is insufficient against offline attack," the paper
>>>> says.
>>>>
>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
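The quoted article's "less than 30 bits" figure comes from the gap between the entropy of randomly chosen words and the skewed way users actually pick phrases. The following is an added example, not code from the thread or from the Bonneau/Shutova paper, that computes those guessing-resistance metrics; the phrase counts, the 7776-word list size and the Zipf popularity model are constructed assumptions for illustration.

```python
# Added example (not from the thread or the paper): guessing-resistance
# metrics behind the article's claim. Phrase counts, the 7776-word list
# size and the Zipf model are constructed assumptions.
import math
from collections import Counter

def uniform_bits(words_per_phrase, wordlist_size):
    """Entropy of a passphrase whose words are drawn uniformly at random."""
    return words_per_phrase * math.log2(wordlist_size)

def shannon_bits(probs):
    """Shannon entropy of a user-chosen distribution (the optimistic figure)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def min_entropy_bits(probs):
    """Min-entropy: log2 of the work to guess the single most popular phrase."""
    return -math.log2(max(probs))

def guesses_to_crack(probs, alpha):
    """Size of the most-likely-first dictionary that covers a fraction alpha
    of users, i.e. an offline attacker's cost to succeed against that share."""
    covered = 0.0
    for i, p in enumerate(sorted(probs, reverse=True), start=1):
        covered += p
        if covered >= alpha:
            return i
    return len(probs)

def zipf_distribution(n, s=1.0):
    """Constructed popularity model: phrase of rank k has weight 1/k**s,
    roughly how natural-language phrase frequencies fall off."""
    weights = [1.0 / k ** s for k in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]

def dictionary_hit_rate(chosen, dictionary):
    """Share of accounts whose passphrase is in the attacker's phrase list,
    the quantity the Cambridge study measured against PayPhrase."""
    hits = sum(c for phrase, c in chosen.items() if phrase in dictionary)
    return hits / sum(chosen.values())

if __name__ == "__main__":
    # Constructed sample of chosen passphrases and a small proper-noun list.
    chosen = Counter({"mary had a little lamb": 5, "manchester united": 3,
                      "star wars": 2, "velvet otter kiln bracket": 1})
    proper_nouns = {"manchester united", "star wars", "new york yankees"}
    print("dictionary hit rate:", round(dictionary_hit_rate(chosen, proper_nouns), 3))
    print("4 random words from 7776:", round(uniform_bits(4, 7776), 1), "bits")
    z = zipf_distribution(100_000)
    print("Zipf phrases:", round(shannon_bits(z), 1), "Shannon bits vs",
          round(min_entropy_bits(z), 1), "min-entropy bits;",
          guesses_to_crack(z, 0.5), "guesses crack half the users")
```

The interesting comparison is Shannon entropy against min-entropy and the half-population guess count: a skewed distribution can advertise many bits on average while the popular phrases fall to a short list.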
