On 04/25/2011 07:18 PM, Matthew Gardner wrote:

> This whole conversation really comes down to this: what's your prior
> on the kinds of attacks that you expect? Because people have
> different beliefs about which attacks are likely, they come to
> different conclusions about security. If you believe that someone who
> gains physical access to your machines, or lives close enough to you
> to see notes on your computer, is most likely, you will probably agree
> with AJ and the author of the article. If, like Aaron and Stuart (and
> myself), you believe that someone compromising a website containing
> thousands or millions of stored usernames and passwords (including
> yours) is more likely, then you think that the article is baloney.
Allow me to put this to rest (if that's possible). In one of my prior lives, in a city far, far away, I worked for a company that was required to do a "Sneakers" style penetration test. This was a basic penetration test, not quite so grand as having Dan Aykroyd sitting in a sewer line doing wire taps. They had the entire company's passwords in less than one hour. To protect the innocent, I won't go into details on how it was accomplished. Suffice it to say, when I got the penetration report, my password was by far the most secure out of the hundreds compromised; it took the longest to crack, but still it fell in less than an hour.

We can argue all day long about what password is most secure, but after seeing the report and compromised password list, I have to agree that the user is the weakest link. Set up your password policies with all the restrictions you want. Increase your length and complexity requirements. If you go too far, what happens? The user writes the password down on a sticky note and puts it on the bottom of their keyboard, the place where any tweaker worth his salt on the after-hours janitorial staff will look. So you balance out complexity with ease of use. You train your users on how bad it is to write down a password. Then what happens? You might pass the first few levels of penetration test, but I'm aware of another company whose penetration test consisted of the tester scattering picture- (and key-logger-) laden flash drives outside the business's front door, the parking lot, and the break room. Within 24 hours, almost every flash drive was logging and reporting from inside the business. Now I know that none of us is likely that gullible. And there are several businesses that would do well to disable USB port access, as well as floppies, optical drives, etc., etc.

While this works for the larger number of underlings with no need for such access, there is a small group of experienced, highly educated people that will whine and cry about not being able to sync their iPhones. And you will give in. Why? Because they sign your check. How do I know this? From countless personal experiences in just this sort of thing. To make matters worse, these are the people with the access that really counts. Underling access can seriously hurt a company. Officer access can wipe out the company. The bad guy may eventually be caught, but in the best case, the business's loss of goodwill may never recover. In the worst case, the business may not open its doors tomorrow. Don't believe me? I watched an $800 million company disappear literally overnight due to one board member's lack of respect for security and common sense.

You can spend money and time all you want, but the user is still the weakest link. I'm not saying you shouldn't do everything you can to mitigate the problem. I'm saying security is a process, not a destination, and it must include continuous user education. Secure the system and secure the user. Compromise either part and the other will fall. But when all is said and done, social engineering is frequently the easiest and most successful attack.

Grazie,
;-Daniel

--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
