Many organizations have collected applications and systems that store passwords in various ways, making password protection a serious problem for both employee and customer passwords, said Johannes Ullrich, chief research officer at the SANS Institute.
Social networks and other organizations should protect user passwords appropriately or face serious consequences when an attacker breaks in to pilfer data, Ullrich said. Attackers have shown that account credentials are highly coveted, he said, because they provide the easiest way into a system as an authenticated user. The LinkedIn password breach, one in a string of credential breaches in recent years, is another example of password security missteps.
In an interview with SearchSecurity.com, Ullrich talked about the importance of taking an inventory of the various password databases on the network, deploying appropriate protection (salted hashing rather than clear-text or unsalted storage) and migrating away from legacy applications that store passwords and other personal information in clear text. Enterprises can also deploy single sign-on to reduce the number of separate password stores, he said.
It is difficult to apply similar protections to email addresses, Ullrich said. Applications often need to see the email address in clear text, and businesses need it available to message customers. Encrypting stored email addresses would likely create key management problems, because the application itself would need the key to decrypt them, he said.
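The three steps Ullrich describes, inventory the password stores, verify against whatever scheme each record currently uses, and move weak records to a salted, iterated hash, can be combined into a single login path that upgrades clear-text or unsalted-hash records the first time their owner logs in. The following is an added example written for this page, not code from SANS or from the interview; the record format, the PBKDF2 iteration count, the classification heuristic and the sample store are all assumptions chosen for illustration. Note that the email field stays in clear text throughout, for the reason given above: the application must read it to send mail, whereas it never needs to read the password.

```python
"""Password-store hygiene: classify how each record protects its password,
verify logins against the scheme the record actually uses, and upgrade
weak records to a salted, iterated hash on the next successful login."""
import hashlib
import hmac
import os

# Assumption: iteration count chosen for this example; tune to your hardware
# so a single verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$key_hex.
    The application stores this string and never needs the password again."""
    salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def classify(stored: str) -> str:
    """Inventory helper: name the scheme a stored credential uses.
    The 32-hex-char test for unsalted MD5 is a heuristic (an assumption)."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower()):
        return "md5_unsalted"
    return "plaintext"


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a record of any known scheme,
    always using a constant-time comparison."""
    pw = password.encode("utf-8")
    scheme = classify(stored)
    if scheme == "pbkdf2_sha256":
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    if scheme == "md5_unsalted":
        return hmac.compare_digest(hashlib.md5(pw).hexdigest(), stored.lower())
    return hmac.compare_digest(pw, stored.encode("utf-8"))


def login_and_upgrade(store: dict, username: str, password: str) -> bool:
    """Authenticate, and if the record still uses a weak scheme, rewrite it
    with PBKDF2 while the clear-text password is legitimately in hand."""
    record = store.get(username)
    if record is None or not verify(password, record["password"]):
        return False
    if classify(record["password"]) != "pbkdf2_sha256":
        record["password"] = hash_password(password)
    return True


def inventory(store: dict) -> dict:
    """Count records per storage scheme: the 'take an inventory' step."""
    counts: dict = {}
    for rec in store.values():
        scheme = classify(rec["password"])
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


# Constructed sample store (not real data): one clear-text record, one
# unsalted MD5 record, one already on PBKDF2. Email is kept in clear text
# because the application has to read it to send mail.
SAMPLE_STORE = {
    "alice": {"email": "alice@example.com", "password": "hunter2"},
    "bob": {"email": "bob@example.com",
            "password": hashlib.md5(b"letmein").hexdigest()},
    "carol": {"email": "carol@example.com",
              "password": hash_password("correct horse")},
}

if __name__ == "__main__":
    print("before:", inventory(SAMPLE_STORE))
    for user, pw in (("alice", "hunter2"), ("bob", "letmein")):
        print(user, "login:", login_and_upgrade(SAMPLE_STORE, user, pw))
    print("after:", inventory(SAMPLE_STORE))
```

Running the inventory before and after the two logins shows the weak records disappearing without a bulk migration, which is the practical answer to a legacy store that cannot be re-hashed offline because the clear-text passwords are not available. Records whose owners never log in again stay weak, so the inventory should be re-run and dormant accounts expired or forced through a reset.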
Experts tell me the LinkedIn breach highlighted the need for database security. If you were a CISO at an enterprise, how would you approach the news of this breach?
Ullrich: I think the first thing to do is take an inventory of all of the password databases that you have in the network. The difficult part about this is usually you have more than one. You have them spread all around because there are likely different applications that you have acquired over the years. Trying to get a good inventory and figuring out how they are protected is a first step. Then of course there are applications that are not compliant and still deployed on many networks. They either store the data in clear text or it is insufficiently hashed. Try to come up with a transition plan for that, which is questionable, so you would have to come up with some other mitigating controls there.
Why do organizations have password databases that they may not know about?
Ullrich: It is because of the way most networks grow over time. You find the organization may purchase applications where you are not aware of how they store passwords. An enterprise has dozens of applications and they all have their own password store. Ideally you would have some sort of single sign-on implemented. That would be the ultimate goal I would aim for as a CISO, but then again, implementing single sign-on with all those legacy applications is usually a huge challenge. It’s not something you do overnight.
Are email addresses stored alongside passwords? Should they be protected as strongly as passwords?
Ullrich: Email addresses and usernames, which are often the first part of an email address, tend to be stored next to each other. I don’t think there is much you can do to protect the email address because you need that in clear text in order to send emails to the user. The thing about passwords is the application never needs to know the password, so that allows for hashing and other encryption methods. You don’t really have that option for email addresses. You could encrypt email addresses, but then you would have to do something with the keys because the application would need to decrypt it. So you would have key management issues.
A lot of the data breaches we’ve seen over the last several years have had some sort of social engineering component. Other than training, is there anything you can do to protect end users against social engineering tactics?
Ullrich: You can still do access control. One of the problems of course is that social engineering can convince an insider to leak all the passwords. It doesn’t need to be a malicious attack. An attacker can convince an insider to leak them without social engineering. I think to address social engineering you need internal controls as well as external. What you do against a malicious insider also works well against social engineering attacks.
There’s been a push with “big data” for the addition of network traffic monitoring systems deployed in the enterprise. Are those systems only being deployed at large enterprises?
Ullrich: I think you would need too much manpower for small or mid-sized businesses to deploy and maintain these types of systems. You need a fairly specialized skill to actually be able to operate them. I think smaller businesses will be stuck with outsourced monitoring or monitoring by a part-time system administrator or something like that. I don’t think those systems would help very much because they tend to collect data and don’t get monitored correctly. I think smaller businesses should choose network controls that would have the biggest impact in the end.