On one level, the network comprises all the physical elements, or hardware, that make up your digital infrastructure. This includes any and all computers used by personnel, as well as all information technology, such as servers, modems, hubs, routers, and wireless access points. Network security exists to understand and eliminate threats to the best of your ability. Some of the most common and dangerous risks threatening your network include malware, data interception, and social engineering.
Across all these vectors, and more, cybercriminals have many ways to gain control of your systems and steal or extort valuable resources from you. Luckily, just as there are varied vulnerabilities, there are several tried-and-true responses and preventative measures to help counter the harm these threats can pose to your network.
The most common and effective practices that shore up network security work in tandem to help keep your business secure. Arguably the most important safeguard among them is robust password management, on which the security of the whole network depends.
The National Institute of Standards and Technology has established particular guidelines governing what password management should look like at all companies. In particular, it emphasizes the use of strong passwords and passphrases, as well as several other measures that go beyond password protection, such as multi-factor authentication. A password-protected access system works similarly to a padlock: a key (the password) is used to unlock or enable access to protected assets.
And, like a padlock, this system is useless if an attacker has access to the key. The biggest threats to password safety involve cybercriminals obtaining that digital key by one means or another. A sophisticated cybercriminal outfit will leverage all these attacks, and more.
And compromising just one password could be enough to do irreparable damage to an entire network. Effective password management uses a combination of techniques and measures to make passwords more difficult for hackers and other bad actors to obtain. The most effective way to manage passwords and keep your organization safe is to combine these practices with an overarching cybersecurity framework that reduces harm from all manner of attacks.
Therefore, passwords are always needed for access to any resource. Another way to manage passwords for network security involves a robust, all-in-one solution like professional managed security services. Contracting a private company like RSI Security to handle all matters of your cybersecurity provides numerous benefits and synergies, such as integration of password management into your overall cybersecurity framework programs.
Password management alone is an extremely effective way to protect your network. Combined with robust password management, managed security providers are the best way to ensure your entire network is safe. Here at RSI Security, we know firsthand how important a robust password management system is to your network and overall security. In addition to help with passwords, we can also assure your compliance with relevant regulatory guidelines, as well as the overall soundness of your entire cyberdefense framework.
So, what are you waiting for? Contact RSI Security today to see the pivotal role password management in network security can play for your organization.
We are also a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software-based automation and managed services, RSI Security can assist organizations of all sizes in managing IT governance, risk management and compliance (GRC) efforts.
Guide to Password Management for Network Security
Password management involves much more than simply requiring a certain number of letters or characters for users creating login credentials, or requiring users to change passwords once per year (or, hopefully, more frequently).
Of all breaches studied:
Only 15 percent involved abuse of authorized use, and errors accounted for 21 percent.
But 29 percent involved the direct use of stolen credentials for unauthorized access.
And 32 percent involved phishing, which most commonly entails theft of login credentials.
Both of these latter vulnerabilities are preventable with strong password management.
Network Security
Network security entails protecting all elements of your network against various threats that could allow hackers or other cybercriminals to damage your company. But what exactly does the network consist of?
Biggest Threats to Network Security
Network security exists to understand and eliminate threats to the best of your ability.
Some of the most common and dangerous risks threatening your network include:
Malware — Malware, or malicious software, includes a wide variety of viruses and other programs that, once installed, spread across your network corrupting data. Outright theft or ransom is the end goal of a trojan, spyware, or other malware-based attack.
Data interception — Another broad category, these attacks utilize a number of passive eavesdropping and active man-in-the-middle techniques to collect and analyze data being transported within or across networks.
Social engineering — These attacks are unique in that they involve exploiting one vulnerability common to all companies: humans. Social engineering attacks, like phishing, seek to trick individuals into compromising valuable information.
The ID determines whether the user is authorized to gain access to a system. In some systems, only those who already have an ID filed on the system are allowed to gain access.
The ID determines the privileges accorded to the user. A few users may have supervisory or "superuser" status that enables them to read files and perform functions that are especially protected by the operating system.
Some systems have guest or anonymous accounts, and users of these accounts have more limited privileges than others. The ID is used in what is referred to as discretionary access control. For example, by listing the IDs of the other users, a user may grant permission to them to read files owned by that user.
To understand the nature of the threat to password-based systems, let us consider a scheme that is widely used on UNIX, in which passwords are never stored in the clear. Rather, the following procedure is employed (see the figure). Each user selects a password of up to eight printable characters in length. This is converted into a bit value using 7-bit ASCII that serves as the key input to an encryption routine. The encryption routine, known as crypt(3), is based on DES.
The DES algorithm is modified using a bit "salt" value. Typically, this value is related to the time at which the password is assigned to the user. The modified DES algorithm is exercised with a data input consisting of a bit block of zeros. The output of the algorithm then serves as input for a second encryption.
This process is repeated for a total of 25 encryptions. The resulting bit output is then translated into a character sequence. The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID.
This method has been shown to be secure against a variety of cryptanalytic attacks [WAGN00].
The salt serves three purposes. It prevents duplicate passwords from being visible in the password file. Even if two users choose the same password, those passwords will be assigned at different times.
Hence, the "extended" passwords of the two users will differ. It effectively increases the length of the password without requiring the user to remember two additional characters. Hence, the number of possible passwords is multiplied by the number of possible salt values, increasing the difficulty of guessing a password. It prevents the use of a hardware implementation of DES, which would ease the difficulty of a brute-force guessing attack.
At logon, the operating system uses the ID to index into the password file and retrieve the plaintext salt and the encrypted password.
The salt and user-supplied password are used as input to the encryption routine. If the result matches the stored value, the password is accepted. The encryption routine is designed to discourage guessing attacks.
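As an added illustration (not code from the book or from any UNIX implementation), the following Python models the structure of the scheme just described: a 56-bit key built from up to eight 7-bit characters, 25 iterations over a zero block, and the salt stored in the clear in front of the hash so that logon can recompute and compare. DES is replaced by an HMAC-SHA256 stand-in, so the outputs are not crypt(3)-compatible; the 12-bit salt width and the 64-symbol output alphabet are assumptions taken from the traditional implementation.

```python
import hashlib
import hmac
import secrets

# 64-symbol alphabet used by traditional crypt(3) output; 6 bits per symbol (assumption).
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS = 25        # crypt(3) applies the cipher 25 times
SALT_BITS = 12     # traditional crypt(3) salt width (assumption)


def _key_from_password(password: str) -> bytes:
    """Up to eight printable chars, 7 bits each, packed into a 56-bit key."""
    key = 0
    for ch in password[:8].encode("ascii").ljust(8, b"\0"):
        key = (key << 7) | (ch & 0x7F)
    return key.to_bytes(7, "big")


def _encode64(value: int, symbols: int) -> str:
    return "".join(ALPHABET[(value >> (6 * i)) & 0x3F] for i in range(symbols))


def _decode64(text: str) -> int:
    return sum(ALPHABET.index(c) << (6 * i) for i, c in enumerate(text))


def _salted_cipher(key: bytes, salt: int, block: bytes) -> bytes:
    """Stand-in for salt-modified DES: HMAC-SHA256 keyed by key||salt, cut to 64 bits."""
    return hmac.new(key + salt.to_bytes(2, "big"), block, hashlib.sha256).digest()[:8]


def crypt_like(password: str, salt: int) -> str:
    """Encrypt a 64-bit zero block 25 times under the password key; emit salt + hash."""
    key = _key_from_password(password)
    block = bytes(8)
    for _ in range(ROUNDS):
        block = _salted_cipher(key, salt, block)
    return _encode64(salt, 2) + _encode64(int.from_bytes(block, "big"), 11)


def new_entry(user: str, password: str) -> str:
    """Password-file line: the salt travels in the clear in front of the hash."""
    return f"{user}:{crypt_like(password, secrets.randbelow(1 << SALT_BITS))}"


def verify(entry: str, password: str) -> bool:
    """Logon check: recover the plaintext salt from the stored entry, recompute, compare."""
    stored = entry.split(":", 1)[1]
    salt = _decode64(stored[:2])
    return hmac.compare_digest(crypt_like(password, salt), stored)
```

Note that only the first eight characters of the password influence the result, exactly as in the traditional scheme; two users with the same password still receive different stored values because their salts differ.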
Software implementations of DES are slow compared to hardware versions, and the use of 25 iterations multiplies the time required accordingly. However, since the original design of this algorithm, two changes have occurred. First, newer implementations of the algorithm itself have resulted in speedups. For example, the Internet worm described in Chapter 19 was able to do online password guessing of a few hundred passwords in a reasonably short time by using a more efficient encryption algorithm than the standard one stored on the UNIX systems that it attacked.
Second, hardware performance continues to increase, so that any software algorithm executes more quickly. Thus, there are two threats to the UNIX password scheme. First, a user can gain access on a machine using a guest account or by some other means and then run a password guessing program, called a password cracker, on that machine.
The attacker should be able to check hundreds and perhaps thousands of possible passwords with little resource consumption. In addition, if an opponent is able to obtain a copy of the password file, then a cracker program can be run on another machine at leisure. This enables the opponent to run through many thousands of possible passwords in a reasonable period. Using a Thinking Machines Corporation parallel computer, a performance of encryptions per second per vector unit was achieved.
With four vector units per processing node (a standard configuration), this works out to , encryptions per second on a node machine (which is a modest size) and 6. Even these stupendous guessing rates do not yet make it feasible for an attacker to use a dumb brute-force technique of trying all possible combinations of characters to discover a password.
Instead, password crackers rely on the fact that some people choose easily guessable passwords. Some users, when permitted to choose their own password, pick one that is absurdly short.
The results of one study at Purdue University are shown in the accompanying table. The study observed password change choices on 54 machines, representing approximately user accounts. An attacker could begin the attack by exhaustively testing all possible passwords of length 3 or fewer. A simple remedy is for the system to reject any password choice of fewer than, say, six characters, or even to require that all passwords be exactly eight characters in length.
Most users would not complain about such a restriction. Password length is only part of the problem. Many people, when permitted to choose their own password, pick a password that is guessable, such as their own name, their street name, a common dictionary word, and so forth.
This makes the job of password cracking straightforward. The cracker simply has to test the password file against lists of likely passwords. Because many people use guessable passwords, such a strategy should succeed on virtually all systems. One demonstration of the effectiveness of guessing is reported in [KLEI90].
From a variety of sources, the author collected UNIX password files, containing nearly 14, encrypted passwords. The result, which the author rightly characterizes as frightening, is shown in the accompanying table. In all, nearly one-fourth of the passwords were guessed. The following strategy was used:
1. Try the user's name, initials, account name, and other relevant personal information. In all, many different permutations for each user were tried.
2. Try words from various dictionaries. The author compiled a dictionary of over 60, words, including the online dictionary on the system itself, and various other lists as shown.
3. Try various permutations on the words from step 2. This included making the first letter uppercase or a control character, making the entire word uppercase, reversing the word, changing the letter "o" to the digit "zero," and so on. These permutations added another 1 million words to the list.
4. Try various capitalization permutations on the words from step 2 that were not considered in step 3. This added almost 2 million additional words to the list.
Thus, the test involved in the neighborhood of 3 million words. Using the fastest Thinking Machines implementation listed earlier, the time to encrypt all these words for all possible salt values is under an hour.
One way to thwart a password attack is to deny the opponent access to the password file. If the encrypted password portion of the file is accessible only by a privileged user, then the opponent cannot read it without already knowing the password of a privileged user.
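The same four-step search that made the experiment above so effective can be turned around and applied by the system at password-selection time, rejecting any candidate the search would find. The following Python is an added example (not from the book or from any cited study) of such a check: it enforces the six-character minimum suggested earlier and tests the candidate against a constructed stand-in word list, the user's own name and account data, and the simple permutations listed in steps 3 and 4. The word list, the user data and the helper names are all assumptions.

```python
# Constructed stand-in for the 60,000-word dictionary; a real checker would load a file.
DICTIONARY = {"password", "welcome", "monkey", "dragon", "purdue", "unix", "letmein"}
MIN_LENGTH = 6   # the remedy suggested in the text: reject fewer than six characters


def personal_words(user: str, full_name: str) -> set[str]:
    """Step 1 material: account name, name parts and initials (assumed fields)."""
    parts = full_name.lower().split()
    words = {user.lower(), *parts, "".join(p[0] for p in parts)}
    return {w for w in words if w}


def permutations(word: str) -> set[str]:
    """Step 3/4 variants: first letter upper, all upper, reversed, o->0, last letter upper."""
    base = word.lower()
    return {base, base.capitalize(), base.upper(), base[::-1],
            base.replace("o", "0"), base[:-1] + base[-1].upper()}


def check_password(candidate: str, user: str, full_name: str) -> list[str]:
    """Return the reasons a candidate would be rejected; an empty list means acceptable."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    guessable: set[str] = set()
    for word in DICTIONARY | personal_words(user, full_name):
        guessable |= permutations(word)
    # Undo the same cheap transformations the search applies before comparing.
    normalized = {candidate, candidate.lower(), candidate[::-1].lower(),
                  candidate.lower().replace("0", "o")}
    if guessable & normalized:
        reasons.append("matches a dictionary or personal word (or a simple permutation of one)")
    return reasons
```

A rejection lists every rule the candidate broke, so a short dictionary word is reported for both length and guessability.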
Many systems, including most UNIX systems, are susceptible to unanticipated break-ins. Once an attacker has gained access by some means, he or she may wish to obtain a collection of passwords in order to use different accounts for different logon sessions to decrease the risk of detection. Or a user with an account may desire another user's account to access privileged data or to sabotage the system. An accident of protection might render the password file readable, thus compromising all the accounts.
Some of the users have accounts on other machines in other protection domains, and they use the same password. Thus, if the passwords could be read by anyone on one machine, a machine in another location might be compromised. A more effective strategy, then, is to force users to select passwords that are difficult to guess. The lesson from the two experiments just described is that, left to choose freely, many users pick a password that is too short or too easy to guess. At the other extreme, if users are assigned passwords consisting of eight randomly selected printable characters, password cracking is effectively impossible.
But it would be almost as impossible for most users to remember their passwords. Fortunately, even if we limit the password universe to strings of characters that are reasonably memorable, the size of the universe is still too large to permit practical cracking.
Our goal, then, is to eliminate guessable passwords while allowing the user to select a password that is memorable. Four basic techniques are in use. The first is user education: users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords.
This user education strategy is unlikely to succeed at most installations, particularly where there is a large user population or a lot of turnover. Many users will simply ignore the guidelines. Others may not be good judges of what is a strong password. For example, many users mistakenly believe that reversing a word or capitalizing the last letter makes a password unguessable.
Computer-generated passwords also have problems. If the passwords are quite random in nature, users will not be able to remember them. Even if the password is pronounceable, the user may have difficulty remembering it and so be tempted to write it down. In general, computer-generated password schemes have a history of poor acceptance by users. The standard includes not only a description of the approach but also a complete listing of the C source code of the algorithm.