Holding Down the Fort
In the closing scene of Butch Cassidy and the Sundance Kid, the titular duo is trapped in a farmhouse, surrounded by the Bolivian army and dreaming of far off Australia, where both banks and the armed forces are pushovers.
Our heroic duo’s hideout has only one door, no other apertures. This is a blessing and a curse: as they plot their escape, bullets can’t whiz through windows and cause chaos within. But their opponents can centre their focus on that single point of exit.
Forgetting for a moment who the bandits are in this scene - the imagery is too good to pass up - sometimes in corporate IT it feels like bullets are coming from all sides, from faceless enemies who outmatch and outnumber you. Every corporate network is a hideout in this cyber wild-west. It may be well defended, but it still has its share of apertures. With the right training, however, the bullets can be dodged as they come in. With the right skills and experience, your staff can lead the plunge into a more secure corporate world.
Closing the apertures is the first step. Sure, you can install a state-of-the-art intranet monitoring and data-inspection system. By all means, if you can afford to maintain it, you should.
But simple measures can also help mitigate your susceptibility to data theft. Train your staff to be cautious. Not to click on suspicious links. Not to open documents they weren’t expecting, especially before a virus scan. Implement spam filters to quarantine emails from those Nigerian princes.
Kaspersky Labs reports that in the first quarter of 2013, 66.55% of all email was spam. These emails are relatively easy for users to identify. A greater worry is a spear-phishing campaign using targeted messages or calls to elicit otherwise private information, even passwords.
Strong Passwords. You’ve heard it before. You’ll hear it again, because it’s important. Use a twelve character, alphanumeric, upper and lower case password, with a few symbols mixed in. The length is important. Each additional character in a password adds to the “exponential wall of complexity”.1 And never use the same password on two sites.
Keep an eye on your business’ password policy. Does it follow a single standardized pattern? That’s a problem. A single compromise from a dedicated attacker could roll up your entire network.2 Best practice is to have each user create their own password, but require that it be strong. The criteria for strong passwords should be set out in your firm’s acceptable use policies. They will protect the company and the staff in the event of a crisis.
Which brings us back to Cassidy and The Kid. The Kid was just as interested in the duo’s success as Cassidy, but was constrained by a lack of experience, not capability. Eventually, with the right incentive and guidance from Cassidy, he took the plunge. The pair was better for it.
For a good explanation of password complexity, see Gibson Research Corp.’s page on ‘one password in a haystack'
I’ve done it on test systems by dumping the password hashes and using the known password pattern (e.g. if an attacker somehow uncovers one user’s password is ‘182kz($h’, it’s quick and simple to run every possible combination according to ‘###[a-z][a-z][symbol][symbol][a-z]’). I’m certified in Passware Forensic, a tool used for password cracking and recovery. Free tools (hashcat) can perform the same kinds operations