LinkSafe is designed from the ground up as a secure system, but no system has ever been devised that is completely invulnerable to attack. The practices outlined below are not only good procedures to follow for protecting LinkSafe but can be applied in general to any kind of IT system that requires keeping data protected.
Any experienced IT administrator will confirm that most users prefer the shortest, simplest passwords they can get away with. Unfortunately, this led to the widespread practice of requiring complex passwords, because those simple passwords are amazingly easy to crack.
The factors in play here are that the ordinary users want convenience, while the IT administrators want security. The IT administrators have the upper hand, because they can set policies that force the users to conform with the standards set by the administrators.
This creates a massive problem because many users are unable to remember complex passwords without writing them down, and writing down a complex password renders that password insecure.
Smart users don’t write down their passwords but may more easily forget them. Forgotten passwords lead to lost time and decreased productivity. It’s a losing situation all round, and one that places your business in an unnecessary risk position.
Password complexity may have been somewhat helpful in the distant past when computing power was very low, but in modern times a credit-card-sized computer can crack short complex passwords in a matter of hours, and often even less time.
Most password policies require the password to be at least 6 characters in length, contain at least one uppercase and one lowercase letter, at least one number, and possibly also a special character such as a punctuation symbol. This is something like what the IT administrator hopes the user will choose:
But what the users will probably choose is something like:
The reason is that these latter two examples are much easier to remember than the “administrator approved” example. They’re also much easier to crack, but what the administrator may not realize is that the complex password is only minimally more difficult to crack.
The letters in the typical password are likely to form a common word, a person’s name, or something easy to type (keyboard proximity bias).
This knowledge means about 75 percent or more of most passwords are extremely easy to crack because cracking algorithms can be programmed to try the simplest combinations first, before moving on to brute force methods. A user with the password Jenny-23 may as well not bother having a password at all.
Even worse, many administrators limit the password length to between 6 and 8 characters in a forlorn attempt to prevent users from forgetting their complex passwords.
This is hopeless because modern computers can make slightly under 600,000 guesses per second, so with a decent botnet at our disposal, any 8-character password can be cracked in less than half a day unless you allow extended characters (UTF-8 or UTF-16), which most systems do not allow. If we instruct our cracking program to use the GPU instead of the CPU for cracking, it will get the job done about 100 times faster.
A sensible modern password policy does not call for complexity but length. Therefore the best password policy calls for at least 12 and preferably 15+ characters, composed in a way that is meaningful and memorable to the user.
Is a far more secure password than:
It’s also going to create fewer security problems than:
The simple, plain-English password is better because it is long enough and complex enough to be difficult to crack (several lifetimes, even with the most powerful computers on Earth) and it’s unlikely to be forgotten. If the user knows a foreign language, that can push the guessing difficulty up even higher, for example:
Such moves will even defeat social engineering that could improve the chances of guessing a password based on a user’s personality.
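As an added illustration of the length-versus-complexity argument above (example code written for this page, not part of LinkSafe), the following Python estimator computes the brute-force search space of a password and the worst-case time to exhaust it at the guess rates quoted in the text. The sample passwords, the 365.25-day year and the 12-character minimum are constructed assumptions.

```python
import math
import string

# Guess rates taken from the text above: just under 600,000 guesses/s on a CPU,
# and roughly 100x that when the cracker runs on a GPU (assumed constants).
CPU_GUESSES_PER_SEC = 600_000
GPU_SPEEDUP = 100
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumed year length for the estimate


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers every character used.
    This is the search space a brute-force cracker has to assume for the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1  # 32 symbols plus the space
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return charset_size(password) ** len(password)


def worst_case_years(password: str, gpu: bool = False) -> float:
    """Worst-case time to exhaust the keyspace at the rates quoted in the text.
    Caveat: this is a brute-force bound only. A password built from a dictionary
    word or a name falls far faster, because crackers try those candidates first."""
    rate = CPU_GUESSES_PER_SEC * (GPU_SPEEDUP if gpu else 1)
    return keyspace(password) / rate / SECONDS_PER_YEAR


def meets_length_policy(password: str, min_len: int = 12) -> bool:
    """The policy the text recommends: a length floor instead of class complexity."""
    return len(password) >= min_len


if __name__ == "__main__":
    # Constructed samples: the page's short "complex" password versus a long plain phrase.
    for pw in ("Jenny-23", "my dog chases the mailman"):
        print(f"{pw!r}: charset={charset_size(pw)} keyspace=2^{math.log2(keyspace(pw)):.1f} "
              f"cpu={worst_case_years(pw):.2e} y gpu={worst_case_years(pw, gpu=True):.2e} y "
              f"policy={'ok' if meets_length_policy(pw) else 'too short'}")
```

The lowercase-plus-space phrase has a smaller per-character alphabet (59 versus 95) yet a search space many orders of magnitude larger, which is the page's point about length beating complexity.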
User permissions are even easier to handle. Each user should only have permissions up to the limit of their area of responsibility. By creating Group Policies in the operating system, you can easily group users according to their roles, and set appropriate permissions automatically by assigning users to the correct group.
The importance of physical security is often ignored, because people don’t believe an attacker would have the audacity to attempt to circumvent security in person.
If you are included in the group of non-believers, then you also won’t believe that your own employees are the biggest threat to the security of your IT systems, but indeed they are.
Internal threats are a serious and growing problem, along with corporate espionage and sabotage. Physical security is important, and you can implement it easily.
Workstations can have unnecessary ports disabled, optical drives disabled or removed, and the computer case locked and physically secured to the work area so it can’t be carried away.
At the software level, drives can be encrypted, and of course data should always be backed up to at least three separate secure physical locations.
Server rooms should be securely locked and only accessible by authorized IT staff. Access to the server rooms should be logged electronically, and the servers themselves should be under direct CCTV surveillance so that suspicious access can be noticed.
Keeping logs of “who does what” on your system can be helpful in many ways. This will help you recover more quickly from some types of malicious activities, and makes it easier to roll back to a point where the system was free of trouble.
Being able to isolate which individuals had access at certain times and what actions they performed can provide evidence in subsequent investigations.