The importance of password audits

Have you ever tried to crack your network users’ passwords? Why would you do that, you ask? Simple: compliance checking is one reason. The other is to better understand what is possible and what kind of passwords your users are choosing. In this post, I’ll discuss why it is a very good idea to do periodic password audits on your network.

You might think that the idea of running a password cracking program against your network users is a waste of time. In fact, you have to remember that the bad guys are very likely to use that type of tool, so you should use it first. That way you will know what a black hat would be able to get out of your password database. Here are a few reasons why you should do regular password audits.

You should not take false comfort in the idea that your network is safe just because you have turned on the complex password group policy in Active Directory. The rules for a complex password in Active Directory are as follows:

  • The password is at least six characters long.
  • The password contains characters from at least three of the following five categories:
    • English uppercase characters (A – Z)
    • English lowercase characters (a – z)
    • Base 10 digits (0 – 9)
    • Non-alphanumeric (For example: !, $, #, or %)
    • Unicode characters
  • The password does not contain three or more characters from the user’s account name.

Using those rules, the password Password1 is actually a valid password. How good of a password is that? It is valid because Active Directory does not actually do a password complexity check. What it does is more accurately described as a password constraint check. The idea of complex passwords is that they should force users not to use dictionary words as their passwords. Since it is not practical to keep a full dictionary in Active Directory to make sure that passwords are not in it, the designers simply impose constraints on what your password should look like. Hence the complex password group policy constraints described above.

Another aspect of passwords is that people tend to reuse the same password everywhere they can. What this means is that the password is only as strong as the weakest link. Namely, if you use the same password on a web site that is easily compromised, the black hat will try the newly discovered password on your bank account as well, knowing full well that it is likely to be the same password.

If you are not willing, or not allowed, to do a password audit on your network, you really should take a look at studies that were done on passwords revealed by security breaches. There have been two recent incidents that are worth reading about. One is an article on Dark Reading (http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html) about the phpbb.com web site hack. The other is from Bruce Schneier, who did an analysis of passwords that were published by the people behind a fake MySpace web page used in a phishing campaign.

Whenever possible, you should use some kind of two-factor authentication, such as smart cards or an RSA token.

One of the best known password cracking tools is L0phtCrack, which used to be owned by Symantec. L0phtCrack has recently been re-acquired by its original authors. They intend to update the venerable software and start selling it again. There is other software that can be purchased (and some that is free) that can help you audit your users’ passwords.

Perimeter defense is useless!

I think it is well known by security experts that the old perimeter defense model just does not work any more. A firewall does give some protection, but users are constantly asking that ports be opened so that they can access services outside of the corporate network. Not only that, but there is not much to prevent malicious traffic from going through the ports that are already open. Should we ditch the firewall? No, but you should add more layers to your defense. In this post, I will list the defenses you should have in your environment.

Whenever a user requests yet another port to be opened, you should make sure that you restrict as much as possible the end-points that can make use of the port you are opening up. For example, if John asks that a port be opened so he can establish a VPN connection from the corporate LAN to a business partner, you should make sure that only John’s IP address is allowed to use that port and that there is only one outside IP address that John can reach on that port.

Firewall management is not what keeps me up at night though. What keeps me up at night is the fact that it is so easy to create tunnels from inside my network to the outside over well known ports, such as port 80 or 443, in order to access anything that you would normally block at the firewall. That, plus the fact that you now cannot browse most web sites without first installing such things as Flash Player and Adobe PDF Reader.

A recent vulnerability in Adobe Reader for which there is no patch as of now (Adobe said they will release one on March 11th) is a rather scary one. This type of vulnerability can be exploited without the user even opening the malicious PDF! How can you defend yourself against that?! You should have as many layers as possible in order to prevent that malicious PDF from successfully penetrating your network. The Verizon Business Security Blog has a very good list of steps that can be taken to protect yourself against that threat. Of course, you could always drop Adobe Reader altogether.

In general though, that approach can be applied against any threat. Here are the different layers you should have in place, in order of priority:

  1. A firewall.  I would venture to guess that everyone out there has that one in place.  Make sure that a regular review of the rules you have in place is done.
  2. Intrusion Detection (IDS) or, better yet, Intrusion Prevention (IPS).  If you can afford it, TippingPoint is probably a leader in that field and works great.  At the very least, you should have Snort in your network.
  3. Don’t allow your users to be local administrators.  Most of the people that get infected with malware and viruses are logged on with local administrator rights.  That’s a very bad idea.  Lock down those users!
  4. Anti-Virus on every machine.  AV is not perfect, as it is a reactive technology, but it will catch a lot of what is out there.  Anti-Virus products now can do more than just detect and clean viruses.  They can block use of certain ports on your hosts (such as port 25 for e-mail or ports typically used for IRC).
  5. Host-based Intrusion Detection System (HIDS).  This technology is starting to catch on in corporate environments.  This is basically the equivalent of having ZoneAlarm on each desktop, but centrally managed by corporate IT.
  6. Last but not least, patching!  Make sure that you are current on your OS patches and your application patches.  That is not always easy in a corporate environment, since it sometimes requires careful testing and planning.

In my experience, mobile users are the weak link.  Once they take their laptops outside of the corporate LAN, many of those defensive layers, such as the IPS and the firewall, are no longer there to protect them.  That’s why you need to have strong defenses on the workstations themselves, such as disk encryption and HIDS.

Can anyone think of other layers that should be in place?