Policies That Work (Making IT Real)

We talk a lot about IT, but we don’t talk nearly enough about making IT real.

In particular, I’ve found that there’s a disconnect between IT – security guys in particular – and the people they’re securing. While this applies across the board, it becomes a problem when policies are being created.

One of the keys to effective security is to stop trying to create policies or procedures that aren’t going to work. It’s great on paper to require users to have fourteen character passwords that change every day, only use Internet access for work purposes, turn off their cellphones as they walk in the door, have IT install (and fix) all printer connections, and never connect their iPads to corporate wireless. Unfortunately, these requirements work best on paper, not necessarily in reality. Security policies that users don’t buy into weaken security across the board.

When it comes to wireless in particular, it’s hard to tell users to just give up their need for constant Internet access. So I say: give them a clean, safe avenue to feed their need for unlimited access to the Internet. WiFi is so cheap – Internet connections in general are so cheap – that I suggest having open third-party wireless. It goes out to the Internet and has no connection to the internal network. You get on the VPN as if you were in Starbucks – it’s just as hostile – and you back that up with a policy that says to treat the VPN as if you were in Starbucks. If you find a user bridging the networks, you have appropriate policy enforcements, equivalent to the ones you would apply if you found out that someone was publishing sensitive docs from an open, public network.

The question, then, is “what does appropriate punishment look like?” Personally, I believe in having effective policies that actually result in real change, and for that I have always found that positive reinforcement works the best. Whether positive or negative, acknowledgement either way is effective and very important. When I do a security awareness engagement (pentest) and I’ve completely destroyed the place, I spend the third day going out of my way to get caught. One time, I walked out with the business processing computer from behind a teller machine. There was a guy who had let me do lots of bad stuff, but this time he caught me. As soon as he caught me, I said “ooh, you caught me.” Basically, I gave him the win! It was a bad situation and we found all these flaws in their security. But these four people were able to find something, and that caught their attention.

We spend too much time in our industry showing people what they did wrong. You can’t find everything that everyone did wrong. But you can show them examples of what to do right. That’s what enforcement policies should be based on – what it looks like to do things right. When I do enforce a punishment, I go to their desk and make that employee stand right behind me and watch while I “check” their computer, even if I already know what was wrong. I make them watch the process. And then I say “you do understand our corporate policies, right?” Usually, if it’s the first time, I won’t necessarily even report it, but I do publicly show him what the right way forward is. I don’t just educate this person – I’m also trying to educate everyone around that guy.

Unfortunately, not many IT departments have a guy like me.

But every IT guy can be a guy like me. Every quarter, a security professional or IT team doing security needs to physically walk through the company’s buildings. Pick a floor, campus, department. Walk through while people are there. Look under keyboards and monitors for passwords. Let them know what you’re doing, and let them know why you’re doing it. Security is everyone’s job: you’re just the one being obvious about it.

Creating A Secure PassPHRASE and Ditching PassWORDS

In a nearly two decade career in technology, mainly in security, I can count on my two hands the number of times that I’ve changed my personal behavior because of something I’ve heard in a meeting. Typically it would happen as I was sitting in the audience watching a presentation at some con, and a sudden realization came over me that if I tweaked my behavior just a bit I could better secure myself. At the same time I’ve been really lucky to sit next to super smart security people, literally, at work each day and listen in as they detailed why what I was doing was WRONG (or dumb, or idiotic…). Unfortunately, it isn’t always done with grace. There’s nothing I hate more than a smug reminder of how insecure I am with no suggestion of how to make it better.

Last week in a cramped conference room in Boston it happened again, but this time it was done with such ease and simplicity that I not only wanted to change my behavior, I wanted to punch myself in the face for not having realized it sooner. The conveyor of this great idea – though not the first person to say it – was Jayson Street, well known throughout the community and of course on this blog for saying what he means, telling it like it is, and always trying to help all of us in need. The advice might be old hat for some, but it hit me like a ton of bricks.

The one thing you can do to better secure yourself in 2016 is to ditch your passwords and start using passphrases.

Yes, I know, many of you have been talking about and doing this for years. Even Edward Snowden got on the bandwagon earlier this year. Simply because it’s been talked about doesn’t mean people are actually adhering to the advice, and that means we have to keep talking about this one as much as possible, since our biggest threat remains the uneducated consumer. AND, yes, the strongest password is the one you can’t remember…but people outside of a very few in security simply laugh at the absurdity of that statement.

Now, with that all behind us, let’s talk about how to implement this into your connected lifestyle.

5 Ways To Create a Secure Passphrase…and Ditch Passwords

Think of a passphrase as a complex sentence, versus a password that is simply, well, a word that maybe has some digits or a few symbols (yes, you are SO tricky using ‘$$’ as ‘ss’). But there are a few tips you should follow (or share with your employees) to create the strongest passphrase.

1. Use The Space Bar

Most online accounts will now support the use of blank spaces in your passphrase. This lets you create that sentence we talked about above, and it also makes the passphrase harder to figure out for both humans and sniffers.

2. Go Long…15 or More Characters

Most password crackers will slow down when the passphrase hits 15 or more characters, because that’s when they get past the NTLM hashes and have to actually work at it! Can they still figure it out? Sure, but the longer it takes them to get your password, the better the chance that they give up.

3. Use a Passphrase That is Personal, but Unique

The beauty of a passphrase is that it should be something that you can remember a bit more easily, but it can’t be something that people would easily guess. Say, for example, you are a huge Star Wars fan (I hear there is a new one that came out recently), so you decide to create a passphrase of “May the force be with you!”. Look at you, it’s more than 10 characters, it uses the space bar, and even that pesky exclamation point. Nice work, but it’s not stronger than your old “w00ki3” password.

Most likely you have already liked Star Wars on Facebook and everyone knows you were at the midnight showing dressed as Jenga Fett. While that passphrase was personal, it wasn’t unique. You could instead have chosen something that was both personal and unique, maybe:

“I actually like Episode one. Don’t tell anyone!”

Think of something you’d tell someone close to you, but not your coworkers. Unforgettable? Slightly embarrassing? (“I actually like Episode one. Don’t tell anyone!”) Perfect.

4. Keep Being a Character

No, not you personally, your passphrase. Still use those exclamation points, hyphens, ampersands…they are even more effective in a passphrase. Building on our example:

“I @ctually like Episode 1. Don’t tell anyone!”

5. Variety is the Spice of Life…and Passphrases

Here is where I’m still going to tell you that you need different passphrases for different accounts. Now, is it realistic that you’ll have a different passphrase for every single site, app, and account? Probably not, but that doesn’t mean we can’t try. One suggestion here is to create a variety of passphrases that also help you remember where each one belongs. Example:

“I @ctually like Episode 1. Don’t tell anyone at the bank!”
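The five tips above can be turned into a simple policy check. The code below is an added example, not the author’s, and it encodes each tip as a rule: a space (tip 1), 15 or more characters (tip 2), not a well-known quotation (tip 3, checked against a small constructed list that a real deployment would replace with a large one), at least one symbol (tip 4), and no reuse across accounts (tip 5). Run against the post’s own examples, “w00ki3” fails three rules and “May the force be with you!” fails only the uniqueness rule.

```python
import re
import string

# Added example (not the author's code): a checker for the five passphrase tips.
MIN_LENGTH = 15  # tip 2: go long

# Constructed stand-in for a large list of famous quotations and lyrics (tip 3).
WELL_KNOWN_PHRASES = {
    "may the force be with you",
    "to be or not to be",
    "i have a bad feeling about this",
}


def _normalize(phrase: str) -> str:
    """Lower-case and drop punctuation so 'May the force be with you!' matches the list."""
    return re.sub(r"[^a-z0-9 ]", "", phrase.lower()).strip()


def check_passphrase(phrase: str) -> list[str]:
    """Return the tips a phrase violates; an empty list means it passes tips 1 to 4."""
    problems = []
    if " " not in phrase.strip():  # tip 1: use the space bar
        problems.append("tip 1: no spaces, this is a word not a phrase")
    if len(phrase) < MIN_LENGTH:  # tip 2: go long
        problems.append(f"tip 2: shorter than {MIN_LENGTH} characters")
    if _normalize(phrase) in WELL_KNOWN_PHRASES:  # tip 3: personal but unique
        problems.append("tip 3: well-known quotation, not unique to you")
    if not any(c in string.punctuation for c in phrase):  # tip 4: keep being a character
        problems.append("tip 4: no punctuation or symbol characters")
    return problems


def check_account_set(passphrases: dict[str, str]) -> dict[str, list[str]]:
    """Run check_passphrase per account and flag any phrase reused across accounts (tip 5)."""
    report = {account: check_passphrase(phrase) for account, phrase in passphrases.items()}
    first_seen: dict[str, str] = {}
    for account, phrase in passphrases.items():
        if phrase in first_seen:
            report[account].append(f"tip 5: reused from account '{first_seen[phrase]}'")
        else:
            first_seen[phrase] = account
    return report


if __name__ == "__main__":
    # Constructed sample: the post's bank variant is unique, the forum reuses the email phrase.
    accounts = {
        "email": "I @ctually like Episode 1. Don't tell anyone!",
        "bank": "I @ctually like Episode 1. Don't tell anyone at the bank!",
        "forum": "I @ctually like Episode 1. Don't tell anyone!",
    }
    for account, problems in check_account_set(accounts).items():
        print(account, "OK" if not problems else problems)
```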

Feel better? Feel more secure? Good! Now, make it your 2016 resolution to replace passwords with a secure passphrase.