Whenever a true IT security professional makes a presentation, there’s always at least one slide with layers of different-coloured building blocks that add up to a wall of total, seamless protection. Sometimes the words on the blocks relate to management structures; sometimes they describe the interplay of secure hardware and software installations. But rarely if ever do they describe the ease with which a typical user can defeat all these systems.
Loyal employees can often be the most significant menace to the network, whether they are crashing servers by sending videos to entire organizations or clicking on attachments from unknown sources. Needless to say, the more important their services are to the organization, the lighter their punishment when they violate security procedures. Line managers will not only protect their key employees from effective sanctions, but also resist any request to devote more of their valuable time to awareness and training.
In most systems, the password is the first and only security measure of which users are aware. Once logged on, they are allowed access to everything they need to do their work and locked out of everything else. The more complex the password, the more secure it is.
But, unfortunately, the stronger the password, the more reason users have to forget it or write it down near their workstations. If a password is eight characters long, requires a mix of upper and lower case letters, numbers and special characters, must be changed every few months and cannot be used again for years, not only will it not be memorized, many users will, consciously or not, begin to nurse a grievance against the security system and begin trying to work around it.
With the price of a help desk call anywhere between $30 and $50, effective password management can be a significant hit on the IT budget. Seasonal users like students can create a surge of demand on help desks, while hospitals and utilities need password support that is not just uninterrupted but highly secure.
At M-Tech Information Technology Inc. of Calgary, providers of automated password solutions, marketing director Karine Aviv says managing passwords is not simple.
“When you go into an organization you have a lot of different platforms, a lot of different systems, different expiry schedules, different strength rules for different systems,” she says. “It all seems very confusing, very complex. I think they get overwhelmed.” The more complex an organization’s password rules become, the more calls to the help desk and the higher the frustration level among users.
M-Tech’s chief technology officer, Idan Shoham, says that “it’s really not as hard as it sounds.” The security benefits are straightforward, he says, and a “return on investment” calculator on the company’s Web site helps explain the numbers. But it still takes a long time to close a sale.
“Usually it’s to do with the fact that there is a cast of thousands who are involved,” Shoham says. “The administrators of various systems, the help desk, the security people all want to touch it before we go ahead, to make sure it is not going to do anything bad to what they are responsible for.”
One survey indicates that intensive IT users have an average of 21 passwords but only two ways of managing them – they use easily remembered and therefore easily guessed passwords, or else write them down.
Users are also vulnerable to simple “social engineering” techniques aimed at stealing their passwords. The people who organize the InfoSecurity Europe conference found, in interviews with office workers at Waterloo Station in London, that 90 per cent would exchange their passwords for an inexpensive pen. Three out of four people volunteered their passwords on request.
Worms are now exploiting users’ disinclination to use difficult passwords. Once inside a computer, they can guess simple passwords. And once inside a user’s mail program, a worm can send itself out and infect more machines.
It’s frustrating, if not embarrassing, to construct elaborate networks of increasingly interdependent systems and still leave them vulnerable to something as simple as a slip of paper with a password written on it.
Increasingly, biometrics looks like the best way to solve the password puzzle. Fingerprint readers and retinal scanners are already high-priority applications. It’s only a matter of time before that level of protection reaches every desktop.
Richard Bray ([email protected]) is an Ottawa journalist specializing in high technology issues.