When creating passwords the most important principle is that length is more important than complexity?

MCSE/MCSA 70–294: Creating User and Group Strategies

Michael Cross, ... Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-294) Study Guide, 2003

Creating a Password Policy for Domain Users

According to Microsoft, complex passwords consist of at least seven characters, including three of the following four character types: uppercase letters, lowercase letters, numeric digits, and non-alphanumeric characters such as & $ * and !.

Password policies and account lockout policies are set at the domain level in Group Policy.

If a subset of your user base requires a different set of account policies and other security settings, you should create a separate domain to meet their requirements.

Be sure that you understand the implications of an account lockout policy before you enable one in a production environment.

Read full chapter

URL: https://www.sciencedirect.com/science/article/pii/B978193183694450009X

Passwords, Vulnerabilities, and Exploits

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Password Decryption Software

Most password-cracking programs don't actually decrypt anything. However, if the encryption algorithm is weak or implemented incorrectly, it is sometimes possible to use a technique called one-byte patching, which is able to decrypt the password by changing one byte in the program. Another technique used with weak algorithms requires that the cracker already have obtained one or more files in decrypted form; then they can be used to decrypt others that use the same algorithm. This is called the known plain-text method. This technique is popular as an attack against password-protected .zip, .rar, and .arj files. All of these are extensions used for compressed archive files.

When strong cryptography is used and complex passwords are chosen, it is much more difficult to use direct decryption; in these cases, a dictionary or brute force attack is more often successful. PDF “decryptors” such as Guaranteed PDF Decryptor/Restrictions Remover (GuaPDF) use a type of brute force that involves testing all possible keys.

On the Scene

The Weak Encryption Debate

Many security experts feel that weak, easily broken encryption is worse than no encryption at all because it gives users a false sense of security, leading them to be careless with sensitive data because they believe it is protected. Others argue that weak encryption is better than no encryption because it at least keeps out the casual, merely curious, or technically unsophisticated “snoop.” The truth, as usual, lies between the extremes; weak encryption might be beneficial in some situations—for example, for a noncritical document such as a personal journal that a user wants to protect from other, nontechnical users who share the computer. On the other hand, weak security can be disastrous in the case of vitally important information such as trade secrets or military data that is likely to be targeted by technically sophisticated crackers. In this situation, the weak encryption actually can be worse than none at all because the fact that the file is encrypted draws the attention of the cracker, who might otherwise have ignored it.


URL: https://www.sciencedirect.com/science/article/pii/B978159749276800011X

Security Guidance for Operating Systems and Terminal Services

Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008

Set Strong Windows Passwords

Any account that is permitted to access Terminal Server for remote administration must have a complex password that is a minimum of seven characters and includes three of the four subsets listed here:

{a..z}

{A..Z}

{0..9}

{[email protected]#$%^&*()_+-=[]{}\|;:'",<.>/?∼`}

Even if this is a system used in Application Mode with users that log directly in to an application, you need to force passwords of a reasonable complexity. If you have systems that are Internet facing, I recommend a minimum number of accounts be given access and they should be required to use 15+ character passwords. Use John the Ripper to test these passwords to ensure compliance. The other option is to use a dynamic password solution such as SecurID (www.rsasecurity.com).

Damage & Defense…

More on Windows Passwords

Having passwords that are easily guessed or cracked introduces a large security risk to critical assets. Complex passwords should contain a good mixture of upper/lower case letters, numbers, and symbols. Passwords should also not be based on dictionary words and should contain at least seven characters (the longer the better).

Windows NT/2000 downward compatibility for LanMan also complicates the issue. Windows LanManager (LanMan) passwords have a maximum length of 14 characters and are stored as two 7-character one-way hashes. This actually makes passwords more vulnerable because a brute force attack can be performed on each half of the password simultaneously.

Therefore, if I am cracking a LanMan hash of a password that is 8 characters long, it is broken into one 7-character hash and one 1-character hash. Obviously, cracking a 1-character hash (∼3.5 million crack attempts per second) does not take long even if we consider all possible characters, and the 7-character portion can usually be cracked within hours.

Sometimes when users select an 8- to 11-character password, the smaller second half of the password (1 to 4 characters) actually decreases the strength of the first seven characters by assisting in the human guesswork of the longer portion. A good example of this is the password laketahoe—a password cracker might obtain ??????? hoe, and the attacker would likely guess the first half of the password. Because of this, the optimal password length for systems that save LanMan hashes is 7 or 14 characters, corresponding to the two 7-character hashes.

Windows 2003 systems allow passwords greater than 14 characters, allowing up to 127 characters total. A very interesting piece of research recently revealed that if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute force attacks against the weak LanMan algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LanMan hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.
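The 7+7 split and the 15-character threshold described in the preceding paragraphs, modelled as an added example that is not the chapter's own code. It does not compute real LM hashes (that would need DES); it only shows which blocks LM would hash and how much brute-force work each option implies. The assumptions are labelled in the comments: a 69-symbol effective alphabet (95 printable ASCII characters with lowercase letters collapsed, because LM upper-cases before hashing) and the roughly 3.5 million guesses per second rate the chapter quotes.

```python
# Added example (not from the chapter): models why LanMan's 14-character limit
# and 7+7 split weaken passwords, and why 15+ characters sidesteps the problem.

# LM hash that Windows stores for an empty (null) password. Per the chapter,
# passwords of 15 or more characters are stored with this constant instead.
NULL_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"

# Assumption: 95 printable ASCII characters, minus the 26 lowercase letters that
# LM folds into uppercase, leaves 69 distinct symbols per position.
LM_EFFECTIVE_CHARSET = 95 - 26

# Assumption: the ~3.5 million guesses per second quoted in the chapter.
RATE_PER_SECOND = 3_500_000


def lm_halves(password):
    """Return the two blocks LM would hash (upper-cased, split at 7), or None
    when Windows stores the null constant instead (15+ characters)."""
    if len(password) >= 15:
        return None
    upper = password.upper()  # LM upper-cases; real LM also null-pads to 14
    return upper[:7], upper[7:14]


def stored_lm_is_null(password):
    """True when the account's LM field holds NULL_LM_HASH rather than a real hash."""
    return lm_halves(password) is None


def lm_work_factor(password_len, charset=LM_EFFECTIVE_CHARSET):
    """Worst-case guesses to exhaust an LM hash of this length.
    The halves are attacked independently, so their key spaces add."""
    if password_len >= 15:
        return None  # no usable LM hash to attack
    first = min(password_len, 7)
    second = max(password_len - 7, 0)
    work = charset ** first
    if second:
        work += charset ** second
    return work


def whole_password_work_factor(password_len, charset=LM_EFFECTIVE_CHARSET):
    """Guesses needed if the whole password were hashed as one unit."""
    return charset ** password_len


def seconds_to_crack(guesses, rate=RATE_PER_SECOND):
    """Worst-case wall-clock seconds at the assumed guess rate."""
    return guesses / rate


if __name__ == "__main__":
    # Constructed sample passwords; the 8-character one mirrors the chapter's case
    # of a 7-character hash plus a 1-character hash.
    for pw in ("Summer03", "CorrectHorse14", "a much longer passphrase"):
        halves = lm_halves(pw)
        print(pw, "->", "null LM hash stored" if halves is None else halves)
    print("14-char LM work:", lm_work_factor(14), "vs whole:", whole_password_work_factor(14))
```

The comparison for 14 characters is the point: the LM work factor is 2 × 69^7, while hashing the whole string would cost 69^14, so the split removes almost half the password's strength. A 1-character second half is only 69 guesses, which is why the chapter recommends exactly 7 or 14 characters on systems that keep LM hashes, or 15+ to avoid storing one at all.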


URL: https://www.sciencedirect.com/science/article/pii/B9781597492812000020

Seizing, imaging, and analyzing digital evidence

David Day, in Cyber Crime and Cyber Terrorism Investigator's Handbook, 2014

Search for Written Passwords

The nondisclosure of passwords for both encryption and authentication can be a source of frustration for forensic analysts. 256-bit encrypted files using complex passwords cannot be cracked in a meaningful timeframe. Understandably, suspects are often not obliging in giving up these passwords. In the UK “The Regulation of Investigatory Powers Act 2000” makes it a criminal offence to “fail to disclose when requested a key to any encrypted information.” However, the usual defense against this is for the suspect to claim to have forgotten their password. In these circumstances there is little that can be done by law enforcement. Ironically, if the suspect later admits to knowing the password and reveals it, they can be charged with the offence of originally withholding it. However, as most malicious hackers understand the need for independent, unique and complex passwords to ensure privacy, then it is possible that the password is too difficult for them to remember; hence it could be written down. All papers in the area should be seized as these may contain passwords. Books should be seized too, as one common practice is to insert written passwords within their pages. Other common hiding places should also be considered, e.g., under the mattress of a bed. Finding hard copies of passwords is sometimes the only method of deciphering encrypted data from the media.


URL: https://www.sciencedirect.com/science/article/pii/B9780128007433000074

Best Practices

Aaron Wheeler, Michael Winburn, in Cloud Storage Security, 2015

6.1.4 Authentication and Access Control

Policies should be created that define the authentication and access control processes.

Authentication should be based on, as a minimum, user identification and a complex password/pass phrase. Passwords should be a minimum of eight characters in length. Longer passwords are more secure and should contain upper and lower case characters, numbers, and special characters. This provides a character set of 95 possible characters. An eight-character password using a character set of 95 has a key space of 95^8, approximately 7×10^15, or 7 quadrillion possible passwords. As the key space increases, the time required to perform a brute force attack on a password increases. The addition of two-factor authentication also increases security.
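A checker for the complexity rule quoted in the first excerpt (at least seven characters, three of the four character classes) and the eight-character minimum and 95^8 key-space figure from this paragraph, added here as an example; it is not code from either chapter. The guess rate used by brute_force_seconds is an assumption, not a figure from the page.

```python
import math
import string

# Added example (not from the chapters): password complexity check and key-space
# arithmetic for the 95-character printable ASCII set.

# 32 punctuation symbols; with 26 upper, 26 lower and 10 digits this is the
# 95-character set the chapter refers to.
SPECIALS = set(string.punctuation)


def character_classes(password):
    """Return the set of classes present: 'upper', 'lower', 'digit', 'special'."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def meets_complexity(password, min_length=7, min_classes=3):
    """Microsoft-style rule: minimum length and at least three of four classes.
    Pass min_length=8 for the Cloud Storage Security minimum."""
    return len(password) >= min_length and len(character_classes(password)) >= min_classes


def key_space(length, charset_size=95):
    """Number of distinct passwords of exactly this length over the character set."""
    return charset_size ** length


def bits_of_entropy(length, charset_size=95):
    """Equivalent bit strength of a uniformly random password of this length."""
    return length * math.log2(charset_size)


def brute_force_seconds(length, charset_size=95, guesses_per_second=1e9):
    """Worst-case seconds to exhaust the key space at an assumed guess rate
    (the rate is an assumption for illustration, not a figure from the page)."""
    return key_space(length, charset_size) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample passwords for illustration.
    for pw in ("Password1", "password1", "Pa1!", "correct horse"):
        print(f"{pw!r}: classes={sorted(character_classes(pw))} "
              f"complex7={meets_complexity(pw)} complex8={meets_complexity(pw, min_length=8)}")
    for n in (8, 12, 15):
        print(f"length {n}: key space {key_space(n):.2e}, "
              f"{bits_of_entropy(n):.1f} bits, "
              f"{brute_force_seconds(n) / 86400:.1f} days at 1e9 guesses/s")
```

Running it shows the two things the paragraphs argue: "Password1" satisfies the three-of-four rule even though it is a dictionary word plus a digit, which is why the rule is a floor rather than a guarantee, and each extra character multiplies the key space by 95, which is where length beats complexity.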

Employees should not be given more privileges than are needed to complete their tasks. This is called the principle of least privilege, which refers to restricting users, programs, and processes to the lowest level of access, read/write, and execution rights necessary to accomplish their intended work.

Access logs should be kept and reviewed periodically. Logs should be cross-checked with policy implementation.


URL: https://www.sciencedirect.com/science/article/pii/B978012802930500006X

Cybersecurity for Commercial Advantage

J.M. Kaplan, in Handbook of System Safety and Security, 2017

6.2.1.3 Allow Users to Customize Their Own Experiences

Once companies start to gather data on the impact of security controls, they find wide variations in what customers find to be inconvenient. One customer might have no objection to a complex password, but balk at changing it once a quarter. Another might prefer a simpler password, but find no inconvenience in entering a PIN texted to him on his phone every time he wants to log in. Several financial institutions are examining deploying portals that allow customers to pick from a menu of authentication-related controls—so long as they, in aggregate, combine to provide a sufficient level of protection. Over time, that minimum level of protection may vary by customer as well—with customers using products that are more “in the cross-hairs” for cybercriminals required to select controls that provide a higher level of protection.


URL: https://www.sciencedirect.com/science/article/pii/B9780128037737000061

Participation and collaboration in K-12 schools

Alan Oxley, in Security Risks in Social Media Technologies, 2013

Example of governmental involvement in school online media: Australia

Victoria’s Department of Education and Early Childhood Development launched the state-wide website Ultranet with the aim of sharing information with students, teachers, and parents and enabling them to collaborate. Users can use different types of “spaces.” A “Me space” is private to the user; a “We space” is a shared space accessible to those with permission to use it; and a “See space” can be seen by all.

Following are some of Ultranet’s security features (Dept of Education and Early Childhood Development, 2012):

To access the Ultranet, authorised users must log in with a secure, complex password.

There are rules on who can access what information, and the types of users who can access each type of “space” within the Ultranet.

No anonymous postings are possible in the Ultranet – all postings are logged and audited.

All learning communities on the Ultranet must be moderated by a teacher.

All users can report inappropriate content.

In addition to the filtered internet service available in each school, the Ultranet also contains filters for bad language.


URL: https://www.sciencedirect.com/science/article/pii/B9781843347149500061

Some Things Will Become Easier, Others Not So Much

Brett Shavers, in Placing the Suspect Behind the Keyboard, 2013

Public awareness will make it more difficult

Just as public awareness may prevent and detect cybercrime, this same awareness may also contribute to creating difficulties in forensic examinations. The average computer user has become aware of encryption to protect personal data, creating complex passwords to prevent someone guessing their password, and generally being aware of the potential hazards of computer use. And just as the average user has become more aware, so have cybercriminals.

Although television crime dramas are not completely accurate with investigative methods, these dramas and crime novels do create a broader perception of what examiners may be able to find on computers. This perception includes both accurate and false beliefs as to the abilities of investigative methods. Also known as the “CSI Effect,” where television dramas solve crimes within an hour, public perception may falsely believe the impossible is possible. This belief negatively affects law enforcement examiners in the courtroom just as much as it affects private sector examiners in the boardroom. The paranoia created through the entertainment world inspires cybercriminals to be even more cautious than they would have been otherwise, making investigative efforts that much more difficult.

Additionally, the education available to potential and future cybercriminals not only consists of the same colleges and universities offering cybersecurity degrees; there also exists an entire network of online hackers that share information with each other. The information on how to commit cybercrimes is as readily available as information on how to combat cybercrime.


URL: https://www.sciencedirect.com/science/article/pii/B9781597499859000095

MCSA/MCSE 70–294: Working with Forests and Domains

Michael Cross, ... Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-294) Study Guide, 2004

Types of Trusts

A trust is a logical authentication path between two domains. A trust path is the number of trusts that must be traversed between the source and destination of a resource request. Two trusts, tree-root and parent-child, are created by default when running the Active Directory Installation Wizard. The other four trusts—shortcut, external, realm, and forest—can be created as needed with the New Trust Wizard or the Netdom.exe command-line tool.

When creating those four trusts, you have the option of creating two one-way relationships, simulating bidirectional capabilities. As with any use of passwords, it is a security best practice to use long, random, and complex passwords in the establishment of trusts. The best option is to use the New Trust Wizard to create both sides simultaneously, in which case the wizard generates a strong password for you. Naturally, you must have the appropriate administrative credentials in both domains for this to work.

NOTE

See Chapter 5, “Working with Trusts and Organizational Units,” for more detailed information on the different types of trusts.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836944500106

Verifying User and Host Identity

Keith Lewis, in Computer and Information Security Handbook (Third Edition), 2017

3 Synthetic or Real User Logging

It is a growing challenge to verify that a user on a computer is a “real person” during the login session and it requires checks, validations, and security techniques beyond using just SSL encryption. In addition to complex passwords and security questionnaires, devices such as a mobile phone will use two-factor technologies to provide additional authenticity to the verification process. Leveraging the advantages of two- or multiple-factor authentication methodologies provides a much stronger identification process during the user's computer session by remote isolation through a completely different technology approach. This makes it much more difficult for hackers to find and break into because the activity is separate from the main channel session of attack. These additional solutions might come in the form of:

mobile phone applications or text response notifications

universal serial bus sticks, bank cards, or time-based generated key display devices

PIN-required login application program interfaces

image verification through Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA)

biometric technology such as:

voice recognition

fingerprint scanning

eye iris scanning

facial recognition

typing pattern matching

Completely Automated Public Turing Test to Tell Computers and Humans Apart

You may have seen CAPTCHA during a password or account creation process in which a randomly distorted image appears with numbers or letters, and the information page will ask you to identify the characters or numbers you see in the image. This process helps validate your identity with human observation and interaction. Most hackers deal with volume hacks and do not have time to perform physical image recognition required for the user account that uses and stores private or personal information such as your Social Security card, your mother's maiden name, or any unique and private-centric information [4].


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000041

When creating passwords the most important principle is that the length is more important than complexity?

Passwords are still considered a strong defense against attackers. The weakness of passwords centers on human memory. When creating passwords, the most important principle is that length is more important than complexity. FACTA grants consumers free access to their credit score.

Why are long passwords stronger than short passwords?

Why are long passwords stronger than short passwords? Long passwords are confusing to attackers who cannot read them. Short passwords take up less storage space which makes them easier to break.

Which of the following is considered a good practice for password security?

Make passwords that are hard to guess but easy to remember. Avoid single words, or a word preceded or followed by a single number (e.g. Password1). Hackers will use dictionaries of words and commonly used passwords to guess your password.

Which password types are usually the hardest to remember?

Examples of weak passwords

A repeated character or a series of characters (e.g., AAAAA or 12345). A keyboard series of characters (e.g., qwerty or poiuy). Personal information (e.g., birthdays, names of pets or friends, Social Security number, addresses).