No.  Just the people who use them.

Passwords of reasonable strength (8 characters or more consisting of upper/lower case and special keys) coupled with timely expiration, are secure.  Passphrases with comparable measures are equally secure.  The systems and users are currently the weakest links in the security chain. 

The interfaces and tools which we input the passwords may be vulnerable.  This includes but is not limited to key-loggers, sniffers, input redirections, etc.  But it is the user, where the most significant weakness exists.  They can be duped into divulging their passwords (phone, web, chat, email, etc.) and in many cases make them available in other ways (sticky note under the keyboard).

A recent Newsweek article covered the topic of building a better password:

"...a short but hard-to-remember string like "J4fS<2" can be broken by what is called a brute-force attack (in which a computer attempts "a," then "ab," then "abc," and so on) in 219 years, while a long but easy-to-remember phrase like "du-bi-du-bi-dub" will stand for 531,855,448,467 years. (Two hundred nineteen years is actually very good, but the lesson remains: simpler can be stronger.) The idea of passphrases isn't new. But no one has ever told you about it, because over the years, complexity-mandating a mix of letters, numbers, and punctuation that AT&T researcher William Cheswick derides as "eye-of-newt, witches'-brew password fascism"-somehow became the sole determinant of password strength."

The difference between passwords which can be cracked in two-hundred versus a billion years is immaterial if users are forced to change passwords every few months.   The bad guys just don’t have the time to crack the password before it is changed or the data is sufficiently aged to not be of value. 

To undermine cracking attempts, we force users to use 'strong' passwords so that dictionary attacks are fruitless and threat agents must resort to a laborious brute force attack, trying massive numbers of combinations in order to be successful.  All passwords can be cracked via brute force, but it takes time.   It becomes an exercise in how many attempts can be made over a given period.  The faster the process the more combinations can be tried and therefore the shorter the time to discover the one which works.  The length and possible characters determines the number of combinations.

Undermining the strength of a password is not the biggest concern.  It is far more likely for a password to be sniffed on the network, captured on a system, or duped from a user, rather than be cracked.

The most significant vulnerability is with the user and systems where passwords are entered and stored.  There is no practical benefit to further abuse users with new diabolical password schemes.  We should pay less attention to stronger and better password formats and instead invest in better behavioral controls, user education, and the strengthening of system and interfaces.

Thinking creatively, a South African IT company decided to use a low technology solution to complete a data transfer when their ISP network could not handle the job.  Typically, quick out-of-the-box IT solutions are rarely secure.  Smart technologists are good at finding solutions to meet their objectives, but when time is short, security tends to be ignored.  Does the combination of frustrated people, short timelines and the need to transfer a lot of data equate to insecurity?  Not always. 

Being different sometimes has its security advantages.  In this case data was transferred in a manner which was unpredictable to intercept, highly reliable, impossible to sniff, faster than the traditional available wired network, and maintained high security for integrity and confidentiality.

Yes, they used a carrier pigeon.

The best news story of the day.

Phishing is pervasive, evolving, and a serious threat to everyone.  Matthew Rosenquist discusses strategies to defeat phishing attacks.

Video 5:14 minutes

Risk metrics are the heart and soul of information security indicators.  An increasing proliferation of tools and assessments has emerged, attempting to quantify states of information security.  Given the nature of what is trying to be measured, this is arguably one of the toughest challenges in the metrics space.  The recent trend is for different bodies to develop and publish their own standards, which creates confusion regarding accuracy and applicability.  Why all the turmoil, competing models, and misalignment?  The sad story is (queue the somber violins) we just have not figured out how to measure information security risks very well.

I have seen and applied many different methods, audits, and evaluations with varying degrees of success and disappointment.  I have come to the following three basic conclusions:

1. Current tools and methods lack maturity in this area, for both accuracy and comprehensiveness (and yes, I am guilty of contributing to the pool)
2. No silver bullet exists.  A unified method, which provides a predictive overarching and detailed risk analysis, is unlikely.  Different approaches have their applicability.  Choose wisely 
3. There is no replacement for a security professional’s brain.  From the selection of the analysis method, the gathering of relevant data, to the interpretation of the results, requires a seasoned security professional.  There is no substitute which can handle the ambiguity, chaos, and relational dependencies affecting the outcome

An example will help express some of the challenges.  The OCTAVE methodology, created by Carnegie Mellon University some years ago has been battle tested veteran in this role.  It is a qualitative to quantitative device which leverages the expertise of key people to give a numerical value of risk in their respective area.  Because personal bias and fears, the need to allow flexible ways of answering questions, and the varying degrees of base knowledge between the experts, results can vary greatly without even factoring in the changes occurring in the threat landscape.

Let me be clear, I am a fan and a longtime supporter.  However, it has its limitations.  I have developed several assessments based upon the model in a large environment.  As long as the limitations are accepted, it is applied where it leverages its strengths, and the process is rolled out properly, the results can be very valuable.

But don’t confuse value with precision.  I have observed the accuracy to be +/- 40% in complex organizations.  I believe this is largely due to multiple tiers of qualitative-to-quantitative analysis and the bias introduced at each level.  Credible sources have expressed a better +/- 20% accuracy for smaller implementations.  Although these numbers sound terrible, it is very good compared to other methods.  I have great respect for the chaps at Carnegie Mellon University who created the methodology.  Groups within our company have used a modified form of this approach, with advanced structures tailored to our computing ecosystem, for years with great success.  The low accuracy rate is not a poor reflection on the CMU model, rather it is a stark insight on how immature we are in this field.

So this is a sad story, but one which is not over.  A cadre of very bright people is working to tackle this problem.  In the short term, I expect to see many more methods, theories, templates, and standards emerge for specific situations.  In the end, I doubt if ever we will have a unified way to measure security risks, but I hold high hopes the best will be culled to a small number which can be applied to most situations and deliver reasonable metrics.

I was recently trading thoughts with Anton Chuvakin, a respected security metrics professional, in a philosophical discussion of perfection and quality of security.  Admittedly, I was on auto-pilot (operating without the benefit of coffee) rattling away with my ‘Optimal Security’ rhetoric, when Anton posed two thought provoking questions: CAN one "mandate optimal security"?  How do you "mandate flexible"?

I was stopped in my tracks.  This got me thinking.  After fetching a tall cup of coffee to start my brain juices flowing in earnest, I reached back into the pages of history to come up with the following perspective and examples:

I believe, to a certain extent, we can mandate flexibility and optimization.  Surely we can act in ways which deny both.  So why can’t we act in a manner which intrinsically promotes them?

I think back to lessons of WWII and the Maginot line.  The French chose to create a fortification which was static by design and lacked mobility or a capability to adapt to changing enemy tactics.  They invested heavily into this control, which became the backbone of their country's eastern defense.  It was an appalling failure.  Alternatively, the German blitzkrieg, and the stratagems of both Rommel and Patton prevailed.  Flexibility through mobility was far more effective than an elaborate static defense.

I would argue that flexibility can be mandated through proper planning and design.  We have examples in the history of information security.  In the early years of Anti-Virus (AV) products, they were non-memory resident applications which were prescribed to be run once a week.  Updates were a rarity if at all.  That rigid design quickly lost effectiveness, with the rise in velocity of new malware.  AV vendors were forced to adapt.  The overall design has changed to one which is flexible, can be updated to meet emerging malware, and continuously runs in the background to provide persistent security.

Rigid security postures lack the ability to remain effective over time and are likely derived by an equally rigid infrastructure which will struggle to adapt to new threats and changes within the organization.  Create security to be flexible and you enable the service to keep up with the continual changes.

In general, design a system to be flexible and its longevity for effectiveness is extended.  Plan how systems can continuously adjust itself to align to what is 'optimal' and you increase the sustaining efficiency.

We must be strategic in our planning and design of security, lest we suffer the fate of France's Maginot line.

Check out Anton’s Blog for other thought provoking viewpoints; just be sure to have your coffee at the ready.

More on “Optimal security”:

Strategy for Sustaining Optimal Security

Information Security Defense In Depth Whitepaper is Now Available

Fortune Cookie Security Advice - June 2008

Defense In Depth Strategy Optimizes Security

The Four Dirty Questions of Measuring Information Security

What are your thoughts?  Rigid or Fluid?  Have you implemented optimal and flexible?

Optimal security must not only be attained, but also sustained over time.  A good security strategy must be forward thinking to understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment.

'Optimal Security' is the right balance of security spending and losses prevented where business acceptable losses are achieved.  It changes often and likely maintains different targets for the dissimilar parts of the entity.

Organizations are likely to mandate security expectations which typically manifests in a set of configurations, specifications, and operating standards.  The risk is these security controls may be relatively static and entrenched.

Establishing a baseline security is a good practice, but in order to remain effective it must adapt to changes in the environment by remaining dynamic to keep in lock-step with rapidly changing threats, vulnerabilities, and resulting exposures.  It must be a fluid posture, able to rapidly change based upon different internal priorities and external changes.  Sustaining business structure must be designed to continually predict areas needing modification and support design and deployment of those changes.  Rigid security postures lack the ability to remain effective over time and are likely derived by an equally rigid infrastructure which will struggle to adapt to new threats and changes within the organization.  Design security to be flexible and you enable the service to keep up with the continual changes in the information branch of security.

I recently spoke with an organization who had established a security posture which relied heavily on a hardened OS and application build for their systems.  At the time, they deployed a platform which took into consideration all the best configurations for hardening.  They were so confident they had satisfied security requirements they considered the problem solved.  They integrated the security design into their normal platform refresh cycle of system replacement every few years.  They never comprehended the fact they would need to continually update the build to compensate for changes in threats, new vulnerabilities and malware, and evolving business usage models.

The platform’s security, which initially was strong, began to quickly erode.  With no internal mechanism to identify when changes needed to be made, nor the testing and distribution capability, they soon found themselves in a situation where they were responding to individual incidents and changing systems one at a time based upon particular end-user needs.  This created inconsistencies in the builds which was more difficult to support.  Without proper forethought, the security team turned themselves into a firefighting organization, losing the initiative in the war of security.

This is one simple technical example.  The same holds true for the expanse of automated solutions and behavioral security controls as well.  Highly effective and efficient security strategies are forward thinking and understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment.  Overall, the concept of ‘optimal security’ is one of fluid adaptations of controls to meet an ever changing target for risk acceptance.

We naturally take comfort in being able to quantify the vagueness of challenges in our existence.  This past week, I was again reminded the cup of information security is filled partially with the complexities of human perception and ambiguity of emotions weighing our mental models of judgment.  These can be misleading.

This is not a revelation.  I thrive in the trenches of security measures and metrics, and learned this lesson many seasons past.  But it is so easy to fall back into the comfort of measuring, calculating, estimating, and even predicting risks with first impressions, and foregoing proper data collection and dispassionate analysis.

It is in our very nature to apply our big cognitive brains in an attempt to make sense of something which causes concern for our minds when we encounter situations we fail to grapple.  We default to familiar structures of logic and experience to give some insight, even if it is invalid.  If we cannot grasp a cloud, it makes us feel better to at least measure it.

I recently travelled to the beautiful city of Shanghai.  In the sprawling city of 19 million, getting about requires the use of a local taxi.  Drivers are aggressive by American standards.  They creatively use all lanes, including those of oncoming traffic, to weave in and out between pedestrians, other vehicles, and bicycles, all at high speed.  Roadway guides such as speed signs, stoplights, and lane markers are just cosmetic.  The concept of ‘right of way’ is defined by the vehicle which gets there first.  Tens of thousands of taxi drivers vie for pole positions at every light and traffic snarl.  I counted no less than half a dozen head-on near misses the first day.

Not surprisingly I was a bit concerned for my safety.  But what was the actual risk?  It seemed high, with all the jockeying, speed challenges, and lurching in front of other cars at a moment’s notice.  In formal terms, the security risk calculation was off the map.  Keeping it simple, risk can be defined as equaling the (threat) x (consequence) x (vulnerability).  Threats were abundant and vectoring from every angle.  Vulnerabilities were painfully obvious as the situation was an example of near uncontrolled chaos heavily dependent upon human judgment and intervention.  Lastly, the consequences registered as likely life threatening.  Vehicle safety measures are not equal to US standards, with no airbags and rarely a functioning seatbelt.  My brain began to do the rough math and formed a mental model where the conclusion was somewhere near the “I’m screwed” end of the spectrum.

Over time, I started to take a different perspective.  By the end of the week, and too many close calls to count, I observed the city’s taxi’s did not show damage which would be consistent with rampant numbers of collisions.  Although chaotic and unpredictable, they found a balance in avoiding impacts.  My drivers’ never appeared nervous.  Many were happy to take calls on their cell phones while racing into oncoming traffic and weaving back into our directional flow at the last second.  Yet, they were not worried.  The pedestrians who seemed intent on walking into direct paths of vehicles always looked up at the last possible moment and jumped out of the way of an untimely demise.

The dangers were still there.  Nothing changed but my perception.  The risks were high, controls were low, but it was the incident rate that was the telling measure.  Lack of vehicle accidents in such a tremendous population meant they operated in an efficient manner which my brain could not comprehend as safe.  But it was.  My initial evaluation misled me to a wrong conclusion: an inaccurate determination of risk.  I felt safer than before.  To this day, I cannot comprehend how they do it.

In our world of information security, we must take a step back from the limitations and biases we possess and stay true to proper forms of analysis in order to see the truth.  It is far too easy for us to slip backwards and inaccurately measure risk of situations we don’t understand.  Let’s continue to remind each other of this fact and challenge risk assessments, especially in situations where concern is more prevalent than fact.