
IT@Intel Blog

67 Posts tagged with the security tag
2

Russell C Thomas delivers a great post on How to Value Digital Assets.  It covers many basics and more importantly gives a good direction to take while spotlighting common pitfalls in the valuation journey.


“This tutorial article presents one method aimed at helping line-of-business managers (“business owners” of digital assets) make economically rational decisions.  It’s somewhat simplistic, but it does take some time and effort.  Yet it should be feasible for most organizations if you really care about getting good answers.  Warning: No simple spreadsheet formulas will do the job.  Resist the temptation to put together magic valuation formulas based on traffic, unique visits, etc.”

 

Definitely a good read for anyone wondering where to start the valuation process.  I especially like the Three Principles section.  He makes a logical separation between assets which provide direct revenue (Class 1) and those which are in a support function (Class 2).

 

As a follow-on, I believe some other aspects may be covered under the Class 2 section, including liability avoidance, direct efficiency gain, life safety, and regulatory compliance.  In certain cases we must apply a different method to determine the value, outside what has been explained: management may be willing to replace or upgrade, but typically such investments must have a positive ROI, and therefore they provide much more value than the replacement/repair costs.

 

Years ago I had a stimulating conversation with the late (and some would say infamous) Dr. Bill Hancock.  Bill had trudged through the information security swamps for decades and had a unique insight into valuations of vulnerable systems, particularly single-points-of-critical-failure.  He recounted his experience evaluating an airline’s security and the discovery of a minor system which was largely ignored, a weights and balances server.  Apparently when planes take off, the distribution of weight must be calculated to ensure they don’t become giant ‘lawn darts’ (Bill’s colorful description) at the end of the airfield.  A data integrity compromise of this system could cause catastrophic consequences, leading to the end of the business.  Who would fly on an airline which had several take-off crashes in a single day?  It would likely be the critical factor causing the airline to no longer exist as a viable business.  Although this was a support system, the integral value was far beyond the cost of the equipment, software, and support.

 

Secondly, the blog is written with the assumption the assets are already in place.  Thus, in a perfect world, a proper ROI/justification has already been made to assist the decision to acquire and land these assets.  But what if a decision to purchase or not, is the objective?  The Class 2 method then becomes circular.  The value is the expenditure management is willing to invest?  How do they know?

 

Overall it is a great blog.  I think it would be helpful if the author could give an example for a medium sized enterprise, with particular focus on Class 2 areas (specifically security or safety assets).  Hopefully he is willing to post such details.

2 Comments Permalink
0

No.  Just the people who use them.


Passwords of reasonable strength (8 characters or more consisting of upper/lower case and special keys) coupled with timely expiration are secure.  Passphrases with comparable measures are equally secure.  The systems and users are currently the weakest links in the security chain.


The interfaces and tools through which we input passwords may be vulnerable.  This includes, but is not limited to, key-loggers, sniffers, input redirections, etc.  But it is the user where the most significant weakness exists.  Users can be duped into divulging their passwords (phone, web, chat, email, etc.) and in many cases make them available in other ways (sticky note under the keyboard).


A recent Newsweek article covered the topic of building a better password:

"...a short but hard-to-remember string like "J4fS<2" can be broken by what is called a brute-force attack (in which a computer attempts "a," then "ab," then "abc," and so on) in 219 years, while a long but easy-to-remember phrase like "du-bi-du-bi-dub" will stand for 531,855,448,467 years. (Two hundred nineteen years is actually very good, but the lesson remains: simpler can be stronger.) The idea of passphrases isn't new. But no one has ever told you about it, because over the years, complexity - mandating a mix of letters, numbers, and punctuation that AT&T researcher William Cheswick derides as "eye-of-newt, witches'-brew password fascism" - somehow became the sole determinant of password strength."


The difference between passwords which can be cracked in two-hundred versus a billion years is immaterial if users are forced to change passwords every few months.   The bad guys just don’t have the time to crack the password before it is changed or the data is sufficiently aged to not be of value. 

To undermine cracking attempts, we force users to use 'strong' passwords so that dictionary attacks are fruitless and threat agents must resort to a laborious brute force attack, trying massive numbers of combinations in order to be successful.  All passwords can be cracked via brute force, but it takes time.  It becomes an exercise in how many attempts can be made over a given period.  The faster the process, the more combinations can be tried and therefore the shorter the time to discover the one which works.  The length and the set of possible characters determine the number of combinations.
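To make the length-times-alphabet arithmetic concrete, here is an added Python example (not code from the original post) that computes the candidate space implied by a password's length and character classes, the worst-case exhaustive-search time at an assumed guess rate, and whether that time exceeds a rotation window, which is the comparison the post says actually matters.  The 94-character printable ASCII alphabet and the guess rate of 10^9 per second are assumptions chosen for illustration; the two sample strings are the ones quoted from the Newsweek article, and "abcdefgh" is a constructed lowercase-only sample.

```python
import string

# Character classes and the size each contributes to the candidate alphabet.
# Assumption: the attacker searches the printable US-ASCII set (26+26+10+32 = 94).
CHARACTER_CLASSES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "symbol": (frozenset(string.punctuation), len(string.punctuation)),  # 32 symbols
}

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def alphabet_size(secret: str) -> int:
    """Size of the smallest class-based alphabet containing every character of `secret`."""
    size = 0
    for members, count in CHARACTER_CLASSES.values():
        if any(ch in members for ch in secret):
            size += count
    if size == 0:
        raise ValueError("secret contains no printable ASCII characters")
    return size


def keyspace(secret: str) -> int:
    """Number of candidate strings of the same length drawn from the same alphabet."""
    return alphabet_size(secret) ** len(secret)


def exhaustive_search_seconds(secret: str, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate is tried (expected time is half of this)."""
    return keyspace(secret) / guesses_per_second


def exhaustive_search_years(secret: str, guesses_per_second: float) -> float:
    return exhaustive_search_seconds(secret, guesses_per_second) / SECONDS_PER_YEAR


def outlives_rotation(secret: str, guesses_per_second: float, rotation_days: int) -> bool:
    """True when a full search takes longer than the password's rotation window."""
    return exhaustive_search_seconds(secret, guesses_per_second) > rotation_days * 24 * 60 * 60


if __name__ == "__main__":
    RATE = 1e9  # assumed offline guess rate in guesses per second; every result scales with it
    for sample in ("J4fS<2", "du-bi-du-bi-dub", "abcdefgh"):
        print(f"{sample!r}: alphabet={alphabet_size(sample)} "
              f"keyspace={keyspace(sample):.3e} "
              f"years={exhaustive_search_years(sample, RATE):.3g} "
              f"outlives 90-day rotation={outlives_rotation(sample, RATE, 90)}")
```

The absolute figures depend entirely on the assumed guess rate, which is why the article's 219-year estimate and this script's output differ; what carries over regardless of the rate is the ratio between the two strings and the yes/no answer to whether a search outlasts the rotation period.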

Undermining the strength of a password is not the biggest concern.  It is far more likely for a password to be sniffed on the network, captured on a system, or duped from a user, rather than be cracked.

The most significant vulnerability is with the users and the systems where passwords are entered and stored.  There is no practical benefit to further abusing users with new diabolical password schemes.  We should pay less attention to stronger and better password formats and instead invest in better behavioral controls, user education, and the strengthening of systems and interfaces.

0 Comments Permalink
0
With a painful taste of irony, it was recently reported that the Ministry of Defense's (MoD) manual explaining how to prevent leaks was itself leaked.

Source: The telegraph.co.uk

 

"The Defense Manual of Security is intended to help MoD, armed forces and intelligence personnel maintain information security in the face of hackers, journalists, foreign spies and others.  But the 2,400-page restricted document has found its way on to Wikileaks, a website that publishes anonymous leaks of sensitive information from organizations including governments, corporations and religions."

 

Is this a fluke or is the world suffering from abhorrent information security practices, culture, and capabilities? 

 

YES, the world is terrible at securing data!  Yes, you and I are part of the problem!  Yes it can be fixed, but it is unlikely unless dramatic steps are taken!

To hear my full rant and opinions, check out my blog/video "It is Time for a Data Security Revolution!"

Is data security really that bad?  What do you think?  Don't be shy.  YOUR data is at risk too.

 

 

 

It is Time for a Data Security Revolution!

0 Comments Permalink
1

Measures generate data and metrics organize data to generate information.  The difference between ‘data’ and ‘information’: the former is something you know, the latter is something you use.

 

Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

The key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 

Fortune Cookie advice for September, 2009:

 


 

Measures generate data and metrics organize data to generate information.

The difference between ‘data’ and ‘information’: the former is something you know, the latter is something you use.

 

In security, it is easy to confuse the terms ‘measures’ and ‘metrics’.  They are two distinct but related concepts.  Measurement theory incorporates the scale of nominal, ordinal, interval, ratio, and absolute.  These scales are used to measure something, with the output being data.  Metrics however are about analysis and intelligent decision making.  Metrics translate data into meaningful information which will support decision making.  Data is something you know.  Information is something you use to make decisions.

 

Fortune Cookie Security Advice - No Royal Road to Security - July 2008

Fortune Cookie Security Advice - Strategic Competitive Secure - June 2009

Fortune Cookie Security Advice - May 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - January 2009

Fortune Cookie Security Advice - February 2009

Fortune Cookie Security Advice - March 2009

Fortune Cookie Security Advice - April 2009

Fortune Cookie Security Advice - May 2009

1 Comments Permalink
1

Thinking creatively, a South African IT company decided to use a low technology solution to complete a data transfer when their ISP network could not handle the job.  Typically, quick out-of-the-box IT solutions are rarely secure.  Smart technologists are good at finding solutions to meet their objectives, but when time is short, security tends to be ignored.  Does the combination of frustrated people, short timelines and the need to transfer a lot of data equate to insecurity?  Not always.

 

Being different sometimes has its security advantages.  In this case data was transferred in a manner which was unpredictable for any would-be interceptor, highly reliable, impossible to sniff, faster than the traditional available wired network, and maintained high security for integrity and confidentiality.

 

Yes, they used a carrier pigeon.

 

The best news story of the day.

1 Comments Permalink
2

Yesterday I wrote a blog titled “Submarines, Stealth Fighters and Evolving Needs of Information Security in the Server Room” where I discuss some new server technologies aimed at better securing data from hackers, viruses and new malware called rootkits.

 

After writing that blog, I began to think about the variety of levels by which information security is delivered.  To truly manage risk and provide information security for a business, you need many levels of controls and defenses.  In fact, I learned that Intel IT has a Defense in Depth strategy for information security.

 

Within Intel IT, in every strategic discussion I have witnessed, from implementing cloud architectures, deploying server virtualization and client virtualization, evaluating Windows 7 (more coming soon on our plans here), to developing business intelligence and social media collaboration solutions, designing for security is a paramount factor.  Every IT solution must take into account aspects of information security; the risks of not considering it are too great.  There is a rich set of content dedicated to Intel IT’s approach to security solutions.

 

Of course the question for IT is how much is enough.  Is meeting the minimum regulatory requirements sufficient, or should we strive for a higher level of protection, and at what cost?  There is no formula here.  It is a delicate balance to match risk, investment costs and ROI to deliver sufficient information security protection.  Over-invest in security and you could be constraining business growth or restricting process improvement; under-invest and your exposure to information loss could be too high; or (worst of all) don’t innovate business processes because of worries concerning security exposure.

 

It was only after taking our required annual IT security training, mandated for all Intel employees, last week that it really hit me that PEOPLE are our primary defense against information theft.  Within the Intel IT organization, I have found a huge focus on the value of our people, our subject matter experts: from the engineers, architects and IT strategists to the training of all employees on the principles, expectations and tools we all need to use to maximize the effectiveness of what IT has put in place.  This was reinforced by a recent Gartner call I attended where the speaker proposed that people are our most agile and important asset.  I agree.

 

The bottom line: IT’s job is to simultaneously deliver business value through innovation aimed at enabling growth, boosting productivity, maximizing efficiency and maintaining continuity.  This is what makes PEOPLE so critical, because the balancing act is a question of IT governance, the formal means to evaluate, benchmark and decide how to balance these critical questions, in close collaboration with partner business units, HR, legal and senior management.

 

Technology can’t do it alone – we have to deploy technology with intelligence, purpose and controls.  That is only possible by enabling people to be trained, educated and empowered with the ability, tools and support to be successful. 

 

Do you agree?

 

Chris Peters

@Chris_P_Intel (twitter)

2 Comments Permalink
0

Employees need the ability to communicate securely.  Deploying the right capabilities can empower employees to keep the organization’s information more secure.  Matthew Rosenquist discusses a strategy to establish secure communication channels.

 

 

Video 2:35 minutes

0 Comments Permalink
1

Phishing is pervasive, evolving, and a serious threat to everyone.  Matthew Rosenquist discusses strategies to defeat phishing attacks.

 

 

Video 5:14 minutes

1 Comments Permalink
0

There is no Royal Road to understanding and achieving information security

 

Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

The key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.


Fortune Cookie advice for July, 2009:

 


There is no Royal Road to understanding and achieving information security

 

Taking a line of thought from Euclid, there is no easy route to understand the ever changing complexities of information security.

We exist in an era where information security is both exciting and complex. 

 

The rapid evolution of information technology, increasing number of targets, and the explosive development of creative tools attackers employ all contribute to a dynamic environment where a continual struggle between aggressors and defenders shifts the balance on a daily basis.  Only through hard work can security professionals effectively pursue achieving an optimal level of security which manages the tradeoffs of cost against controlling impacts and effectiveness of attacks.  Achieving information security is an exercise in hard work, diligence, consistency, and flexibility to adapt technology and behaviors in meeting the challenge.

       

 

Fortune Cookie Security Advice - Strategic Competitive Secure - June 2009

 

Fortune Cookie Security Advice - May 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - January 2009

Fortune Cookie Security Advice - February 2009

Fortune Cookie Security Advice - March 2009

Fortune Cookie Security Advice - April 2009

Fortune Cookie Security Advice - May 2009

0 Comments Permalink
0

Greed drives behaviors of cyber attackers.  Matthew Rosenquist discusses the pain and benefits of the Greed Principle.

 

 

 

 

Video 3:29 minutes

 

Purpose of Security Programs

0 Comments Permalink
3

For the last 18 months, Intel has invested a significant effort to develop a full strategy & implementation roadmap for social computing within the enterprise.  I am pleased to announce the release of a white paper Developing an Enterprise Social Computing Strategy that I did jointly with Malcolm Harkins, Chief of Information Security. The paper details our approach towards embracing the use of collaborative technologies while addressing the mitigation of legal, HR and governance issues.  Here are some key areas you will find detailed in the paper:

 

  • The business focus for social computing (also refer to: Why Intel is investing in Social Computing)
  • Collaborative approach between IT, HR and Information Security
  • Intel's integrated architecture
  • Intel's approach to determine early use cases, business value and vendor/solution evaluations
  • Results of a security risk assessment
  • Phased implementation plan
  • Initial results after 3-1/2 months into deployment & adoption

 

There are a lot of key takeaways within this paper.  The biggest one that I hope you will walk away with is: Enterprise 2.0 is a challenging effort.  Yes, there are risks.  But Intel hasn't discovered any new risks introduced with 2.0 technologies that don't already exist with 1.0.  We believe the opportunities outweigh the risks.  In fact, we are convinced that inaction carries much greater risks: that the enterprise will not realize the benefits that social computing can deliver, and that employees will increasingly turn to external, unsecured tools for communication.  IT has a leadership opportunity to get ahead of and deliver emerging platforms, at a fraction of the cost of "standard" collaborative infrastructure, to enable their business to stay one step ahead of the competition.

 

I hope you enjoy the paper.  I welcome your perspectives and learning about the strategy that is yielding success for you.

3 Comments Permalink
1

Risk metrics are the heart and soul of information security indicators.  An increasing proliferation of tools and assessments has emerged, attempting to quantify states of information security.  Given the nature of what is trying to be measured, this is arguably one of the toughest challenges in the metrics space.  The recent trend is for different bodies to develop and publish their own standards, which creates confusion regarding accuracy and applicability.  Why all the turmoil, competing models, and misalignment?  The sad story is (cue the somber violins) we just have not figured out how to measure information security risks very well.

 

I have seen and applied many different methods, audits, and evaluations with varying degrees of success and disappointment.  I have come to the following three basic conclusions:

  1. Current tools and methods lack maturity in this area, for both accuracy and comprehensiveness (and yes, I am guilty of contributing to the pool)
  2. No silver bullet exists.  A unified method, which provides a predictive overarching and detailed risk analysis, is unlikely.  Different approaches have their applicability.  Choose wisely 
  3. There is no replacement for a security professional’s brain.  From the selection of the analysis method, the gathering of relevant data, to the interpretation of the results, requires a seasoned security professional.  There is no substitute which can handle the ambiguity, chaos, and relational dependencies affecting the outcome


An example will help express some of the challenges.  The OCTAVE methodology, created by Carnegie Mellon University some years ago, has been a battle-tested veteran in this role.  It is a qualitative-to-quantitative device which leverages the expertise of key people to give a numerical value of risk in their respective area.  Because of personal bias and fears, the need to allow flexible ways of answering questions, and the varying degrees of base knowledge between the experts, results can vary greatly without even factoring in the changes occurring in the threat landscape.

 

Let me be clear, I am a fan and a longtime supporter.  However, it has its limitations.  I have developed several assessments based upon the model in a large environment.  As long as the limitations are accepted, it is applied where it leverages its strengths, and the process is rolled out properly, the results can be very valuable.

 

But don’t confuse value with precision.  I have observed the accuracy to be +/- 40% in complex organizations.  I believe this is largely due to multiple tiers of qualitative-to-quantitative analysis and the bias introduced at each level.  Credible sources have expressed a better +/- 20% accuracy for smaller implementations.  Although these numbers sound terrible, it is very good compared to other methods.  I have great respect for the chaps at Carnegie Mellon University who created the methodology.  Groups within our company have used a modified form of this approach, with advanced structures tailored to our computing ecosystem, for years with great success.  The low accuracy rate is not a poor reflection on the CMU model, rather it is a stark insight on how immature we are in this field.

 

So this is a sad story, but one which is not over.  A cadre of very bright people is working to tackle this problem.  In the short term, I expect to see many more methods, theories, templates, and standards emerge for specific situations.  In the end, I doubt if ever we will have a unified way to measure security risks, but I hold high hopes the best will be culled to a small number which can be applied to most situations and deliver reasonable metrics.

1 Comments Permalink
0

Measuring the Return on Investment (ROI) of information security is challenging but not impossible.  It is important to understand the necessary components and how they interrelate.  In this brief video, I discuss one way of expressing value in relation to the positive impacts of security spending.

 


Video Length: 3:26 minutes

 

This video provides a high level explanation.  For more information regarding the challenges of information security ROI, please take a look at the following links:

The Problem of Measuring Information Security

How Security Programs Reduce Loss

Whitepaper - Measuring the Return on IT Security Investments

Are Security ROI Figures Meaningless?

BlogTalk Radio Discussion - The Problem of Measuring Security

BlogTalk Radio Discussion - Return on Security Investment – Intel Case Study

The Four Dirty Questions of Measuring Information Security

0 Comments Permalink
1

I was recently trading thoughts with Anton Chuvakin, a respected security metrics professional, in a philosophical discussion of perfection and quality of security.  Admittedly, I was on auto-pilot (operating without the benefit of coffee) rattling away with my ‘Optimal Security’ rhetoric, when Anton posed two thought provoking questions: CAN one "mandate optimal security"?  How do you "mandate flexible"?

 

I was stopped in my tracks.  This got me thinking.  After fetching a tall cup of coffee to start my brain juices flowing in earnest, I reached back into the pages of history to come up with the following perspective and examples:

 

I believe, to a certain extent, we can mandate flexibility and optimization.  Surely we can act in ways which deny both.  So why can’t we act in a manner which intrinsically promotes them?

 

I think back to lessons of WWII and the Maginot line.  The French chose to create a fortification which was static by design and lacked mobility or a capability to adapt to changing enemy tactics.  They invested heavily into this control, which became the backbone of their country's eastern defense.  It was an appalling failure.  Alternatively, the German blitzkrieg, and the stratagems of both Rommel and Patton prevailed.  Flexibility through mobility was far more effective than an elaborate static defense.

 

I would argue that flexibility can be mandated through proper planning and design.  We have examples in the history of information security.  In the early years of Anti-Virus (AV) products, they were non-memory resident applications which were prescribed to be run once a week.  Updates were a rarity if at all.  That rigid design quickly lost effectiveness, with the rise in velocity of new malware.  AV vendors were forced to adapt.  The overall design has changed to one which is flexible, can be updated to meet emerging malware, and continuously runs in the background to provide persistent security.

 

Rigid security postures lack the ability to remain effective over time and are likely derived by an equally rigid infrastructure which will struggle to adapt to new threats and changes within the organization.  Create security to be flexible and you enable the service to keep up with the continual changes.

 

In general, design a system to be flexible and its longevity for effectiveness is extended.  Plan how systems can continuously adjust themselves to align to what is 'optimal' and you increase the sustaining efficiency.

 

We must be strategic in our planning and design of security, lest we suffer the fate of France's Maginot line.

 


Check out Anton’s Blog for other thought provoking viewpoints; just be sure to have your coffee at the ready.

More on “Optimal security”:

Strategy for Sustaining Optimal Security

Information Security Defense In Depth Whitepaper is Now Available

Fortune Cookie Security Advice - June 2008

Defense In Depth Strategy Optimizes Security

The Four Dirty Questions of Measuring Information Security


What are your thoughts?  Rigid or Fluid?  Have you implemented optimal and flexible?

1 Comments Permalink
0

Think strategic.  Act competitive.  Be secure.

 

Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

The key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 


Fortune Cookie advice for June, 2009:

 

 


Think strategic.  Act competitive.  Be secure.

 

Security is a sustaining commitment where long term planning provides a distinct advantage.  Threats are derived from intelligent adversaries.  Success requires maneuvering in a competitive manner to remain secure.

 

 

 

 

Fortune Cookie Security Advice - May 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - January 2009

Fortune Cookie Security Advice - February 2009

Fortune Cookie Security Advice - March 2009

Fortune Cookie Security Advice - April 2009

Fortune Cookie Security Advice - May 2009

0 Comments Permalink