PROTECTING SYSTEMS AND DATA PASSWORD ADVICE

Transcription

1 PROTECTING SYSTEMS AND DATA PASSWORD ADVICE DECEMBER 2012 Disclaimer: Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential and including, but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using, the information contained in this document or its references. You should make your own judgement as regards use of this document and seek independent professional advice on your particular circumstances. 1

2 Contents Introduction..3 Passwords Areas for attention Origin of the advice given in this document CPNI advice.4 Non-administrator account - specific advice Administrator account - specific advice Password strength Lockout configuration Password storage Hardware Remote connection Testing and automation Third parties Monitoring of accounts for anomalous usage Security skills and awareness Further guidance 7 2

3 Introduction Passwords A password is a string of characters used in combination with other information to identify an individual. Password protection is used to prevent unauthorised access to systems and/or material. Areas for attention There are techniques which attackers can use to determine or to discover password data. Approaches include cracking or guessing of passwords, interception during transmission and conducting a search throughout an IT infrastructure for stored password information. Many of these techniques can be applied by automated tools. Focusing on the following areas will make it more difficult for an attacker to establish and make use of passwords. Default passwords Weak passwords Password composition Password re-use and password sharing Storage of passwords Transmission of passwords Measures to protect administrator-level accounts need extra consideration. An attacker will seek escalated privileges through the compromise of these accounts. It is important that robust measures are in place to protect administrator-level accounts. Origin of the advice given in this document CPNI is participating in an international government-industry effort to promote the Top 20 Critical Security Controls for Effective Cyber Defence, published by SANS (see Further Guidance section document 3). Within the 20 controls (and sub-controls) there are measures relating to the use of passwords. CPNI have undertaken work to pull-together the password-related content within Version 4 of the Consensus Audit Guidelines (CAG4) document. The following notation is used in this document to reference advice given within the Critical Security Controls: [CSC XX-YY] where XX is the control number (1-20) and YY is the sub-control (00 indicates advice outside of the sub-control list, but within the control text). In addition, to ensure that a balanced view is provided, CPNI have captured some additional comments covering both conventional and new thinking in the area. This password advice document is intended to be an evolving document that seeks to reflect new thinking and different views on the topic. t is anticipated that this short reference document will be updated periodically. 3

4 CPNI advice Non-administrator account - specific advice Non-administrator accounts should have strong passwords that contain letters, numbers and special characters [CSC 16-08]. Non-administrator accounts should be configured to require password changes every 90 days [CSC 16-08]. Non-administrator accounts should have passwords that have a minimal age of 1 day [CSC 16-08]. Non-administrator accounts should not permit the re-use of the previous 15 passwords [CSC 16-08]. Administrator account - specific advice Administrator accounts must have strong passwords that are complex containing letters, numbers and special characters intermixed with no dictionary words present [CSC 12-02]. Administrator accounts must be configured to require regular password changes on a frequent interval tied to the complexity of the password. Interval should not exceed 90 days [CSC & 12-05]. Administrator accounts must not permit re-use of the previous 15 passwords. Re-use must not be permitted within a certain timeframe [CSC 12-09]. Administrator accounts must not be shared or even occasionally used by anyone other than the account holder [CSC 12-08]. Administrators must establish different passwords for their administrator and nonadministrator accounts [CSC 12-08]. All administrative access, including domain administrative access, should use two-factor authentication [CSC 12-12]. Password strength Complexity and length are important in preventing passwords being cracked or guessed. Recommendations for password complexity are provided above for non-administrator and administrator accounts. 4

5 It is recommended that organisations insist on the use of strong passwords for all accounts. Strong passwords should be of sufficient length to increase the difficulty it takes to crack the password [CSC 12-02]. Techniques for the generation of strong passwords are covered by documents listed within the Further Guidance section document 1 (section 3.2.4) and also in document 2. Some organisations are abandoning the practice of changing passwords at regular intervals, taking the view that changing encourages the storage of passwords by less secure means (e.g. hardcopy). Emphasis is placed instead on the use of strong passwords. However, strong passwords can be more difficult to remember, leading to increased requests for reset and the temptation to use the same password across multiple systems. Pass phrases containing multiple dictionary words along with special characters can be easier to remember, but can only be considered acceptable if they are of a reasonable length [CSC 12-02]. Lockout configuration Account lockout should be used and configured such that after a set number of failed login attempts the account is locked for a standard period of time [CSC 16-09]. Disabling an account is a denial of service. An exponentially increasing delay after each failed authentication attempt could also be considered (also known as exponential back-off). Systems should automatically create a report on a daily basis that includes a list of lockedout and disabled accounts [CSC 16-03]. Password storage Passwords must not be stored as clear text. Passwords for all systems should be stored in a hashed format, produced using an established cryptographic hashing function [CSC 12-06]. An iterated hashing function should be used. The hashed representation of a password should be produced using a salt. A unique salt should be used for each account, and should be changed when the password is changed. Salt values should be held separately from the hashed values. Files containing encrypted or hashed passwords required for systems to authenticate users should be readable only with super-user privileges [CSC 12-06]. Hardware Before deploying any new devices in a networked environment, organisations should change all default user IDs and passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value [CSC & 12-04]. 5

6 Network devices should be managed using true two-factor authentication and encrypted sessions [CSC 10-05]. Where sensitive data is held on a laptop or other portable device, the use of measures such as BIOS passwords and disk encryption should be considered. Remote Connection Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication [CSC 13-07]. Testing and automation For all types of account, checks should be in place to ensure that chosen passwords meet the requirements in terms of complexity and originality. Built-in operating system features can enforce this [CSC 12-00]. Password composition and entropy should be tested, preferably when the password is set or changed by the account user. Weak scores should result in the proposed password being rejected. Software tools are available to do this. Testing must be conducted periodically to ensure that the password policy is enforced. This can be achieved by creating a temporary, disabled, limited privilege test account on 10 different systems and then attempting to change the password on the account to a value that does not meet the organisation s password policy. Temporary test accounts should be established in a number of different, randomly-selected systems across an organisation s IT infrastructure [CSC 12-00]. An automated process should be established to periodically search for clear text s and documents containing the word password, as well as other likely indicators of password information, in the filename or body [CSC 20-05]. Systems should automatically create a report on a daily basis that includes a list of accounts with passwords that exceed the maximum password age and accounts with passwords that never expire. This list should be sent to the associated systems administrator in a secure fashion [CSC 16-03]. Third parties Where services are outsourced, instructions should be provided that clearly describe the measures which must be taken (and those which should be taken) by a third party to protect credentials which allow access to systems or data relating to the issuing organisation [CSC 12-14]. 6

7 Where a third party uses passwords to restrict access to systems or data relating to the issuing organisation, the third party should be accountable for the use of the passwords. This should form part of the contractual agreement [CSC 12-14]. Monitoring of accounts for anomalous usage In addition to good security measures directly relating to passwords, organisations must monitor user accounts. Failed login attempts should be always be logged. Attempts to access deactivated accounts should be captured, as should the use of credentials from new devices. User profiles should be constructed using information relating to typical account usage such as time-of-day access and typical duration [12-10]. Timely alerting must be established for serious anomalies and daily reporting should also be configured. In addition, configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators group [12-11]. Security Skills and Awareness Some end-users will be fooled via social engineering scams in which they are tricked into providing passwords. Understand technical skills gaps within the workforce and fill these gaps through policy, training and awareness [CSC 09-00]. Further guidance 1. Guide to Enterprise Password Management, Recommendations of the National Institute of Standards and Technology. Scarfone K., Souppaya M., NIST Special Publication , April 2009, source: [correct as of August 2012]. 2. Electronic Authentication Guideline, Recommendations of the National Institute of Standards and Technology. Burr, W.E., Dodson, D.F., Polk, W.T., NIST Special Publication Version 1.0.2, April 2006, source: [correct as of September 2012]. This document has been written to be consistent with: 3. Top 20 Critical Controls for Effective Cyber Defense, Version 4. Published by The SANS Institute, October 2012, source: [correct as of November 2012]. End of document 7