Something hit me straight in the face that may be a method for inducing cognitive awareness to end users in regards to password management. Ironically this also has a side effect of scalability when managing password changes. It isn’t completely flushed out but I wouldn’t mind getting some opinions on this. I am thinking of prototyping this in a PAM module in my spare time. Here goes… For end users we have been trying to get users to understand the importance of constructing good passwords. We provide guidance on what a good password is (even though the guidance that I have seen is still usually unacceptable in most places when compared to NIST guidelines). We spend a lot of time telling the user to “do this because security experts advise it, or it’s part of our policy” but we don’t really provide an incentive or an understanding of why we tell them to do this. Well humans are programmable, and the best […]
contributed
For SANS Critical Controls: Authentication Missing In Action
Authentication is the gateway to privilege and authorization. Consider how many portions of your life, digital and otherwise, revolve around authentication. Whether you want to do Internet banking, tweet a friend, or buy a present, some sort of authentication likely occurred to allow you to do so. But when it comes to one of the most widely used sources of advice for organizations to improve their security, authentication is absent. I’m speaking about The SANS Institute’s “20 Critical Security Controls.” This list represents a great public-private partnership effort with SANS, the Center for Internet Security, and Center for Strategic and International Studies all involved in its production and maintenance. The goal of the document is to help provide organized guidance and actionable improvements for organizations wanting to strengthen their security posture. Because of the separation of subject matter into individual control areas, the document is quite useful at conveying […]