Publication


Featured research published by E. Eugene Schultz.


International Journal of Human-Computer Studies / International Journal of Man-Machine Studies | 2007

Improving password security and memorability to protect personal and organizational information

Kim-Phuong L. Vu; Robert W. Proctor; Abhilasha Bhargav-Spantzel; Bik-Lam (Belin) Tai; Joshua Cook; E. Eugene Schultz

Personal information and organizational information need to be protected, which requires that only authorized users gain access to the information. The most commonly used method for authenticating users who attempt to access such information is through the use of username-password combinations. However, this is a weak method of authentication because users tend to generate passwords that are easy to remember but also easy to crack. Proactive password checking, for which passwords must satisfy certain criteria, is one method for improving the security of user-generated passwords. The present study evaluated the time and number of attempts needed to generate unique passwords satisfying different restrictions for multiple accounts, as well as the login time and accuracy for recalling those passwords. Imposing password restrictions alone did not necessarily lead to more secure passwords. However, the use of a technique for which the first letter of each word of a sentence was used coupled with a requirement to insert a special character and digit yielded more secure passwords that were more memorable.


Computers & Security | 2003

Analysis of vulnerabilities in Internet firewalls

Seny Kamara; Sonia Fahmy; E. Eugene Schultz; Florian Kerschbaum; Michael Frantzen

Firewalls protect a trusted network from an untrusted network by filtering traffic according to a specified security policy. A diverse set of firewalls is being used today. As it is infeasible to examine and test each firewall for all possible potential problems, a taxonomy is needed to understand firewall vulnerabilities in the context of firewall operations. This paper describes a novel methodology for analyzing vulnerabilities in Internet firewalls. A firewall vulnerability is defined as an error made during firewall design, implementation, or configuration, that can be exploited to attack the trusted network that the firewall is supposed to protect. We examine firewall internals, and cross-reference each firewall operation with causes and effects of weaknesses in that operation, analyzing twenty reported problems with available firewalls. The result of our analysis is a set of matrices that illustrate the distribution of firewall vulnerability causes and effects over firewall operations. These matrices are useful in avoiding and detecting unforeseen problems during both firewall implementation and firewall testing. Two case studies of Firewall-1 and Raptor illustrate our methodology.


Computers & Security | 2001

Usability and Security: An Appraisal of Usability Issues in Information Security Methods

E. Eugene Schultz; Robert W. Proctor; Mei-Ching Lien; Gavriel Salvendy

In the modern multi-user computer environment, Internet-capable network servers provide connectivity that allows a large portion of the user population to access information at the desktop from sources around the world. Because of the ease with which information can be accessed, computer security breaches may occur unless systems and restricted information stored therein are kept secure. Breaches of security can have serious consequences, including theft of confidential corporate documents, compromise of intellectual property, unauthorized modification of systems and data, denial of service, and others. Considerable research has been conducted on threats to security.


Behavior Research Methods Instruments & Computers | 2002

Improving computer security for authentication of users: influence of proactive password restrictions.

Robert W. Proctor; Mei-Ching Lien; Kim-Phuong L. Vu; E. Eugene Schultz; Gavriel Salvendy

Entering a username-password combination is a widely used procedure for identification and authentication in computer systems. However, it is a notoriously weak method, in that the passwords adopted by many users are easy to crack. In an attempt to improve security, proactive password checking may be used, in which passwords must meet several criteria to be more resistant to cracking. In two experiments, we examined the influence of proactive password restrictions on the time that it took to generate an acceptable password and to use it subsequently to log in. The required length was a minimum of five characters in Experiment 1 and eight characters in Experiment 2. In both experiments, one condition had only the length restriction, and the other had additional restrictions. The additional restrictions greatly increased the time it took to generate the password but had only a small effect on the time it took to use it subsequently to log in. For the five-character passwords, 75% were cracked when no other restrictions were imposed, and this was reduced to 33% with the additional restrictions. For the eight-character passwords, 17% were cracked with no other restrictions, and 12.5% with restrictions. The results indicate that increasing the minimum character length reduces crackability and increases security, regardless of whether additional restrictions are imposed.


Computers & Security | 2004

From the editor-in-chief: Security training and awareness-fitting a square peg in a round hole

E. Eugene Schultz

A few years ago the Gartner Group stated that nothing in the practice of information security produces as much return on investment (ROI) as security training and awareness. Many information security professionals (myself included) are skeptical of the Gartner Group's pronouncement, however. After all, risk analysis has for years been the sacred cow of information security professionals, and are not areas such as vulnerability analysis and mitigation, intrusion detection and incident response (at least in theory) almost as valued? Does security training and awareness really yield more ROI than other important areas of an information security practice, or better put, does it yield at least a reasonable ROI? Looking at how organizations have traditionally approached this area (as one of low priority) over the years would lead one not to conclude. When budget crises occur, for example, count on training and awareness being one of the first areas (if not the first area) in which the budget is slashed. Pity the person in charge of this area, too; the head of security training and awareness is always well advised to keep an updated resumé; the first staff cut is much more likely to be this position rather than another within an information security staff. Consider also the potential of information security staff for upward mobility. Someone who is in charge of risk assessment and management or security operations has a very good likelihood of eventually becoming the chief information security officer or a manager somewhere else within an IT organization, but not whoever is in charge of security awareness and training. Of all the areas within information security, furthermore, none is more underrepresented as far as the number of


Computers & Security | 2001

Refereed papers: A Framework for Understanding Vulnerabilities in Firewalls Using a Dataflow Model of Firewall Internals

This work was supported by sponsors of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

Michael Frantzen; Florian Kerschbaum; E. Eugene Schultz; Sonia Fahmy

Vulnerabilities in vendor as well as freeware implementations of firewalls continue to emerge at a rapid pace. Each vulnerability superficially appears to be the result of something such as a coding flaw in one case, or a configuration weakness in another. Given the large number of firewall vulnerabilities that have surfaced in recent years, it is important to develop a comprehensive framework for understanding both what firewalls actually do when they receive incoming traffic and what can go wrong when they process this traffic. An intuitive starting point is to create a firewall dataflow model composed of discrete processing stages that reflect the processing characteristics of a given firewall. These stages do not necessarily all occur in all firewalls, nor do they always conform to the sequential order indicated in this paper. This paper also provides a more complete view of what happens inside a firewall, other than handling the filtering and possibly other rules that the administrator may have established. Complex interactions that influence the security that a firewall delivers frequently occur. Firewall administrators too often blindly believe that filtering rules solely decide the fate of any given packet. Distinguishing between the surface functionality (i.e., functionality related to packet filtering) and the deeper, dataflow-related functionality of firewalls provides a framework for understanding vulnerabilities that have surfaced in firewalls.


Computers & Security | 2004

From the editor-in-chief: Sarbanes-Oxley-a huge boon to information security in the US

E. Eugene Schultz

Few pieces of legislation have affected so much so quickly and profoundly as the Sarbanes-Oxley (often abbreviated "SoX") Act of 2003. Triggered by accounting scandals such as Enron's several years ago, SoX has many provisions, some of the most important of which require management of publicly traded companies to establish and maintain "an adequate internal control structure and procedures for financial reporting" as well as to provide an assessment of the effectiveness of the structure and procedures that have been established. As expected, accounting and legal firms have flourished as a result of SoX going into effect. Reports of large accounting firms searching desperately for additional SoX-qualified professionals have frequently made the news, especially recently because the compliance deadline date is rapidly approaching. What many, myself included, did not initially realize, however, was just how much SoX would impact the information security arena. It is easy to understand how this Act would tap the knowledge and expertise of the audit community in which internal control is the central focus and well-established IT governance methodologies such as CoBIT are widely used. The relationship of SoX to the information security arena is not, however, quite as intuitive. For years information security professionals have struggled to vault their information security practices into positions of prominence and influence, ones that have strategic value to their organization. We've all tried a variety of approaches, some (such as establishing and using metrics as the basis of establishing value to an organization's business) of which have worked considerably better than others. All things considered, however, it would be difficult to claim


Network Security archive | 1996

Feature: A systematic methodology for firewall penetration testing

Philip R. Moyer; E. Eugene Schultz

Firewall testing is one of the most useful of a set of alternatives for evaluating the security effectiveness of a firewall. A major advantage of firewall testing is being able to empirically determine how secure a firewall is against attacks that are likely to be launched by network intruders. This article advances the view that firewall testing should examine not only the ability of a firewall to resist attacks from external sources, but also the defences of the entire network that the firewall protects against external threats. Accordingly, testing should follow a systematic methodology to ensure that it is complete and appropriate, and to reduce the risk of damage and/or disruption to networks and hosts within.


Computers & Security | 2004

From the editor-in-chief: Intrusion prevention

E. Eugene Schultz

Today's cybercriminals are developing new and increasingly sophisticated attacks to find a way into your network. They are also creating specialized exploits to take advantage of new vulnerabilities, sometimes even before software vendors have an opportunity to release a patch, so delays in patching these zero-day vulnerabilities provide attackers a dangerous window of opportunity. In order to combat these evolving threats, systems administrators need a robust network security solution that protects the network 24 hours a day, 365 days a year.


Network Security archive | 1997

Feature: When firewalls fail: Lessons learned from firewall testing

E. Eugene Schultz

Firewall testing, if properly conducted, is advantageous in revealing specific ways that firewalls can be breached or bypassed. A previous issue of Network Security (March 1996) describes a systematic methodology for testing firewalls that SRI Consulting uses. SRI Consulting has conducted a sufficient number of tests to be able to generalize about how firewalls in real-life environments have succumbed to attacks based on this methodology. Unscreened services in hosts protected by the firewall have been the most frequently exploited exposure, followed by exploitation of services that run on the firewall itself, then by exploitation of a dangerous relationship between a firewall and an external router or host on the DMZ. Because testing results depend on the particular testing methodology used, these illustrate that negative entropy in firewalls does occur. This article also provides a list of action items for firewall and network administrators to ensure that firewall defences are adequate.

Collaboration

Top Co-Authors

Kim-Phuong L. Vu

California State University
