CAPR 110-1, 27 Dec 12, CAP Electronic Systems and Data Administration

Started by kratclif, December 27, 2012, 09:54:37 PM


krnlpanick

^^^  :clap:

Quote from: Eclipse on December 28, 2012, 02:31:42 AM
Having a root / superadmin password also doesn't mean it's actually even in use, or "everyone is using it".  It can be in a continuity
envelope at higher HQ.  Used if needed, ignored otherwise.  Again, units are not doing ecommerce or other secure transactions,
and if the whole website goes *poof*, big deal.   It's back up in an hour.

Chris's Rule #7 of Application Security: unused but enabled things are holes waiting for someone to discover.

Generally speaking, you wouldn't think anything of this, and there is no problem necessarily having an account that is that "superuser" or "contingency-user" per se; however, as was noted, you want strong auditing on that user. Not only log auditing, but enabling alerting when that user account is accessed is also important. I have a few systems that have had similar "contingency-users": if the user logs on, a file is accessed in that user's home directory (read or write), or that user receives an email from a non-system account, I receive a notification via email and SMS. Generally speaking, if someone is going to legitimately use that account for anything, I will know about it beforehand, so any time I receive that text at 0200 I am going to investigate immediately.

Quote from: JeffDG on December 28, 2012, 03:06:47 AM
And back on topic for their password complexity rules:

First off, I <3 xkcd, arguably the best thing on the internet.

Human-Readable Passwords are the problem. I use 32 character randomly generated passwords consisting of uppers, lowers, numbers, and special characters. I use a password database to remember those passwords so I don't have to. I keep the key-file to that password database on a USB stick that is on my person, so if it is compromised I will know it. Doing that same math for one of my passwords:

My Random Password: ^j-}v& iKDvWC7_33w9M{z'%dF$A!E>N
Bits of Entropy: 165
2^165 = 4.68 * 10^49 Possible Combinations
1.483 * 10^39 Years at 1000/sec guesses

This results in me not having to remember anything other than where I put the key to my password database (or the backup of the key).

The problem is that we teach password complexity, but we do not teach implementation.
2nd Lt. Christopher A. Schmidt, CAP
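The contingency-account alerting described in the post above (a login, a read or write in the account's home directory, or mail to it from a non-system sender triggers a notification), as an added example that is not the poster's own tooling: the account name, the simplified log format, the sample log lines and the approved maintenance window are all constructed assumptions.

```python
import re
from datetime import datetime

ACCOUNT = "contingency"                          # assumed name of the break-glass account
SYSTEM_SENDERS = {"root", "cron", "postmaster"}   # mail from these local parts is routine, not an alert

# Simplified syslog-style lines, constructed for this example (not real logs).
SAMPLE_LOG = """\
2012-12-28T02:03:11 web01 sshd[4121]: Accepted password for contingency from 10.0.0.7 port 51022 ssh2
2012-12-28T02:03:40 web01 audit: uid=contingency op=write path=/home/contingency/.bash_history
2012-12-28T02:04:02 web01 postfix/local[900]: to=<contingency@example.org> from=<someone@gmail.com> status=sent
2012-12-28T02:05:00 web01 postfix/local[901]: to=<contingency@example.org> from=<cron@web01> status=sent
2012-12-28T09:00:01 web01 sshd[5000]: Accepted password for alice from 10.0.0.8 port 51100 ssh2
2012-12-28T14:10:05 web01 sshd[5210]: Accepted publickey for contingency from 10.0.0.9 port 51500 ssh2
"""

# Pre-announced maintenance window (assumed): use of the account inside it is expected.
APPROVED_WINDOWS = [(datetime(2012, 12, 28, 14, 0), datetime(2012, 12, 28, 15, 0))]

LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
FILE_RE = re.compile(r"audit: uid=(?P<uid>\S+) op=(?P<op>\S+) path=(?P<path>\S+)")
MAIL_RE = re.compile(r"to=<(?P<to>[^>]+)> from=<(?P<sender>[^>]+)>")

def classify(event: str):
    """Return (rule, detail) if the event touches the break-glass account, else None."""
    m = LOGIN_RE.search(event)
    if m and m["user"] == ACCOUNT:
        return ("login", f"login from {m['src']}")
    m = FILE_RE.search(event)
    if m and m["path"].startswith(f"/home/{ACCOUNT}/"):
        return ("home-dir-access", f"{m['op']} {m['path']} by {m['uid']}")
    m = MAIL_RE.search(event)
    if m and m["to"].split("@")[0] == ACCOUNT:
        if m["sender"].split("@")[0] not in SYSTEM_SENDERS:
            return ("mail-from-non-system", f"mail from {m['sender']}")
    return None

def in_approved_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in APPROVED_WINDOWS)

def scan(log_text: str) -> list:
    """Return alert dicts; anything outside an approved window is flagged for immediate follow-up."""
    alerts = []
    for line in log_text.splitlines():
        ts_str, _, event = line.partition(" ")
        hit = classify(event)
        if hit is None:
            continue
        rule, detail = hit
        severity = "expected" if in_approved_window(datetime.fromisoformat(ts_str)) else "investigate-now"
        alerts.append({"time": ts_str, "rule": rule, "detail": detail, "severity": severity})
    return alerts

if __name__ == "__main__":
    # Stand-in for the email/SMS notification the post describes.
    for a in scan(SAMPLE_LOG):
        print(f"{a['time']} [{a['severity']}] {a['rule']}: {a['detail']}")
```

The 0200 login, the home-directory write and the external mail are flagged for immediate investigation; the 1410 login falls inside the announced window and is reported as expected.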
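The brute-force arithmetic from the post above, as an added example that is not part of the original thread: it takes the post's 165-bit figure and its 1000 guesses/sec rate as given, and alongside them shows the theoretical maximum for 32 symbols drawn uniformly from the 95 printable ASCII characters and the xkcd-style passphrase (assumed here to be 4 words from a 2048-word list). The 365-day year is the one the post's numbers imply.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600   # 365-day year, as in the post's figures
PRINTABLE_ASCII = 95                 # uppers + lowers + digits + 33 specials (space included)

def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password of `length` symbols chosen uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)

def wordlist_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of `words` words chosen uniformly from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)

def combinations(bits: float) -> float:
    """Number of candidates an attacker must cover to exhaust a space of `bits` bits."""
    return 2.0 ** bits

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return combinations(bits) / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    rate = 1000.0   # guesses per second, the rate used in the post
    for label, bits in [
        ("post's 32-char random password (strength-meter figure)", 165),
        ("32 chars uniform over printable ASCII (upper bound)", charset_entropy_bits(32, PRINTABLE_ASCII)),
        ("4 random words from a 2048-word list (xkcd style)", wordlist_entropy_bits(4, 2048)),
    ]:
        print(f"{label}: {bits:.0f} bits, {combinations(bits):.3g} combinations, "
              f"{years_to_exhaust(bits, rate):.4g} years at {rate:.0f}/sec")
```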

Eclipse

Quote from: krnlpanick on December 28, 2012, 04:28:37 AM
The problem is that we teach password complexity, but we do not teach implementation.

I agree. I have a client with all manner of complicated security settings for their user IDs, and then they require everyone to have the actual password on a Post-it in their drawer.

"That Others May Zoom"

JeffDG

Quote from: Eclipse on December 28, 2012, 03:52:10 PM
Quote from: krnlpanick on December 28, 2012, 04:28:37 AM
The problem is that we teach password complexity, but we do not teach implementation.

I agree. I have a client with all manner of complicated security settings for their user IDs, and then they require everyone to have the actual password on a Post-it in their drawer.

a2capt

.. and all this HIPAA stuff, I still find passwords written under keyboards, on the pull-out "cutting board" ;-) thing on desks, behind doors on the hutch, and .. even right on the monitor. ;)

"It's too hard to remember, the software won't let me use the simple stuff" "If I use the finger print thing, then I can't call in and have people look up stuff they need, if I'm not here". D'oh!

arajca

Quote from: a2capt on December 28, 2012, 05:02:46 PM
.. and all this HIPAA stuff, I still find passwords written under keyboards, on the pull-out "cutting board" ;-) thing on desks, behind doors on the hutch, and .. even right on the monitor. ;)

"It's too hard to remember, the software won't let me use the simple stuff" "If I use the finger print thing, then I can't call in and have people look up stuff they need, if I'm not here". D'oh!
Head, Wall. Wall, Head. Play Nice.

coudano

Don't forget, your password has to be at least 15 characters, with 2 of everything, nothing too close to a dictionary word, AND you have to change them all every 6 months, and your password cannot too closely match anything that has been your password in the last 12 months...

Quite frankly, *I* write down passwords, for the systems I have to use that have stupid rules like this (and I generally abhor writing down passwords).

I don't keep them in the drawer, under the keyboard, or on the monitor.  But they are written down.
Really, I try to avoid using systems like that as much as possible, but sometimes it can't be avoided...

There is definitely some over-reaction there, and there is a "stupid line" that you cross, where you actually make your stuff less secure, by making the policies too strict.

Phil Hirons, Jr.

It is impossible to build idiot-proof software. The world keeps building better idiots.

NIN

Quote from: Eclipse on December 28, 2012, 03:52:10 PM
I agree. I have a client with all manner of complicated security settings for their user IDs, and then they require everyone to have the actual password on a Post-it in their drawer.

I always like the Excel file with user IDs & passwords in the publicly accessible directory on the server.

Hackers assume it's a honeypot.
Darin Ninness, Col, CAP
I have no responsibilities whatsoever
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2024 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

krnlpanick

Quote from: NIN on December 28, 2012, 09:19:32 PM
Quote from: Eclipse on December 28, 2012, 03:52:10 PM
I agree. I have a client with all manner of complicated security settings for their user IDs, and then they require everyone to have the actual password on a Post-it in their drawer.

I always like the Excel file with user IDs & passwords in the publicly accessible directory on the server.

Hackers assume it's a honeypot.

:o :o :o :o

Insiders do not, and a good hacker will profile his targets long beforehand, knowing where the actual honeypots are.

My take: if you have enough time to store your user ID and password in an Excel spreadsheet, is it really any more difficult to use software that was designed to store your usernames and passwords in a way that is secure? I use KeePass, which has clients for iPhone, Android, Windows, Mac, and *nix, as well as browser plugins for both Firefox and Chrome that allow you to bypass the need to even have the database "open" and auto-fill usernames and passwords for you, so you don't really even need to interact with it; plus it generates secure random passwords that you don't know about, thus eliminating the human factor from the equation altogether.

I have seen employment terminated for storing passwords in clear text; that one employee invalidates any compliance with any regulatory standards that an organization has to be compliant against. Thing is, if that employee's spreadsheet provides passwords to either the insider to elevate their access or to the outsider to give them access to sensitive resources, it is the organization that is punished with huge fines and legal actions; the employee gets fired and finds a new job where he does the exact same thing.
2nd Lt. Christopher A. Schmidt, CAP

A.Member

Quote from: coudano on December 27, 2012, 10:11:27 PM
Quote from: kratclif on December 27, 2012, 09:54:37 PM
As an IT Pro I hate password sharing; IMHO passwords should be kept secret for a number of reasons.

As an IT Pro, you should be in favor of limited and appropriate password sharing.
Umm, NO!!! 

No one should ever be in favor of using common IDs and passwords.  Contrary to implications later in your post, doing so does not align with any InfoSec best practices and is a direct violation of standards, such as PCI.  Each user should have a unique ID and password.  This allows for logging and tracking of activity. 
"For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return."

JeffDG

Quote from: A.Member on December 29, 2012, 12:23:31 AM
Quote from: coudano on December 27, 2012, 10:11:27 PM
Quote from: kratclif on December 27, 2012, 09:54:37 PM
As an IT Pro I hate password sharing; IMHO passwords should be kept secret for a number of reasons.

As an IT Pro, you should be in favor of limited and appropriate password sharing.
Umm, NO!!! 

No one should ever be in favor of using common IDs and passwords.  Contrary to implications later in your post, doing so does not align with any InfoSec best practices and is a direct violation of standards, such as PCI.  Each user should have a unique ID and password.  This allows for logging and tracking of activity.
I've used a shared password at exactly one client...ever.

It was a high-security environment.  They were concerned to the point that they needed assurances that the IT folks could not get into certain parts of the system, even the CIO was not cleared for some of the projects.  That said, there was a need for administrative access to certain system functions at specific times.

Compromise was reached.  Two people were entrusted with half of the admin password each...and it was extreme, like 15 characters each...they each put their part of the password on a card, it was sealed in an envelope, initials on the seal, the whole 9 yards.  The seal had to be personally verified by both of them on a weekly basis (and it was written down in case one of them was hit by a bus), and changed once a month (with the original envelope being destroyed still sealed so nobody could find patterns in the passwords being set).

When it was needed, they both needed to agree, and would each enter their portion of the password, then they were required to observe the other performing the actions that required the admin account.  About 10 executives got alerts whenever the account was accessed, and a full report of why was due within 2 hours of access to them.

Beyond that, not a lot of need for shared passwords.

A.Member

Quote from: JeffDG on December 29, 2012, 12:34:28 AM
Quote from: A.Member on December 29, 2012, 12:23:31 AM
Quote from: coudano on December 27, 2012, 10:11:27 PM
Quote from: kratclif on December 27, 2012, 09:54:37 PM
As an IT Pro I hate password sharing; IMHO passwords should be kept secret for a number of reasons.

As an IT Pro, you should be in favor of limited and appropriate password sharing.
Umm, NO!!! 

No one should ever be in favor of using common IDs and passwords.  Contrary to implications later in your post, doing so does not align with any InfoSec best practices and is a direct violation of standards, such as PCI.  Each user should have a unique ID and password.  This allows for logging and tracking of activity.
I've used a shared password at exactly one client...ever.

It was a high-security environment.  They were concerned to the point that they needed assurances that the IT folks could not get into certain parts of the system, even the CIO was not cleared for some of the projects.  That said, there was a need for administrative access to certain system functions at specific times.

Compromise was reached.  Two people were entrusted with half of the admin password each...and it was extreme, like 15 characters each...they each put their part of the password on a card, it was sealed in an envelope, initials on the seal, the whole 9 yards.  The seal had to be personally verified by both of them on a weekly basis (and it was written down in case one of them was hit by a bus), and changed once a month (with the original envelope being destroyed still sealed so nobody could find patterns in the passwords being set).

When it was needed, they both needed to agree, and would each enter their portion of the password, then they were required to observe the other performing the actions that required the admin account.  About 10 executives got alerts whenever the account was accessed, and a full report of why was due within 2 hours of access to them.

Beyond that, not a lot of need for shared passwords.
I can't speak to what you did or that company's policies. However, shared, interactive passwords in a prod environment will not pass any real security audit; no chance for compliance with standards such as PCI. Trust me. :)
"For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return."

Brad

Quote from: JeffDG on December 29, 2012, 12:34:28 AM
Quote from: A.Member on December 29, 2012, 12:23:31 AM
Quote from: coudano on December 27, 2012, 10:11:27 PM
Quote from: kratclif on December 27, 2012, 09:54:37 PM
As an IT Pro I hate password sharing; IMHO passwords should be kept secret for a number of reasons.

As an IT Pro, you should be in favor of limited and appropriate password sharing.
Umm, NO!!! 

No one should ever be in favor of using common IDs and passwords.  Contrary to implications later in your post, doing so does not align with any InfoSec best practices and is a direct violation of standards, such as PCI.  Each user should have a unique ID and password.  This allows for logging and tracking of activity.
I've used a shared password at exactly one client...ever.

It was a high-security environment.  They were concerned to the point that they needed assurances that the IT folks could not get into certain parts of the system, even the CIO was not cleared for some of the projects.  That said, there was a need for administrative access to certain system functions at specific times.

Compromise was reached.  Two people were entrusted with half of the admin password each...and it was extreme, like 15 characters each...they each put their part of the password on a card, it was sealed in an envelope, initials on the seal, the whole 9 yards.  The seal had to be personally verified by both of them on a weekly basis (and it was written down in case one of them was hit by a bus), and changed once a month (with the original envelope being destroyed still sealed so nobody could find patterns in the passwords being set).

When it was needed, they both needed to agree, and would each enter their portion of the password, then they were required to observe the other performing the actions that required the admin account.  About 10 executives got alerts whenever the account was accessed, and a full report of why was due within 2 hours of access to them.

Beyond that, not a lot of need for shared passwords.

Jeff why do I picture this being your morning commute?

Michael Madsen in Wargames
Brad Lee
Maj, CAP
Assistant Deputy Chief of Staff, Communications
Mid-Atlantic Region
K4RMN

coudano

Look, I've learned and passed tests on, and gotten the alphabets after my title for, all of the 'industry definitions' and 'best practices'. They are a great baseline, and if you followed them verbatim, you certainly wouldn't be doing anything outright wrong.

At the end of the day though, information security is a practical application of policies based upon a balance of risk assessment vs functional needs.

I could train at least a dozen examples in front of you, where 'industry standards' are bent or broken in the interest of functionality or business needs, while still maintaining acceptable (risk calculated, and accepted) security levels.  Proper business policy documentation accomplished, auditor satisfied.

There is also a certain level of paranoia and trust that have to be balanced, and accepted as part of the risk of doing business. You can separate out admin/root rights all day long amongst a team of sysadmins, which is great, but they are still root/admin, and any one of them can still manipulate logs to erase inappropriate actions, or even point the finger at someone else. And look, at the end of the day, all of your admins probably have physical access, which is the same thing as just handing everyone the root password. Unless you are going to put all your computers in a vault, video record them 24/7/365, and require two-person integrity every time someone physically touches a computer... And so on. Don't get me wrong, there are times and places where those strict measures are appropriate (and when they are, use them, by all means). There are other times (like the CAP Squadron #123 webserver) when all of that is just silly, and you either trust your sysadmin(s) not to rip you off, or you don't...

I could also train (at least) four (PCI) auditors (that I have actually worked with) in front of you, who are complete morons.

That said, when CAP starts handling PCI or HIPAA or FERPA information, or other such information which comes with specific legal or regulatory baggage, then we can start talking about carrying that baggage. If you don't have to meet those regulations (which no squadron website should), then it's silly to carry that baggage just because you can. But don't let me quash your enthusiasm, knock yourself out :)

Here is a nice security centric white paper about the use of shared accounts in the 'real world' application of IT administration, versus the pristine world of theory (er, certification testing).
http://www.sans.org/reading_room/whitepapers/basics/administration-shared-accounts_1271

NIN

Many years ago, I got the "Additional Duty" of "Wing Computer Guy" (I think it was on the personnel authorization as "Computer Consultant"; this was WAY before 110-1 and IT Officers). We were discussing putting a server in at wing, so that we had a central place for the Wing's administrator to put things, etc.

The wing commander says "Well, there is quite a bit of sensitive information that she has on her PC right now. I would want that secured in such a way so that not even the administrator can see it."

I told him "You can do it that way, but really, the administrator is going to have broad access, partly due to making the backups work, etc."

The wing commander makes a face and looks over at our Wing LO who was sitting in.

"What do they do in the Air Force?"

The LO shrugs. "Someplace in the bowels of the comm shop, there is a bored TSgt with the keys to the kingdom."

Darin Ninness, Col, CAP
I have no responsibilities whatsoever
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2024 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

a2capt

Quote from: NIN on December 29, 2012, 03:25:29 AM
The LO shrugs. "Someplace in the bowels of the comm shop, there is a bored TSgt with the keys to the kingdom."
..and he might bring in CD-RW's labeled "Lady Gaga" and do the swapperoonie on the contents.. ;)

Oh, wait.

Tim Medeiros

Quote from: NIN on December 29, 2012, 03:25:29 AM
The LO shrugs. "Someplace in the bowels of the comm shop, there is a bored TSgt with the keys to the kingdom."
Add in a couple of airmen that report to said TSgt and that is right on the money  :P
TIMOTHY R. MEDEIROS, Lt Col, CAP
Chair, National IT Functional User Group
1577/2811

Devil Doc

I have to remember numerous passwords at work. Not only that, we have to change them every 90 days. On top of that, you can't use the same password twice EVAR!! Talk about frustrating!! I work for the Department of Veterans Affairs, so you know how locked down the VA is. Very time consuming when they all go out at once; it takes you some time to change them.
Captain Brandon P. Smith CAP
Former HM3, U.S NAVY
Too many Awards, Achievements and Qualifications to list.