ETHICAL HACKING AND COUNTERMEASURES

As personal data is shared and used in every part of society, protecting that information has become paramount. Cybersecurity should protect individuals from cyber-threats, but it should also work to eliminate vulnerabilities. Using hacking techniques to prevent cybercrime and to develop new countermeasures that protect computers, servers, networks, web applications, mobile devices, and stored data from black-hat attackers with malicious intent, and to block unauthorized access, rather than hacking in the traditional sense of launching attacks on these devices, can produce new and advanced solutions against cybercrime.

Prevent Hacking with Password-Cracking Countermeasures

Taking some general countermeasures can prevent hacking of your important passwords. A password for one system usually equals passwords for many other systems because many people use the same passwords on every system they use. For this reason, you might want to consider instructing users to create different passwords for different systems, especially on the systems that protect information that’s more sensitive. The only downside to this is that users have to keep multiple passwords and, therefore, might be tempted to write them down, which can negate any benefits.

Prevention

STORAGE OF PASSWORDS
If you have to choose between weak passwords that your users can memorize and strong passwords that your users must write down, have users write down their passwords and store them securely. Train users to keep written passwords in a secure place, not on or under keyboards and not in easily cracked password-protected computer files. Users should store a written password in one of these locations:
  • A locked file cabinet or office safe
  • A system protected with full (whole) disk encryption, which can prevent an intruder from ever accessing the OS and the passwords stored on it
  • A secure password management tool such as:
    • LastPass
    • Password Safe, an open source program originally developed by Counterpane
Detection
PASSWORD POLICIES

As an ethical hacker, you should show users the importance of securing their passwords. Here are some tips on how to do that:

  • Demonstrate how to create secure passwords. Refer to them as passphrases because people tend to take passwords literally and use only words, which can be less secure.
  • Show what can happen when weak passwords are used or passwords are shared.
  • Diligently build user awareness of social engineering attacks.
  • Enforce (or at least encourage the use of) a strong password-creation policy that includes the following criteria:
    • Use upper- and lowercase letters, special characters, and numbers. Never use only numbers. Such passwords can be cracked quickly.
    • Misspell words or create acronyms from a quote or a sentence. For example, ASCII is an acronym for American Standard Code for Information Interchange that can also be used as part of a password.
    • Use punctuation characters to separate words or acronyms.
    • Change passwords every 6 to 12 months or immediately if they’re suspected of being compromised. Anything more frequent introduces an inconvenience that serves only to create more vulnerabilities.
    • Use different passwords for each system. This is especially important for network infrastructure hosts, such as servers, firewalls, and routers. It’s okay to use similar passwords; just make them slightly different for each type of system, such as SummerInTheSouth-Win7 for Windows systems and Linux+SummerInTheSouth for Linux systems.
    • Use variable-length passwords. This trick can throw off attackers because they won’t know the required minimum or maximum length of passwords and must try all password length combinations.
    • Don’t use common slang words or words that are in a dictionary.
    • Don’t rely completely on similar-looking characters, such as 3 instead of E, 5 instead of S, or ! instead of 1. Password-cracking programs can check for this.
    • Don’t reuse the same password within at least four to five password changes.
    • Use password-protected screen savers. Unlocked screens are a great way for systems to be compromised even if their hard drives are encrypted.
    • Don’t share passwords. To each his or her own!
    • Avoid storing user passwords in an unsecured central location, such as an unprotected spreadsheet on a hard drive. This is an invitation for disaster. Use Password Safe or a similar program to store user passwords.
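As an added illustration (not code from the original page), the following Python checker applies the policy criteria above to a candidate passphrase: mixed character classes, no digits-only passwords, a dictionary test that first undoes the look-alike substitutions cracking programs try, and a reuse check against the last five passwords. The word list and the LOOKALIKES table are constructed for this example.

```python
import re

# Constructed word list standing in for the dictionary a cracking tool would be fed.
DICTIONARY = {"summer", "south", "password", "welcome", "admin", "letmein"}

# Look-alike substitutions the page says crackers test for (3->E, 5->S) plus common
# companions; the checker undoes them so a disguised dictionary word is still caught.
LOOKALIKES = str.maketrans({"3": "e", "5": "s", "0": "o", "@": "a", "$": "s", "1": "l"})

HISTORY_DEPTH = 5   # page: do not reuse a password within the last four to five changes

def normalize(pw):
    """Lower-case the candidate and reverse the look-alike character swaps."""
    return pw.lower().translate(LOOKALIKES)

def policy_violations(pw, history=()):
    """Return the policy criteria the candidate fails; an empty list means accepted."""
    problems = []
    if not all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")):
        problems.append("mix upper- and lowercase letters, digits and special characters")
    if pw.isdigit():
        problems.append("never use only numbers")
    # Punctuation separates words or acronyms, so each piece is checked on its own:
    # a passphrase like SummerInTheSouth-Win7 passes, a disguised single word does not.
    pieces = [w for w in re.split(r"[^a-z]+", normalize(pw)) if w]
    if any(w in DICTIONARY for w in pieces):
        problems.append("contains a dictionary word, even with look-alike characters")
    if pw in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} password changes")
    return problems
```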
Response
OTHER COUNTERMEASURES

Here are some other password-hacking countermeasures:

  • Enable security auditing to help monitor and track password attacks.
  • Test your applications to make sure they aren’t storing passwords indefinitely in memory or writing them to disk. A good tool for this is WinHex.
  • Keep your systems patched. Passwords are reset or compromised during buffer overflows or other denial of service (DoS) conditions.
  • Know your user IDs. If an account has never been used, delete or disable the account until it’s needed. You can determine unused accounts by manual inspection or by using a tool such as DumpSec, which can enumerate the Windows operating system and gather user IDs and other information.
  • As the security administrator in your organization, you can enable account lockout to prevent password-cracking attempts. Account lockout is the ability to lock user accounts for a certain time after a certain number of failed login attempts has occurred. Most operating systems have this capability. Don’t set the threshold too low, and don’t set it so high that a malicious user gets a greater chance of breaking in; somewhere between 5 and 50 might work for you. Consider the following when configuring account lockout on your systems:
    • To use account lockout without opening the door to a user DoS condition, require two different passwords, and don’t set a lockout time for the first one if that feature is available in your operating system.
    • If you permit autoreset of the account after a certain period (often referred to as intruder lockout), don’t set a short time period. Thirty minutes often works well.
  • A failed login counter can increase password security and minimize the overall effects of account lockout if the account experiences an automated attack. A login counter can force a password change after a number of failed attempts. If the number of failed login attempts is high and occurred over a short period, the account has likely experienced an automated password attack.
  • Other password-protection countermeasures include:
    • Stronger authentication methods, such as challenge/response, smart cards, tokens, biometrics, or digital certificates.
    • Automated password reset. This functionality lets users manage most of their password problems without getting others involved. Otherwise, this support issue becomes expensive, especially for larger organizations.
    • Password-protecting the system BIOS. This is especially important on servers and laptops that are susceptible to physical security threats and vulnerabilities.
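To make the lockout and failed-login-counter settings above concrete, here is an added Python example (not from the page) that replays constructed authentication events through a threshold of 5 attempts, a 30-minute automatic reset, and a burst check that flags a lockout reached within two minutes as a probable automated attack. The log format, the BURST_WINDOW value and the sample hosts are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                      # page: "somewhere between 5 and 50"
LOCKOUT_DURATION = timedelta(minutes=30)   # page: intruder-lockout auto-reset, 30 minutes
BURST_WINDOW = timedelta(minutes=2)        # assumed cut-off for "high count over a short period"
# Constructed authentication events in a simple syslog-like shape (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:02 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:03 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:04 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:05 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:06 FAIL user=alice src=203.0.113.5
2024-03-01T09:05:00 FAIL user=bob src=10.0.0.8
2024-03-01T09:05:20 OK user=bob src=10.0.0.8
2024-03-01T09:31:00 OK user=alice src=10.0.0.7
"""

class LockoutPolicy:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, duration=LOCKOUT_DURATION):
        self.threshold, self.duration = threshold, duration
        self.failures = defaultdict(list)  # user -> timestamps of recent failed attempts
        self.locked_until = {}             # user -> moment the automatic reset lifts the lock
        self.alerts = []                   # (user, src, failures) judged an automated attack

    def record(self, ts, result, user, src):
        # While the lock is in force every attempt is rejected, right password or not.
        if ts < self.locked_until.get(user, ts):
            return "locked"
        if result == "OK":
            self.failures[user].clear()    # a good login resets the counter
            return "ok"
        self.failures[user].append(ts)
        if len(self.failures[user]) < self.threshold:
            return "fail"
        # Threshold reached: lock the account; the failed-login counter then judges the burst
        # and a lockout filled within BURST_WINDOW is flagged so a password change can be forced.
        self.locked_until[user] = ts + self.duration
        if ts - self.failures[user][0] <= BURST_WINDOW:
            self.alerts.append((user, src, len(self.failures[user])))
        self.failures[user].clear()
        return "lock"

def replay(log_text, policy=None):
    """Feed each log line through the policy; return per-event outcomes and the alerts raised."""
    policy = policy or LockoutPolicy()
    outcomes = []
    for line in log_text.splitlines():
        ts, result, user, src = line.split()
        outcomes.append(policy.record(datetime.fromisoformat(ts), result,
                                      user.split("=", 1)[1], src.split("=", 1)[1]))
    return outcomes, policy.alerts
```

Bob's single typo followed by a successful login raises no alert, while alice is locked on the fifth failure, her sixth attempt is rejected outright, and her legitimate login after the 30-minute reset succeeds.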
Hunting
  • Ongoing, proactive hunting.
    • Leads that are automatically created by contextual tagging of unusual behavior.
    • Complemented by targeted hunting based on your unique environmental risks, changes to your threat landscape, or intelligence on new attack campaigns and techniques.
  • Machine learning analytics.
    • We augment human experience with machine learning analytics, which can highlight subtle behavioral changes in petabytes of data.
    • Our approach uses time, entity, and peer-group models to quickly spot anomalies that suggest highly evasive threats, which means we can prioritize mitigation before threats become breaches.
