Go Its 25 15
PRESENTATION
Sergey Grigorenko, CISSP CISA CISM, September 2009
AGENDA
- Purpose and scope
- Overview
- Threats against passwords
- GO-ITS 25.15 security controls
- How to meet this standard?
- Questions?
PURPOSE AND SCOPE
The purpose of this presentation is to assist the OPS in understanding the requirements of the GO-ITS 25.15 "Security Requirements for Password Management and Use" standard, the common threats against character-based passwords, and how to mitigate those threats within the cluster or enterprise.
Non-character-based passwords, such as graphic-based passwords, biometrics, digital certificates and authentication protocols, are outside the scope of this presentation.
Audience: non-technical staff and program managers who can use the information presented to facilitate the decision-making processes associated with password management, such as password policy creation.
Duration: 5-7 minutes
OVERVIEW: Information Security
Information security is the protection of information and information systems from unauthorized:
- access
- use
- disclosure
- disruption
- modification or destruction
Information security is achieved by ensuring the confidentiality, integrity and availability of information (CIA).
OVERVIEW: Security Architecture
(Diagram) Analysis of business requirements and regulatory requirements feeds a hierarchy of administrative controls: policies, then standards, then procedures and guidelines. GO-ITS 25.15 is one of the standards in this hierarchy. Administrative controls are complemented by:
- Technical controls: firewalls, intrusion detection and prevention, access control, system hardening
- Physical controls: guards, CCTV, lockers, alarm systems
The cycle is closed by monitoring, reporting and improving.
OVERVIEW: The cost of data loss for 2008
- $50 to $200 per record
- 215 million records lost since January 2008, i.e. $11 to $43 billion
- $6.3 million per company incident
(Source: Gartner)
OVERVIEW: GO-ITS 25.15
The standard "Security Requirements for Password Management and Use" (GO-ITS 25.15) was created by the Information Technology Standards Council (ITSC) to set out security requirements for password management and use.
The objective of GO-ITS 25.15 is to ensure that the management and use of passwords to access Government of Ontario information and information technology is effective, and assists in the mitigation of unacceptable risks to those resources.
OVERVIEW: What is a password?
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource.
Identification is a claimant presenting an identifier (a username) that indicates a user identity to the system.
Authentication is the process of establishing confidence in the validity of a claimant's presented identifier.
Passwords are used in many ways to protect data, systems and networks. For example, passwords authenticate users of operating systems, applications (e.g., email, labor recording), hardware and remote access solutions.
THREATS AGAINST PASSWORDS
In order to protect users and the organization from password attacks, we have to understand the various threats and tactics.
THREATS AGAINST PASSWORDS: Guessing
- Brute force attack: the attacker attempts to guess the password by trying all possible combinations of characters, so the cost grows with the character set and the length.
- Dictionary attack: the attacker attempts to guess the password using a list of likely passwords (a dictionary), which is far smaller than the full keyspace and succeeds quickly against common or predictable passwords.
Password Calculator (brute force time estimator): http://lastbit.com/pswcalc.asp
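The two attacks above, worked through as an added example (Python written for this page, not code from the presentation or from the standard). The first part does what the linked Password Calculator does: it computes the keyspace for a character set and length and the worst-case time to search it at an assumed rate of one billion guesses per second. The second part runs a small offline dictionary attack with mangling rules against a SHA-256 digest of a target. The wordlist, suffix rules, target password and guess rate are all constructed assumptions.

```python
"""Brute force vs. dictionary attack, worked through.

Part 1 reproduces what a password calculator computes: the keyspace for a
character set and length, and the worst-case time to search it at an assumed
guess rate. Part 2 runs a small offline dictionary attack with mangling rules
against a SHA-256 digest of a target password. The wordlist, mangling rules,
guess rate and target are constructed for this example.
"""
import hashlib
import string

# Character sets a brute force attacker must cover (sizes 26, 52, 62, 94).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "lower+upper": string.ascii_letters,
    "lower+upper+digit": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation,
}


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every candidate; on average half of this."""
    return keyspace(charset_size, length) / guesses_per_second


def brute_force_days(guesses_per_second=1e9):
    """Worst-case brute force time in days, keyed by (charset name, length).

    1e9 guesses/s is an assumed offline rate against a fast hash; an online
    login form that locks out after a few failures is many orders slower.
    """
    table = {}
    for name, chars in CHARSETS.items():
        for length in (6, 8, 10, 12):
            secs = seconds_to_exhaust(len(chars), length, guesses_per_second)
            table[(name, length)] = secs / 86400
    return table


# Constructed wordlist; a real attacker's list has millions of entries.
WORDLIST = ["password", "welcome", "ontario", "toronto", "summer", "letmein"]
SUFFIXES = ["", "1", "123", "!", "2009", "09"]


def mangle(word):
    """Yield variants of a dictionary word: case forms, 'a'->'@', suffixes.

    The order is deterministic so the guess count is reproducible.
    """
    bases = [word, word.capitalize(), word.upper()]
    bases += [b.replace("a", "@") for b in bases if "a" in b]
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def sha256_hex(text):
    """Unsalted fast hash, standing in for a weakly protected stored password."""
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_digest, wordlist=WORDLIST):
    """Return (recovered_password, guesses_tried); password is None on failure."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if sha256_hex(candidate) == target_digest:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    days = brute_force_days()
    for (name, length), d in sorted(days.items(), key=lambda kv: kv[1]):
        print(f"{name:18s} len {length:2d}: {d:12.3g} days")
    pw, n = dictionary_attack(sha256_hex("Ontario2009"))
    print(f"dictionary attack recovered {pw!r} after {n} guesses")
```

The table shows why both length and character set matter: eight characters drawn from letters and digits take about 2.5 days to exhaust at the assumed rate, while twelve take tens of thousands of years. The dictionary run shows the other side: a password such as Ontario2009 satisfies every character-class rule yet falls in under sixty guesses, because it is a dictionary word with a predictable suffix.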
GO-ITS 25.15 SECURITY CONTROLS
- Passwords must contain at least 8 characters
- Passwords must contain at least one digit, at least one upper case letter and at least one lower case letter
- User passwords must be tested for strength on a periodic basis
- Passwords themselves are highly sensitive and must be protected accordingly
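The four rules above as code, an added example that is not from the presentation or from GO-ITS 25.15 itself: a compliance check that lists every rule a password breaks, a periodic strength test that goes beyond the rules with a blocklist and a stem check (so Ontario2010! is caught as a trivial variant of a blocklisted Ontario2009), and the size of the keyspace the rules actually leave, computed by inclusion-exclusion. The blocklist, the audited accounts and the sample passwords are constructed.

```python
"""The GO-ITS 25.15 password rules from the slide, as code.

Three parts: a compliance check that reports every rule a password breaks,
a periodic strength test that goes beyond the rules (a blocklist and a
'stem' check that catches Password1 -> Password2 style changes), and the
size of the keyspace the rules leave (inclusion-exclusion). The blocklist
and the audited sample are constructed for this example.
"""
import re

MIN_LENGTH = 8

# (rule text as on the slide, predicate)
RULES = [
    ("at least 8 characters", lambda p: len(p) >= MIN_LENGTH),
    ("at least one digit", lambda p: any(c.isdigit() for c in p)),
    ("at least one upper case letter", lambda p: any(c.isupper() for c in p)),
    ("at least one lower case letter", lambda p: any(c.islower() for c in p)),
]


def violations(password):
    """Rules the password fails, in slide order; empty list means compliant."""
    return [text for text, ok in RULES if not ok(password)]


def is_compliant(password):
    return not violations(password)


# Constructed blocklist: leaked/common passwords the periodic test screens for.
BLOCKLIST = {"password1", "welcome1", "ontario2009", "qwerty123"}
_TRAILING = re.compile(r"[\d\W_]+$")


def stem(password):
    """Lower-case the password and drop trailing digits/punctuation:
    'Ontario2010!' -> 'ontario'. Used to catch trivial variants."""
    return _TRAILING.sub("", password.lower())


BLOCKLIST_STEMS = {stem(b) for b in BLOCKLIST}


def strength_test(password):
    """Periodic strength test. Compliance with the four rules is necessary but
    not sufficient: 'Ontario2009' passes every rule and is still guessable."""
    findings = violations(password)
    if password.lower() in BLOCKLIST:
        findings.append("in blocklist")
    elif stem(password) in BLOCKLIST_STEMS:
        findings.append("trivial variant of a blocklisted password")
    return findings


def audit(accounts):
    """Run the strength test over {user: password}; return only the failures.

    In production this runs against the stored hashes with a cracking tool,
    never against plaintext; the plaintext form here keeps the example short.
    """
    result = {}
    for user, password in accounts.items():
        findings = strength_test(password)
        if findings:
            result[user] = findings
    return result


def compliant_keyspace(length):
    """Strings over [a-zA-Z0-9] of `length` chars with >=1 lower, >=1 upper
    and >=1 digit, by inclusion-exclusion. Slightly smaller than 62**length:
    the complexity rule removes candidates an attacker need not try."""
    low, up, dig = 26, 26, 10
    total = (low + up + dig) ** length
    no_digit = (low + up) ** length
    no_upper = (low + dig) ** length
    no_lower = (up + dig) ** length
    return (total - no_digit - no_upper - no_lower
            + low ** length + up ** length + dig ** length)


if __name__ == "__main__":
    sample = {"alice": "Passw0rd!", "bob": "password", "carol": "Ontario2010!"}
    print(audit(sample))
    print(compliant_keyspace(8), compliant_keyspace(8) / 62 ** 8)
```

Two things the numbers make plain: the periodic strength test is where the real value lies, since the four rules alone accept Ontario2009, and the complexity rule leaves about 73% of the 62^8 keyspace, so it narrows rather than widens what an attacker has to search; length is what grows it.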
THREATS AGAINST PASSWORDS: Social engineering, sniffing and capturing
Social engineering: users may reveal their passwords to attackers. For example, an attacker could pretend to be a help desk agent, call a user, and ask the user to provide a password to assist the agent in troubleshooting a problem.
- Users must not disclose their passwords to anyone else
- Users must immediately change any disclosed or compromised password
Sniffing may occur as passive eavesdropping or as active interception, such as a man-in-the-middle attack in which the attacker serves as an intermediary through which messages between two other systems pass.
Capturing is an attacker acquiring a password from storage, from transmission, or from user knowledge and behaviour.
- Initial passwords must be communicated to the user directly: in person, by telephone or by encrypted email
- Passwords must be encrypted in storage and in transmission
- Unencrypted passwords or credential information must not be cached
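How the storage control above is met in practice, as an added example (Python written for this page, not code from the presentation). The slide says "encrypted in storage"; what actually protects a stolen credential store is a salted, deliberately slow one-way hash, because reversible encryption falls together with its key. The block stores and verifies a password with PBKDF2-HMAC-SHA256 and a random per-password salt, compares digests in constant time, and generates a random initial password that satisfies the 25.15 rules, for the in-person, telephone or encrypted-email delivery the slide requires. The iteration count, salt size and generated length are assumptions.

```python
"""Protecting passwords at rest, plus compliant initial passwords.

The slide requires passwords to be 'encrypted in storage'. In practice a
stored password is protected with a salted, deliberately slow one-way hash
(PBKDF2 here), so a copy of the credential store cannot be turned back into
passwords; reversible encryption would fall with the key. Also shown: a
randomly generated initial password that satisfies the 25.15 rules, for
the out-of-band delivery the slide requires. Iteration count, salt size and
generated length are assumptions for this example.
"""
import hashlib
import hmac
import secrets
import string

ITERATIONS = 600_000     # assumed; tune so one hash costs ~100 ms on the server
SALT_BYTES = 16


def store_password(password, iterations=ITERATIONS):
    """Return the record to persist: algorithm, cost, random salt, digest.
    The plaintext is not kept anywhere."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"alg": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record, candidate):
    """Recompute with the stored salt and cost; compare in constant time so a
    timing difference cannot leak how many digest bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


_LOWER, _UPPER, _DIGIT = string.ascii_lowercase, string.ascii_uppercase, string.digits


def initial_password(length=12):
    """Random initial password meeting the 25.15 rules (>=8 chars, a digit,
    an upper and a lower case letter). One character of each class is
    placed first, the rest drawn from all three, then shuffled with a CSPRNG."""
    if length < 8:
        raise ValueError("GO-ITS 25.15 requires at least 8 characters")
    pool = _LOWER + _UPPER + _DIGIT
    chars = [secrets.choice(_LOWER), secrets.choice(_UPPER), secrets.choice(_DIGIT)]
    chars += [secrets.choice(pool) for _ in range(length - 3)]
    # Fisher-Yates with secrets so the position of the forced classes is not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    pw = initial_password()
    rec = store_password(pw)
    print(pw, rec)
    print(verify_password(rec, pw), verify_password(rec, pw + "x"))
```

Because the salt is random per record, two users who pick the same password get different stored digests, so a stolen store cannot be attacked with one precomputed table for all accounts. Transmission is the other half of the control: the same password must only ever travel inside an encrypted channel such as TLS, and never be written unencrypted to a cache, log or browser store.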
HOW TO MEET THIS STANDARD?
- Create a password policy that specifies all of the organization's password management-related requirements
- Establish a clear process for password management and use (procedures and guidelines)
- Communicate and enforce these requirements to end users through an awareness program and monitoring
QUESTIONS?
Sergey Grigorenko, INFO@SERGRI.NET, September 2009
References:
- NIST Special Publication 800-118, Guide to Enterprise Password Management
- Government of Ontario IT Standard (GO-ITS) 25.15, Security Requirements for Password Management and Use (v1.3)
