Sheesh! This is the song that never ends, it just goes on and on my friends...
I don’t think anything in this business torques this ISO more than a user that blatantly writes their password on a Post-It note and prominently displays it somewhere around their workstation. I could preach this until I am blue in the face, but people are people.
I bring this up again and again, but this week I encountered a couple of things that got my blood boiling again on this very topic.
The Survey
Early this week I was reading a recent survey from Cyber-Ark, an authentication management company. Obviously the section of the article titled “Post-It Notes: The IT Favorite for Storing Passwords” caught my eye immediately. The IT favorite? You have to be kidding me.
“It seems that very little changes year over year - more than half of people still keep their passwords on a Post-It note, in spite of all the education and reminders to do differently. What's shocking about this year's annual survey was that the 50% number now applies to IT Professionals as well! More than half of respondents admitted to using Post-It notes to store administrative passwords, the super-powerful codes pre-built into every system such as the Administrator ID on your local workstation.” - Survey Reveals Scandal of Snooping IT Staff, 5/30/07, Cyber-Ark
50% of IT Professionals admitted that they store (or have stored) passwords on a Post-It note! How many do and didn’t admit it? Should I be surprised? I have to admit that I was a little taken aback.
An Incident
The same day I read the article mentioned above, I received a phone call from one of our IT staff in one of our offices. He was calling to report a suspected incident that may have happened over the weekend. A computer was logged into after hours and used to commit acts that are against our policy. I will leave it at that.
When I receive a call about a potential incident, I begin the incident response process and an investigation. During the course of this investigation it quickly became evident that I would not be able to prove who did what during the time in question. First, all of the people who use(d) the computer in question use a shared account (a separate no-no that is out of the scope of this article), and second, the shared username and password were written on a Post-It note next to the computer.
Physical security (access card controls, CCTV, etc.) aside, there is little that can be done to hold anyone accountable for the actions that took place during this incident.
Essentially, case closed with many possible ramifications.
What to do? Policy, Education, and Enforcement
If you do not have a password policy, you need one. Your password policy must clearly state, in simple terms, what actions are acceptable and what are not in regard to password creation, usage, re-use and destruction. Your policy must be endorsed by the executive management of your company if you have any hope of educating your users and enforcing it with action.
If I have learned one thing in security, it is that the importance of training and awareness cannot be overstated. People are creatures of habit. People with bad habits need to learn good ones. The only way people learn good habits is through constant, consistent training and reinforcement. Your training and awareness program should constantly remind people what you have written in policy, with real-world examples of how it applies to them.
Enforce your policy. Your password policy should be viewed as management’s expectations of acceptable behavior from your users. If management has truly endorsed your password policy, they should expect you to enforce it as well. Enforcement can range from a friendly reminder to termination, depending on the nature of the offense. Whichever method you use to enforce your policy, be consistent and involve your human resources and legal departments as necessary.
Keep in mind that policy, education and enforcement all go “hand-in-hand”. If you are lacking in one, the others will suffer.