Author: Chuck Copland

Chuck Copland is the Safe Systems ISO, and in that capacity, he experiences many of the same thrills and chills of all ISOs. He stresses over auditor visits, agonizes over data security incidents, and takes an odd, almost uncomfortable pleasure in conducting social engineering exercises.
31 Jan 2019

Ask the ISO: What Makes a Good Password?

Hey Chuck!

Our auditor is telling us we need longer passwords. I’ve done some reading and asked around on this, and I’ve heard everything from 8 to 15 characters. How long should our passwords be?


Ask a simple question, get… a different answer from every person you ask. Frustratingly enough, they all might be right.

Minimum password length settings get a lot of scrutiny, and this makes sense. Although the FFIEC issued a statement on securing credentials, they offered no specifics beyond “Implement(ing) an adequate password policy.” Without a clear regulatory directive, password settings are often determined according to subjective “industry best practices”. You may have heard that “longer equals stronger” when it comes to passwords. Security experts largely agree with that statement. We all want strong passwords, so just make long passwords and all is well! Sounds easy enough, right? Unfortunately, the truth is more complicated, and this single setting is not a security silver bullet. Password length is certainly important, but it must be considered in the proper context.

Different Degrees of Risk

As with so many Information Security decisions, risk should be front-and-center. This starts with the fundamental understanding that each of the information systems you use presents a different degree of risk. For instance, the risk of unauthorized logical access to core banking software likely dwarfs the risk of access to an employee time clock application. (I’ve written about securing email here.) User rights also factor in here. A supervisor with the ability to create or edit other user accounts almost certainly poses a greater risk than a general user account. And what if the system is public-facing? We could keep going here and analyze other risk factors, but you get the idea. The further down the risk rabbit-hole you venture, the less sense a one-size-fits-all approach to password length makes. Simply put, control strength must follow logically from inherent risk level.

Password length gets a disproportionate amount of attention compared to other password settings such as complexity or age, but each setting can influence risk profile. Layer on multi-factor authentication (MFA), and the conversation changes again. Individual controls should not be considered in a vacuum, and the same holds true for password length.

Working Against Ingenuity

Then there is that pesky human element that keeps every ISO up at night. The truth is, tuning some password settings up too high can actually make you less secure. If you make authentication too difficult, the humans on the other side of the keyboard may find inventive ways to circumvent your carefully crafted controls. While enforcing a 20-character password may sound like a no-brainer to a security-minded IT administrator, end-users might simply choose “a, b, c, …t” as their password, meeting the letter but certainly not the spirit of your password policy. If they do choose something harder to guess, they may have trouble remembering their new-and-improved password. You might start finding passwords written down in a top desk drawer or on a sticky note under the keyboard. Your IT folks might also be faced with more password unlocks/resets due to fat-fingering those keystrokes. You must factor in your users’ tolerances and your institution’s culture, especially when considering changes to something as ubiquitous as passwords.

Training is Key

Don’t discount or neglect the power of persistent training here! After all, your users cannot be expected to follow rules they do not know about or understand. This starts with clear written End User Policies and annual training to reinforce those expected behaviors, but you don’t have to stop there. Educating your users about the benefits of long passphrases is a great way to gently nudge your institution’s culture in the direction of longer passwords without changing a single setting.

There Are National Standards

With all of these variables to consider, how do you make the right decision on password length? The FFIEC does not offer precise guidance on the matter, only that you need a password policy commensurate with risk. When looking for more specificity, it never hurts to look to the National Institute of Standards and Technology (NIST). NIST is the standards body for government entities and perhaps the most widely respected security resource out there. In fact, NIST standards were actually the foundation for some FFIEC guidance. Thankfully, NIST provides some advice about passwords in the Digital Identity Guidelines publication. While the NIST stance on passwords has evolved recently (more on that juicy topic in a future blog post), the publication once again confirms a long-held industry standard of 8 characters MINIMUM for any password. Keep in mind that this should be considered the bare minimum, even as you add complexity or another (dual or multi) authentication factor. As the sensitivity of the system or the privilege of the user increases, so too should your password complexity (length plus non-alpha characters). For critical systems and high-privilege users, your focus should be multi-factor / out-of-band authentication instead of strengthening a single factor delivered via a single channel.
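As an added example (not from the original post), here is a Python sketch of the point made in the "Working Against Ingenuity" and "National Standards" sections above: a length-only rule is satisfied by a keyboard sequence such as "abcdefghijklmnopqrst", while a policy tiered by inherent risk also rejects that pattern, checks for the non-alpha characters the NIST-based advice mentions, and requires MFA at the highest tier. The tier thresholds above the 8-character floor and the run-length limit of 4 are assumed values chosen for illustration, not figures from NIST or the FFIEC.

```python
import string

# Illustrative policy tiers keyed by inherent risk. The values are assumed for
# this example; the post only fixes the 8-character floor from NIST.
POLICY_TIERS = {
    "low":    {"min_length": 8,  "non_alpha": False, "mfa": False},
    "medium": {"min_length": 12, "non_alpha": True,  "mfa": False},
    "high":   {"min_length": 14, "non_alpha": True,  "mfa": True},
}


def longest_sequential_run(password):
    """Length of the longest run of adjacent characters that step by +1/-1 in
    code point ("abcd", "4321") or simply repeat ("aaaa")."""
    best = run = 1
    for prev, cur in zip(password, password[1:]):
        if ord(cur) - ord(prev) in (-1, 0, 1):
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def evaluate(password, tier, mfa_enabled=False, max_run=4):
    """Return a list of policy findings for the given risk tier.

    An empty list means the password meets the tier's letter (length, non-alpha
    characters, MFA where required) and is not an obvious sequential pattern.
    """
    rules = POLICY_TIERS[tier]
    findings = []
    if len(password) < rules["min_length"]:
        findings.append(f"shorter than {rules['min_length']} characters")
    if rules["non_alpha"] and all(c in string.ascii_letters for c in password):
        findings.append("no non-alphabetic character")
    if longest_sequential_run(password) >= max_run:
        findings.append("contains a sequential or repeated run")
    if rules["mfa"] and not mfa_enabled:
        findings.append("tier requires multi-factor authentication")
    return findings


if __name__ == "__main__":
    # "a, b, c, ... t" from the post: 20 characters, so it passes any
    # length-only rule, but the run check exposes it as a pattern.
    print(evaluate("abcdefghijklmnopqrst", "low"))
    print(evaluate("correct horse staple!", "high"))
```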

In Conclusion

In the end, every risk must be assessed and controlled differently, and only your organization truly knows what password settings are appropriate for your risk profile. A single password policy for all of your systems fails to recognize the risk associated with your different systems. You don’t want to undershoot risk mitigation for some systems while overshooting it for others, and neither should your password policy be unnecessarily prohibitive to the end-user. Finally, keep in mind that even the longest, most complex password is virtually useless if a user accidentally exposes their credentials by falling for a phishing email or by reusing their password at an unassociated site that gets hacked.

The next time someone tells you how long your passwords should be, thank them for their opinion, and then don’t be afraid to ask them why!

08 Jun 2016

Ask the ISO — How Can I Manage Email Risks?

Hey Chuck, A bank I used to work for had a bad scare recently – they got hit with ransomware!! Best they can tell, an email attachment was the culprit. That bank is very similar to my current bank, and I thought they had a solid Information Security program while I was there. As the Information Security Officer this has me worried that we might be next! What kinds of threats are you seeing with email these days? And what can we do to make sure we aren’t the next victim?


This is a huge topic to cover, so I’m going to answer each question in a separate post. Let’s start with your question on threats.

It Only Takes One

Cyber criminals are constantly probing email systems looking for the easiest “score” at the lowest cost. Most criminals know that bank employees are the weakest link in the security chain, and if they can trick just one employee into opening an attachment or simply clicking a link, they stand a very good chance of bypassing multiple layers of security. In fact, according to the FDIC, a phishing attack of just 10 emails yields a greater than 90% chance that at least one person will become the criminal’s prey. This is a very real threat to your information security.

Because the employee is the weakest link, email attacks almost always have a social engineering element. It is all too simple to masquerade as someone else in an email, and malicious emails often appear to originate from legitimate senders. From there, attackers prey on human factors such as fear of monetary loss, eagerness to please (particularly effective with anyone in the customer service area), or simple curiosity to compel their victims to open an attachment or click on a link.

While no two attacks are the same, email attacks generally fall into a few different categories:

    Phishing

    This is the most common type of attack financial institutions face. In the strictest sense, phishing emails are designed to trick recipients into disclosing sensitive information like usernames, passwords, account numbers, and social security numbers. This definition has expanded in recent years to describe the type of messages being sent. These days, phishing emails are a cheap and common malware delivery method. Cyber criminals employing a phishing campaign aim to cast a wide net by crafting a generic message that could apply to most of their recipients, hoping that even a small percentage of recipients are fooled. Phishing messages can range from extremely rough to highly polished, but are generally not customized to the specific recipient.

    Spear-Phishing

    While phishing attempts focus more on quantity, spear-phishing and whaling (aka whale phishing) are more targeted attacks. Spear phishers put in the effort to learn about their intended victims, and construct their malicious emails with this intel in mind. Messages appear to come from individuals or vendors familiar to the recipient, and are often crafted to closely match the aesthetics and even timing of emails normally received from that outside party. These custom-made malicious emails are often of higher quality than simple phishing emails; thus, they can be more difficult for security mechanisms to filter out and for end users to detect.

    Whaling

    This spear-phishing variant involves highly personalized phishing messages targeting high-value individuals at a company such as C-level employees, senior managers, or IT Administrators. Such executives are extremely enticing to phishers, as they usually have a high level of access to both business networks and confidential information. A great deal of effort can go into the hunt for this elite group of targets, generally including extensive information gathering and/or surveillance. These messages are typically very well-crafted, highly customized, and most often appear to come from an internal user.

    CEO Fraud

    This type of attack flips whaling around, and involves the impersonation of a high level executive at the institution. As the name suggests, these emails purport to come from the CEO or another high-ranking individual. Often, emails are timed to correspond with travel or incorporate some other excuse for asking an eager-to-please employee to bypass normal operating procedures. Commonly, such requests involve wire transfers or bulk disclosure of sensitive information.

Data collection and social engineering are not the only concern here, and as an ISO you should be very concerned about what happens after a user opens an attachment or clicks a link. Phishing campaigns are an extremely common catalyst for malware infections. These malicious emails help fuel a massive and profitable criminal industry, so bad actors are highly motivated to keep finding new ways to sneak bugs in through your inbox.

In 2016 alone Safe Systems observed numerous email attacks acting as a front end for ransomware like Locky, CryptoWall, and CryptXXX. At best (if your backup procedures are solid), such ransomware infections can cause a temporary loss of resource availability, and at worst ransomware may cause extended downtime and permanent loss of data. While ransomware gets most of the attention, any malware infection has the potential to negatively impact your institution’s operations and reputation.

Unfortunately, there is no reason to believe these threats will decline in the foreseeable future, so financial institutions would be wise to prepare accordingly. There are numerous technical controls available to help protect your mailboxes; however, no technology solution is perfect. Additionally, entirely new threats or threat variants (aka “zero day” threats) are always an ongoing concern. Email usage policies and proper employee (and customer) training play a vital part in catching threats that evade your technical controls. Please join me for part 2 of this article where we will discuss effective security strategies to protect against email-borne threats.
