Editor's Note: HP 3000 shops migrating will encounter new challenges to security. Whether it's a move to Windows, to Unix, or to Linux, all non-3000 environments carry greater risk of breaches. The issues are current, even for existing 3000 sites continuing to homestead. One manager of N-Class servers was seeking backup tape encryption solutions this week, after his auditors required it.
After showing the penetration testing required to assess the risks in yesterday's article, Certified Information Security Professional Steve Hardwick explains tech countermeasures to secure enterprise servers. Passwording always has been a skill in the 3000 community. Entering the commodity systems world makes password practices even more critical to security.
By Steve Hardwick
Second in a series
There are always problems with passwords. Using easy-to-guess passwords -- especially dictionary words -- creates a vulnerability in any authentication system. It allows a hacker to streamline a brute-force attack (applying specific password attempts to determine the actual password). One way to mitigate this is to develop a password construction rule. For example, a password would have to contain an uppercase letter, a lowercase letter, a number and a symbol, be 6-8 characters long -- and be changed every 90 days. The length is chosen so users can remember the passwords, but they are not so short that they are easy to guess. Unfortunately, this approach creates a new vulnerability.
Take an example of a 4-character password. If no rules are applied and any of the 90 standard printable keyboard characters are allowed in passwords, the number of possible combinations is 90x90x90x90 or 65,610,000 combinations. If the above rule is applied (one upper case, one lower case, one number and one symbol), then the resulting number of combinations is 26x26x10x28 or 189,280. This gives a hacker an advantage: if the password rules are known, then the number of allowable password combinations is reduced significantly. This is the basis of Rainbow hacking. Pre-computing these various password combinations, using a Rainbow table, can be fairly straightforward and save a lot of time guessing. In fact, there are websites dedicated to producing Rainbow tables.
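The keyspace arithmetic above, worked through as an added example (this code is not part of the article and not Steve Hardwick's). It reproduces the article's two figures and also counts the rule-constrained keyspace exactly, by inclusion-exclusion over the four character classes, so that any position may hold any class as long as every class appears at least once; the 90-character alphabet and the class sizes 26/26/10/28 are taken from the article, and the password lengths passed in are the only assumptions. The point for a defender is that composition rules shrink the keyspace relative to a free choice of the same length, so length, not composition, is what buys entropy.

```python
import math

# Character-class sizes and printable alphabet size as used in the article.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 28
PRINTABLE = 90
CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)


def unrestricted_keyspace(length, alphabet=PRINTABLE):
    """Passwords of the given length when any printable character may appear anywhere."""
    return alphabet ** length


def naive_rule_keyspace(classes=CLASSES):
    """The article's count: one slot per class in a fixed order (26 x 26 x 10 x 28)."""
    return math.prod(classes)


def rule_keyspace(length, classes=CLASSES):
    """Exact number of length-n strings over the union of the classes that
    contain at least one character from every class, via inclusion-exclusion:
    sum over subsets S of excluded classes of (-1)^|S| * (alphabet - |S chars|)^n."""
    n_classes = len(classes)
    alphabet = sum(classes)
    total = 0
    for mask in range(1 << n_classes):          # each bit = one class excluded
        excluded = sum(c for i, c in enumerate(classes) if mask >> i & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        total += sign * (alphabet - excluded) ** length
    return total


def entropy_bits(keyspace):
    """Equivalent bits of entropy for a uniformly chosen password from the keyspace."""
    return math.log2(keyspace) if keyspace > 0 else 0.0


def reduction_factor(length):
    """How many times smaller the rule-constrained keyspace is than the free one."""
    return unrestricted_keyspace(length) / rule_keyspace(length)


if __name__ == "__main__":
    for n in (4, 6, 8):
        free, ruled = unrestricted_keyspace(n), rule_keyspace(n)
        print(f"length {n}: free={free:,} ({entropy_bits(free):.1f} bits)  "
              f"ruled={ruled:,} ({entropy_bits(ruled):.1f} bits)  "
              f"reduction x{reduction_factor(n):.1f}")
```

For length 4 the exact rule-constrained count is 4! times the article's 189,280, because each of the four positions must carry a different class; the reduction against the free keyspace is still more than an order of magnitude, and it shrinks further as the length grows.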
Then there is always social engineering: tricking someone into giving you their password over the phone. A typical method is to masquerade as a trusted user. For example, the caller phones the IT department pretending to be a senior manager and explains that they have forgotten their password. With the right amount of verbal threat ("I'll report you to HR for insubordination") it may be possible to have the IT support tech change the password to something that the hacker gives them.
One of the most publicized security breaches was the loss of system backup tapes. In 2011 an SAIC employee had backup tapes containing 4.9 million healthcare records stolen from their car. The backup tapes were not encrypted. Similarly, many IT departments routinely create system backup tapes that include a copy of the password files (full backup). Very often these backup copies are not encrypted and can provide an easy way to get access to password files.
One other countermeasure to stop brute force or rainbow hacking is to limit the number of password attempts. For example, after three incorrect password attempts are made, the user is locked out of the account until the account is reset. But this has a nasty side-effect. A denial of service attack can be launched that deliberately uses invalid password attempts to lock out a user. Although this may not compromise any information, it can cause a lot of frustration and require considerable resources to correct. A disgruntled employee may resort to this type of tactic as a parting gesture.
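The lockout trade-off above, as an added example that is not from the article or its author. The tracker below counts failed logins per account and can run in either of two modes: the article's hard lockout (three failures and the account stays locked until an administrator resets it) or an assumed temporary lockout that expires on its own. The simulation feeds in three wrong guesses from a third party followed by the real user with the correct password, showing that the hard mode leaves the legitimate user blocked indefinitely while the temporary mode still stops the guessing but lets the user back in once the lockout lapses. The thresholds (three failures in a five-minute window, fifteen-minute lockout) and the account name are constructed values, not figures from the article.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Per-account failed-login tracker with a hard or temporary lockout."""

    def __init__(self, max_failures=3, window=300, lockout=900, hard_lockout=False):
        self.max_failures = max_failures    # failures that trigger a lockout
        self.window = window                # seconds over which failures are counted
        self.lockout = lockout              # seconds a temporary lockout lasts
        self.hard_lockout = hard_lockout    # True: locked until admin_reset()
        self._failures = defaultdict(deque) # account -> timestamps of recent failures
        self._locked_until = {}             # account -> expiry time (inf = admin reset)

    def is_locked(self, account, now):
        """True if the account is currently locked; expired temporary locks are cleared."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def attempt(self, account, password_ok, now):
        """Process one login attempt; returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(account, now):
            return "locked"                 # even a correct password is refused
        if password_ok:
            self._failures[account].clear()
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= self.max_failures:
            expiry = float("inf") if self.hard_lockout else now + self.lockout
            self._locked_until[account] = expiry
            recent.clear()
        return "denied"

    def admin_reset(self, account):
        """Helpdesk unlock: clears the lock and the failure history."""
        self._locked_until.pop(account, None)
        self._failures[account].clear()


def simulate(hard_lockout):
    """Constructed scenario: three bad guesses at t=0,1,2 from someone other
    than the user, then the real user with the right password at t=10 and t=1000.
    Returns the outcome of the two legitimate attempts."""
    policy = LockoutPolicy(hard_lockout=hard_lockout)
    for t in (0, 1, 2):
        policy.attempt("alice", password_ok=False, now=t)
    return (policy.attempt("alice", password_ok=True, now=10),
            policy.attempt("alice", password_ok=True, now=1000))


if __name__ == "__main__":
    print("hard lockout     :", simulate(True))   # user stays locked out
    print("temporary lockout:", simulate(False))  # user gets back in after 15 min
```

With the temporary mode the attacker's guessing rate is still capped at three tries per lockout period, which is what the countermeasure is for, while the cost of the denial-of-service side-effect falls from a helpdesk ticket to a wait. Logging the lockout events with their source lets the security team spot the deliberate flooding pattern the article warns about.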
The next countermeasures fall under Change Management -- an area of security concerned with ensuring that the software platforms are maintained to a specific security standard.