Page 196 - DCAP403_Operating System
Unit 10: System Protection
There are a few approaches to guessing passwords which I shall discuss, along with methods of
countering these attacks.
Most operating systems, as well as large applications such as Database Management Systems,
are shipped with administrative accounts that have preset passwords. Because these passwords
are standard, outside attackers have used them to break into IT systems. It is a simple, but
important, measure to change the passwords on administrative accounts as soon as an IT system
is received.
A second approach to discovering passwords is to guess them, based on information about the
individual who created the password. Using such information as the name of the individual,
spouse, pet or street address or other information such as a birth date or birthplace can frequently
yield an individual’s password. Users should be cautioned against using information that is
easily associated with them for a password.
There are several brute force attacks on passwords that involve either the use of an
on-line dictionary or an exhaustive attempt at different character combinations. There are several
tactics that may be used to prevent a dictionary attack.
They include deliberately misspelling words, combining two or more words together, or
including numbers and punctuation in a password. Ensuring that passwords meet a minimum
length requirement also helps make them less susceptible to brute force attacks.
To assist users in choosing passwords that are unlikely to be guessed, some operating systems
provide randomly generated passwords. While these passwords are often described as
pronounceable, they are frequently difficult to remember, especially if a user has more than one
of them, and so are prone to being written down. In general, it is better for users to choose their
own passwords, but with the considerations outlined above in mind.
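A small checker that applies the warnings above (vendor default passwords, information easily associated with the user, single dictionary words, minimum length, and digits or punctuation) to a candidate password. It is added here as an illustration and is not part of the unit's text; the default-password list, the dictionary and the 12-character minimum are constructed sample values that a real deployment would replace with its own lists and policy.

```python
import re

# Constructed sample lists; a real deployment would load a vendor default list
# and a full cracking dictionary.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "manager", "system"}
DICTIONARY = {"summer", "tiger", "welcome", "london", "dragon", "hello"}
MIN_LENGTH = 12  # assumed policy value; the text only says a minimum should exist


def _norm(text):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def password_weaknesses(password, profile, dictionary=DICTIONARY,
                        defaults=DEFAULT_PASSWORDS, min_length=MIN_LENGTH):
    """Return the reasons a candidate password is guessable (empty list = none found).

    profile maps personal facts ("name", "spouse", "pet", "street", "birth_date",
    "birthplace") to their values; any fragment of four or more characters from a
    value that appears in the password is flagged as guessable from personal info.
    """
    findings = []
    norm = _norm(password)
    if norm in {_norm(d) for d in defaults}:
        findings.append("matches a vendor default password")
    if len(password) < min_length:
        findings.append(f"shorter than the {min_length}-character minimum")
    for field, value in profile.items():
        tokens = [_norm(t) for t in re.split(r"[\s,./-]+", str(value))]
        if any(len(t) >= 4 and t in norm for t in tokens):
            findings.append(f"contains personal information ({field})")
    # Dictionary attack: a single word padded only with digits/punctuation is
    # exactly what an on-line dictionary run tries first; two words joined
    # together or a misspelled word do not match here.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    if core in dictionary:
        findings.append(f"dictionary word '{core}' padded with digits/punctuation")
    if not re.search(r"\d", password) or not re.search(r"[^\w\s]", password):
        findings.append("lacks digits or punctuation")
    return findings


if __name__ == "__main__":
    # Constructed user profile for the demonstration.
    profile = {"name": "Anita Sharma", "pet": "Fido", "birth_date": "1985-03-14"}
    for candidate in ("admin", "Fido1985!", "Tiger!2024", "Summr+Drag0n#2024"):
        print(candidate, "->", password_weaknesses(candidate, profile) or "no findings")
```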
Password length and the frequency with which passwords are changed in an organization
should be defined by the organization’s security policy and procedures and implemented by the
organization’s IT system administrator(s).
The frequency with which passwords should be changed should depend on the sensitivity of the
data. Periodic changing of passwords can prevent the damage done by stolen passwords, and
make “brute force” attempts to break into systems more difficult.
Too frequent changes, however, can be irritating to users and can lead to security breaches such
as users writing down passwords or using too obvious passwords in an attempt to keep track
of a large number of changing passwords. This is inevitable when users have access to a large
number of machines. Security policy and procedures should strive for consistent, livable rules
across an organization.
Some mainframe operating systems and many PC applications use passwords as a means of
access control, not just authentication. Instead of using mechanisms such as Access Control Lists
(ACLs), access is granted by entering a password. The result is a proliferation of passwords
that can significantly reduce the overall security of an IT system. While the use of passwords
as a means of access control is common, it is an approach that is less than optimal and not cost-
effective.
There are numerous password-cracking utilities out on the Internet — some of which are freeware
and some of which are licensed professional products. If a hacker downloads an encrypted
password file, or a write-protected document with password protection, they can run the
password file or document through a password cracking utility, obtain the password, and then
either enter the system using a legitimate user’s account or modify the write-protected document
by inserting the correct password when prompted. By using a protocol analyzer, hackers can
“sniff” the network traffic on the wire and obtain passwords in plaintext rather easily.
However, in spite of the risks in using passwords, they are still commonly used the world over with
the assumption that taking the trouble to violate password protections would not be worth the