Category “Risk Management”

Tips for creating a strong password

Wednesday, 22 December, 2010

This post is from Help Net Security, a great resource for news, articles and information on security. Visit Help Net Security and subscribe or follow their tweets. The original post is located here.

To ensure consumers stay safe online and enjoy this holiday season, Check Point outlines practical tips for creating a strong password.

  • Choose a password that is at least 8 to 10 characters long. This should be long enough to prevent brute force attacks, which consist of trying every possible code, combination or password until the right one is found.
  • Make sure your password is difficult to guess. Do not use names of any kind, including your login name, family member’s name or a pet’s name. Also avoid using personal information such as a phone number, birthday or place of birth.
  • Avoid words that can be found in the dictionary. With the availability of online dictionaries it is easy for someone to write a program to test all of the words until they find the right one.
  • Stay away from repeated characters or easy to guess sequences. For example: 77777, 12345, or abcde.
  • Choose a password that is a mixture of numbers, letters and special characters. The more complex and random it is, the harder it will be for a malicious person to crack.
  • Use fragments of words that will not be found in a dictionary. Break the word in half and put a special character in the middle.
  • Choose different and unique passwords for all of the important sites.
  • Change your passwords often. Even if someone cracks the system password file, the password they obtain is not likely to last long.
  • Use a reliable password protection solution.

To get more insight on how people create poor passwords, take a look at this analysis of 32 million breached passwords.
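
The rules in the list above can be turned into a mechanical check that a registration form or password-change script runs before accepting a password. The following is an added example, not code from Help Net Security or Check Point: a small Python validator that applies each tip (minimum length, no personal information, no dictionary word, no repeated runs, no ascending or descending sequences, and a mix of character classes). The `MIN_LENGTH` of 10, the tiny inline `DICTIONARY` and the sample passwords are constructed assumptions; a real deployment would load a full word list and a breached-password list instead.

```python
import re
import string

# Assumption: 10 is the upper end of the post's "at least 8 to 10 characters" range.
MIN_LENGTH = 10

# Constructed stand-in for an online dictionary; a real check would load a word list file.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "sunshine", "computer"}


def _has_run(pw, length=3):
    """True if any character is repeated `length` or more times in a row (e.g. 77777)."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def _has_sequence(pw, length=4):
    """True if `length` consecutive characters step by +1 or -1 in code point (12345, abcde, edcba)."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        window = [ord(c) for c in low[i:i + length]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _is_dictionary_word(pw):
    """Strip digits and symbols first, so 'pass!word' is still recognised as 'password'.
    This is deliberately stricter than simply splitting a word with a special character,
    because password-cracking tools apply the same stripping and insertion rules."""
    letters = "".join(c for c in pw.lower() if c.isalpha())
    return letters in DICTIONARY


def check_password(pw, personal_info=()):
    """Return a list of rule violations; an empty list means every tip is satisfied.
    `personal_info` is the caller's list of login name, family names, phone number, etc."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = pw.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item!r}")
    if _is_dictionary_word(pw):
        problems.append("is a dictionary word (ignoring digits and symbols)")
    if _has_run(pw):
        problems.append("contains a repeated character run")
    if _has_sequence(pw):
        problems.append("contains an easy-to-guess sequence")
    classes = {
        "digit": any(c.isdigit() for c in pw),
        "letter": any(c.isalpha() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


def is_strong(pw, personal_info=()):
    """Convenience wrapper: True only when check_password reports nothing."""
    return not check_password(pw, personal_info)


if __name__ == "__main__":
    # Constructed samples: one that passes every tip, and a few that break specific ones.
    for candidate, info in [("K9#vLq!2Wz", ()), ("pass!word", ()),
                            ("abcde12345", ()), ("bob1977!!!!", ("bob", "1977"))]:
        print(repr(candidate), "->", check_password(candidate, info) or "OK")
```

The check reports every violated rule rather than stopping at the first one, so a user who is told "contains a repeated character run; missing character classes: special" can fix both at once. The sequence detector compares code points, which catches `12345`, `abcde` and their reverses but not keyboard walks such as `qwerty`; those would need a separate pattern list.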

Proceed at your own RISK

Sunday, 26 April, 2009

RISK is a very common word. In the IT world it has become more and more widely used, not only within management but also among end users. Risk is a big deal when it comes to security. More often than not, it is tied to a monetary value or, even worse, to reputation. That’s why, when it comes to managing it, the most important aspect everyone should adhere to is senior management awareness and approval.

Let’s dive into the meaning of the word risk in the IT security world. The simplest way of putting it is:

THREAT + VULNERABILITY = RISK

A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. (All-in-One CISSP, Risk Management; Shon Harris). Before expanding that meaning, let’s take a look at what threats and vulnerabilities are.

A threat, as we all know, is any potential danger. Threat agents are the medium that carries out the threat. So a threat agent is someone or something that can identify a weakness and take advantage of it. For instance, if I know a website is running an application that is not written properly, I could exploit it to deface it or to cause a denial of service. In this case, I am a threat agent. My inappropriate actions are a threat to this website.

The site’s buggy code is subject to exposure, which is an instance of being exposed to losses from a threat agent.

A vulnerability is a weakness in the infrastructure, and a weakness is always represented by an absence or lack of the ability to safeguard itself. So in our previous example, the poorly written website is a weakness. Without a proper safeguard in place to protect it, it is a vulnerability that a threat agent is ready to exploit.

Safeguards were mentioned earlier. A safeguard is the countermeasure that must be in place to prevent and mitigate the potential risk. Mitigating risk comes in many flavors, which we’ll try to cover briefly later.

So in brief, the order of concepts for all of these is:

Threat > Exposure > Vulnerability > Countermeasure/Safeguard > Risk

RISK MANAGEMENT

Risk Management involves risk identification, risk analysis and assessment, and risk mitigation. This is the process by which a designated group (most likely the risk management team) identifies the risks (threats and vulnerabilities), analyzes them, and mitigates them to an acceptable level. The goal is to implement countermeasures that reduce the risk to a level acceptable under the security policy.
