Category Archives: InfoSec

Password Managers, something worth considering. Some Options

I think we all appreciate that we have lots of passwords to remember, especially if you're working in the IT industry. Many of us have good methods for mentally storing the various passwords; however, it's still not uncommon to see a Post-It on the monitor, stuck under the keyboard, or even a big white sticker stuck directly on the front of a laptop.

Many years ago, when I worked in a small office, I had a phone call from a user explaining how his password had gone. He hadn't forgotten it, it had gone. This didn't make any sense, so I went to see him. It turned out his password was the serial number of a nearby fire extinguisher, which had recently been replaced and moved elsewhere in the building. Creative thinking, but a little bit flawed 🙂

In many organisations passwords are still the key to gaining access to the system. This may cover one or more of the following: an encryption password, network log on, mail access, bank information and more. So it's clear passwords are important, and they are not something we should be sharing and advertising to every passer-by. Aside from continuing user awareness on their importance, what other solutions could be considered?

Well, one option is a password manager. Essentially a password manager is an application, add-on or device that stores all your passwords in an encrypted format, which you protect with a single complex passphrase. The rest of the passwords are only as safe as that one passphrase and the software that guards it, so choose both carefully. With this in mind I have had a little look at some of the offerings available, both open source and commercial, to provide a single place to start you on your search for the right solution for you and your company.

Firefox Password Manager
We could consider this as putting all your eggs in one basket, but it's possibly better than using Post-It notes or a plain text file to store all your passwords. Granted, there is always the possibility of a browser exploit exposing the stored passwords, so keep this in mind. If you do use the Firefox Password Manager, ensure that you set a strong master password. I am not sure specifically how the passwords are stored, but at least it will require you to enter a password before the stored passwords become available, so not just anyone using your machine would have access. Without a master password, the stored logins are protected only by your operating system account: anything that can read your Firefox profile directory can recover them.

Access Manager
Access Manager is a great free password management tool. Your passwords are encrypted with AES and Blowfish, the tool has a simple and easy to use interface, and, like most of these applications, you can install it onto removable media. A nice little function of this tool is the Password Selector: some secure websites ask for particular characters from your password (the 2nd, 5th and 9th, say) rather than the whole thing, and the Password Selector makes this easy for you.

KeePass
The KeePass Password Safe is probably my favourite application (aside from my IronKey) for storing passwords. KeePass secures your password database with AES or Twofish encryption, it has what I think is a simple, easy to use interface, and it's free too. It doesn't need to be installed on your system, so you can easily run it from a thumb drive or other removable storage, and it also has a neat password generator. There are versions for Windows, Mac and Linux, so there should be something for everyone.

Keeper
Keeper Password and Data Vault is not a free tool, but there is a demo available before parting with your precious $15. I have heard good things about this product from others in the InfoSec community, but I have not used it myself. One advantage is that it works on the Mac, and for those with an iPhone you can sync your passwords, so that could be handy.

IronKey
I appreciate not everyone has an IronKey (not cheap, but awesome), but if you do you may want to consider using the built-in password manager and password generator. Its password manager uses AES like the other offerings, but you also get the rest of the IronKey's protections, specifically the hardware encryption of the device itself.

I am sure there are many more solutions, but I think this gives you a little insight into what's available, so you can do your own research on these products as well as digging deeper into other applications and options for securing your precious passwords.

A little tip though: use a strong passphrase you won't forget, because if you do, you won't be getting easy access to your passwords. So don't put it on a sticky note on your screen. If you really do need to write it down, secure the paper somewhere safe and totally separate from your IT equipment, and don't make it obvious what it's for…. perhaps get a safe 😀

BS10012 The Data Protection Act Personal Information Management System (PIMS)

I recently took the opportunity to attend a seminar on the newly released BS10012 standard, which was hosted by URM and BSI.
Basically this standard is a mechanism / process for an organisation to implement to ensure it has a routine and measurable process for meeting the Data Protection Act (DPA) requirements. There isn't currently a certification for this standard, but this may change with demand. However, the BS standard does provide the Plan, Do, Check, Act framework to help meet obligations and improve the process over time.

I am not a big fan of certification just for the sake of it, I instead believe the standards can be used to form a baseline, as they are essentially documented best practice.

The standard isn't UK specific, so it can be of value to any organisation struggling to meet its DPA requirements. Apparently 65% of organisations in the UK are not meeting their obligations. I guess at the moment the ICO doesn't have the resources to go looking, and just has to wait for someone to slip up. They are increasing the fee for DPA notification from £35 to £500, which is a serious increase, so perhaps we can expect a more proactive approach to seeking out non-compliance.

The conference had some benefit: it cleared up some DPA obligations for me, and showed how this new standard could fit in with ISO 27001. I just thought I would share its existence, as it's only about 7 weeks old.

So what's this BS10012 standard all about? It's basically a standard that specifies the requirements for a personal information management system (PIMS), which provides an infrastructure to maintain and improve compliance with the DPA requirements. It follows the Plan, Do, Check, Act cycle that you will be familiar with if you have worked with other BS, ISO and ITIL standards.

Many organisations in the UK are failing in their DPA obligations, and perhaps this new standard will provide a baseline worth adopting. Obviously it's optional, and it's early days. I do feel that the ICO is really going to start taking a much deeper look into organisations' compliance, so if your organisation works best following a predefined baseline structure, BS10012 might be worth considering.

UK Government once again propose to cut off file sharers

It seems that Business Secretary Lord Mandelson has got involved in the recently published Digital Britain report, and is now pushing hard to have people who share music and videos cut off. I am not saying it's right that people should be doing this, but who can effectively police it? I assume there will be no proper investigation to ensure the ISP subscriber was the actual person doing the downloading, and not someone who hopped onto their insecure wireless.

I am sure we will see some uproar from this in the not too distant future. Soon fully encrypted P2P will be the norm.

Read more on the BBC website.

Information Security Day 6th August

Promote Information Security Day on the first Thursday of August.


Protection of information assets and the technology resources that support the business enterprise is critical to the functioning of any business organisation. Information system assets are always at risk from potential threats such as malicious or criminal actions, employee error, system failure, natural disaster, and lack of proper security infrastructure. Such events and situations could result in damage to or loss of information resources, corruption or loss of data integrity, interruption of business continuity, or compromise of the confidentiality or privacy of end users of the information systems.
Information Security Day was started to spread awareness of information security issues. Information security, also known as information systems security (INFOSEC), deals with the different aspects of information and its protection. Information Security Day aims to reduce the risk associated with information systems by increasing the awareness of the user community. The INFOSEC Day aims to increase awareness in the following areas:
  • Understanding the various information system components
  • Security management principles
  • Risk assessment, sensitivity and criticality
  • Disaster recovery and emergency procedures
  • Logical security
  • Physical security
  • Managerial security measures
The annual event is held around the world on the first Thursday of August every year. If a local holiday coincides with Information Security Day, you can always rearrange the date for your convenience.