CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [268]

professionals who think they are being smart by changing a to @ and o to 0 and adding the number 12 to the end of the name of their favorite movie character.

Rainbow tables The really worrisome tool for password attacks is called a rainbow table. Traditionally, password crackers hashed each potential password and then performed an Exclusive Or (XOR) comparison to check it against the stolen hash. The hashing process is much slower than the XOR process, so 99.99 percent of the time spent cracking passwords was actually spent generating hashes. So, a new form of password cracking was developed to remove the hashing time from the cracking time. Massive databases of hashes are created for every potential password, from single characters on up, using all keyboard characters (or even all ASCII 255 characters). Currently, a rainbow table for cracking Windows OS passwords is available that contains all the hashes for passwords that contain from 1 to 14 characters using any keyboard character. That database is 64GB in size, but it can be used in an attack to crack a password in less than three hours—meaning that all Windows OS passwords of 14 characters or fewer are worthless.

To protect yourself from this threat, change all of your Windows OS and network passwords to a minimum of 16 characters. Or, if you get approval from your security administrator, start using one or more higher-order ASCII characters in a password of at least 8 characters. You can’t just use the higher-order ASCII characters because many legacy systems (for example, those written prior to 2000) do not support them. If even one system you interact with does not support higher-order ASCII characters, then you can’t use them.

One of the smartest—and most secure—things you can do is turn off LANMAN passwords.

Another protection is the addition of a salt to the password before it is hashed. Windows 2003/8, Windows XP Professional (SP1+), SELinux variants, and many other modern and secure OSs employ salts. The purpose of a salt is to thwart easy hash cracking and prebuilt hash databases. Often the salt is the SID of the user account, so a roughly 40-character string is combined with, say, a 12-character password to produce a 52-character value that is then hashed. An attacker may be able to learn the salt value, especially if it is the SID, but it still stops all of the easy attack methods. The use of salts forces a true real-time brute-force approach to cracking hashes, thus allowing OSs to once again provide real protection for passwords (assuming the password is complex and long to begin with).
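As an added illustration of the salt mechanism described above (example code, not from the study guide), the block below builds a tiny precomputed hash table over a constructed wordlist, shows that an unsalted digest is reversed by a plain lookup while a salted one is not, and shows that even a known salt forces every candidate to be hashed again. SHA-256, the wordlist and the SID-like salt are assumptions chosen for illustration.

```python
import hashlib
import os

# Constructed wordlist standing in for the "massive database" of precomputed
# hashes the text describes (deliberately tiny; hypothetical values).
WORDLIST = ["password", "letmein", "N3o12", "Tr0ub4dor&3"]


def unsalted_hash(password: str) -> str:
    """Hash the bare password: the same input always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Combine a per-user salt with the password before hashing (salt + password)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_precomputed_table(words):
    """Precompute digest -> plaintext once; this is what a prebuilt hash database is."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    """Reverse a stolen digest by table lookup, with no hashing at all (the fast path)."""
    return table.get(digest)


def recover_with_known_salt(digest: str, salt: bytes, words):
    """Even when the salt is known (e.g. it is the SID), every candidate must be
    rehashed with that salt: the precomputed table is useless, so the work is
    done in real time, which is exactly what the salt is meant to force."""
    for w in words:
        if salted_hash(w, salt) == digest:
            return w
    return None


def demo():
    table = build_precomputed_table(WORDLIST)
    stolen_unsalted = unsalted_hash("N3o12")
    # Two users with the same password but distinct salts get distinct digests,
    # so one stolen digest tells you nothing about the other account.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    hashed_a = salted_hash("N3o12", salt_a)
    hashed_b = salted_hash("N3o12", salt_b)
    return {
        "unsalted_hit": lookup(table, stolen_unsalted),  # "N3o12"
        "salted_hit": lookup(table, hashed_a),           # None
        "salts_differ": hashed_a != hashed_b,            # True
    }
```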

Use as many different types of characters as possible, including lowercase letters, uppercase letters, numbers, and symbols. Change your password frequently, at least every 45 days if not more often. Never reuse a previous password, and never use the same password for more than one account. Don’t use password-storage tools, whether software or hardware. However, if you have to juggle so many passwords that a management tool is essential, then make sure the passwords are stored with strong encryption and the lock on the tool is stronger than the best password it is storing.

Managing Personnel

Personnel management is a security concept that focuses on minimizing the vulnerabilities, threats, and risks that people themselves bring to an organization. Ultimately, people are the last line of defense for your company’s assets. There are many mechanisms imposed to help improve personnel security, such as separation of duties, the principle of least privilege, acceptable use policies, job reviews, mandatory vacations, and even exit interviews.

You need to be aware of these controls and learn how to do your job within the boundaries that they dictate. Here are some important recommendations for management:

■ Know exactly which privileges you are assigned.

■ Don’t attempt to exceed your assigned authority.

■ Know which actions require multiple people to work together, and then attempt them only with the correct number of admins.

■ If you discover that you have

