The Glade 4.0 https://gladerebooted.net/ |
Corporate Executives and Information Security https://gladerebooted.net/viewtopic.php?f=7&t=11066
Author: Talya [ Tue Aug 26, 2014 9:49 am ]
Post subject: Corporate Executives and Information Security

There are two equally understandable and logical philosophies in dealing with executives in a big company: (1) Executives deal with the most confidential and sensitive information in the company, and should therefore be subject to the most restrictive of IT security policies in order to protect that information. (2) Choose your battles very carefully. Executives can get you fired and replace you with sycophants if you don't do as they demand, so unless it's truly impossible, give the executive what they ask for. Now, whether or not one agrees with both of these principles, they're both understandable. What is not understandable, however, is attempting to do both at once. It DOES NOT WORK. You don't put your executives, for instance, on the most restrictive possible mobile security policy, so that they can do nothing with their phones, and then accommodate every single request for things that that security policy blocks, to the frustration of all the IT staff. Either put them on the most restrictive policy and enforce it, or put them on a less restrictive policy knowing you are not going to enforce it. Don't poke holes in the most restrictive policies to accommodate them!
Author: Elmarnieh [ Wed Aug 27, 2014 2:36 pm ]

Yes, but lots of places do it because all it takes is one Nervous Nellie manager who has a team that can make those one-off changes, and boom, they are done. Ideally a company of sufficient size should have an executive team that handles all executive policies and devices.
Author: Arathain Kelvar [ Thu Aug 28, 2014 9:38 am ]

IT just shut off the ability for me to email my parents for security reasons. I can receive emails but not send. They are looking into it. 3 days and counting.
Author: Wwen [ Thu Aug 28, 2014 4:17 pm ]

I'm sure your parents are planning to bring down the company.
Author: Aizle [ Sat Aug 30, 2014 8:43 am ]

I once had an executive at a company who, while being the nicest guy you could ever want to meet, would only use the password "beige" or a simple variant.
Author: Xequecal [ Wed Sep 03, 2014 3:22 pm ]
Post subject: Re: Corporate Executives and Information Security

I don't understand why passwords need to be overly complex. Is this basically IT's nice way of saying, "Don't use 'password' as your password, you idiots."? I mean, doesn't it lock the account after 3-5 failed login attempts anyway? How could someone possibly brute force it?
Author: Rorinthas [ Wed Sep 03, 2014 5:15 pm ]
Post subject: Re: Corporate Executives and Information Security

Not everyone uses a lockout system; it's optional in AD. But yes, it is an easy way of telling users not to be stupid by not letting them. I knew an HR director who was still using the universal 4-letter default password for his email for years.
Author: Elmarnieh [ Wed Sep 10, 2014 8:23 am ]

Tricky line in IT security. Force complex enough passwords and/or change them frequently enough and people will simply write their passwords down someplace or iterate them: Cabbagebunnyfoot1, Cabbagebunnyfoot2, Cabbagebunnyfoot3...
Author: Stathol [ Sun Sep 14, 2014 7:41 pm ]

Most password policies are dumb, but not for the reasons you might think. For one thing, password length matters far more than password complexity. What Elmo said is also quite true. Scheduled rotation policies are appropriate in some high security environments where the user base understands actual password complexity and is dedicated to maintaining it, but in most environments they just weaken security. In most corporate environments, the only reason to change passwords is because a breach has occurred. And to be completely blunt, most policies are wishful thinking. A randomly generated, 16-character password with uppercase, lowercase, and numbers has 95 bits of entropy. But when users are asked to create a password meeting those character and length requirements, they choose passwords that have far less entropy. You can't save users from themselves. If there's any sort of "logic" (read: "pattern") behind how you create your passwords, complexity requirements are moot. You're an easy mark because crackers are smart enough to think like you do.

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/2/
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
Author: Rorinthas [ Sun Sep 14, 2014 8:09 pm ]
Post subject: Re: Corporate Executives and Information Security

Thank you Stathol. I wanted to bring that into the conversation, but I didn't have time to hunt it down. Unfortunately most services limit you to 16 characters. Ergo you can't use the xkcd method, and in order to remember your password you have to rely on a classic solution based on logic.
Author: Stathol [ Mon Sep 15, 2014 10:11 am ]

I run into that less often these days, but yeah, it still happens. The best and easiest solution to all of these issues (IMHO) is to use a well-secured password vault type application. I've been using Keepass. I store the database in a Dropbox folder so that I can synchronize it between all of my devices (including my cellphone). All of my passwords are randomly generated with as much entropy as the site will allow, or 128 bits, whichever is greater. I C&P them into login forms whenever I need them. I haven't memorized a password in years. In fact, I don't even know what any of my passwords are. The only password I've memorized is the master password for the Keepass database. It's lengthy and random (why bother with 128-bit AES if your password has less than 128 bits of entropy?), but you only have to memorize it once.
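The entropy arithmetic behind Stathol's two posts above (95 bits for a random 16-character upper/lower/digit password, and the 128-bit target for vault-generated passwords), worked through as an added example. This is not code from the thread or from Keepass; the 10,000-word list size used for the "Cabbagebunnyfoot1" style pattern comparison is an assumption chosen for illustration.

```python
import math
import secrets
import string

# Alphabets a site or policy might permit (constructed for this example).
LOWER = string.ascii_lowercase                # 26 symbols
ALNUM = string.ascii_letters + string.digits  # 62 symbols: upper, lower, digits
PRINTABLE = ALNUM + string.punctuation        # 94 printable ASCII symbols, no space


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(alphabet).

    A 16-character password over 62 symbols gives 16 * log2(62), about 95 bits,
    matching the figure quoted in the thread.
    """
    return length * math.log2(alphabet_size)


def required_length(target_bits: int, alphabet_size: int) -> int:
    """Shortest length at which a uniform random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def pattern_entropy(choices_per_slot) -> float:
    """Entropy of a password built from a pattern, e.g. word + word + word + digit.

    Each slot contributes log2(number of choices), so a 17-character password
    assembled from three common words and a digit carries far fewer bits than a
    16-character uniform random string, even though it satisfies a length and
    mixed-case policy.
    """
    return sum(math.log2(n) for n in choices_per_slot)


def generate_password(target_bits: int = 128, alphabet: str = ALNUM) -> str:
    """Uniform random password with at least target_bits of entropy.

    secrets.choice draws from the OS CSPRNG; random.choice would not be suitable.
    """
    length = required_length(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_for_site(max_length: int, alphabet: str = ALNUM, target_bits: int = 128) -> str:
    """Password for a site that caps length: use the cap if it cannot reach target_bits."""
    length = min(max_length, required_length(target_bits, len(alphabet)))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"16 chars, 62 symbols : {entropy_bits(62, 16):.1f} bits")
    # Assumed 10,000-word list for each word slot, 10 choices for the digit.
    print(f"word+word+word+digit : {pattern_entropy([10000, 10000, 10000, 10]):.1f} bits")
    for name, alpha in (("lower", LOWER), ("alnum", ALNUM), ("printable", PRINTABLE)):
        print(f"128 bits over {name:9}: {required_length(128, len(alpha))} chars")
    print("128-bit alnum password :", generate_password())
    print("16-char site cap       :", generate_for_site(16))
```

The comparison is the point: the pattern password is longer than the random one yet has well under half the bits, because a cracker's candidate list is built from the same words and suffixes users reach for. The site-cap function mirrors the vault setting quoted above: take the full 128 bits where allowed, otherwise the most the field will accept.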