
Author A little something to discuss and get a chuckle
dannyboy 950

2002-11-18, 3:52 pm

Not too long ago I ran into an old acquaintance from Vietnam days. Knowing of my expertise he asked me if I would check out his company's new security.
Opting to use an internal break-in (I hate being shot by an overactive security guard with a Glock), I got myself hired on as a maintenance person using the identity of a convicted felon I used to know.
During the course of my night's work I accessed 23 of the 40 workstations without having to crack or hack any of them. I merely used the passwords and access permissions that I found lying about or cleverly?? hidden, including 3 senior officers' computers.
My greatest find was the nicely bound report and outline provided by the security consultant firm who set up their security.

In all fairness it was a very good system if it would have been implemented and enforced. This I found in the bottom left drawer of the unlocked desk of the CEO.

I have found in the past that many executives feel that because they are the boss they don't have to follow the rules that they set for others; this provides a weakness in any security program.
Needless to say there were a lot of red faces and several changes made.
onoski

2002-11-20, 2:02 pm

How interesting, well not too surprised as it happens. Everyone including network admins just has to be more vigilant and educate end users of the importance of passwords, etc. Well, without weaknesses like these there wouldn't be the need for ITers like us
chodan

2002-11-20, 8:36 pm

I understand the difficulty.
I finally bit the bullet and instituted a password policy with much wailing and gnashing of teeth by the rest of the staff.
They act as though I am making it difficult.
It is this:
Every 30 days you must change your password.
It must be unique for at least 3 changes.
If you don't change it in thirty days the account is locked out.
If you log on incorrectly 5 times it is locked out.
It must contain 5 characters.

That don't sound too unreasonable to me.
What do you all think?
Until I did it some people had their same password for 6 years.
I finally got enough authority to initiate the process.
onoski

2002-11-21, 5:16 am

It sounds practical and reasonable to me. It's the way to go
AuthorHelen

2002-11-21, 5:41 pm

All of those sound like good requirements; I would require a longer password, though, particularly if you're not validating passwords against a dictionary to make sure that they're not easily-guessable words.

I would also give users hints on how to choose good passwords like:

- Pick the first letter of each word of a phrase you can remember, like the lyrics to one of your favorite songs
- Tacking a "1" or "0" on the end of a word found in the dictionary does not a good password make. Be more creative than that.
- If you play an instrument, try using the letters that result when you press keys in a way that matches how you would play the melody of a song you like on your instrument
- Putting a random special character or two in the middle of a password tends to increase its strength significantly, though it's probably still not as good as the initial or notes suggestions above
- If you have to write it down anywhere at any time, it's not secure; so choose a password you will remember

--
* Helen *
(PS. Look that <== way and see the new cert :-)
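
Added example, not part of any post in this thread: a sketch of a checker for the policy listed above (30-day expiry, history of 3, lockout after 5 bad logons, minimum length) extended with the suggested dictionary validation, including words with digits tacked on the end. The function names, the tiny word list and the PBKDF2 storage of password history are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample word list; a real check would load a full dictionary.
WORDLIST = {"password", "dragon", "monkey", "summer", "letmein"}

MAX_AGE_DAYS = 30   # policy in the thread: change every 30 days
HISTORY_DEPTH = 3   # unique for at least 3 changes
MAX_FAILURES = 5    # 5 incorrect logons lock the account
MIN_LENGTH = 5      # thread value; a longer minimum was suggested, no figure given


def hash_password(password, salt):
    # Assumption: history is kept as salted PBKDF2 digests, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_new_password(password, history, min_length=MIN_LENGTH):
    """Return policy violations; history is a list of (salt, digest), oldest first."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("reused")
            break
    # A dictionary word with digits tacked on the end is still a dictionary word.
    if password.lower().rstrip("0123456789") in WORDLIST:
        problems.append("dictionary word")
    return problems


def account_locked(last_changed, failed_logons, today):
    """Locked when the password is over 30 days old or after 5 bad logons."""
    expired = today - last_changed > timedelta(days=MAX_AGE_DAYS)
    return expired or failed_logons >= MAX_FAILURES


if __name__ == "__main__":
    print(check_new_password("dragon1", []))
    print(account_locked(date(2002, 10, 1), 0, date(2002, 11, 21)))
```

Raising `min_length` above 5 applies the longer-password suggestion without touching the other rules.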
chodan

2002-11-21, 6:52 pm

AuthorHelen

Thanks for the tips.
If you don't mind, may I use these tips in our company newsletter?
AuthorHelen

2002-11-21, 6:57 pm

Sure, go ahead.
--
* Helen *
Supertech

2002-11-21, 7:32 pm

I do believe you are a "1st poster" for a Security+. Congratulations!
AuthorHelen

2002-11-21, 7:57 pm

Thanks!

I haven't heard any other beta participants report that CompTIA said they passed yet (having publishing deadlines has its privileges, I guess ;-).

To put "first post of cert" in perspective: I believe all of those originally involved in the exam's development were grandfathered into the cert (so they're way ahead of the rest of us, by multiple months).
--
* Helen *
namrak

2002-11-21, 7:59 pm

Nothing like a real-world example to set the tone for security. Security is one of those things that are never fully appreciated when it is effectively implemented. More like a hassle as evidenced by employee moans and groans.

By the way AuthorHelen, hearty congratulations on obtaining Security+!
chodan

2002-11-21, 9:00 pm

I tried to log on to CompTIA today with the information on my test report sheet but it wouldn't let me log in.
The reply said it couldn't find a match to the info I supplied???
Oh well I can wait a few more days I guess.
Must one be a member to have access to that information??
AuthorHelen

2002-11-21, 9:30 pm

I believe anyone can access the on-line score report information. CompTIA told me it probably wouldn't be up in their online system until next week, though, so that might be why it isn't working for you.

(I received my info from different channels, because I needed it for the book. I can't check the online system, since I don't have a score report. It never occurred to me to keep a score report without a score on it... ;-)
--
* Helen *
mrucker

2002-11-21, 10:29 pm

What is the url?
I've been checking at www.comptia.org/careerid

Is that the correct one?
AuthorHelen

2002-11-21, 10:46 pm

http://www.comptia.org/careerid/ is the one I know about.
--
* Helen *
azimuth40

2002-11-22, 12:33 am

quote:
Originally posted by chodan
I tried to log on to CompTIA today with the information on my test report sheet but it wouldn't let me log in.
The reply said it couldn't find a match to the info I supplied???
Oh well I can wait a few more days I guess.
Must one be a member to have access to that information??



Try using the ID off of your Net+ card. If that was your first CompTIA cert then that number should be your career ID. It should let you go forward from there.
chodan

2002-11-22, 7:44 am

quote:
Originally posted by azimuth40
Try using the ID off of your Net+ card. If that was your first CompTIA cert then that number should be your career ID. It should let you go forward from there.


I just tried that. It didn't work.
I think the info just isn't up yet.
azimuth40

2002-11-22, 12:03 pm

quote:
Originally posted by chodan
I just tried that. It didn't work.
I think the info just isn't up yet.



By "didn't work" do you mean that you could not register or just saw nothing about the status of Security+? You only get one account and every cert you have ever taken from 1998 on should be there. So you should have at least seen your Net+ cert.
chodan

2002-11-22, 12:20 pm

quote:
Originally posted by azimuth40
By "didn't work" do you mean that you could not register or just saw nothing about the status of Security+? You only get one account and every cert you have ever taken from 1998 on should be there. So you should have at least seen your Net+ cert.


No it wouldn't let me log on.
I get a response of:
Please correct the following:
We could not find a user meeting the specified criteria. Please review the criteria and try again
chodan

2002-11-22, 12:30 pm

OK
I went back and set up an account using all the old Network+ info and got in.
I think the reason the Security+ info didn't work was because it wasn't listed yet.
freak

2002-11-22, 12:39 pm

I could not agree more. As a matter of fact, I used most of those in our new company policy. It's scary to see what password policy they had before I came on board. It was a typical case of a company who grew too big too fast...

quote:
Originally posted by AuthorHelen
All of those sound like good requirements; I would require a longer password, though, particularly if you're not validating passwords against a dictionary to make sure that they're not easily-guessable words.

I would also give users hints on how to choose good passwords like:

- Pick the first letter of each word of a phrase you can remember, like the lyrics to one of your favorite songs
- Tacking a "1" or "0" on the end of a word found in the dictionary does not a good password make. Be more creative than that.
- If you play an instrument, try using the letters that result when you press keys in a way that matches how you would play the melody of a song you like on your instrument
- Putting a random special character or two in the middle of a password tends to increase its strength significantly, though it's probably still not as good as the initial or notes suggestions above
- If you have to write it down anywhere at any time, it's not secure; so choose a password you will remember

--
* Helen *
(PS. Look that <== way and see the new cert :-)

chodan

2002-11-22, 2:38 pm

I got home a bit ago "took off early to make up for some weekend time" and saw an envelope from CompTIA.
I opened it up and it read "Congratulations you are Security+ Certified"
Whew!!
Boy am I relieved.
Especially after not seeing it on the site yet.
freak

2002-11-22, 2:50 pm

Congratulations!
chodan

2002-11-22, 2:53 pm

No wonder I couldn't log on to the site. My name is spelled wrong.
Oh well, I have contacted them via email.
AuthorHelen

2002-11-22, 4:45 pm

You go, chodan!

Congratulations!
--
* Helen *
dannyboy 950

2002-11-22, 6:44 pm

Glad to see everyone getting their certifications. Congratulations to you all.
azimuth40

2002-11-22, 10:46 pm

Congratulations on the new cert, whatever your name is
chodan

2002-11-22, 11:02 pm

quote:
Originally posted by azimuth40
Congratulations on the new cert, whatever your name is


I am JO JO the dog faced boy!!

------------
see the movie "Tommy Boy" for that reference

Copyright 2003 - 2008 examnotes.net