A company recently hired me specifically to improve its password policy. At five characters long, zero complexity, and no forced expiration changes, these passwords would be considered nearly nonexistent to most hackers -- and the client knew it.
I quickly learned that the client had several other significant security problems, including porous firewall rules, outdated antimalware software, horrible patching, and hundreds of domain admin accounts, not to mention the fact that every end-user had admin rights to his or her desktop. Unsurprisingly, the client's entire environment was already rife with malicious hackers and their programs.
I told them that even though they had hired me to improve their password policy, the security overhaul should concentrate on other issues first. When they resisted this suggestion, intent on dealing with the password problem, I asked how they'd been so thoroughly compromised. In every story they shared, successful attacks were caused by an elevated end-user being tricked into running Trojan horse programs sent via email.
I asked them what they were doing to stop that particular attack vector. They said they'd delayed implementing defenses because the task was difficult, time consuming, and resource intensive. They wanted to tackle the password issue first. The company's decision-makers were so intent on changing their password policy that they could not see the forest for the trees. Unfortunately, it's a common scenario.
If you want to reduce your company's security risk as efficiently as possible, you have to start by taking stock of your network security holes. Document all the ways your company is successfully compromised and figure out the percentage each attack vector is responsible for. As the saying goes, past behavior is a reliable indicator of future behavior -- and attacks.
Your threat modeling documentation will probably mention initial attack vectors, which include how the attacker/malware first gained access to your environment, and secondary attacks, or the means by which attackers/malware gained further access and privileges. For example, an initial attack may be through a malicious PDF file sent to a senior executive. The secondary attack may involve password guessing against NetBIOS shares, installing remote access Trojans, or dumping the hashes from password databases. The initial attack vectors are far more important, although minimizing the secondary attacks is part of the defense plan, too.
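The inventory the last two paragraphs describe (tally every successful compromise, attribute it to an initial vector and the secondary techniques that followed, and rank the vectors by share) is easy to automate once incidents are recorded consistently. The script below is an added example, not code from the article or its author; the incident records and vector names are constructed sample data, and the functions are hypothetical helpers that show how the ranking separates initial from secondary vectors and how much of the total a top-N fix would cover.

```python
from collections import Counter

# Constructed sample incident records (not taken from the article). Each
# record names the initial vector that first gained access and the
# secondary techniques observed afterwards. Vector names are illustrative.
INCIDENTS = [
    {"id": "inc-01", "initial": "email trojan run by elevated user",
     "secondary": ["remote access trojan", "hash dumping"]},
    {"id": "inc-02", "initial": "email trojan run by elevated user",
     "secondary": ["remote access trojan"]},
    {"id": "inc-03", "initial": "malicious pdf attachment",
     "secondary": ["hash dumping", "password guessing against netbios shares"]},
    {"id": "inc-04", "initial": "email trojan run by elevated user",
     "secondary": ["hash dumping"]},
    {"id": "inc-05", "initial": "weak password guessed on external login",
     "secondary": ["password guessing against netbios shares"]},
    {"id": "inc-06", "initial": "email trojan run by elevated user",
     "secondary": ["remote access trojan", "hash dumping"]},
    {"id": "inc-07", "initial": "unpatched server exploited",
     "secondary": ["hash dumping"]},
    {"id": "inc-08", "initial": "email trojan run by elevated user",
     "secondary": ["remote access trojan"]},
    {"id": "inc-09", "initial": "malicious pdf attachment",
     "secondary": ["password guessing against netbios shares"]},
    {"id": "inc-10", "initial": "email trojan run by elevated user",
     "secondary": []},
]


def tally_initial_vectors(incidents):
    """Rank initial vectors by the share of incidents they started.

    Returns a list of (vector, count, percent_of_incidents), most common first.
    Every incident has exactly one initial vector, so the percentages sum to 100.
    """
    counts = Counter(inc["initial"] for inc in incidents)
    total = len(incidents)
    return [(vector, n, round(100.0 * n / total, 1))
            for vector, n in counts.most_common()]


def tally_secondary_vectors(incidents):
    """Rank secondary techniques by how many incidents they appeared in.

    An incident can carry several secondary techniques, so the percentages
    here are "share of incidents in which this technique was seen" and do
    not sum to 100. Returns (technique, count, percent_of_incidents).
    """
    counts = Counter(tech for inc in incidents for tech in inc["secondary"])
    total = len(incidents)
    return [(tech, n, round(100.0 * n / total, 1))
            for tech, n in counts.most_common()]


def coverage_of_top(incidents, top_n):
    """Percent of incidents eliminated if the top_n initial vectors were closed.

    This is the number the article argues for: fix the vector responsible for
    most compromises first, then re-measure.
    """
    ranked = tally_initial_vectors(incidents)
    covered = sum(n for _, n, _ in ranked[:top_n])
    return round(100.0 * covered / len(incidents), 1)


if __name__ == "__main__":
    print("Initial vectors (fix these first):")
    for vector, n, pct in tally_initial_vectors(INCIDENTS):
        print(f"  {pct:5.1f}%  {n:2d}  {vector}")
    print("Secondary techniques (part of the plan, lower priority):")
    for tech, n, pct in tally_secondary_vectors(INCIDENTS):
        print(f"  {pct:5.1f}%  {n:2d}  {tech}")
    print(f"Closing the top initial vector covers {coverage_of_top(INCIDENTS, 1)}% of incidents")
```

On the constructed data the ranking shows the same picture the client's own stories told: one initial vector (an elevated user running an emailed Trojan) accounts for more than half of the compromises, while hash dumping and NetBIOS password guessing show up only as secondary steps after access was already gained. Re-running the tally after each control is deployed is the cheapest way to check whether the priority list still holds.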