Infosec Communicator is moving
I’m moving my Infosec Communicator blog to benwoelk.com. Please visit me there!
My thoughts on another challenge facing infosec offices in higher education. It reflects my thoughts, and not necessarily those of my employer.
We had the privilege of being puppy raisers for Guiding Eyes for the Blind, an organization that provides assistance dogs for the visually impaired. Our role was to help the puppy become a mature adult who was able to fulfill his role as an enabler. Yes, it’s a stretch, but it’s also what an Information Security Officer does when “raising” an information security program. A mature information security program becomes an enabler for the business and users it supports. A mature guide dog enables the user it supports to go about his or her daily business. (And no, I’m not going to try to keep drawing parallels between the two experiences!)
In a university setting, maturing a security program and successfully accomplishing initiatives depends on cooperation and collaboration. In my experience, there is very little that can be mandated, unless required for legal compliance; even then, there may be significant resistance. Understanding the business needs of an institution will enable the Information Security Office to set the best balance between security strategies and other priorities at the campus level; thus, opening doors to acceptance of security initiatives.
Meeting these challenges is best accomplished by building relationships and goodwill with key influencers in business divisions and colleges, especially with those individuals who are your detractors. One way to build relationships is to meet regularly with key individuals to ensure that the Information Security Office understands the needs of the business. (Recognition that a “one-size-fits-all” model isn’t the best approach and building reasonable business-sensitive solutions will help people view Information Security as an enabler, not an impediment.) These meetings will also provide opportunities for key individuals to understand the need for specific security initiatives. It’s helpful to articulate “what’s in it for them.”
One model that has worked previously in some higher education environments is the establishment of three teams: security advisors, security coordinators, and an extended team that reviews proposed standards. Working with security advisors (a subteam of the leadership of divisions and colleges) helps ensure the reasonability of proposed requirements for the university and provides a direct communication link to the Information Security Office. Working with security coordinators helps with the implementation of security requirements and with assisting their end users. An extended review team that reviews draft standards/requirements before they are submitted for final approval helps ensure their suitability for executive leadership.
Increasing and maintaining security awareness is another key enabler for maturing an information security program. Effective messaging will raise awareness and help the university community work towards a common goal in information security as they understand their role in practicing Digital Self Defense: protecting themselves and everyone else.
My thoughts on one of the challenges facing infosec offices in higher education. It reflects my thoughts, and not necessarily those of my employer.
The institutional challenge of creating centralized, cost-effective efficiencies in an environment with a strong tradition of localized, decentralized IT solutions and personnel is the norm in higher education.
An Information Security Office can create centralized efficiencies by:
In general, overcoming the existing decentralized model is about selling the value proposition of centralization to the various colleges and departments who use localized support. Can they better use their limited resources if they do not have the burden of providing support to systems and networks that can be centrally managed?
RIT InfoSec Awareness: An Interview With Ben Woelk
Read my interview with RIT alumnus Neil DuPaul on the Veracode Blog where we discuss how we’re increasing information security awareness at the Rochester Institute of Technology. What do you think of the cards?
Let’s be honest. Passwords are a pain. We all know that it’s important to have different passwords for different places and we all know that they need to be fairly complex. We also know that remembering numerous passwords, especially strong passwords, can be a challenge. So what’s the best strategy?
In this article, I’ll talk about how to create memorable (but strong) passwords and suggest a tool that will make constructing and remembering strong passwords easier.
In general, the strength of a password depends on two factors: length and complexity. Although there’s some disagreement, length is more important than complexity. (For a humorous illustration of password complexity, read the XKCD comic at http://xkcd.com/936/.)
Increased complexity makes it more difficult to create a password that you can remember. The idea of a long complex password may be overwhelming. However, increasing password length alone can result in a password that’s memorable and stronger. Because of the way Windows stores some passwords, the “magic number” is 15 characters or more. A traditional complex password of 15 characters might look like this: “qV0m$$#owc2h0X5”. I don’t know about you, but there’s no way I’m going to remember a password like that. You COULD write it down and store it securely, but it’s not the easiest password to enter on a keyboard, and storing passwords in a browser or in a desktop application is insecure.
Here are a couple of strategies for strong passwords.
Because length is more important than complexity, using a passphrase, even if it’s relatively simple, provides a sufficiently strong password.
For example, you may have heard of the Bulwer-Lytton Fiction Contest (bulwer-lytton.com). Bulwer-Lytton was a novelist whose opening sentence, “It was a dark and stormy night,” was immortalized in a Charles Schulz Peanuts cartoon where Snoopy was typing a novel. With a few modifications, that phrase makes a pretty strong password: “ItwasaDark2&StormyNight”. That’s a 23-character passphrase that most of us could remember. If you need to change the password, you could do it by incrementing the number. I recommend choosing the first line of a book or song and turning that into a passphrase.
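To make the length-versus-complexity point concrete, here is an added example (not code from the original article) that scores the two passwords above under a naive brute-force model, where the attacker must try every string of the same length drawn from the character classes the password uses. The lowercase-only phrase is a constructed third candidate; the 15-character threshold is the one the article gives.

```python
import math
import string

# Character classes a naive brute-force attacker must cover, with the pool
# size each class adds to the search alphabet.
CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)

# Length threshold the article gives because of how Windows stores some passwords.
MIN_RECOMMENDED_LENGTH = 15


def pool_size(password: str) -> int:
    """Size of the alphabet an attacker must search, based on the classes present."""
    chars = set(password)
    return sum(size for members, size in CHARACTER_CLASSES if chars & members)


def brute_force_bits(password: str) -> float:
    """Bits of work to exhaust every string of this length over the observed pool.

    Naive model only: a phrase built from dictionary words is weaker against a
    word-list attack than this number suggests, which is why the article mixes
    a digit and a symbol into the phrase.
    """
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password: str) -> dict:
    """Summarise a candidate against the article's two factors: length and complexity."""
    chars = set(password)
    return {
        "length": len(password),
        "classes": sum(1 for members, _ in CHARACTER_CLASSES if chars & members),
        "bits": round(brute_force_bits(password), 1),
        "meets_length": len(password) >= MIN_RECOMMENDED_LENGTH,
    }


if __name__ == "__main__":
    # The two passwords from the article plus a constructed lowercase-only phrase.
    for candidate in ("qV0m$$#owc2h0X5", "ItwasaDark2&StormyNight", "itwasadarkandstormynight"):
        print(candidate, assess(candidate))
```

The 24-character lowercase phrase scores higher than the 15-character random password even though it uses one character class, which is the article's point about length.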
You’ll find that you may need quite a few different passwords. Creating different passphrases is a great way to create strong passwords, but you would still need to remember quite a few different ones. A good way to manage multiple passwords is by using a password safe or vault. A password safe stores multiple passwords and may be configured to prompt you with the needed password when you visit a password-protected website. You may want to use a password safe called LastPass. LastPass provides browser plugins for multiple browsers and there’s a version that will work with smartphones. LastPass will generate one of those long complex impossible-to-remember passwords on command and store that password for you. You should protect your password safe with a long passphrase constructed as described above. LastPass is just one example of good password safes. Other popular password safes include Password Gorilla, KeePass, and RoboForm.
A strong password is a key component in protecting information from unauthorized access. I hope you find these recommendations helpful.
This article was submitted for publication in the RIT IACA Quaestor Newsletter.