I’m moving my Infosec Communicator blog to benwoelk.com. Please visit me there!
We had the privilege of being puppy raisers for Guiding Eyes for the Blind, an organization that provides assistance dogs for the visually impaired. Our role was to help the puppy become a mature adult who was able to fulfill his role as an enabler. Yes, it’s a stretch, but it’s also what an Information Security Officer does when “raising” an information security program. A mature information security program becomes an enabler for the business and users it supports. A mature guide dog enables the user it supports to go about his or her daily business. (And no, I’m not going to try to keep drawing parallels between the two experiences!)
In a university setting, maturing a security program and successfully accomplishing initiatives depends on cooperation and collaboration. In my experience, there is very little that can be mandated, unless required for legal compliance; even then, there may be significant resistance. Understanding the business needs of an institution will enable the Information Security Office to set the best balance between security strategies and other priorities at the campus level; thus, opening doors to acceptance of security initiatives.
Meeting these challenges is best accomplished by building relationships and goodwill with key influencers in business divisions and colleges, especially with those individuals who are your detractors. One way to build relationships is to meet regularly with key individuals to ensure that the Information Security Office understands the needs of the business. (Recognition that a “one-size-fits-all” model isn’t the best approach and building reasonable business-sensitive solutions will help people view Information Security as an enabler, not an impediment.) These meetings will also provide opportunities for key individuals to understand the need for specific security initiatives. It’s helpful to articulate “what’s in it for them.”
One model that has worked previously in some higher education environments is the establishment of three teams: security advisors, security coordinators, and an extended team that reviewed proposed standards. Working with security advisors (a subteam of leadership of divisions and colleges) helps ensure the reasonability of proposed requirements for the university and to provide a direct communication link to the Information Security Office. Working with security coordinators helps with the implementation of security requirements and assisting their end users. An extended review team reviewing draft standards/requirements before they are submitted for final approval helps ensure their suitability to executive leadership.
Increasing and maintaining security awareness is another key enabler for maturing an information security program. Effective messaging will raise awareness and help the university community work towards a common goal in information security as they understand their role in practicing Digital Self Defense–protecting themselves and everyone else.
My thoughts on one of the challenges facing infosec offices in higher education. It reflects my thoughts, and not necessarily those of my employer.
The institutional challenge of creating centralized cost-effective efficiencies in an environment with a strong tradition of localized, decentralized IT solutions and personnel is normative in higher education.
An Information Security Office can create centralized efficiencies by:
- Modeling an effective centralized service organization that is responsive to the individual needs of specific departments. (One way to accomplish this is by regular meetings with stakeholders to ensure that the Information Security Office can enable their business, rather than create barriers with unreasonable requirements.)
- Providing centralized security services such as vulnerability scanning of web and servers and security reviews of proposed solutions.
- Managing compliance initiatives such as private information remediation centrally, leveraging an extended team composed of empowered college and division representatives.
- Supporting cloud-based sharing solutions that do not require localized site support and that could be more effectively managed centrally.
- Supporting efforts to centralize authentication mechanisms.
- Administering a centralized security project budget.
- Driving centralization by drafting and gaining consensus on comprehensive technical standards, especially for servers and network that make it obvious that it’s more effective and desirable for these areas to be supported centrally.
- Recognizing that one size does not fit all and that the Information Security Office may need to provide appropriate service level agreements in certain areas.
- Communicating clearly to Deans and VPs that continued use of local support indicates that they are willing to accept all associated risks, especially those risks related to compliance.
In general, overcoming the existing decentralized model is about selling the value proposition of centralization to the various colleges and departments who use localized support. Can they better use their limited resources if they do not have the burden of providing support to systems and networks that can be centrally managed?
Read my interview with RIT alumnus Neil DuPaul on the Veracode Blog where we discuss how we’re increasing information security awareness at the Rochester Institute of Technology. What do you think of the cards?
Let’s be honest. Passwords are a pain. We all know that it’s important to have different passwords for different places and we all know that they need to be fairly complex. We also know that remembering numerous passwords, especially strong passwords, can be a challenge. So what’s the best strategy?
In this article, I’ll talk about how to create memorable (but strong) passwords and suggest a tool that will make constructing and remembering strong passwords easier.
In general, the strength of a password depends on two factors: length and complexity. Although there’s some disagreement, length is more important than complexity. (For a humorous illustration of password complexity, read the XKCD comic at http://xkcd.com/936/)
Increased complexity makes it more difficult to create a password that you can remember. The idea of a long complex password may be overwhelming. However, increasing password length alone can result in a password that’s memorable and stronger. Because of the way Windows stores some passwords, the “magic number” is 15 characters or more. A traditional complex password of 15 characters might look like this: “qV0m$$#owc2h0X5”. I don’t know about you, but there’s no way I’m going to remember a password like that. You COULD write it down and store it securely, but it’s not the easiest password to enter on a keyboard, and storing passwords in a browser or in a desktop application is insecure.
Here are a couple of strategies for strong passwords.
Strategy One: Use Passphrases
Because length is more important than complexity, using a passphrase, even if it’s relative simple, provides a sufficiently strong password.
For example, you may have heard of the Bulwer-Lytton Fiction Contest (bulwer-lytton.com). Bulwer-Lytton was a novelist whose opening sentence, “It was a dark and stormy night,” was immortalized in a Charles Schulz Peanuts cartoon where Snoopy was typing a novel. With a few modifications, that phrase makes a pretty strong password: “ItwasaDark2&StormyNight” That’s a 23-character passphrase that most of us could remember. If you need to change the password, you could do it by incrementing the number. I recommend choosing the first line of a book or song and turning that into a passphrase.
Strategy Two: Use a Password Safe/Vault
You’ll find that you may need quite a few different passwords. Creating different passphrases is a great way to create strong passwords, but you would still need to remember quite a few different ones. A good way to manage multiple passwords is by using a password safe or vault. A password safe stores multiple passwords and may be configured to prompt you with the needed password when you visit a password-protected website. You may want to use a password safe called LastPass. LastPass provides browser plugins for multiple browsers and there’s a version that will work with smartphones. LastPass will generate one of those long complex impossible-to-remember passwords on command and store that password for you. You should protect your password safe with a long passphrase constructed as described above. LastPass is just one example of good password safes. Other popular password safes include Password Gorilla, KeePass, and RoboForm.
A strong password is a key component in protecting information and unauthorized access. I hope you find these recommendations helpful.
This article was submitted for publication in the RIT IACA Quaestor Newsletter.