Recently in Security Policy Category

Catching out dodgy security policies


Here's a question to ask your security policy people, to see whether their recommendations are actually risk based or just "best guesses"...

"Have you updated the minimum password length/complexity requirements due to recent advances in password cracking speeds?"

I was reading a couple of posts on the Red Database Security blog (here and here), and it occurred to me that despite the increases in password cracking speeds over the last couple of years, I've not seen much movement in minimum password length/strength requirements to go along with them...

Obviously password policies should be tailored to mitigate the threats to the systems they protect, and the primary risk that long passwords mitigate is an offline attack where the attacker has access to the encrypted password (the more common online brute-force is better mitigated by account lockout and security monitoring in most cases).

So if crackers are getting faster, passwords should obviously get longer...
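To turn that argument into the check the post suggests asking about, here is an added example (not from the original post) that computes how long a given guess rate takes to exhaust a password keyspace and the minimum length needed to keep that above a policy target. The guess rates, charset size and one-year target are constructed assumptions, and exhausting the full keyspace is a worst case for the attacker, so the lengths it produces are a floor, not a guarantee against dictionary-based cracking.

```python
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters
    drawn from an alphabet of `charset_size` symbols."""
    return charset_size ** length


def days_to_exhaust(length: int, charset_size: int, guesses_per_second: int) -> float:
    """Days an offline attacker needs to try every candidate at the given rate.
    Real attacks finish sooner (dictionaries, rules), so treat this as an upper bound."""
    return keyspace(length, charset_size) / guesses_per_second / 86400


def min_length_for_target(charset_size: int, guesses_per_second: int,
                          target_years: int) -> int:
    """Smallest length whose full keyspace takes at least `target_years`
    to exhaust at `guesses_per_second`. Integer arithmetic avoids float error."""
    required_guesses = guesses_per_second * target_years * SECONDS_PER_YEAR
    length = 1
    while keyspace(length, charset_size) < required_guesses:
        length += 1
    return length


def policy_review(charset_size: int, old_rate: int, new_rate: int,
                  target_years: int) -> dict:
    """Compare the minimum length a policy needed at an old cracking rate
    with what the same risk target needs at a newer, faster rate."""
    old_len = min_length_for_target(charset_size, old_rate, target_years)
    new_len = min_length_for_target(charset_size, new_rate, target_years)
    return {
        "old_min_length": old_len,
        "new_min_length": new_len,
        "policy_stale": new_len > old_len,  # True means the policy should have moved
    }


if __name__ == "__main__":
    # Constructed figures: alphanumeric charset, a rate of 1e6 guesses/s when the
    # policy was written versus 1e9 guesses/s today, one-year exhaustion target.
    review = policy_review(62, 1_000_000, 1_000_000_000, 1)
    print(review)
    print(f"8-char alphanumeric at 1e9/s: {days_to_exhaust(8, 62, 1_000_000_000):.1f} days")
```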

17799 User Group

ISO 17799 and BS7799 User Group

A useful source of information about 17799.

PCI link and commentary

Network and IT Security Management Blog: Correlation Central - Network Security Blog: MasterCard PCI / SDP Framework


An interesting posting about the credit card industry's PCI security standard, and some commentary on it.

Interesting Article about Security Policies

An interesting article at nwfusion gives us The scoop on security policies. There are some good points in the article about keeping the policy short and to the point, although I've tended to find that in larger companies it is a real challenge to convey everything you need to tell your user base in a very short policy. There are other alternatives of course, like splitting the information up over multiple documents, but that can lead to people reading the first one and none of the rest.

One other point to note is that even more important than the security policy itself is the communication method and the periodic reminders. If you only give someone the policy once and then never revisit it, most people WILL forget what's in it...

About this Archive

This page is an archive of recent entries in the Security Policy category.

Security Learning Resources is the previous category.

Security Tools is the next category.

Find recent content on the main index or look in the archives to find all content.


Powered by Movable Type 4.37
