Re: How do you conduct a password audit?



Yes, that's very true. Non-tech guys, even at the higher posts, are irritatingly ignorant about security issues! Anyway, maybe you can try recreating your network environment in VMware and do some recordings of weak and strong password cracking attempts... and then show it to the top management guys!
For password auditing, not only the technical aspects but also training employees against social engineering and in safe online behavior is very important.

On Fri, 13 May 2011 22:58:21 +0530, Matthew Reed <mreed@xxxxxxx> wrote:

Speaking from a safe practice perspective:

Before ANY passwords are cracked, you should have specific permission from the highest possible source of management. This permission should be documented in writing.

Once permission has been granted, any passwords that have been cracked should be set for automatic password change by the user. If this is not in place there can be issues with repudiation of any security incidents. i.e. It has happened in the past that users who violated company policies/legal statutes were able to avoid sanctions by claiming that the integrity of their account was compromised by password audits.

These 2 practices will help anyone auditing passwords avoid potential issues.


MR

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Edd Burgess
Sent: Friday, May 13, 2011 10:14 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: How do you conduct a password audit?

I have seen an automatic audit setup on a linux server before as a cron
job; just running john the ripper against the shadow file once a week
and storing any weak results so the sysadmin can contact the relative users.

In other words, if you are worried about broaching the subject with
management, try to crack the passwords yourself - In my experience,
non-techs are more convinced by actual evidence; 'I managed to crack
your password in 3mins' than any amount of advice/information you can
throw at them. I had to actually ARP poison my boss and sniff an FTP
password to convince him to let me secure our office wifi!
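The two posts above describe one workflow: a scheduled john run over the shadow file, a stored list of weak results for the sysadmin to act on, and (from Matthew's reply) a forced password change for every cracked account under documented management authorization. The script below is an added example, not code from any poster in this thread. It post-processes the output of `john --show` (the sample text is constructed here, and `AUTH-TICKET-PLACEHOLDER` stands in for whatever document holds the written sign-off), keeps only the account names, discards the recovered passwords before anything is written, and emits the `chage -d 0` commands that force a change at next login.

```python
#!/usr/bin/env python3
"""Post-process `john --show` output from a scheduled password audit.

Added example for this thread; it assumes the john run already happened
under written management authorization and that its `--show` output was
captured to a file. Only account names are kept: the cleartext passwords
are dropped immediately so they never reach a report or disk.
"""
import json
import re
import shlex
from datetime import datetime, timezone

# Constructed sample of `john --show <shadow-copy>` output (not real accounts).
SAMPLE_JOHN_SHOW = """\
alice:Password1:1001:1001::/home/alice:/bin/bash
bob:summer2011:1002:1002::/home/bob:/bin/bash

2 password hashes cracked, 5 left
"""

# john prints "1 password hash cracked, N left" or "M password hashes cracked, N left".
SUMMARY_RE = re.compile(r"^(\d+) password hash(?:es)? cracked, (\d+) left$")


def parse_john_show(text):
    """Return (usernames, cracked_count, left_count) from `john --show` output.

    Only the first colon-separated field (the account name) is retained; the
    recovered password in the second field is discarded on the spot.
    """
    users = []
    cracked = left = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            cracked, left = int(m.group(1)), int(m.group(2))
            continue
        if ":" in line:
            users.append(line.split(":", 1)[0])
    return users, cracked, left


def build_report(users, cracked, left, authorization_ref, when=None):
    """Audit record tying this run to its written authorization.

    `authorization_ref` is whatever ticket or document number records
    management's permission; the value used below is a placeholder.
    """
    when = when or datetime.now(timezone.utc)
    return {
        "run_at": when.isoformat(),
        "authorization": authorization_ref,
        "hashes_cracked": cracked,
        "hashes_uncracked": left,
        "accounts_to_reset": sorted(set(users)),
    }


def remediation_commands(users):
    """Commands (run as root) so each flagged user must set a new password
    at next login: `chage -d 0` sets the last-change date to the epoch,
    which makes the system demand a change immediately."""
    return [f"chage -d 0 {shlex.quote(u)}" for u in sorted(set(users))]


if __name__ == "__main__":
    users, cracked, left = parse_john_show(SAMPLE_JOHN_SHOW)
    report = build_report(users, cracked, left, "AUTH-TICKET-PLACEHOLDER")
    print(json.dumps(report, indent=2))
    for cmd in remediation_commands(users):
        print(cmd)
```

Run as a post-step of the weekly cron job with the captured `john --show` output on stdin or in a file; the JSON report is what gets kept, and the printed `chage` lines are what the sysadmin executes after contacting the affected users.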


On 13/05/2011 12:47, wyfr1972@xxxxxxxxx wrote:
Hi folks,

I have many questions on this. I've learnt a lot from SecBasics, but now I have a few questions of my own. I want to carry out a password audit for my company, but I'm not sure how to proceed.

Firstly, how do I broach the subject with management? Are there any standards/methodologies online that I can use to back up my request to management?

Then, how do you conduct the audit? We have a mix of devices Windows/Solaris/Unix/Checkpoint/Cisco/network printers/etc.

How do I phase the work for best effect? How do I present my findings?

Thanks for your advice and help in advance.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------





NOTICE: This message, as well as any attached document, contains information from Consolidated Graphics, Inc. that is confidential and/or privileged, or may contain attorney work product. The information is intended only for the use of the addressee(s) named above. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, forwarding, printing, copying, disclosure, or the taking of any action in reliance on the contents of this message or its attachments is strictly prohibited, and may be unlawful. If you have received this message in error, please destroy all copies (in any form) of this message and its attachments, if any, without disclosing the contents, and notify the sender immediately. Unintended transmission does not constitute waiver of the attorney-client privilege or any other privilege. Unless expressly stated in this email, nothing in this message should be construed as a digital or electronic signature. Thank you for your cooperation.




--
Using Opera's revolutionary email client: http://www.opera.com/mail/



