Keeping a Level Head When Things Get Twitchy, Topsy, Turvy
Cyber security can be an embarrassing job. Something as simple as a failure to apply a patch on time, or in worse cases, to release a patch on time, can cost a company millions and turn into clickbait articles scattered across the web.
The recent incident with Lenovo serves as a great example of this. Netizens who were already staunchly anti-Lenovo took the opportunity to add fuel to a fire already raging because the company had confessed to pre-loading adware and bloatware on its hardware. The Lizard Squad was admittedly attacking Lenovo for this very reason and used its signature DNS-hijacking tactic to take over Lenovo.com for all of four hours. The story remained in the media for days afterward, all the same.
Lazy Gamers Twitch Out
Twitch, the gamer video service acquired by Amazon last August, had a serious breach last month as well. Far more serious than a simple DNS hijacking, its user database was breached and it was forced to reset all customer passwords. In a sensible move, it also required users to have longer passwords. The current wisdom on passwords is that 12 or more characters is the way to go, and never a dictionary word. The Twitch team was going for something along these lines, demanding that users have longer passwords, with a more thorough audit at password-creation time. Users took to social media in revolt, saying that Twitch was too demanding of their time. Security be damned, they were saying. The very antithesis of the cyber security professional’s efforts, that.
But the Twitch team capitulated, reducing the requirement back to eight characters. Surely this decision didn’t come from anyone in the cyber security department, whose implementations were likely faulted for the server breach in the first place. This came from customer relations, no doubt, people who have no business meddling in the affairs of the cyber security administrators. In its blog, Twitch wrote:
In order to create a secure password, we suggest you use a long random character string with a mix of character types (letters, numbers, symbols). To make it easy to remember, feel free to use words from the dictionary with multiple uncommon string substitutions. [Good and password examples.]
Edit #2: We’ve heard your concerns about overly-restrictive password requirements, and have reduced them to an 8 character minimum. Best practices regarding password security remain true.
This is a blunder that you can avoid by starting with strong password requirements. Then you won’t have a base of users who expect to be able to log in with grandp4gr3at, and you won’t have a backlash when you are inevitably forced to raise the requirements. The whole episode spelled out a pretty good lesson for security professionals: stick to your guns. When you know you’re right, just know that, and if decisions are made over your head, well, consider your career options. It has to be kept in mind, and can’t be overstressed here, that the very people who were demanding stronger passwords were also the ones held responsible for the breach that prompted them. If bad security is going to be allowed at any level of the organization, the security department needs a good political stance to prove that it was ahead of this particular fireball, and its job should not be called into question as a result.
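As an added example (not code from the original post or from Twitch), the following Python policy check enforces the two rules the paragraphs above argue for: a 12-character minimum and no dictionary word, where "dictionary word" still counts after the common digit-for-letter substitutions are undone. That is exactly why grandp4gr3at is weak: the substitutions are the first thing an offline cracking rule set reverses. The wordlist, the substitution table and the three-class rule are assumptions chosen for illustration; a real deployment would load a large wordlist and tune the thresholds.

```python
import re

# Constructed toy wordlist for the example; a deployment would load a real
# dictionary (and ideally a breached-password list) instead.
DICTIONARY = {"grandpa", "great", "password", "twitch", "lenovo", "summer", "dragon"}

# Common "leet" substitutions that password-cracking rules undo routinely.
# Undoing them before the dictionary check is what makes grandp4gr3at fail.
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t",
})

MIN_LENGTH = 12  # the "12 or more characters" guidance cited in the post

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def normalize(password: str) -> str:
    """Lower-case the password and reverse common character substitutions."""
    return password.lower().translate(LEET_MAP)


def contains_dictionary_word(password: str, dictionary=DICTIONARY, min_word_len: int = 4) -> bool:
    """True if any dictionary word of at least min_word_len letters appears
    in the normalized password (short words are skipped to limit false hits)."""
    norm = normalize(password)
    return any(word in norm for word in dictionary if len(word) >= min_word_len)


def count_character_classes(password: str) -> int:
    """Number of distinct classes (lower, upper, digit, symbol) present."""
    return sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)


def check_password(password: str, min_length: int = MIN_LENGTH, dictionary=DICTIONARY) -> list:
    """Return a list of policy violations; an empty list means the password
    is acceptable under this (hypothetical) policy."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if count_character_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    if contains_dictionary_word(password, dictionary):
        problems.append("contains a dictionary word once common substitutions are undone")
    return problems


if __name__ == "__main__":
    for candidate in ("grandp4gr3at", "P4ssw0rd!!xyz", "Tq7!mZ2#vLp9wQ"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Run as a script, it reports that grandp4gr3at fails on both the character-class and the dictionary rules even though it meets the length minimum, while a 13-character string built from a dictionary word plus digits and symbols still fails the dictionary rule alone. Rejecting such strings at creation time is cheaper than re-educating a user base later, which is the point the post makes about starting strict.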
Security Important for Governmental Compliance
The United Kingdom recently announced new rules for cyber security compliance for firms who want to work on government projects. They include the following:
- Access control and privilege management
- Malware protection
- Secure configuration
- Installing boundary firewalls and Internet gateways
- Patch management
It’s only a matter of time before password best practices are added to lists like these. The US government has become far more serious about cyber security in recent months as well, a good sign for private firms that specialize in it. New standards will soon apply to private firms contracting with the federal government, a market share that cannot be overstated.
As the password paradigm ages into obsolescence, it’s getting to the point where some system administrators want to require new passwords every month along with two-factor authentication wherever possible. Companies that fail to implement strong security could be losing out on valuable government contracts and worse, regular consumer clients. So when it comes time to up the security standard, as Nike said, just do it.