October 6th, 2003, 04:39 PM
Front line security--screen savers
Activating a password-protected screensaver on users' desktops often provides more protection from unauthorized access than by issuing them with strong network login passwords, according to TruSecure.
The risk management company claims companies are wasting money on expensive security measures and procedures that can actually increase an organization's vulnerability to attackers instead of reducing it.
Jay Heiser, chief analyst at TruSecure, told ZDNet UK that most unauthorized access occurs inside an organization because users leave their desktops unattended and unprotected: "When someone sits down at a logged-in terminal they are able to rifle through that user's files and send or read their email. Screen-locking--activating a password-protected screensaver--is one of the most effective things you can do internally," he said.
Heiser said that when users are given long and complicated passwords, they are more likely to write them down: "They are going to write them down on Post-it notes next to their monitor or stick them under the keyboard," he said.
Research has found that companies are hit hard in the pocket when their employees forget their passwords and call the corporate helpdesk. Earlier this year, analyst group Meta calculated that each of these calls costs the company approximately US$25.
According to Heiser, regardless of whether passwords are complex or simple, there are lots of tools available on the Web that can crack them. A better policy is to use a hardware device, such as a token or smartcard to reinforce access rights. He said: "You always know if your hardware has been stolen but you don't know if your password has been stolen."
Heiser also dismissed the practice of updating antivirus signatures every day because it is a reactive action rather than a proactive one. "There is not a huge difference in updating antivirus signatures on a daily basis and on a monthly basis. Antivirus software is a band-aid--it isn't worth spending large amounts of time and effort optimizing it because there are other ways to reduce risk for a lower cost," he added.
I find this quite funny that a screensaver password can be considered a great form of protection. I just want to know what the AO community thinks about this.
AntiOnline Quick Forum Version 2b Click Here
October 6th, 2003, 04:55 PM
Ah but security is a series of tools and layers (it's like an onion --- no, not smelly... no, well, maybe makes you cry... Oh you know what I mean!!). Basically, a screen saver, especially on the admin side but just as much on the user side, can make it more difficult for a "malicious" type to put something on the machine, add a new admin or what-have-you.
Anything that can slow down an attacker, IMHO, is a good thing. And even a simple screensaver can do just that..
October 6th, 2003, 05:16 PM
I would have to agree with you spools..as one who knows absolutely nothing, I can get around that.
On the other hand, it might be just enough of a deterrent to cause someone to move on to the next box. Kind of like the difference between a door being open, and a door being closed..
October 6th, 2003, 08:41 PM
This might be just me but just like the screensaver password, every security has a flaw. Even though some are easier than others, it is still possible to get around them. When you rely on one security program or type you leave yourself open to danger. Some people might not know how to get around it but I can assure you that someone can. For every other security program or type you add, you make it that much harder to get past. Even if someone knows how to get past your first security they still have to crack the others. And I can assure you that very few people have the knowledge to crack multiple securities.
To sum up my post... As small as a screensaver password might seem, it still has the power to slow down a cracker.
October 6th, 2003, 08:51 PM
I suggest to everyone who works inside my office to have a password protected screen saver and I completely agree with Mittens onion theory. The more security the better. And it's right on to say that if somebody is walking around and the person sees that your computer is just sitting there with Outlook (or whatever mail client) open that it is very tempting to look at.
I also suggest that people lock their computers as soon as they go away from their desks.
The one thing that I do tend to enforce is that our vpn users have more complex passwords.
I am more worried about security of the people who are on the internet with broadband (even if they have a router/firewall) than I am about our internal networks being attacked from the outside.
October 6th, 2003, 09:16 PM
On my network, (Win2k), the password protected login screensaver is mandated in the domain security policy. When I first instituted it the users pitched the proverbial bitch fit since it was set for 5 minutes..... My department got no end of calls and complaints that it was a pain and too short. I told them it was mandated and that it wouldn't change.... Then, after 2 days I changed it to 10 minutes and told no-one.... To this day this is my dirty little secret...well, one of many.... and I still maintain it is set for 5 minutes......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
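One way to check on a workstation that a screen-saver lock policy like the one described in the post above is actually in force, as an added example that is not part of the original thread. It assumes the standard Group Policy registry values for the screen saver (`ScreenSaveActive`, `ScreenSaverIsSecure`, `ScreenSaveTimeOut`) and a 10-minute limit; the function names are hypothetical.

```powershell
# Added example: audit the effective screen-saver lock settings of the current user.
# Values under the Policies key are set by Group Policy and override user preferences.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'
$MaxTimeoutSeconds = 600   # assumption: the 10-minute value mentioned in the post

function Get-ScreenSaverSetting {
    param([string]$Name)
    # Look in the policy key first, then fall back to the user's own preference.
    foreach ($key in $PolicyKey, $UserKey) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Name     = $Name
                Value    = [string]$item.$Name
                Enforced = ($key -eq $PolicyKey)
            }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; Enforced = $false }
}

function Test-ScreenSaverLock {
    $active  = Get-ScreenSaverSetting 'ScreenSaveActive'
    $secure  = Get-ScreenSaverSetting 'ScreenSaverIsSecure'
    $timeout = Get-ScreenSaverSetting 'ScreenSaveTimeOut'
    $findings = @()

    if ($active.Value -ne '1') { $findings += 'Screen saver is not enabled' }
    if ($secure.Value -ne '1') { $findings += 'No password is required on resume' }

    $seconds = 0
    if (-not [int]::TryParse($timeout.Value, [ref]$seconds) -or $seconds -le 0) {
        $findings += 'No idle timeout is set'
    } elseif ($seconds -gt $MaxTimeoutSeconds) {
        $findings += "Idle timeout is $seconds s (limit is $MaxTimeoutSeconds s)"
    }
    # A setting that only exists as a user preference can be switched off by the user.
    foreach ($s in $active, $secure, $timeout) {
        if (-not $s.Enforced) { $findings += "$($s.Name) is not enforced by policy" }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-ScreenSaverLock | Format-List
```

Run in the user's own session, since the values live under `HKCU`; a machine that reports the settings as present but not enforced is one where the lock depends on the user leaving it on.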