-
September 28th, 2005, 07:21 AM
#31
Originally posted here by ghostmachine
thanks for all your input.
The main concern on my part is how, in the scenario mentioned, staff B is going to identify that the helpdesk is who they say they are.
So firstly, the helpdesk should not ask for passwords from users at all. This is enforced by policy.
Secondly, users should just say no, no and no when being asked for a password (enforced by policy).
Lastly, as an identifying mechanism, use caller ID...
thanks
Well, as pointed out in Mitnick's book, caller ID can be tricked too, if the S.E. is really motivated and skilled... So it can't be relied upon as a "final ID mechanism" 100% of the time...
my $0.02
-z3
-
September 28th, 2005, 08:55 AM
#32
A long, complex password isn't necessarily good. It just forces more people to write them down. We use an 8 character minimum which must contain numbers and letters in upper and lower case. I think this is probably the upper limit that staff can cope with.
Schneier advises that you can make staff use very hard passwords but you have to let them write them down. Put the note in your wallet. Most people keep their wallets pretty safe.
It's a view that a lot of people are coming round to here. Especially with some pressure for single sign in happening.
I believe the best practice for development within an organisation is to have it on a separate network, logical or physical. Development should never occur on the business network. Development data should be synthetic or at least sanitised, but must be analogous with live data.
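As an added illustration (not the poster's code) of the password rule described above, here is a small checker for an 8 character minimum that must contain a digit, an upper-case letter and a lower-case letter. The rule names and the function names are my own choices; the post only states the policy.

```python
"""Added example: validate a password against the policy stated in the post
(minimum 8 characters; must contain numbers, upper-case and lower-case letters).
Rule names and function names are assumptions, not part of the original post."""

MIN_LENGTH = 8  # the "8 character minimum" from the post


def check_password_policy(password: str) -> list[str]:
    """Return the list of rules the password violates.

    An empty list means the password satisfies the policy. Returning every
    failed rule (rather than stopping at the first) lets a helpdesk or
    self-service page tell the user exactly what is missing.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    return failures


def passes_policy(password: str) -> bool:
    """Convenience wrapper: True when no rule is violated."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("Passw0rd", "password", "Ab1", "ALLCAPS123"):
        print(repr(candidate), "->", check_password_policy(candidate) or "ok")
```

The checker only enforces composition, which is all the post describes; whether a user then writes the password down (the trade-off the post raises) is outside what any validator can see.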
-
September 28th, 2005, 11:40 AM
#33
Of course people tend to fixate on passwords, things like how long is yours, does it have special characters, etc. In my experience the biggest internal security threat comes from people simply not locking their workstation when they run to get coffee or go to talk to their supervisor, etc. I've had developers thinking they were smart and bypassing our lock-out policy. That stopped quickly after a couple of them left for the weekend and didn't log out. When they came back Monday they had sent an e-mail inviting everyone in their team and the tech support team for a drink to celebrate their birthday.
"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
Oscar Wilde (1854-1900)
-
September 28th, 2005, 11:41 AM
#34
Aspman
You move with the eloquence of disintegrating fuselage.
Must send that one to some of my RAF mates?..............the compliment generator at the bottom of your posts is a real hoot
You are right about the development environment...............hell I would not have any of my team messing in the live environment..............we have a subspecies called "catches" (catch 22 )......errrrrr "auditors".................I do not think that they would be impressed?
-
September 28th, 2005, 12:07 PM
#35
I am an auditor
(a large part of my job at least)
-
September 28th, 2005, 01:08 PM
#37
I got this one :
You have not yet reached the height of your depravity.
Sounds about right for me.....
As for the rest of it a developer sniffing around a live system
-
September 28th, 2005, 01:21 PM
#38
It's not my fault. They didn't mention the 'A' word when I took the job