The Sarbanes Oxley Act :: View topic - IT - Password Control - Deficiencies

IT - Password Control - Deficiencies
Tri
Newbie
Joined: Sep 19, 2005
Posts: 1

Posted: Mon Sep 19, 2005 11:14 am    Post subject: IT - Password Control - Deficiencies

2 questions:

1. Our company is contemplating a policy that says you NEVER have to change your network password. Is this a de facto violation of the SarBox IT General Controls standards?

2. Interested in any deficiencies / comments they have received in relation to password controls, good or bad. Thanks!

ugogirl
MasterSoxer
Joined: May 11, 2005
Posts: 107

Posted: Mon Sep 19, 2005 1:28 pm

Have you assessed the risk of not changing your password?
What controls do you have in place to ensure against password cracking and unauthorized use?

I think your external auditors will have an issue with never changing your passwords. They will be looking for controls to prevent unauthorized access to data. Most external auditors expect to find passwords being changed at least quarterly, if not more frequently.

An example of a password policy is below:
sans.org/resources/policies/Password_Policy.doc

calvin
MasterSoxer
Joined: Jul 25, 2005
Posts: 101
Location: US

Posted: Mon Sep 19, 2005 5:56 pm

Apart from a periodic change of passwords, the passwords need to be changed when someone with a critical account (like System Admin, Network Admin, DB Admin) or someone with Super User access in the application leaves the organization.

Thanks

CH

JoBar
Newbie
Joined: Sep 20, 2005
Posts: 2

Posted: Tue Sep 20, 2005 9:28 am

Management at this company has a policy of not changing network or application passwords. It is felt that the risk is adequately mitigated by having account lockouts after three failed log in attempts (that must be reset by system admins). Our auditors did not agree, and we received a deficiency related to this policy.

skyranch
Newbie
Joined: Sep 12, 2005
Posts: 3

Posted: Tue Sep 20, 2005 2:25 pm    Post subject: Re: IT - Password Control - Deficiencies

Tri wrote:
    2 questions:

It is a violation of all norms. If your company has a policy not to change the password, what kind of control does it have? I think that if you don't change the password, the fraud risk grows.

lekatis
SoxGuru
Joined: Feb 15, 2005
Posts: 302
Location: USA

Posted: Wed Sep 21, 2005 12:39 pm

You must change this policy.

A policy is something you share, even with your partners. It is not wise to disclose such a policy, and there are a lot of reasons for that. Security reasons for example. You ask them to hack you with that policy.

If you have any problem and try to persuade any court, you will also have serious difficulties.
_________________
George Lekatis
President of the Sarbanes Oxley Compliance Professionals Association (SOXCPA)
www.sarbanes-oxley-association.com

Denis
SoxGuru
Joined: Nov 25, 2004
Posts: 787
Location: London, UK

Posted: Tue Sep 27, 2005 8:51 am    Post subject: Re: IT - Password Control - Deficiencies

Tri wrote:
    2 questions:
    1. Our company is contemplating a policy that says you NEVER have to change your network password. Is this a de facto violation of the SarBox IT General Controls standards?

It is not a de facto violation, although it is not best practice. I have seen it argued that infrequent changes to strong passwords are better than frequent changes to weak ones, though.

You have to look at user access as a collection of controls and say whether, on balance, they are sufficient. Infrequent password changes may be acceptable if other password parameters are strong.

If password parameters are too strong and users have, say, a monthly forced change, then they can resort to writing them down.
_________________
"The art of life is to deal with problems as they arise, rather than destroy one's spirit by worrying about them too far in advance" - Cicero

KnightX
Newbie
Joined: Dec 07, 2005
Posts: 6

Posted: Wed Dec 07, 2005 7:47 pm

There are a few aspects of password history that you have to consider.

The first aspect to consider is the risk of a brute force attack. If you have a password of 8 characters that is complex, requiring upper, lower and numbers, it would take a single CPU 8 years to run through all possible combinations. If the user changes their password once or twice a year then ideally a user could never crack a password in time before it has been changed.

The second risk is human interaction in the office: over time users could oversee or obtain a user's password. Changing passwords every 90 days helps mitigate this risk; changing passwords more frequently increases the risk as users will write it down.

The third is the nature of the data. For instance, if your data is stored on a laptop, changing your password will not prevent someone from stealing your laptop and using forensic tools to read your hard drive and your information. Whereas if you are accessing a terminal to access data, then enforcing password history would make more sense.

Denis
SoxGuru
Joined: Nov 25, 2004
Posts: 787
Location: London, UK

Posted: Thu Dec 08, 2005 7:15 am

KnightX wrote:
    There are a few aspects of password history that you have to consider.
    The first aspect to consider is the risk of a brute force attack. If you have a password of 8 characters that is complex, requiring upper, lower and numbers, it would take a single CPU 8 years to run through all possible combinations. If the user changes their password once or twice a year then ideally a user could never crack a password in time before it has been changed.

This is incorrect these days and also makes the incorrect assumption that you need to cover all possible combinations to brute force a password.

Quote:
    The second risk is human interaction in the office: over time users could oversee or obtain a user's password. Changing passwords every 90 days helps mitigate this risk; changing passwords more frequently increases the risk as users will write it down.

Very true. It's all a balancing act; if password change rules are too stringent then users do resort to writing them down.

Quote:
    The third is the nature of the data. For instance, if your data is stored on a laptop, changing your password will not prevent someone from stealing your laptop and using forensic tools to read your hard drive and your information. Whereas if you are accessing a terminal to access data, then enforcing password history would make more sense.

Again agreed. Where practical, sensitive information should be kept on shared drives in preference to C drives.
_________________
"The art of life is to deal with problems as they arise, rather than destroy one's spirit by worrying about them too far in advance" - Cicero

KnightX
Newbie
Joined: Dec 07, 2005
Posts: 6

Posted: Thu Dec 08, 2005 11:14 pm

I guess I explained that improperly. I was not assuming that you need to run through all possible combinations to brute force a password; however, I was trying to say that with a relatively lengthy and complex password and a frequent password expiry policy, the chances of someone actually using brute force to gain access before the password has changed are significantly minimized.

IrquiM
MasterSoxer
Joined: Sep 21, 2004
Posts: 149
Location: Northern Europe

Posted: Fri Dec 09, 2005 3:51 am

I'd also like to see your calculation for the brute force attack.

"One CPU" can be an Intel 8086, or it can be a dual-core, state-of-the-art Pentium.

8 years sounds a bit much to be honest, unless you're using your mobile phone or PDA.
_________________
Sarbanes Oxley Advisor

KnightX
Newbie
Joined: Dec 07, 2005
Posts: 6

Posted: Fri Dec 09, 2005 8:52 am

Length = 8
Complex = upper, lower, numbers: 62 possible combinations
62^8 = 218340105584896
Key Rate = 200 000 per second

62^8 / 200 000 keys per second / 60 seconds / 60 minutes / 24 hours / 365 days / 1 CPU = 34.61 years to run through all possible combinations, not necessarily to crack a given password.

Currently running LC5 on my 1.5 GHz PC I am getting a 10,000 key rate.

Any insight into possible key rates versus processing power would be appreciated.
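The exhaustive-search arithmetic in the post above, written out as an added example that is not part of the thread. It uses KnightX's figures (62 characters, length 8, 200,000 keys/s, 365-day year) and folds in the two follow-ups: an attacker on average succeeds after half the keyspace, and a 68-character alphabet; the key rates in the scenario table are assumptions, not measurements.

```python
# Added example (not from the thread): exhaustive-search time for a fixed
# password policy, with the average-case (half keyspace) correction and a
# larger alphabet. Key rates below are constructed assumptions.

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 365-day year, as in the post


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, keys_per_second: float) -> float:
    """Years one cracker needs to try every combination (worst case for it)."""
    return keyspace(charset_size, length) / keys_per_second / SECONDS_PER_YEAR


def expected_years(charset_size: int, length: int, keys_per_second: float) -> float:
    """Average time to hit one uniformly random password: half the keyspace."""
    return years_to_exhaust(charset_size, length, keys_per_second) / 2


def rotation_outpaces_search(charset_size: int, length: int,
                             keys_per_second: float, rotation_days: int) -> bool:
    """True if the password expires before the *average* exhaustive search
    would find it. Says nothing about dictionary or pattern attacks, which is
    why rotation is only one control among several."""
    return rotation_days / 365 < expected_years(charset_size, length, keys_per_second)


if __name__ == "__main__":
    # Constructed scenarios: the LC5 figure from the thread (10,000/s), the
    # posted 200,000/s, IrquiM's 68-character alphabet, and an assumed much
    # faster dedicated cracker at 1e9/s.
    for charset, rate in [(62, 10_000), (62, 200_000), (68, 200_000), (62, 1_000_000_000)]:
        print(f"charset={charset} rate={rate:>13,}/s"
              f"  exhaust={years_to_exhaust(charset, 8, rate):11.4f} y"
              f"  expected={expected_years(charset, 8, rate):11.4f} y"
              f"  90-day rotation outpaces: {rotation_outpaces_search(charset, 8, rate, 90)}")
```

At the posted 200,000 keys/s a 90-day rotation comfortably beats the average search; at the assumed 1e9 keys/s the same 8-character policy is exhausted in days, so rotation alone no longer helps.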

IrquiM
MasterSoxer
Joined: Sep 21, 2004
Posts: 149
Location: Northern Europe

Posted: Mon Dec 12, 2005 4:01 am

It is the same technology you use to crack Word and zip file passwords.

An 8 char. string does not take 8 years... I tested it on one of my own files once on a P4 2.5 GHz... it took less than 5 hours to guess my "standard" 8 char password with random numbers and both big and small chars. (For educational purposes, of course.)

Oh, and yes, I have 3 more letters than you in my alphabet, so that makes 6 more chars available for the password.
_________________
Sarbanes Oxley Advisor

KnightX
Newbie
Joined: Dec 07, 2005
Posts: 6

Posted: Mon Dec 12, 2005 9:12 am

It looks like my Key Rate/second is definitely way off, I stand corrected and will have to do some more testing and research into this. Thank you for the information.

NC
MasterSoxer
Joined: Jan 18, 2006
Posts: 122
Location: Chennai, India

Posted: Mon Feb 13, 2006 12:25 am

IrquiM wrote:
    It is the same technology you use to crack Word and zip file passwords.
    An 8 char. string does not take 8 years... I tested it on one of my own files once on a P4 2.5 GHz... it took less than 5 hours to guess my "standard" 8 char password with random numbers and both big and small chars. (For educational purposes, of course.)
    Oh, and yes, I have 3 more letters than you in my alphabet, so that makes 6 more chars available for the password.

Very, very well said.

Umpteen PW cracking tools are available on the net, and there are so many friends in our net environment who want to take up the PW cracking challenge.

How safe are character-based PWs?