In July 2009 the Legislative Division of Post Audit, State of Kansas, released a Computer Security Audit Report giving an overview of computer and network security at five state agencies. The audit found weak password controls and missing security patches on servers; at one unnamed agency, 39 percent of passwords were cracked within five minutes using free software that can be easily downloaded from the Internet.
To get at an agency's passwords, attackers scan for servers that are missing the latest security patches, compromise one, and copy the stored list of password hashes (systems store a one-way hash of each password, not the password itself). They then run password-cracking software against that list offline, testing dictionary words and simple variations until the hashes match and the users' passwords are revealed.
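The offline step is worth seeing concretely. The following is an added example, not code from the audit or the article, showing a dictionary attack with simple mangling rules against a constructed list of unsalted MD5 hashes. The hash type, the account names, the passwords and the wordlist are all assumptions chosen for illustration; the report does not say which password format was cracked.

```python
"""Offline dictionary attack against a constructed list of unsalted password hashes.

Added example: the cracker only ever sees the hashes in SAMPLE_ACCOUNTS; the
plaintexts appear solely so the sample data can be rebuilt and checked.
"""
import hashlib
from typing import Dict, Iterator, List


def md5_hex(password: str) -> str:
    """Unsalted MD5, the hash format this example assumes (an assumption)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample: the kind of account/hash list copied off an unpatched server.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "jsmith":  md5_hex("Password1"),
    "mjones":  md5_hex("summer2009"),
    "rlee":    md5_hex("welcome"),
    "klopez":  md5_hex("welcome"),        # same password as rlee -> same unsalted hash
    "tgarcia": md5_hex("Kansas!"),
    "bwilson": md5_hex("qwerty123"),
    "dcruz":   md5_hex("9x#Rq!vT2m$Lw8"),  # long random string: not derivable from the wordlist
}

# Tiny constructed wordlist; real cracking wordlists hold millions of entries.
WORDLIST: List[str] = ["password", "summer", "welcome", "kansas", "qwerty", "letmein", "admin"]

# Mangling rules that mimic how people "strengthen" a dictionary word.
SUFFIXES: List[str] = [""] + [str(d) for d in range(10)] + ["!", "123"] + \
    [str(year) for year in range(2005, 2011)]


def candidates(word: str) -> Iterator[str]:
    """Yield the word in three case variants combined with every common suffix."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def crack(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Hash each candidate once and look it up against every account at the same time.

    With unsalted hashes one pass over the wordlist covers all users, and two
    accounts sharing a password fall together; a salt would force per-user work.
    Returns a mapping of cracked username -> recovered plaintext.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest, []).append(user)

    cracked: Dict[str, str] = {}
    for word in wordlist:
        for cand in candidates(word):
            for user in by_hash.get(md5_hex(cand), []):
                cracked[user] = cand
    return cracked


def cracked_fraction(hashes: Dict[str, str], wordlist: List[str]) -> float:
    """Share of accounts whose password was recovered (the audit's headline figure)."""
    return len(crack(hashes, wordlist)) / len(hashes)


if __name__ == "__main__":
    recovered = crack(SAMPLE_ACCOUNTS, WORDLIST)
    for user, plaintext in sorted(recovered.items()):
        print(f"{user:8s} {plaintext}")
    print(f"cracked {len(recovered)} of {len(SAMPLE_ACCOUNTS)} "
          f"({cracked_fraction(SAMPLE_ACCOUNTS, WORDLIST):.0%})")
```

Every account built from a dictionary word plus a case change or a common suffix falls; only the long random password survives. Each word expands to just 57 candidates here, and a modern cracking tool tests billions of such candidates per second, which is why "five minutes" is generous against a list of weak, unsalted hashes.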
Both primary weaknesses found in this audit, unpatched servers and weak passwords, show how a failure to implement existing policy creates critical gaps that lead to expensive and embarrassing incidents.
Just because an agency or organization has policies in a binder or on an intranet does not mean those policies and procedures are implemented.
The last line of the article was quite insightful regarding the importance of implementation:
“Even the agency that had relatively strong policies and settings had 35 percent of its passwords cracked within five minutes.”
Lesson Learned: Having policies and once-a-year general training does not mean the policies are implemented. People (managers, employees, IT personnel, partners, contractors, vendors, etc.) must understand and accept responsibility for implementing them, so that the policies become a layer of your security rather than a gap in it.