More than Half of Security Pros Rarely Change their ...

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

Joe Stanganelli,
User Rank: Ninja
4/7/2017 | 1:23:49 PM

Red Herring

This is a red herring issue, I strongly suspect.

Talk to most die-hard security pros -- the really good ones, and the ones who do nothing OTHER than cybersecurity for a living -- and their use of social networks is minimal (if not non-existent). Moreover, they put minimal -- if any -- true PII on those social networks. So their risk is already quite small.

Moreover, it is becoming increasingly the viewpoint of the top InfoSec pros and punditry that changing passwords frequently is NOT a best practice -- and can actually be detrimental.

The study may be headline grabbing, but I am unconcerned.

Reply | Post Message | Messages List | Start a Board

50%

AndrewfOP,
User Rank: Moderator
4/4/2017 | 1:13:36 PM

Problematic Password Practice Advice

Clearly, if security pros can't follow their own advice, it just means the advice itself was problematic. Secure IT policy should be clear and easy to follow, otherwise IT/Security team is obviously not doing, or not able to do its job. One account with periodic password change is difficult enough. Keeping good tracks of multiple accounts as with most of office working environment is practically impossible.

Single sign-on/ password vaults, or one single password for all accounts, essentially presents the same security weak point. The only way to maintain the good security should be user behavior tracking and analysis: any excessive access entries outside of users' normal work environment, excessive access outside normal work hours or excessive amount of access entries are potential breaches to look out for.

Continued reliance on difficult to follow password practices would only weaken IT security in the long run regardless of any potential technology that could replace passwords.

Reply | Post Message | Messages List | Start a Board

50%

lakers85,
User Rank: Strategist
4/3/2017 | 12:42:39 PM

Password Vaults

Any recomendations on Password Vaults? What if they are breached? Who watches the watchers?

Reply | Post Message | Messages List | Start a Board

50%

Breezcar,
User Rank: Apprentice
4/3/2017 | 11:14:58 AM

I agree

I should change more often also

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

How Attackers Used Look-Alike Domains to Steal $1 Million From a Chinese VC

Jai Vijayan, Contributing Writer, 12/6/2019

US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts

Jai Vijayan, Contributing Writer, 12/5/2019

VPN Flaw Allows Criminal Access to Everything on Victims' Computers

Dark Reading Staff 12/5/2019

Live Events

Webinars

[Video] Shaping the Future of IT CIO Lightning Series - Interop19

[Video] An (Ir)rational Approach to Interoperability - Interop19

Get Insights: Cisco vs Microsoft & More at EC20 Orlando

More Informa Tech Live Events

White Papers

Splunk Security Predictions 2020

In Today's Age of Digital Transformation, How Does Your Firewall Measure Up?

2019 Malware Trends of the Phishing Landscape

SANS Report: Cloud Security Survey

Definitive Guide to Securing DevOps

More White Papers

Video

All Videos

Cartoon Contest

Write a Caption, Win a Starbucks Card! Click Here

Latest Comment: Our Endpoint Protection system is a little outdated...

Cartoon Archive

Current Issue

The Year in Security: 2019

This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Rethinking Enterprise Data Defense

Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.

Download Now!

Assessing Cybersecurity Risk in Today's Enterprise

0 comments

2019 Online Malware and Threats

0 comments

The State of IT Operations and Cybersecurity Operations

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2019-16246
PUBLISHED: 2019-12-12

Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.

CVE-2019-17358
PUBLISHED: 2019-12-12

Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP ...

CVE-2019-17428
PUBLISHED: 2019-12-12

An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.

CVE-2019-18345
PUBLISHED: 2019-12-12

A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrat...

CVE-2019-19198
PUBLISHED: 2019-12-12

The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]