© Copyright JASSS
Karen Renaud and Lewis Mackenzie (2013)
SimPass: Quantifying the Impact of Password Behaviours and Policy Directives on an Organisation's Systems
Journal of Artificial Societies and Social Simulation 16(3) 3 <http://jasss.soc.surrey.ac.uk/16/3/3.html>
Received: 13-Feb-2012 Accepted: 28-Dec-2012 Published: 30-Jun-2013
Abstract
Users are often considered the weakest link in the security chain because of their natural propensity for choosing convenience over safe practice. One area with a vast amount of evidence related to poor user behaviour is that of password management. For example, when hackers gain unauthorised access to public websites, subsequent analysis generally confirms that compromised passwords are to blame. We have a pretty good idea of the extent to which careless behaviour impacts on the individual user's personal security. However, we don't fully understand the impact on the organisation as a whole when such laxity is aggregated across a large number of employees, nor do we know how best to intervene so as to improve the level of protection of critical systems. Current wisdom mandates the use of increasingly draconian policies to curb insecure behaviours but it is clear that this approach has limited effectiveness. Unfortunately, no one really understands how the individual directives contained in these policies impact on the security of the systems in an organisation. Sometimes a mandated tightening of policy can have unexpected side-effects which are not easily anticipated and may indeed prove entirely counterproductive. It would be very difficult to investigate these issues in a real-life environment so here we describe a simulation model, which seeks to replicate a typical organisation, with employee agents using a number of systems over an extended period. The model is configurable, allowing adjustment of particular input parameters in order to reflect different policy dictates so as to determine their impact on the security of the simulated organisation's IT infrastructure. This tool will support security specialists developing policies within their organisations by quantifying the longitudinal impacts of particular rules.
Keywords: Passwords, Policies, Organisation, Security, Authentication
Introduction
1.1 "Good Practice" in information security states that at least the following password rules must be included in information security policies, and enforced within organisations (FIPS 1985):
Do not recycle passwords: use a different password on each system. Use strong passwords. Do not write passwords down. Do not share passwords: never tell anyone your password.
1.2 The thinking behind these rules is depicted in Figure 1. The term "weak password" in the figure refers to so-called common passwords (see Section 4.4): e.g. a password which is a variant of a user's own name (Brown et al. 2004) or the system name (Bishop & Klein 1995) or a variation of a previous password (reuse) (Riley 2006) etc. A very common practice is recycling (Inglesant & Sasse 2010), the use of the same password on more than one system.
1.3 The arrows in the diagram indicate a conventionally assumed causal relationship. So, for example, as more passwords are written down, so more will leak (become known to others), and this will reduce overall system security. The potential for increased security incidents increases, thus escalating the vulnerability of the systems. The dashed line indicates a more tenuous link: this causative will only occur if passwords leak outside the organisation. The certain danger is internal since most recorded passwords will be easily accessed by people within the trusted interior. The four causatives are on the left of the diagram and one can see the attraction of attempting to tighten security by forbidding them. The assumption is clearly that removal of these triggers will eliminate those factors that lead to poorer system security.
http://jasss.soc.surrey.ac.uk/16/3/3.html 1 15/10/2015
Figure 1. Commonly Deployed Coping Tactics to cope with Multiple Passwords
1.4 Unfortunately, the prevalence of these triggers shows that the practices in question will not be easy to eradicate. There is evidence that users engage in these potentially damaging user behaviours as coping tactics (Adams & Sasse 1999), an inevitable result of people being unrealistically overloaded with passwords while having only limited human capability to cope with the memorial load.
1.5 When a prominent system such as Sony is breached, researchers invariably report on the large percentage of "common" passwords chosen and the limited number of strong ones in use (see Section 4.4). This confirms that a large percentage of users choose weak passwords, even though they are probably aware that their accounts could easily be compromised as a consequence.
1.6 Some user behaviours have a wider impact than others. For example, a user may use the same password on all their systems at work and, if this password becomes known to another employee, there is an opportunity for much more damage than if no such recycling has been practised. Of course, if a user shares his or her credentials and another user logs in using these, there is no evidence that this masquerading has occurred. An audit might well conclude that a particular organisation's security is satisfactory without realising that people are using each other's credentials. Since non-repudiation is such a core concept of information security this user behaviour must be seen as constituting a threat of a fundamental nature.
1.7 It is inherently difficult to measure the true impact of password coping tactics on the security of the systems of any particular organisation. Password policies must be evaluated within the context of the entire organisational structure and not based on the behaviour of a few individuals. Moreover, it is clear that the view depicted in Figure 1 is rather naïve because it does not consider why people are tempted to use these coping tactics. There is an implication that undesirable password practices can be attributed to innate human weakness whereas, in fact, the system within which the human functions clearly plays a key role in inducing these user behaviours; in consequence, merely focusing on the symptoms and trying to eliminate them without identifying underlying causes is bound to fail. Figure 2 expands one part of the systems diagram slightly, showing the interaction of a few more factors that common sense suggests could play a role in leading to leaked passwords.
Figure 2. System Causatives and their Role in Leading to Undesirable Password Practices
1.8 For example, the response to a security breach is often a strengthening of password requirements (link from "security incident" to "required password strength" in the diagram). Tari et al. (2006) have shown that the more complex a password, the more easily it can be observed by another user (link from "required password strength" to "observability"). Complex passwords are also more easily forgotten, so users are probably more likely to write them down. Hence this effort to strengthen passwords may actually lead to more passwords being leaked.
1.9 Users do not operate in isolation: a number of factors may encourage them to behave in a particular way, and they often feel they have no option but to break rules which are very difficult or too constricting to obey. Hence great care needs to be taken to ensure that policy rules are indeed possible to follow, do not present users with an ethical dilemma and do not require too much effort (Inglesant & Sasse 2010).
1.10 For example, we know that when people work together in groups they will start to trust one another and share information. Sharing passwords is a natural extension in many scenarios and insisting that colleagues do not do so may present them with an ethical dilemma where the group sees itself as working together towards a common purpose. Denying a colleague the use of your password when he or she needs to make a contribution to this common purpose may be seen as unhelpful and so incur significant peer pressure (Renaud 2012).
1.11 Given the complex nature of the psychological and social factors at play, the typical degree of heterogeneity of the systems involved and the infeasibility of conducting live field studies in a real organisational environment, it is hardly ever feasible to gauge the impact of user password behaviours on the security of an organisation's systems by experimental means alone. A viable alternative is the use of computer simulation, a well-established approach (Simon 1969) whereby a software model is abstracted from knowledge garnered from a set of observed real systems and then run with a range of input parameters of interest. It must always be borne in mind that observation of a real system is the only sure way to establish the level of accuracy of simulation predictions and thus validate the model in question. However, as we cannot, in general, test predictions across the whole parameter space, we extrapolate that a validated model will be able to make correct predictions across a generalised subset of the parameter space where conditions are similar to the validation points. With such reservations in mind, simulations are helpful in two ways: they can "explain" (in the sense of identifying a unifying model) retrospectively what has already been observed; more importantly, they can give insight into the functioning of systems of the modelled type, in particular, predicting user behaviour in previously unexplored regions of the parameter space.
1.12 It must be acknowledged, at the outset, that a simulation is only as good as the assumptions that are built into it and in what follows an effort has been made to ensure that the model rules and default input parameters are grounded in the literature wherever suitable studies exist. It is reasonable to assume that such a simulation can provide understanding and insight which is simply impossible to gain in a real-life setting. It can also help us to understand the wider effects of variations in individual human behaviours integrated across organisations, something almost impossible to gauge experimentally in the real world. As a result, it can assist us in understanding the often unexpected effects of particular policy directives. So, for example, if the organisation's auditors require password changes more frequently than previously, this requirement can be "plugged into" the simulation, and the net effect can be charted.
1.13 This paper reports on an actual implementation of just such a simulator, SimPass, an engine which models user password usage within an organisation. In a SimPass organisation, users authenticate using usernames and passwords, on a variety of different systems. Over time they manifest the kinds of behaviours their real life counterparts engage in. The simulation also includes hacker agents and malicious agents, both attempting to breach user accounts. At the end of the simulation the engine provides summary data related to the security of the system after a period of time, reflecting the impact of particular agent behaviours.
1.14 The rest of the paper is structured as follows. Section 2 briefly describes the simulation model: the main entities abstracted from real-world scenarios for the purposes of the simulation model and the behaviour of the agents within the simulation. Section 3 explains how the engine was implemented. Section 4 explains how the system is configured in order to test the effects of different policy and overall system settings. Section 5 gives an example of how a particular policy change was tested using SimPass and Section 6 concludes.
Simulation Model
2.1 Employees usually have an assigned position within a hierarchical organisational structure, as shown in Figure 3. Employees often work closely with other people in their "branch" of the structure, with infrequent interactions with other branches. They build relationships with their branch colleagues, and work towards a common purpose. In carrying out their duties they make use of one or more computer systems which can be internal or external, with respect to visibility to the outside world. Systems can be attacked by outside hackers and by internal malicious employees but the security of the organisation is also at risk from the ill-advised actions of well-intentioned employees.
Figure 3. Organisational Ecosystem Composed of Agents using Systems
Model Entities
2.2 The key entities which SimPass abstracts are employees and systems. We begin by briefly examining the nature of each in turn.
Employees
2.3 Employees work within a particular environment, and are subject to the pressures of that environment: their position within the hierarchy, the tasks they are paid to undertake, their workload, the culture of the organisation and the quality of the relationship with their colleagues (Figure 4). They are also constrained by various information security policies.
Figure 4. Pressures on Employees
2.4 Employees, as unique human beings with varying backgrounds and histories, come into the organisation with different approaches to life. They vary in numerous ways, but for the purposes of this discussion we are interested in a limited number of relevant characteristics which will impact on their password practices, as shown in Figure 5. For example, someone who is prepared to be dishonest might be tempted to steal a password from another employee. Some employees are willing to share passwords and others are not. Different individuals favour different password coping tactics: some use variants of their own names, while others use their telephone numbers, still others the names of pets etc. Sometimes employees become disenchanted and decide to do damage to the company, so they can be considered malicious.
Figure 5. Employee Propensities
Systems
2.5 An organisation will typically have a number of software systems, executing on different hardware. Such systems are either visible to the outside world, or hidden behind a firewall. Some systems issue passwords while others allow employees to choose their own. Furthermore, systems can be configured to implement particular organisational rules, such as, for example, password length, lockouts etc. SimPass's model of a system housed within the organisational context is shown in Figure 6.
Figure 6. System Characteristics
Model Agent Behaviour
3.1 SimPass is a multi-agent system which simulates the organisational ecosystem as described in the previous section. A SimPass agent is described as a 4-tuple: Agent = (Sit, Act, Dat, fAgent) where
Sit is the set of situations the agent can be in, Act is the set of actions that the agent can perform, Dat is the set of possible value combinations of the agent's individual settings, and fAgent is the agent's decision function, and can be expressed as follows:
fAgent : Dat × Sit → Act.
There are four kinds of agents representing regular employees, system administrators, malicious employees and hackers (outsiders). These agents do not operate in isolation but interact with other agents regularly and in a variety of ways.
3.2 When the engine starts, systems and agents are created and configured with characteristics tailored as discussed in Section 4. The configuration settings are enumerated in the appendix. Regular agents, AgentRegular = (Sit, Act, Dat, fRegular), are simply trying to do their jobs by using the various systems they have credentials to access.
Sit constraints are contextual, depicting the situation an agent is in. For example, an agent wants to log in, or needs to enrol for a new system. Act is the set of actions that the agent can perform in a situation. For example, if an agent forgets a password, it can be locked out, try to get a shared password, or try to steal a password. Dat is the set of possible value combinations of the agent's internal settings, as shown in Figure 5.
3.3 The other agents have more specific natures.
Malicious agents AgentMalicious = (Sit, Act, Dat, fMalicious) will use their systems as usual, but sometimes they might try to use another agent's credentials, perhaps because they have a grudge against their victims or because they wish to carry out fraudulent activity (attacks are randomly generated). If they decide to do this, they will use shared, stolen or guessed passwords to gain access to accounts with other employees' credentials. All such logins are termed "bad". Hacker agents AgentHacker = (Sit, Act, Dat, fHacker) try to attack the system from outside: trying to guess credentials without the ability to find written records, and only being able to access visible systems. Hackers can try to breach systems using well-known default system passwords, which might not have been reset by less conscientious system administrators. They could also try to gain access to password files, which they can then attack using brute force. Failing this, they can try a combination of usernames and passwords to attempt to access the system. Successful hacker logins are also termed "bad". Sysadmin agents AgentSysadmin = (Sit, Act, Dat, fSysadmin) administer one or more of the systems in SimPass. These employees are generally considered to be honest: they do not engage in any of the harmful coping behaviours mentioned above. However a sysadmin may occasionally fail to attend to its duties by, for example, failing to patch a system for which it is responsible.
3.4 Agents are randomly assigned to an organisational management hierarchy thus ensuring that they work in groups, with a number of trusted "colleagues" whom they could on occasion ask to share passwords with them. Agents are initially given access to a limited number of systems. Each week thereafter a random number of agents will be required to enrol for additional systems, as is the case when one gains experience in a typical organisation.
Regular Agents
3.5 To support the information security principles of non-repudiation and authorisation, agents are given their own credentials, username and password, for each of the systems to which they have access, and for a given individual the number of such systems tends to increase the longer he or she is employed. Each agent thus "owns" a set of credentials for each system which they use. Passwords are selected based on the characteristics of both the agent and the system involved, as shown in Figure 7. For example, if an agent sometimes recycles it might well use one of its existing passwords rather than choosing a new one. New passwords are chosen from a representative password repository (as described in Section 4.4).
Figure 7. Actions for a Regular Agent Enrolling for a New System
3.6 For each of the agent's systems a "next usage" is randomly chosen to be one of the following numbers of days: 1, 2, 3, 7, 14, 30, 60, or 90, reflecting daily, frequent, weekly, bi-weekly, monthly and three-monthly usage. The choice is weighted to favour frequent accesses more than infrequent ones. This is achieved by selecting one of the appropriate time intervals from a list according to probabilities determined by associated weights as follows: 10, 9, 9, 10, 10, 5, 1, 1. Thus daily usage will appear 10 times more often than three-monthly usage.
3.7 As shown in Figure 8, agent A, when prompted to use its systems, will attempt to log in. If the password is remembered it will do so without incident. If not, a number of actions can result. It can accept that it is locked out, which means that it cannot complete its tasks for the day and must wait for a replacement password. If the work is urgent it could try to obtain credentials from another agent, B, either because the latter has willingly shared them, or because A has managed to obtain them dishonestly. The systems being logged into will never uncover this kind of activity, since it appears to be legitimate use by agent B and so the principle of non-repudiation is broken.
Figure 8. Actions for a Regular Agent Logging in
3.8 In summary, if an agent tries to log in but the password has been "forgotten", it has three options: request a new password and be locked out of the system; ask a fellow agent to share its password; or try to steal one. The tactic is chosen randomly but with probabilities depending on the agent's propensities. For example, only dishonest agents will steal passwords. See Figure 9.
Figure 9. Actions for a Regular Agent Trying to Log in
3.9 If an agent shares or steals a password and logs into the system using it, that is termed a "bad" login. An agent who logs into the system using its own credentials executes a "good" login.
Malicious Agents
3.10 A Malicious agent is an otherwise regular agent who, for whatever reason (e.g. revenge, fraud), tries to masquerade as another agent, using that agent's credentials to gain access to systems. The attacking agent will use the following tactics to log into the target's account on some system:
1. Check whether the target agent has, sometime in the past, shared a password with the attacker. The agent will test to see whether it is still valid.
2. Check whether the target has recorded its password, and not secured it. Try to access the system using this password.
3. Opportunistically try the following strategies:
a. a randomly chosen common alphanumeric password string from a list maintained by SimPass. Examples are 123456, password1, or qwerty;
b. a variation of the username, e.g. John1; or
c. a variation of the system name, e.g. Amazon1.
3.11 If the malicious agent manages to breach the target's account, it will try to use the same password on other systems, in the hope that the target agent recycles passwords. It might also choose to change the target agent's password, thus locking the victim out, and disrupting its ability to do its job (see Figure 10).
Figure 10. Actions for Malicious Insider Agent Attacking Colleague
Hacker Agents
3.12 Hackers often target specific organisations, for different reasons. Newspaper stories of their exploits are easy to find (BBC 2011). Hackers will first try the default password of all visible systems (van Doorn 1992) in the hope that the system administrator will not have reset these (Workman 2008). Hackers will also try to get hold of the password file if this is not secured properly. With access to this file, a brute force attack will be carried out to try to determine the passwords for the listed agent names. Correctly guessed combinations will be used to break into systems. Their tactics are depicted in Figure 11.
3.13 The next step will be to try username-password combinations. Since these attacks are usually conducted without personal knowledge of system users, a targeted approach, where the hacker guesses a password for a specific user based on personal knowledge, is not usually feasible. SimPass hacker agents use a generic approach, simply trying various username and password combinations to see whether they can gain access:
a randomly chosen common password from a list maintained by SimPass. Examples are 123456, password1, or qwerty;
a variation of the username, e.g. John1;
a variation of the system name, e.g. Amazon1.
3.14 If the hacker agent breaches an account it might also change the victim's password, thus locking it out, and disrupting its ability to carry out its tasks.
Figure 11. Actions for a Hacker Agent Attacking System
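The weak-password categories that the malicious and hacker tactics above exploit are exactly the ones Section 1.2 defines (common strings, username variants, system-name variants, reuse of a previous password, recycling across systems). The following is an added example, not SimPass code, of the policy-side audit a system could apply when an agent chooses a password; the common-password list, the sample credentials and the "stem" notion of a variant are constructed assumptions.

```python
"""Audit a candidate password against the SimPass weak-password categories.

Added illustration, not SimPass code. COMMON_PASSWORDS stands in for the list
SimPass maintains (the paper names 123456, password1 and qwerty); the
credentials in demo() are constructed; 'stem' is an assumed definition of
what counts as a variant of a name or of an earlier password.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for the common-password list SimPass maintains.
COMMON_PASSWORDS = {"123456", "password", "password1", "qwerty", "letmein"}

_NON_ALPHA = re.compile(r"[^a-z]")


def stem(s: str) -> str:
    """Lower-case and drop digits/punctuation, so John1, john_01 and JOHN!
    all share the stem 'john' (assumed definition of a 'variant')."""
    return _NON_ALPHA.sub("", s.lower())


@dataclass
class AgentCredentials:
    username: str
    # system name -> password currently in use on that system
    passwords: dict = field(default_factory=dict)
    # system name -> earlier passwords on that system
    history: dict = field(default_factory=dict)


def audit_password(creds: AgentCredentials, system: str, candidate: str) -> list:
    """Return the weakness categories the candidate falls into; an empty list
    means none of the Section 1.2 / 3.10 / 3.13 tactics would catch it."""
    flags = []
    if candidate.lower() in COMMON_PASSWORDS:
        flags.append("common")
    st = stem(candidate)
    if st and st == stem(creds.username):
        flags.append("username-variant")
    if st and st == stem(system):
        flags.append("system-variant")
    # Reuse (Section 1.2): a variation of the current or an earlier password
    # on the same system, e.g. Winter2012 -> Winter2013.
    earlier = list(creds.history.get(system, []))
    if system in creds.passwords:
        earlier.append(creds.passwords[system])
    if st and any(stem(old) == st for old in earlier):
        flags.append("reuse")
    # Recycling: the same password already in use on a different system.
    if any(other != system and pw == candidate
           for other, pw in creds.passwords.items()):
        flags.append("recycled")
    return flags


def demo() -> dict:
    """Constructed credentials exercised against one example per category."""
    creds = AgentCredentials(
        username="John",
        passwords={"Payroll": "Tr0ub4dor&3", "Wiki": "Winter2012"},
        history={"Wiki": ["Winter2011"]},
    )
    return {
        "common": audit_password(creds, "Wiki", "password1"),
        "username": audit_password(creds, "Amazon", "John1"),
        "system": audit_password(creds, "Amazon", "Amazon1"),
        "reuse": audit_password(creds, "Wiki", "Winter2013"),
        "recycled": audit_password(creds, "Amazon", "Tr0ub4dor&3"),
        "clean": audit_password(creds, "Amazon", "cQ7#mv9Lz!pd"),
    }
```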
Systems Admin Agents
3.15 Systems admin agents are responsible for one or more systems into which they will randomly log in. If they are trained, they will change their systems' admin passwords, and keep the systems patched and the password files secured. Untrained systems administrators might well neglect these responsibilities and make it more likely that a hacker can breach the systems.
Summary
3.16 Table 1 summarises the internal settings of the different agents (Dat).
Table 1: Agent Internal Configurations
                        Dishonest   Malicious   Forgetful   Sharing
Regular                 Yes/No      No          Yes         Yes/No
Malicious               Yes         Yes         Yes         Yes/No
System Administrators   No          No          No          No
Hackers                 Yes         Yes         No          No
The following section explains how the engine has been implemented.
Simulation Engine
Figure 12. SimPass Architecture
4.1 SimPass is implemented in Java, as a multi-threaded application which generates discrete events at regular intervals, as shown in Figure 12. On startup it will read a configuration file, and initialise the simulation as follows:
1. An object is created to represent each agent and a thread launched for each (regular, malicious, sysadmin and hacker).
2. A system object is created for each "system" in the simulation.
3. A time manager object ensures that the simulation runs for as many days as specified. As each "day" starts, the time manager prompts each agent to log in to those systems scheduled for use on that day. The time manager advances the day counter when all agents have concluded their day's tasks.
a. Every time the agent logs in, the system randomly generates a "next use" until the simulation ends. When the "next use" day is chosen the system will decide whether the agent will forget the password or not, based on the literature on memorability (Section 4.1.1).
b. The same mechanism applies to malicious and hacker agents who will, at random intervals, carry out attacks.
4. Agents interact with one another as they carry out their daily tasks.
a. Sharing passwords with colleagues.
b. Trying to find other agents' recorded passwords, i.e. stealing them.
c. Observing each other typing in passwords. Whereas theft is goal-directed and will happen as a result of an agent's either having lost their own password or maliciously wanting to breach someone's account, observation can happen casually. Agents will not always "remember" an observed password: this, too, is randomised.
5. Agents and systems log all their activities to individual log files. At the end of the simulation a summary of all activity is printed to a summary log file to support further analysis.
6. SimPass keeps a tally of particular events in the system to support quantification of overall system security, as shown in Table 2.
Table 2: Events of Interest in the Simulation
Good login        A login where the agent uses his own credentials
Bad login         A login where the agent uses someone else's credentials (shared, observed, guessed or stolen)
Lockout           When a user has had to request a password reset
Stolen Password   A password which has been observed, and recorded, by another agent or where a written record of a password is discovered by another agent.
Shared Password   A password which the agent has willingly allowed someone else to use
Simulation Model Settings
Agent Characteristics
5.1 Various coping tactics are commonly used by people working with IT systems (Figure 13) and agents are designed to reflect these user behaviours. Each agent will deploy some, all or none of these mechanisms and will be subject to limitations reflecting those of average humans. Agent characteristics and how they help select default values for the input parameters to SimPass are discussed in the following subsections. Needless to say, each parameter can be varied from the selected default if desired, in order to explore the corresponding dimension of the input space.
Figure 13. Agent Characteristics: Dat (Regular/Malicious)
Forgetting
5.2 A number of researchers have investigated forgetting rates. Florencio & Herley (2007) reported that 4.28% of regularly used passwords are forgotten. Bunnell (1997) reports on 27% forgetting rates after 2 weeks. Zviran and Haga (1993) reported on a 75% forgetting rate after 3 months. This was confirmed by Beedenbender (1990) who reported 72.8% forgetting after 3 months.
5.3 Some surveys have asked users to report on how many passwords were forgotten after a month (Brown 2004; Tamil et al. 2007; Elcomsoft Proactive Software 2009; Campbell & Bryant 2004). If the numbers of respondents are tallied, it becomes clear that 30% of passwords are forgotten after a month of non-use. This is confirmed by the study carried out by Theusinger and Huber (2000) and by Brown et al. (2004), who found that 32% and 31% of passwords were forgotten by system users within a month.
5.4 As discussed in the psychological literature (Ebbinghaus 1885), these figures are a good fit to a parabola with the formula:
y = -0.002x² + 0.96x + 3.04
The forgetting rates used in SimPass, shown in Table 3, reflect this relationship.
Table 3: Forgetting Rates
Intervals      1   2   3   7   14   30   60   90
Forgetting %   4   5   6  10   16   30   53   73
5.5 In SimPass these forgetting rates will be tailored depending on how many times a specific password has been used in the past. A frequently used password is less likely to be forgotten than an infrequently used password so the system will factor in previous use when deciding whether or not a password will be forgotten. Figure 14 shows the forgetting rates in a typical simulation run. The upper line depicts the values given in the above table, and the line below those generated by SimPass itself.
Figure 14. Forgetting Rates in a Typical Simulation (lower line = Simulation, upper line based on forgetting rates)
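The forgetting curve of Section 5.4 and the weighted "next usage" draw of Section 3.6 together fix how often a scheduled login in SimPass meets a forgotten password. The block below is an added example, not SimPass code: it recovers Table 3 from the parabola, draws intervals with the paper's weights, and derives the long-run forgetting rate those two settings imply before the Section 5.5 adjustment for previous use. Rounding the curve to whole percentages and the use of random.choices are assumptions.

```python
"""SimPass-style forgetting model (added illustration, not SimPass code).

Curve: y = -0.002 x^2 + 0.96 x + 3.04, y = % forgotten after x days of non-use
(Section 5.4). Intervals and weights are those of Section 3.6; Table 3 is
the paper's table. Rounding and the sampling method are assumed here.
"""
import random

INTERVALS = (1, 2, 3, 7, 14, 30, 60, 90)      # days until next usage
WEIGHTS = (10, 9, 9, 10, 10, 5, 1, 1)          # relative frequency of each
TABLE3 = {1: 4, 2: 5, 3: 6, 7: 10, 14: 16, 30: 30, 60: 53, 90: 73}  # % forgotten


def forgetting_percent(days: int) -> float:
    """Percentage forgotten after `days` of non-use, from the fitted parabola."""
    return -0.002 * days * days + 0.96 * days + 3.04


def table3_from_curve() -> dict:
    """Evaluate the curve at each SimPass interval and round to whole percent;
    this reproduces Table 3 exactly."""
    return {d: round(forgetting_percent(d)) for d in INTERVALS}


def choose_next_usage(rng: random.Random) -> int:
    """Draw the next-usage interval with the Section 3.6 weights: daily
    (weight 10) is ten times as likely as three-monthly (weight 1)."""
    return rng.choices(INTERVALS, weights=WEIGHTS, k=1)[0]


def will_forget(days: int, rng: random.Random) -> bool:
    """Bernoulli trial against the Table 3 rate for this interval."""
    return rng.random() * 100.0 < TABLE3[days]


def expected_forget_rate() -> float:
    """Long-run % of scheduled logins that hit a forgotten password:
    Table 3 averaged over the next-usage weights (675/55, about 12.3%).
    This is the base rate before Section 5.5 lowers it for often-used passwords."""
    total = sum(WEIGHTS)
    return sum(w * TABLE3[d] for d, w in zip(INTERVALS, WEIGHTS)) / total


def simulate_logins(n: int, seed: int = 1) -> float:
    """Schedule n logins and return the observed % of forgotten passwords,
    which should sit close to expected_forget_rate() for large n."""
    rng = random.Random(seed)
    forgotten = sum(will_forget(choose_next_usage(rng), rng) for _ in range(n))
    return 100.0 * forgotten / n
```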
Sharing of Passwords
5.6 Password sharing is strictly forbidden by most organisations yet the reality is that it is widely practised. A number of password use surveys report on the prevalence of sharing (or at least report on those who will admit to sharing). Martinson (2005) reports 38.1%, Bryant & Campbell (2006) report 42%, Stanton et al. (2005) report 34%, Tamil et al. (2007) report 33.9% and Campbell and Bryant (2004) report 40%. However, Hoonakker, Bornoe and Carayon (2009) report that only 5% of respondents admitted to sharing passwords. It is possible that sharing is organisation-specific, but there may be other unreported factors at play here.
5.7 Since the majority of surveys report that close to a third of respondents share, and since most organisations find it difficult to accept any sharing at all, the default sharing percentage will be set to 33% but, as with all these values, this can be overridden in any SimPass simulation to explore the effect of different scenarios.
Stealing of Passwords
5.8 Using a stolen password is undeniably dishonest. How likely is it that an employee will do this? A quick look at dishonest behaviour in other settings is enlightening. Karstedt and Farrall (2006) found that 65% of people, given sufficient motivation, would behave dishonestly. Von Lohman (2004) reports on studies of P2P music sharing. Whereas 88% of the respondents in the study believed that this sharing was wrong, 56% still admitted downloading music illegally. Wilkes (1978) carried out a study into dishonest customer behaviour and found that for some offences between 70 and 80 percent of customers would offend. This study admittedly reports on customer behaviour, whereas SimPass is modelling employee behaviour. How honest can we expect employees to be? Wilson (2009) reports on a study by CyberArk, who surveyed 600 workers in New York and London. A surprising 48% said that they would steal their company's data if they were fired. Perhaps being fired constitutes sufficient motivation, but what about everyday behaviour? Wilkes (1978) cites a study by Tathum (1974) which reports that 50% of employees had admitted to stealing from their employers. Boye and Jones (1997) presented details of a study of restaurant employees which showed that 60% of respondents had stolen from their employers. There is some agreement that some organisations have more of a culture of dishonesty than others (Kidwell & Kochanowski 2005; Johnson & Philips 2003) and hence the dishonesty prevalence can be configured. The default prevalence of dishonesty in SimPass is 65%, taken from Karstedt and Farrall (2006).
5.9 Given the fact that someone is dishonest, does that necessarily mean that he/she will engage in stealing passwords? According to Cressey (1973), three elements must be present for a person to engage in dishonest behaviour: motivation, rationalisation and opportunity. The latter could occur if someone sees another person entering their password, or if he/she finds a password that has been written down. Rationalisation can be assumed if a person is inclined to be dishonest: to varying degrees he or she will find an excuse for the dishonest behaviour. Motivation could be a function of the urgency of the task the agent is trying to engage in. A forgotten password that interferes with his need to use the system does not necessarily provide sufficient motivation since the use of that system might not be urgent. SimPass will randomly generate an urgency for each action, and this urgency will have to exceed a particular threshold level before sufficient motivation can be assumed. SimPass thus reflects the interaction of these three antecedents. SimPass will randomly choose a number between 0 and 9 to reflect urgency. If the number is greater than the threshold, default setting of 5, that is considered sufficient pressure to lead to dishonesty.
5.10 Certainly there is evidence that people do indeed steal passwords (Kidwell & Kochanowski 2005; Forbath 2005), but there is no hard evidence in the literature which quantifies the extent of the problem. In the absence of evidence we argue that, human nature being what it is, the literature mentioned in the previous paragraphs is a reasonable predictor of whether people will rationalise dishonest behaviour or not, in this case stealing and using someone else's password.
5.11 Reflecting their human counterparts, SimPass agents are also categorised as "dishonest" or "honest"; the latter will never steal a password, the former, given sufficient motivation, will rationalise the use of another's password. Agents can steal passwords that other agents have written down or recorded in some other unsecured way (the prevalence of this is discussed in Section 4.1.8). The former may, in addition to deliberately stealing a password, observe another agent entering a password and record it for later use. The observation rate for a simple password is set at 1% and for a complex password it is set to 2%. Moreover, an agent will only observe and record a password if it has sufficient motivation. The motivation in this case is that an agent has previously forgotten a password or passwords and therefore has a reason to want to guard against this eventuality in the future.
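Sections 3.8 and 5.9 to 5.11 together describe how a regular agent resolves a forgotten password: the three Figure 9 options (accept lockout, ask a colleague to share, steal), gated by the Cressey elements of rationalisation (a dishonest agent), motivation (urgency 0 to 9 above the default threshold of 5) and opportunity (an observed or written-down password), with the outcomes counted as Table 2 events. The block below is an added example, not SimPass code; the order in which sharing is tried before stealing, the colleague model and the Tally type are assumptions made here.

```python
"""Forgotten-password decision for a SimPass-style regular agent.

Added illustration, not SimPass code. The threshold (5) and the three
tactics come from the paper; trying a sharing colleague before stealing,
and the data structures, are assumptions made here.
"""
import random
from dataclasses import dataclass, field

URGENCY_THRESHOLD = 5   # Section 5.9 default: urgency > 5 is sufficient motivation


@dataclass
class Agent:
    name: str
    dishonest: bool     # rationalisation element: honest agents never steal (5.11)
    shares: bool        # willing to share its own password (5.7)
    # colleague -> password the agent has observed or found written down;
    # constructed stand-in for the "opportunity" element of Section 5.9
    available_passwords: dict = field(default_factory=dict)


@dataclass
class Tally:
    """Event counters with the Table 2 names. good_login is left to the
    remembered-password path, which this block does not model."""
    good_login: int = 0
    bad_login: int = 0
    lockout: int = 0
    stolen_password: int = 0
    shared_password: int = 0


def sufficient_motivation(urgency: int, threshold: int = URGENCY_THRESHOLD) -> bool:
    """Section 5.9: urgency is drawn from 0..9 and must exceed the threshold."""
    return urgency > threshold


def forgotten_password_tactic(agent: Agent, colleagues: list, urgency: int) -> str:
    """Return 'lockout', 'share' or 'steal' for one forgotten-password event.

    Assumed ordering: without sufficient motivation the agent just requests a
    reset; a motivated agent asks a sharing colleague first, then steals only
    if it is dishonest and has an opportunity; otherwise it is locked out.
    """
    if not sufficient_motivation(urgency):
        return "lockout"
    if any(c.shares for c in colleagues):
        return "share"
    if agent.dishonest and agent.available_passwords:
        return "steal"
    return "lockout"


def record(tally: Tally, tactic: str) -> None:
    """Map a tactic onto Table 2 events; shared and stolen credentials both
    yield a 'bad' login (Section 3.9)."""
    if tactic == "lockout":
        tally.lockout += 1
    elif tactic == "share":
        tally.shared_password += 1
        tally.bad_login += 1
    elif tactic == "steal":
        tally.stolen_password += 1
        tally.bad_login += 1


def run_forgotten_events(agent: Agent, colleagues: list, n: int, seed: int = 0) -> Tally:
    """Drive n forgotten-password events with urgency drawn uniformly from 0..9
    (so roughly 4 in 10 events clear the default threshold)."""
    rng = random.Random(seed)
    tally = Tally()
    for _ in range(n):
        record(tally, forgotten_password_tactic(agent, colleagues, rng.randrange(10)))
    return tally
```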
Username Variants
5.12 Brown et al. (2004) reported that 45% of users used a variant of their own name as their password. This was confirmed by Harada and Kuroki (1996) who found a prevalence of 42%. SimPass uses a default of 45%.
System Name Variants
5.13 Some people try to link their password to the system it is being used on, so as to increase their chances of remembering it. So, for example, they could use Amazon1 as their password for the Amazon website. Bishop and Klein (1995) reported that 11% of users employed this tactic. Interestingly, however, Schneier [1] carried out an analysis of MySpace passwords and found the corresponding figure to be only 0.11%, which suggests that this prevalence varies across user populations. SimPass uses a default of 11% for this setting.
Recycling
5.14 Many users remember a few passwords and then use them across a number of systems. This coping tactic is probably the most common. Being able to predict the true prevalence of this coping technique is difficult, due to the different percentages reported by different studies. In order to use a realistic percentage a tally was made of all respondents who admitted to this practice from the studies reported by: (Hoonakker et al. 2009; Campbell & Bryant 2004; Riley 2006; Zviran & Haga 1993; Tamil et al. 2007; Martinson 2005; Brown et al. 2004). 1592 of the total of 2966 respondents admitted to recycling passwords, comprising 54% of those surveyed. Adams and Sasse (1999) reported a 50% prevalence and Summers and Bosworth (2004) report 55%. An analysis of actual leaked passwords from multiple systems shows a recycling prevalence of 92% (Hunt 2011), and a survey reported by SecurityWeek (2010) reports that 75% of people recycled passwords. This suggests that many fewer people are prepared to admit to this practice than actually engage in it. SimPass uses a default of 54% based on the above composite tally.
5.15 Florencio and Herley (2007) found that users tended to maintain an average of 6.5 passwords, so SimPass agents do the same, the system ensuring that they have a maximum of 6 distinct passwords if they do indeed recycle their passwords.
Reuse
5.16 Some users will, when required to provide a new password for a system, simply vary the previous one: here this is referred to as reuse. Two studies have reported on the prevalence of this practice (Riley 2006; Hoonakker et al. 2009). 672 respondents out of a total of 1164 admitted to this practice (58%), which is used as the SimPass default.
Writing Down Passwords
5.17 Users often resort to writing down their passwords, or recording them in some other fashion. The following studies were consulted: (Zviran & Haga 1993; Brown et al. 2004; Martinson 2005; Hoonakker et al. 2009; Bryant & Campbell 2006; Stanton et al. 2005; Tamil et al. 2007; Riley 2006). Out of a total of 3386 respondents, 1309 admitted to writing their passwords down (39%). Only Hoonakker asked whether they also secured this password record and 18% said they did this. These values are used as the SimPass default settings.
Password Strength
5.18 There is some evidence that users, when forced to change their passwords, will choose a weaker password (Martinson 2005). A default of 68% was chosen based on this study.
System Admin Conscientiousness
5.19 We will assume that 77% of system administrators will patch systems and change passwords, with 23% leaving their systems unprotected. This is based on a study published by Microsoft (Forbath et al. 2005) which stated that only 77% of systems were patched, on average.
Threats
5.20 Threats are classified as internal or external depending on whether they are initiated by agents of, respectively, the malicious or hacker types. In SimPass, if a malicious (insider) agent or a hacker gains access to an agent's account it can decide to leave things as they are, or to change the agent's password. In the former case, details are always retained for later use so that if the hacked agent does not discover the hacker's activity the door is left open for later access. If the hacker decides to change the victim's password then the latter is prevented from accessing its account and will have the same choices as it has when it forgets its password.
5.21 If an attacker of either of the above types succeeds in breaching one account, it will try to get into the owner's other accounts using the same password, in the knowledge that many users recycle.
Insider (Malicious) Threats
5.22 Malicious insiders can cause a great deal of damage (Probst et al. 2010). Predd, Hunker and Bulford (2008) cite a survey by the Computer Security Institute which reported that the organisations that responded to their survey had attributed 40% of their losses to insider activities. It is much harder to predict the incidence of malicious insiders since many are undetected. PriceWaterhouseCooper's 2010 Information Security Survey found that 19% of large organisations and 5% of small organisations had reported staff using their systems for theft or fraud.
5.23 A 2008 Forrester Research report [2] proposed that 30% of security breaches were caused by malicious insider activity. PriceWaterhouse (2010) reports that organisations experienced an average of 45 incidents last year, suggesting that an average of 13 per organisation were caused by insiders. This argument cannot, however, be used to arrive at an estimation of the number of malicious insiders since multiple incidents could be caused by the same person. As Calder argues, it is difficult to arrive at a reliable estimate of the average incidence of malicious employees in organisations (Calder 1987).
5.24 What is interesting is evidence that, for whatever reason, incidents of this type are increasing year on year (PriceWaterhouse 2010). In 1969 Robin (1969) reported on malicious user behaviour in three companies. The number of employees apprehended was 0.48% per annum. However, Choo and Tan (2007) refer to research at the University of California at Berkeley which reported a 115% increase in student dishonesty cases between 1995 and 2000. The former increase could well be attributed to increasing use of computer systems, but the latter is less easy to explain.
5.25 Here, it was decided that the incidence of malicious employees would be set at 1%, in order to depict a relatively optimistic scenario but, of course, the figure can be set by the simulation user. Malicious agents may decide to target specific individuals at random intervals, attempting to breach their accounts in order to do damage to them, or to use the account to carry out nefarious activities.
Outsider (Hacker) Threats
5.26 The number of hackers that will target a particular company's systems over a period of interest may vary widely. Here, a default of 3 hackers has been chosen, but this number is configurable. Hackers will attack at randomly assigned intervals, and will target a maximum of 10 agent accounts on any system before retreating to try again another day. This technique is deployed by many hackers, who do not wish their activity to be too easily spotted by vigilant systems administrators.
System Characteristics
5.27 Many aspects of systems can be configured (see Figure 6). The default values are grounded in the research literature, as with agent characteristics. When such research is unavailable, the simulation owner may provide settings to explore different scenarios. The following configuration aspects have default values but can be varied to explore the parameter space.
System Visibility: Some systems are visible from outside the organisation, others reside behind the firewall and cannot be accessed. Visible systems are susceptible to outsider attacks. In SimPass, 50% of the systems are visible by default.
System-Issued vs Self-Chosen Passwords: Some systems issue passwords and others allow agents to choose their own. Since there is no published evidence of the distribution, an arbitrary proportion of 10% of systems will do the former and the rest will allow agents to choose their own passwords.
Some system characteristics are specified by the organisation, to align with their policy directives. Examples of these follow.
Password Changes: This determines whether agents are required to change their passwords and, if so, the number of days between mandatory changes. The default setting is that changes are required and that 30 days will lapse between password changes. It is assumed that agents cannot re-use a previously used password but they can add a numeral to the end, as is commonly the case.
Lockout: This value measures whether authentication attempts are limited. Since many systems apply the practice of three-times lockout, this will be applied in SimPass.
Password Requirements: Organisations often impose a minimum password length and complexity on their employees, regardless of what individual systems require. The most common of these is that a password must have a minimum number of characters, that it should contain a numeral, uppercase characters and/or a special character.
Password Corpus
5.28 SimPass agents choose passwords for their systems, and a realistic password corpus is required. Various sites have had their passwords leaked and "post mortem" analyses have subsequently been carried out. For example: Schneier (2006) analysed 34000 passwords; Calin (2009) reported on an analysis of 9843 Hotmail passwords; Hunt (2011) analysed 77 million Sony passwords; and phished phpBB passwords were analysed by Graham (2009). A summary is given in Table 4.
Table 4: Stolen Password Analysis
Columns, left to right: MySpace, Hotmail, Sony, phpBB. Rows with fewer than four entries had blank cells in the source table; their values are listed in the order given.
Common Passwords              2.7%   2.5%   >10%
Numbers Only                  1.3%   19%
Lowercase Only                9.6%   42%    45%
Dictionary Word               64%    65%
Alphanumeric                  81%    30%
Alphanumeric & Special Char   8.3%   6%     4%
Average Length                8      8      8      6
5.29 Disturbingly, 4% of phpBB passwords were variations of the word "password". When a number is used, in 45% of cases it is the number 1, and when a special character is used, it is most often "!", followed by the ".". What these surveys show is that while the passwords used by a particular population vary significantly, users will often choose simpler and weaker options when given the option to do so. In SimPass the password corpus will include realistic percentages of representative categories of most major identified password types.
5.30 The password collection used by SimPass uses the percentages of passwords in each of the following categories as shown in Table 5. Note that a "people name" category has been included, despite having no evidence from the above analyses to support it. However, Medlin et al. (2005) found that 19.3% of the people in their study chose passwords which reflected family names. Such a significant number was thus worth including.
Table 5: SimPass Passwords
Common Passwords                    10%
Numbers only                         5%
One Word                            30%
Movie Names                         10%
People names                        10%
A word followed by a number         20%
Two words                            5%
Two words separated by a number      5%
Alphanumeric and a special char      5%
5.31 The list of common passwords was obtained from WhatsMyPass (2008) and the words were mined from an online dictionary. The password corpus holds 100000 passwords altogether. The minimum length of such passwords is 6 characters and the length extends to as many characters as specified by the simulation user.
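As an added illustration, not the SimPass corpus code (whose word lists are not published here), the following Python sketch samples passwords in the Table 5 proportions from small constructed word lists and measures how much of such a user-chosen corpus the organisation-level Password Requirements of 5.27 would accept. The word lists and the per-category construction heuristics are assumptions.

```python
"""Password corpus sampler and organisation-level policy check.

Added example, not the SimPass implementation. It draws passwords in the
Table 5 category proportions (5.30-5.31) from constructed word lists, then
tests them against the Password Requirements of 5.27 (minimum length,
numeral, uppercase, special character).
"""
import random
import re

# Table 5 category proportions, in percent
CATEGORY_WEIGHTS = {
    "common": 10, "numbers_only": 5, "one_word": 30, "movie_name": 10,
    "people_name": 10, "word_number": 20, "two_words": 5,
    "two_words_number": 5, "alnum_special": 5,
}
# Constructed stand-ins for the WhatsMyPass list and the mined dictionary
COMMON = ["password", "123456", "qwerty", "letmein"]
WORDS = ["sunshine", "dragon", "monkey", "shadow", "silver", "purple"]
MOVIES = ["matrix", "titanic", "casablanca"]
NAMES = ["michael", "jennifer", "robert"]


def make_password(category, rng):
    """Build one password of the given Table 5 category (heuristics assumed)."""
    word = lambda: rng.choice(WORDS)
    if category == "common":
        return rng.choice(COMMON)
    if category == "numbers_only":
        return str(rng.randrange(100000, 10**8))       # 6 to 8 digits
    if category == "one_word":
        return word()
    if category == "movie_name":
        return rng.choice(MOVIES)
    if category == "people_name":
        return rng.choice(NAMES)
    if category == "word_number":
        return word() + "1"                              # 5.29: the digit is most often 1
    if category == "two_words":
        return word() + word()
    if category == "two_words_number":
        return word() + str(rng.randrange(10)) + word()
    if category == "alnum_special":
        return word().capitalize() + str(rng.randrange(10, 100)) + "!"  # 5.29: "!" most common
    raise ValueError(category)


def build_corpus(size, seed=0, min_len=6):
    """Sample `size` (category, password) pairs in Table 5 proportions; 5.31: minimum length 6."""
    rng = random.Random(seed)
    cats = list(CATEGORY_WEIGHTS)
    weights = [CATEGORY_WEIGHTS[c] for c in cats]
    corpus = []
    while len(corpus) < size:
        cat = rng.choices(cats, weights)[0]
        pw = make_password(cat, rng)
        if len(pw) >= min_len:
            corpus.append((cat, pw))
    return corpus


def meets_policy(pw, min_len=8, need_digit=True, need_upper=True, need_special=True):
    """Organisation-level password requirements as described in 5.27."""
    if len(pw) < min_len:
        return False
    if need_digit and not re.search(r"[0-9]", pw):
        return False
    if need_upper and not re.search(r"[A-Z]", pw):
        return False
    if need_special and not re.search(r"[^A-Za-z0-9]", pw):
        return False
    return True


def policy_pass_rate(corpus, **policy):
    """Fraction of the corpus a policy would accept unchanged."""
    return sum(meets_policy(pw, **policy) for _, pw in corpus) / len(corpus)


if __name__ == "__main__":
    corpus = build_corpus(10000)
    print("full policy:", policy_pass_rate(corpus))
    print("length 8 + numeral only:", policy_pass_rate(corpus, need_upper=False, need_special=False))
```

Under the full policy only the "alphanumeric and a special char" category survives, which is the gap between what users choose unprompted and what a composition rule demands.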
Simulation Experiment
6.1 To demonstrate the potential of SimPass, here the issue of writing down passwords will be addressed to assess its impact in a scenario using mostly the default settings established above. Most organisations officially forbid the recording of passwords in this way but, despite this, many users do so anyway so that they will not forget their passwords. The perceived risk is that other people will find such records and exploit that knowledge, as depicted in Figure 15.
Figure 15. Writing Passwords Down
6.2 Whereas most current information security policies forbid the recording of passwords, an alternative approach might be to focus on reducing the incidence of forgotten passwords, thus removing much of the motivation for passwords to be stolen. The expected downside would be an increase in vulnerability, if insecure recording methods were to make it easier for malicious employees to steal passwords should they still wish to do so.
6.3 To test the effect of writing down passwords on the security of the system, two simulations were executed, spanning 100 days with 100 agents using up to 27 systems simultaneously. One malicious and three hacker agents were introduced to attempt to breach visible systems at random intervals. The two simulations varied as follows.
- 39% of agents recording their passwords, either insecurely (in a spreadsheet, for example), or securely (using a password management application).
- 100% of agents recording their passwords, again securely or insecurely.
The simulation was executed 100 times, and the resulting values for the following were averaged across all 100 simulations:
- Good and bad logins.
- % shared and % stolen passwords.
- Number of lockout events.
- Number of malicious logins and number of hacker logins during the 100 days.
In order to confirm the choice of running the simulation 100 times we calculated the 95% confidence intervals (t-distribution) for 50 and 100 runs as shown in Table 6.
Table 6: 95% Confidence Intervals for Number of Simulations
Simulations   % Recording Passwords   Number of Lockout Events   Number of Bad Logins
50            39%                     16.71% ± 0.48%             232.02 ± 6.01
50            100%                    1.42% ± 0.31%              19.06 ± 4.83
100           39%                     16.78% ± 0.35%             233.03 ± 6.30
100           100%                    1.63% ± 0.23%              22.59 ± 3.35
6.4 These figures show that the extra 50 samples do not really improve the confidence (already very high) that the difference between the 39% and 100% cases is a genuine effect and not just a sampling artefact. We were thus satisfied that 100 samples was sufficient to demonstrate differences due to configuration settings.
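An added Python sketch, not SimPass itself, that serves both the threat rules of 5.15 and 5.21 (a recycling agent holds at most 6 distinct passwords; an attacker who breaches one account tries that password on the owner's other accounts) and the repeated-run 95% t-distribution intervals of 6.3 and Table 6. The 100-agent, 27-system sizes come from 6.3; the breach model (one account per agent breached, counting only the accounts the captured password opens) and the t critical values for 49 and 99 degrees of freedom are assumptions.

```python
"""Toy agent-based model of password recycling and breach spread.

Added example, not SimPass code. Models 5.15 (recyclers keep at most
MAX_DISTINCT passwords), 5.21 (an attacker reuses a captured password
against the victim's other accounts) and the Table 6 interval calculation.
"""
import random
from statistics import mean, stdev

MAX_DISTINCT = 6        # 5.15: average of 6.5 passwords, capped at 6 distinct
RECYCLE_RATE = 0.54     # 5.14: SimPass default
# Two-sided 95% t critical values for 49 and 99 degrees of freedom (standard table values)
T_CRIT_95 = {49: 2.0096, 99: 1.9842}


def assign_passwords(n_systems, recycles, rng):
    """Password id per system: unique per system, or drawn from a pool of MAX_DISTINCT."""
    if not recycles:
        return list(range(n_systems))
    pool = min(MAX_DISTINCT, n_systems)
    return [rng.randrange(pool) for _ in range(n_systems)]


def breach_spread(passwords, breached_system):
    """Systems that open with the password captured on one system (the 5.21 rule)."""
    captured = passwords[breached_system]
    return sorted(i for i, p in enumerate(passwords) if p == captured)


def simulate_once(n_agents, n_systems, recycle_rate, rng):
    """Breach one random account per agent; return the percentage of all accounts exposed."""
    exposed = 0
    for _ in range(n_agents):
        pw = assign_passwords(n_systems, rng.random() < recycle_rate, rng)
        exposed += len(breach_spread(pw, rng.randrange(n_systems)))
    return 100.0 * exposed / (n_agents * n_systems)


def confidence_interval(samples):
    """Mean and 95% half-width (t-distribution) of repeated runs, as in Table 6."""
    n = len(samples)
    half = T_CRIT_95[n - 1] * stdev(samples) / n ** 0.5
    return mean(samples), half


def experiment(recycle_rate, runs=100, seed=1):
    """Run the 6.3 scenario sizes (100 agents, 27 systems) `runs` times (50 or 100)."""
    rng = random.Random(seed)
    return confidence_interval([simulate_once(100, 27, recycle_rate, rng) for _ in range(runs)])


if __name__ == "__main__":
    for rate in (0.0, RECYCLE_RATE, 1.0):
        m, h = experiment(rate)
        print(f"recycle rate {rate:.2f}: {m:.2f}% ± {h:.2f}% of accounts exposed")
```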
6.5 Figure 16 shows that the number of bad logins shrinks from 14.35% to 1.6% when agents record their passwords. The number of lockout events, as shown in Figure 17, shows a 90% decrease. This is a large effect from a relatively small adjustment to the system.
Figure 16. Good versus Bad Logins
Figure 17. Lock Out Events
6.6 Has the security of the system been compromised to the same extent? As Figure 18 shows, the number of passwords either shared or stolen has been reduced, with the percentage of unleaked passwords increasing from 75.95% to 97.04%. This reflects the efforts of legitimate agents in the system. Figure 20 depicts the numbers of system breaches by malicious and hacker agents. There is indeed an increase in hacker successes. One possible explanation for this could be that forgotten passwords lead to password changes. SimPass systems do not permit use of previously-used passwords, so when passwords are frequently forgotten they change more often, presenting hackers with a faster moving target. Even so, the increase in the number of attacks is relatively minor: from 15.34% to 17.95%. On the other hand, the number of malicious agent breaches decreases, the opposite of what is expected. This is due to the fact that malicious agents can and do make use of passwords that have been shared with them previously. That no longer happens since no one forgets passwords anymore (the main causative factor behind sharing).
6.7 Table 5 shows the 95% confidence intervals for the malicious and hacker logins, which demonstrates that the differences are significant. Thus allowing people to write their passwords down does not lead to increased insider attacks, which is counter-intuitive. It is possible that we could mitigate the significant increase in hacker attacks by using other measures such as making passwords longer or more complex (and this will not impact on memorability since forgetting is no longer an issue).
Table 5: 95% Confidence Intervals for Malicious and Hacker Logins
Figure 18. Shared & Stolen Passwords
Figure 19. Malicious & Hacker Logins
6.8 What the simulations show is that, by removing the need for people to steal and share passwords, i.e. eliminating forgetting, you can actually strengthen the system. If you remove the need of well-intentioned users to engage in these activities one is left with only the efforts of malicious employees and external hackers to compromise the security of the system. These threats are not controlled by security policies, but rather by auditing and other technical and management controls. Moreover, consider the significant reduction in the number of lockouts. Each lockout has an associated expense since the person will not be able to work while waiting for the password to be replaced. If a help desk has to be involved in the replacement the expense will be greater still. These results make it worth returning to Figure 1 and revising it, as shown in Figure 20. The apparently obvious causative link from people writing passwords down, to passwords leaking, and the systems' security being compromised, is not as clear cut as it appears to be. These findings should give system administrators pause, and make them think again before forbidding the writing down of passwords.
6.9 What these simulations show at a more abstract level is that one needs to tackle the cause of the problem rather than the symptoms to increase the overall security of an organisation.
Figure 20. Revised Figure 1 (with a ? on the questionable link)
Conclusion
7.1 This paper has described the SimPass simulation model and engine, a first attempt to provide a mechanism for testing the effects of security policy directives. This tool simulates a number of different pressures and impacts on users and allows researchers to experiment with different settings in order to arrive at a particular set of policies which will deliver better security. It is necessary to abandon traditional thinking which mandates and forbids particular user behaviours, especially when such behaviours are effectively natural attempts to cope with the surfeit of passwords that is so characteristic of modern life. Using the tool we can come up with interventions and test such interventions once the simulation has been configured according to the specific organisation. In effect, it supports a systemic meta-approach to the problem of system security. The focus moves away from the user to the organisation and addresses the issue of what policy writers can do to achieve real security improvements.
7.2 In summary, SimPass is a flexible tool with many customisable input parameters. It makes it possible to test the effects on organisational security of varying one or more of these parameters, while holding others constant. It is ideally suited to allow IT managers to project the effect of suggested policy changes, including regulations and recommendations intended to change staff behaviour, on the overall ability of the organisation to resist attack.
Appendix
8.1 The following simulation settings are configurable in SimPass:
- The number of days the simulation should run
- The percentage of agents who write down passwords
- The percentage of agents who secure these records
- The percentage of agents who will share passwords
- Days between password changes
- Number of hackers
- Number of agents
- Initial number of systems to be assigned to agents
- Percentage malicious agents
- Percentage agents who have the potential to be dishonest
- Percentage of trained system administrators
- Percentage systems visible from outside
- Probability that agents choose weaker passwords after a change
- Number of tries before lockout
- Whether lockouts should be implemented or not
- Percentage of systems that enforce password changes
- Percentage of systems that issue passwords (as opposed to allowing agents to choose them)
- Minimum password length
- Whether passwords require numerals
- Whether passwords require uppercase letters
- Whether passwords require special characters
- Whether agents work in open plan offices or not (can password entry be observed?)
Acknowledgements
We thank Joerg Denzinger for his very helpful comments on earlier drafts of this paper.
Notes
1 http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
2 http://www.forrester.com/rb/Research/state_of_enterprise_it_security_2008_to/q/id/47857/t/2
References
ADAMS, A. and Sasse, M.A. (1999) Users are not the enemy: Why users compromise security mechanisms and how to take remedial measures. Communications of the ACM, 42(12), 40-46. [doi:10.1145/322796.322806]
BBC (2011) Sony faces legal action over attack on PlayStation Network. BBC News, April. http://www.bbc.co.uk/news/technology-13192359
BEEDENBENDER, M.G. (1990) A comparison of password techniques. Master's thesis, Naval Postgraduate School, Monterey CA.
BISHOP, M. and Klein, D.V. (1995) Improving system security via proactive password checking. Computers & Security, 14(3), 233-249. [doi:10.1016/0167-4048(95)00003-Q]
BOYE, M. and Jones, J. (1997) Organizational culture and employee counterproductivity. In R.A. Giacalone and J. Greenberg, editors, Antisocial behavior in organizations, pages 172-184. Thousand Oaks, CA: Sage.
BROWN, A.S., Bracken, E., Zoccoli, S. and Douglas, K. (2004) Generating and remembering passwords. Applied Cognitive Psychology, 18(6), 641-651. [doi:10.1002/acp.1014]
BRYANT, K. and Campbell, J. (2006) User behaviours associated with password security and management. Australasian Journal of Information Systems, 14(1). [doi:10.3127/ajis.v14i1.9]
BUNNELL, J., Podd, J., Henderson, R., Napier, R. and Kennedy-Moffat, J. (1997) Cognitive, associative and conventional passwords: Recall and guessing rates. Computers & Security, 16(7), 629-641. [doi:10.1016/S0167-4048(97)00008-4]
CALDER, J.D. (1987) New corporate security: The autumn of crime control and the spring of fairness and due process. Journal of Contemporary Criminal Justice, 3(1), 1-34. [doi:10.1177/104398628700300402]
CALIN, B. (2009) Statistics from 10,000 leaked Hotmail passwords, October. http://www.acunetix.com/blog/news/statistics-from-10000-leaked-hotmail-passwords/
CAMPBELL, J. and Bryant, K. (2004) Password composition and security: An exploratory study of user practice. In S. Elliot, M.-A. Williams, S. Williams and C. Pollard, editors, Proceedings of the 15th Australasian Conference on Information Systems. University of Tasmania.
CHOO, F. and Tan, K. (2007) An "American dream" theory of corporate executive fraud. Accounting Forum, 31(2), 203-215. [doi:10.1016/j.accfor.2006.12.004]
CRESSEY, D.R. (1973) Other people's money. Patterson Smith, Montclair.
EBBINGHAUS, H. (1885) Memory: A Contribution to Experimental Psychology. Originally published in New York by Teachers College, Columbia University.
ELCOMSOFT PROACTIVE SOFTWARE (2009) Password security survey 2009. http://www.siteglimpse.com/elcomsoft.com
FLORENCIO, D. and Herley, C. (2007) A large-scale study of web password habits. In WWW 2007, Banff, BC. [doi:10.1145/1242572.1242661]
FIPS (1985) Federal Information Processing Standards Publication 112. Standard for Password Usage. http://www.itl.nist.gov/fipspubs/fip112.htm
FORBATH, T., Kalaher, P. and O'Grady, T. (2005) The total cost of security patch management.
GRAHAM, R. (2009) PhpBB password analysis, February 2009. http://www.darkreading.com/blog/227700652/
HARADA, Y. and Kuroki, K. (1996) A study on the attitude and behaviour of computer network users regarding security administration. Reports of National Research Institute of Police Science, 37, 21-33.
HOONAKKER, P., Bornoe, N. and Carayon, P. (2009) Password authentication from a human factors perspective: Results of a survey among end-users. In Proceedings of the Human Factors and Ergonomics Society 53rd Annual Meeting. [doi:10.1177/154193120905300605]
HUNT, T. (2011) A brief Sony password analysis. http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
INGLESANT, P.G. and Sasse, M.A. (2010) The true cost of unusable password policies: password use in the wild. In Proceedings of the 28th international conference on Human factors in computing systems, CHI '10, pages 383-392, New York, NY, USA. ACM. [doi:10.1145/1753326.1753384]
JOHNSON, L. and Phillips, B. (2003) Absolute Honesty - Building a Corporate Culture That Values Straight Talk and Rewards Integrity. Amacom.
KARSTEDT, S. and Farrall, S. (2006) The moral economy of everyday crime. British Journal of Criminology, 46, 1011-1036. [doi:10.1093/bjc/azl082]
MARTINSON, K.W. (2005) Passwords: A survey on usage and policy. Master's thesis, Air Force Institute of Technology, Department of the Air Force, Air University.
MEDLIN, B.D., Cazier, J.A. and Dave, D.S. (2005) Password selection by end users from an ecommerce site: An empirical study. In Americas Conference on Information Systems (AMCIS), pages 3296-3305, Omaha, NE, USA, 11-14 August 2005.
PREDD, J., Hunker, J. and Bulford, C. (2008) Insiders behaving badly. IEEE Security & Privacy, 6(4), 66-70. [doi:10.1109/MSP.2008.87]
PRICEWATERHOUSE (2010) Information security breaches survey 2010. http://www.pwc.co.uk/audit-assurance/publications/isbs-survey-2010.jhtml
PROBST, C.W., Hunker, J., Gollmann, D. and Bishop, M. (2010) Aspects of insider threats. In C.W. Probst, J. Hunker, D. Gollmann and M. Bishop, editors, Insider Threats in Cyber Security. Advances in Information Security 49. Springer. [doi:10.1007/978-1-4419-7133-3_1]
RENAUD, K.V. (2012) Blaming Non-Compliance is too Convenient: What really causes Information Breaches? IEEE Security & Privacy, 10(3), 57-63. [doi:10.1109/MSP.2011.157]
RILEY, S. (2006) Password security: what users know and what they actually do. Usability News, 8(1).
ROBIN, G.D. (1969) Employees as offenders. Journal of Research in Crime and Delinquency, 6, 17-33. [doi:10.1177/002242786900600103]
KIDWELL, R.E. Jr. and Kochanowski, S.M. (2005) The morality of employee theft: Teaching about ethics and deviant behavior in the workplace. Journal of Management Education, 29, 135. [doi:10.1177/1052562903261180]
SCHNEIER, B. (2006) Real-world passwords. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
SECURITYWEEK (2010) Study reveals 75 percent of individuals use same password for social networking and email, August 2010. http://www.securityweek.com/study-reveals-75-percent-individuals-use-same-password-social-networking-and-email
SIMON, H.A. (1969) The Sciences of the Artificial. MIT Press.
STANTON, J.M., Stam, K.R., Mastrangelo, P. and Jolton, J. (2005) Improving system security via proactive password checking. Computers & Security, 14(3), 124-133. [doi:10.1016/j.cose.2004.07.001]
SUMMERS, W.C. and Bosworth, E. (2004) Password policy: the good, the bad, and the ugly. In Proceedings of the winter international symposium on Information and communication technologies, WISICT '04, pages 1-6. Trinity College Dublin.
TAMIL, E.M., Othman, A.H., Abidin, S.A.Z., Idris, M.Y.I. and Zakaria, O. (2007) Password policies: A study on attitudes towards password usage among undergraduate students in Klang Valley, Malaysia. Journal for the Advancement of Science and Arts, 3.
TARI, F., Ozok, A.A. and Holden, S.H. (2006) A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In Proceedings of the second symposium on Usable security (SOUPS '06), pages 56-66, New York. [doi:10.1145/1143120.1143128]
TATHAM, R.L. (1974) Employees' views on theft in retailing. Journal of Retailing, 94, 213-21.
THEUSINGER, C. and Huber, K.-P. (2000) Analyzing the footsteps of your customers - a case study by ASK-net and SAS Institute GmbH. In Proceedings WEBKDD, Boston, August 2000.
VAN DOORN, L. (1992) Computer break-ins: A case study. In Proc. of the annual Unix User Group (NLUUG) Conference, 143-151.
VON LOHMANN, F. (2004) Is suing your customers a good idea? September 29. Law.com. http://www.law.com/jsp/article.jsp?id=1095434496352
WHATSMYPASS? (2008) The top 500 worst passwords of all time, November 2008. http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time
WILKES, R.E. (1978) Fraudulent behaviour by customers. Journal of Marketing, 42(4), 67-75. [doi:10.2307/1250088]
WILSON, T. (2009) Employees willing to steal data; companies on the alert, Nov 2009. http://www.darkreading.com
WORKMAN, M., Bommer, W.H. and Straub, D. (2008) Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24, 2799-2816. [doi:10.1016/j.chb.2008.04.005]
ZVIRAN, M. and Haga, W.J. (1993) A comparison of password techniques for multilevel authentication mechanisms. The Computer Journal, 36(3), 227-237. [doi:10.1093/comjnl/36.3.227]