©Copyright JASSS

Karen Renaud and Lewis Mackenzie (2013)

SimPass: Quantifying the Impact of Password Behaviours and Policy Directives on an Organisation's Systems

Journal of Artificial Societies and Social Simulation 16 (3) 3 <http://jasss.soc.surrey.ac.uk/16/3/3.html>

Received: 13-Feb-2012 Accepted: 28-Dec-2012 Published: 30-Jun-2013

Abstract

Users are often considered the weakest link in the security chain because of their natural propensity for choosing convenience over safe practice. One area with a vast amount of evidence related to poor user behaviour is that of password management. For example, when hackers gain unauthorised access to public websites, subsequent analysis generally confirms that compromised passwords are to blame. We have a pretty good idea of the extent to which careless behaviour impacts on the individual user's personal security. However, we don't fully understand the impact on the organisation as a whole when such laxity is aggregated across a large number of employees, nor do we know how best to intervene so as to improve the level of protection of critical systems. Current wisdom mandates the use of increasingly draconian policies to curb insecure behaviours but it is clear that this approach has limited effectiveness. Unfortunately, no one really understands how the individual directives contained in these policies impact on the security of the systems in an organisation. Sometimes a mandated tightening of policy can have unexpected side-effects which are not easily anticipated and may indeed prove entirely counterproductive. It would be very difficult to investigate these issues in a real-life environment so here we describe a simulation model, which seeks to replicate a typical organisation, with employee agents using a number of systems over an extended period. The model is configurable, allowing adjustment of particular input parameters in order to reflect different policy diktats so as to determine their impact on the security of the simulated organisation's IT infrastructure. This tool will support security specialists developing policies within their organisations by quantifying the longitudinal impacts of particular rules.

Keywords: Passwords, Policies, Organisation, Security, Authentication

Introduction

1.1 "Good Practice" in information security states that at least the following password rules must be included in information security policies, and enforced within organisations (FIPS 1985).

Do not recycle passwords: use a different password on each system.
Use strong passwords.
Do not write passwords down.
Do not share passwords: never tell anyone your password.

1.2 The thinking behind these rules is depicted in Figure 1. The term "weak password" in the figure refers to so-called common passwords (see Section 4.4): e.g. a password which is a variant of a user's own name (Brown et al. 2004) or the system name (Bishop & Klein 1995) or a variation of a previous password (reuse) (Riley 2006) etc. A very common practice is recycling (Inglesant & Sasse 2010), the use of the same password on more than one system.

1.3 The arrows in the diagram indicate a conventionally assumed causal relationship. So, for example, as more passwords are written down, so more will leak (become known to others), and this will reduce overall system security. The potential for increased security incidents increases, thus escalating the vulnerability of the systems. The dashed line indicates a more tenuous link: this causative will only occur if passwords leak outside the organisation. The certain danger is internal since most recorded passwords will be easily accessed by people within the trusted interior. The four causatives are on the left of the diagram and one can see the attraction of attempting to tighten security by forbidding them. The assumption is clearly that removal of these triggers will eliminate those factors that lead to poorer system security.

http://jasss.soc.surrey.ac.uk/16/3/3.html 1 15/10/2015

Figure 1. Commonly Deployed Coping Tactics to cope with Multiple Passwords

1.4 Unfortunately, the prevalence of these triggers shows that the practices in question will not be easy to eradicate. There is evidence that users engage in these potentially damaging user behaviours as coping tactics (Adams & Sasse 1999), an inevitable result of people being unrealistically overloaded with passwords while having only limited human capability to cope with the memorial load.

1.5 When a prominent system, such as Sony's, is breached, researchers invariably report on the large percentage of "common" passwords chosen and the limited number of strong ones in use (see Section 4.4). This confirms that a large percentage of users choose weak passwords, even though they are probably aware that their accounts could easily be compromised as a consequence.

1.6 Some user behaviours have a wider impact than others. For example, a user may use the same password on all their systems at work and, if this password becomes known to another employee, there is an opportunity for much more damage than if no such recycling has been practised. Of course, if a user shares his or her credentials and another user logs in using these, there is no evidence that this masquerading has occurred. An audit might well conclude that a particular organisation's security is satisfactory without realising that people are using each other's credentials. Since non-repudiation is such a core concept of information security this user behaviour must be seen as constituting a threat of a fundamental nature.

1.7 It is inherently difficult to measure the true impact of password coping tactics on the security of the systems of any particular organisation. Password policies must be evaluated within the context of the entire organisational structure and not based on the behaviour of a few individuals. Moreover, it is clear that the view depicted in Figure 1 is rather naïve because it does not consider why people are tempted to use these coping tactics. There is an implication that undesirable password practices can be attributed to innate human weakness whereas, in fact, the system within which the human functions clearly plays a key role in inducing these user behaviours; in consequence, merely focusing on the symptoms and trying to eliminate them without identifying underlying causes is bound to fail. Figure 2 expands one part of the systems diagram slightly, showing the interaction of a few more factors that common sense suggests could play a role in leading to leaked passwords.

Figure 2. System Causatives and their Role in Leading to Undesirable Password Practices

1.8 For example, the response to a security breach is often a strengthening of password requirements (link from "security incident" to "required password strength" in the diagram). Tari et al. (2006) have shown that the more complex a password, the more easily it can be observed by another user (link from "required password strength" to "observability"). Complex passwords are also more easily forgotten, so users are probably more likely to write them down. Hence this effort to strengthen passwords may actually lead to more passwords being leaked.


1.9 Users do not operate in isolation: a number of factors may encourage them to behave in a particular way, and they often feel they have no option but to break rules which are very difficult or too constricting to obey. Hence great care needs to be taken to ensure that policy rules are indeed possible to follow, do not present users with an ethical dilemma and do not require too much effort (Inglesant & Sasse 2010).

1.10 For example, we know that when people work together in groups they will start to trust one another and share information. Sharing passwords is a natural extension in many scenarios and insisting that colleagues do not do so may present them with an ethical dilemma where the group sees itself as working together towards a common purpose. Denying a colleague the use of your password when he or she needs to make a contribution to this common purpose may be seen as unhelpful and so incur significant peer pressure (Renaud 2012).

1.11 Given the complex nature of the psychological and social factors at play, the typical degree of heterogeneity of the systems involved and the infeasibility of conducting live field studies in a real organisational environment, it is hardly ever feasible to gauge the impact of user password behaviours on the security of an organisation's systems by experimental means alone. A viable alternative is the use of computer simulation, a well-established approach (Simon 1969) whereby a software model is abstracted from knowledge garnered from a set of observed real systems and then run with a range of input parameters of interest. It must always be borne in mind that observation of a real system is the only sure way to establish the level of accuracy of simulation predictions and thus validate the model in question. However, as we cannot, in general, test predictions across the whole parameter space, we extrapolate that a validated model will be able to make correct predictions across a generalised subset of the parameter space where conditions are similar to the validation points. With such reservations in mind, simulations are helpful in two ways: they can "explain" (in the sense of identifying a unifying model) retrospectively what has already been observed; more importantly, they can give insight into the functioning of systems of the modelled type, in particular, predicting user behaviour in previously unexplored regions of the parameter space.

1.12 It must be acknowledged, at the outset, that a simulation is only as good as the assumptions that are built into it and in what follows an effort has been made to ensure that the model rules and default input parameters are grounded in the literature wherever suitable studies exist. It is reasonable to assume that such a simulation can provide understanding and insight which is simply impossible to gain in a real-life setting. It can also help us to understand the wider effects of variations in individual human behaviours integrated across organisations, something almost impossible to gauge experimentally in the real world. As a result, it can assist us in understanding the often unexpected effects of particular policy directives. So, for example, if the organisation's auditors require password changes more frequently than previously, this requirement can be "plugged into" the simulation, and the net effect can be charted.

1.13 This paper reports on an actual implementation of just such a simulator, SimPass, an engine which models user password usage within an organisation. In a SimPass organisation, users authenticate using usernames and passwords, on a variety of different systems. Over time they manifest the kinds of behaviours their real-life counterparts engage in. The simulation also includes hacker agents and malicious agents, both attempting to breach user accounts. At the end of the simulation the engine provides summary data related to the security of the system after a period of time, reflecting the impact of particular agent behaviours.

1.14 The rest of the paper is structured as follows. Section 2 briefly describes the simulation model: the main entities abstracted from real-world scenarios for the purposes of the simulation model and the behaviour of the agents within the simulation. Section 3 explains how the engine was implemented. Section 4 explains how the system is configured in order to test the effects of different policy and overall system settings. Section 5 gives an example of how a particular policy change was tested using SimPass and Section 6 concludes.

Simulation Model

2.1 Employees usually have an assigned position within a hierarchical organisational structure, as shown in Figure 3. Employees often work closely with other people in their "branch" of the structure, with infrequent interactions with other branches. They build relationships with their branch colleagues, and work towards a common purpose. In carrying out their duties they make use of one or more computer systems which can be internal or external, with respect to visibility to the outside world. Systems can be attacked by outside hackers and by internal malicious employees but the security of the organisation is also at risk from the ill-advised actions of well-intentioned employees.


Figure 3. Organisational Ecosystem Composed of Agents using Systems

Model Entities

2.2 The key entities which SimPass abstracts are employees and systems. We begin by briefly examining the nature of each in turn.

Employees

2.3 Employees work within a particular environment, and are subject to the pressures of that environment: their position within the hierarchy, the tasks they are paid to undertake, their workload, the culture of the organisation and the quality of the relationship with their colleagues (Figure 4). They are also constrained by various information security policies.

Figure 4. Pressures on Employees

2.4 Employees, as unique human beings with varying backgrounds and histories, come into the organisation with different approaches to life. They vary in numerous ways, but for the purposes of this discussion we are interested in a limited number of relevant characteristics which will impact on their password practices, as shown in Figure 5. For example, someone who is prepared to be dishonest might be tempted to steal a password from another employee. Some employees are willing to share passwords and others are not. Different individuals favour different password coping tactics: some use variants of their own names, while others use their telephone numbers, still others the names of pets etc. Sometimes employees become disenchanted and decide to do damage to the company, so they can be considered malicious.


Figure 5. Employee Propensities

Systems

2.5 An organisation will typically have a number of software systems, executing on different hardware. Such systems are either visible to the outside world, or hidden behind a firewall. Some systems issue passwords while others allow employees to choose their own. Furthermore, systems can be configured to implement particular organisational rules, such as, for example, password length, lockouts etc. SimPass's model of a system housed within the organisational context is shown in Figure 6.

Figure 6. System Characteristics

Model Agent Behaviour

3.1 SimPass is a multi-agent system which simulates the organisational ecosystem as described in the previous section. A SimPass agent is described as a 4-tuple: Agent = (Sit, Act, Dat, fAgent) where

Sit is the set of situations the agent can be in, Act is the set of actions that the agent can perform, Dat is the set of possible value combinations of the agent's individual settings, and fAgent is the agent's decision function, and can be expressed as follows:

fAgent: Dat × Sit → Act.

There are four kinds of agents representing regular employees, system administrators, malicious employees and hackers (outsiders). These agents do not operate in isolation but interact with other agents regularly and in a variety of ways.

3.2 When the engine starts, systems and agents are created and configured with characteristics tailored as discussed in Section 4. The configuration settings are enumerated in the appendix. Regular agents, AgentRegular = (Sit, Act, Dat, fRegular), are simply trying to do their jobs by using the various systems they have credentials to access.

Sit constraints are contextual, depicting the situation an agent is in. For example, an agent wants to log in, or needs to enrol for a new system. Act is the set of actions that the agent can perform in a situation. For example, if an agent forgets a password, it can be locked out, try to get a shared password, or try to steal a password. Dat is the set of possible value combinations of the agent's internal settings, as shown in Figure 5.

3.3 The other agents have more specific natures.

Malicious agents AgentMalicious = (Sit, Act, Dat, fMalicious) will use their systems as usual, but sometimes they might try to use another agent's credentials, perhaps because they have a grudge against their victims or because they wish to carry out fraudulent activity (attacks are randomly generated). If they decide to do this, they will use shared, stolen or guessed passwords to gain access to accounts with other employees' credentials. All such logins are termed "bad". Hacker agents AgentHacker = (Sit, Act, Dat, fHacker) try to attack the system from outside: trying to guess credentials without the ability to find written records, and only being able to access visible systems. Hackers can try to breach systems using well-known default system passwords, which might not have been reset by less conscientious system administrators. They could also try to gain access to password files, which they can then attack using brute force. Failing this, they can try a combination of usernames and passwords to attempt to access the system. Successful hacker logins are also termed "bad". Sysadmin agents AgentSysadmin = (Sit, Act, Dat, fSysadmin) administer one or more of the systems in SimPass. These employees are generally considered to be honest: they do not engage in any of the harmful coping behaviours mentioned above. However, a sysadmin may occasionally fail to attend to its duties by, for example, failing to patch a system for which it is responsible.

3.4 Agents are randomly assigned to an organisational management hierarchy thus ensuring that they work in groups, with a number of trusted "colleagues" whom they could on occasion ask to share passwords with them. Agents are initially given access to a limited number of systems. Each week thereafter a random number of agents will be required to enrol for additional systems, as is the case when one gains experience in a typical organisation.

Regular Agents

3.5 To support the information security principles of non-repudiation and authorisation, agents are given their own credentials, username and password for each of the systems to which they have access, and for a given individual the number of such systems tends to increase the longer he or she is employed. Each agent thus "owns" a set of credentials for each system which they use. Passwords are selected based on the characteristics of both the agent and the system involved, as shown in Figure 7. For example, if an agent sometimes recycles it might well use one of its existing passwords rather than choosing a new one. New passwords are chosen from a representative password repository (as described in Section 4.4).

Figure 7. Actions For a Regular Agent Enrolling for a New System

3.6 For each of the agent's systems a "next usage" is randomly chosen to be one of the following number of days: 1, 2, 3, 7, 14, 30, 60, or 90, reflecting daily, frequent, weekly, bi-weekly, monthly and three-monthly usage. The choice is weighted to favour frequent accesses more than infrequent ones. This is achieved by selecting one of the appropriate time intervals from a list according to probabilities determined by associated weights as follows: 10, 9, 9, 10, 10, 5, 1, 1. Thus daily usage will appear 10 times more often than 3-monthly usage.

3.7 As shown in Figure 8, agent A, when prompted to use its systems, will attempt to log in. If the password is remembered it will do so without incident. If not, a number of actions can result. It can accept that it is locked out, which means that it cannot complete its tasks for the day and must wait for a replacement password. If the work is urgent it could try to obtain credentials from another agent, B, either because the latter has willingly shared them, or because A has managed to obtain them dishonestly. The systems being logged into will never uncover this kind of activity, since it appears to be legitimate use by agent B and so the principle of non-repudiation is broken.


Figure 8. Actions for a Regular Agent Logging in

3.8 In summary, if an agent tries to log in but the password has been "forgotten", it has three options: request a new password and be locked out of the system; ask a fellow agent to share its password; or try to steal one. The tactic is chosen randomly but with probabilities depending on the agent's propensities. For example, only dishonest agents will steal passwords. See Figure 9.

Figure 9. Actions for a Regular Agent Trying to Log in

3.9 If an agent shares or steals a password and logs into the system using it, that is termed a "bad" login. An agent who logs into the system using its own credentials executes a "good" login.

Malicious Agents

3.10 A Malicious agent is an otherwise regular agent who, for whatever reason (e.g. revenge, fraud), tries to masquerade as another agent by using that agent's credentials to gain access to systems. The attacking agent will use the following tactics to log into the target's account on some system:

1. Check whether the target agent has, sometime in the past, shared a password with the attacker. The agent will test to see whether it is still valid.

2. Check whether the target has recorded its password, and not secured it. Try to access the system using this password.

3. Opportunistically try the following strategies:

a. a randomly chosen common alphanumeric password string from a list maintained by SimPass. Examples are 123456, password1, or qwerty;

b. a variation of the username, eg John1; or

c. a variation of the system name, eg Amazon1.

3.11 If the malicious agent manages to breach the target's account, it will try to use the same password on other systems, in the hope that the target agent recycles passwords. It might also choose to change the target agent's password, thus locking the victim out, and disrupting its ability to do its job (see Figure 10).


Figure 10. Actions for Malicious Insider Agent Attacking Colleague

Hacker Agents

3.12 Hackers often target specific organisations, for different reasons. Newspaper stories of their exploits are easy to find (BBC 2011). Hackers will first try the default password of all visible systems (van Doorn 1992) in the hope that the system administrator will not have reset these (Workman 2008). Hackers will also try to get hold of the password file if this is not secured properly. With access to this file, a brute force attack will be carried out to try to determine the passwords for the listed agent names. Correctly guessed combinations will be used to break into systems. Their tactics are depicted in Figure 11.

3.13 The next step will be to try username-password combinations. Since these attacks are usually conducted without personal knowledge of system users, a targeted approach, where the hacker guesses a password for a specific user based on personal knowledge, is not usually feasible. SimPass hacker agents use a generic approach, simply trying various username and password combinations to see whether they can gain access:

a randomly chosen common password from a list maintained by SimPass. Examples are 123456, password1, or qwerty;
a variation of the username, eg John1;
a variation of the system name, eg Amazon1.

3.14 If the hacker agent breaches an account it might also change the victim's password, thus locking it out, and disrupting its ability to carry out its tasks.

Figure 11. Actions for a Hacker Agent Attacking System
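An added defender-side check (Python, not SimPass's own code) that rejects at enrolment exactly the passwords the malicious and hacker agents of Sections 3.10 and 3.13 guess first: a common password, a variation of the username, or a variation of the system name. The common list holds only the three examples the paper gives, and the rule defining a "variation" (the name, any case, padded by up to three digits or symbols on either side) is an assumption.

```python
"""Password-policy check mirroring the three opportunistic guesses of Sections 3.10
and 3.13 of the SimPass paper.  Added example, not the project's code."""
import re

# Only the three examples the paper lists; SimPass's full list is not shown.
COMMON_PASSWORDS = {"123456", "password1", "qwerty"}

COMMON = "common"
USERNAME_VARIANT = "username_variant"
SYSTEM_NAME_VARIANT = "system_name_variant"


def _is_variation(password, name):
    """ASSUMED rule for "a variation of" a name (eg John1, Amazon1): the name itself,
    case-insensitive, with at most three digits, symbols or underscores before or
    after it.  Letters appended to the name (Johnny) do not count."""
    pattern = r"[\d\W_]{0,3}" + re.escape(name) + r"[\d\W_]{0,3}"
    return re.fullmatch(pattern, password, flags=re.IGNORECASE) is not None


def classify_password(password, username, system_name):
    """Return which attacker tactic would guess `password`, in the order of
    Section 3.10 item 3 (a: common list, b: username, c: system name), or None
    if none of the three tactics applies."""
    if password.lower() in COMMON_PASSWORDS:
        return COMMON
    if _is_variation(password, username):
        return USERNAME_VARIANT
    if _is_variation(password, system_name):
        return SYSTEM_NAME_VARIANT
    return None


def policy_accepts(password, username, system_name):
    """A system rule (Section 2.5) that refuses the guessable choices above."""
    return classify_password(password, username, system_name) is None


def audit(candidates, username, system_name):
    """Tally how a constructed list of candidate passwords would be classified,
    the kind of summary SimPass prints for Table 2 events."""
    counts = {COMMON: 0, USERNAME_VARIANT: 0, SYSTEM_NAME_VARIANT: 0, None: 0}
    for pw in candidates:
        counts[classify_password(pw, username, system_name)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample choices for a user "John" enrolling on a system "Amazon".
    sample = ["qwerty", "John1", "amazon!", "Johnny", "Wq7#pLz9vT"]
    for pw in sample:
        print(pw, "->", classify_password(pw, "John", "Amazon"))
    print(audit(sample, "John", "Amazon"))
```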

Systems Admin Agents

3.15 Systems admin agents are responsible for one or more systems into which they will randomly log in. If they are trained, they will change their systems' admin passwords, and keep the systems patched and the password files secured. Untrained systems administrators might well neglect these responsibilities and make it more likely that a hacker can breach the systems.

Summary

3.16 Table 1 summarises the internal settings of the different agents (Dat).


Table 1: Agent Internal Configurations

                        Dishonest   Malicious   Forgetful   Sharing
Regular                 Yes/No      No          Yes         Yes/No
Malicious               Yes         Yes         Yes         Yes/No
System Administrators   No          No          No          No
Hackers                 Yes         Yes         No          No

The following section explains how the engine has been implemented.

Simulation Engine

Figure 12. SimPass Architecture

4.1 SimPass is implemented in Java, as a multi-threaded application which generates discrete events at regular intervals, as shown in Figure 12. On startup it will read a configuration file, and initialise the simulation as follows:

1. An object is created to represent each agent and a thread launched for each (regular, malicious, sysadmin and hacker).

2. A system object is created for each "system" in the simulation.

3. A time manager object ensures that the simulation runs for as many days as specified. As each "day" starts, the time manager prompts each agent to log in to those systems scheduled for use on that day. The time manager advances the day counter when all agents have concluded their day's tasks.

a. Every time the agent logs in, the system randomly generates a "next use" until the simulation ends. When the "next use" day is chosen the system will decide whether the agent will forget the password or not, based on the literature on memorability (Section 4.1.1).

b. The same mechanism applies to malicious and hacker agents who will, at random intervals, carry out attacks.

4. Agents interact with one another as they carry out their daily tasks.

a. Sharing passwords with colleagues.

b. Trying to find other agents' recorded passwords, ie. stealing them.

c. Observing each other typing in passwords. Whereas theft is goal-directed and will happen as a result of an agent's either having lost their own password or maliciously wanting to breach someone's account, observation can happen casually. Agents will not always "remember" an observed password: this, too, is randomised.

5. Agents and systems log all their activities to individual log files. At the end of the simulation a summary of all activity is printed to a summary log file to support further analysis.

6. SimPass keeps a tally of particular events in the system to support quantification of overall system security, as shown in Table 2.


Table 2: Events of Interest in the Simulation

Good login        A login where the agent uses his own credentials
Bad login         A login where the agent uses someone else's credentials (shared, observed, guessed or stolen)
Lockout           When a user has had to request a password reset
Stolen Password   A password which has been observed, and recorded, by another agent or where a written record of a password is discovered by another agent
Shared Password   A password which the agent has willingly allowed someone else to use

Simulation Model Settings

Agent Characteristics

5.1 Various coping tactics are commonly used by people working with IT systems (Figure 13) and agents are designed to reflect these user behaviours. Each agent will deploy some, all or none of these mechanisms and will be subject to limitations reflecting those of average humans. Agent characteristics and how they help select default values for the input parameters to SimPass are discussed in the following subsections. Needless to say, each parameter can be varied from the selected default if desired, in order to explore the corresponding dimension of the input space.

Figure 13. Agent Characteristics: Dat (Regular/Malicious)

Forgetting

5.2 A number of researchers have investigated forgetting rates. Florencio & Herley (2007) reported that 4.28% of regularly used passwords are forgotten. Bunnell (1997) reports on 27% forgetting rates after 2 weeks. Zviran and Haga (1993) reported on a 75% forgetting rate after 3 months. This was confirmed by Beedenbender (1990) who reported 72.8% forgetting after 3 months.

5.3 Some surveys have asked users to report on how many passwords are forgotten after a month (Brown 2004; Tamil et al. 2007; Elcomsoft Proactive Software 2009; Campbell & Bryant 2004). If the numbers of respondents are tallied, it becomes clear that 30% of passwords are forgotten after a month of non-use. This is confirmed by the study carried out by Theusinger and Huber (2000) and by Brown et al. (2004), who found that 32% and 31% of passwords were forgotten by system users within a month.

5.4 As discussed in the psychological literature (Ebbinghaus 1885), these figures are a good fit to a parabola with the formula:

y = -0.002x^2 + 0.96x + 3.04

The forgetting rates used in SimPass, shown in Table 3, reflect this relationship.

Table 3: Forgetting Rates

Intervals      1    2    3    7   14   30   60   90
Forgetting %   4    5    6   10   16   30   53   73

5.5 In SimPass these forgetting rates will be tailored depending on how many times a specific password has been used in the past. A frequently used password is less likely to be forgotten than an infrequently used password so the system will factor in previous use when deciding whether or not a password will be forgotten. Figure 14 shows the forgetting rates in a typical simulation run. The upper line depicts the values given in the above table, and the line below those generated by SimPass itself.

Figure 14. Forgetting Rates in a Typical Simulation (lower line = Simulation, upper line based on forgetting rates)
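An added Python re-implementation (not SimPass's own Java engine) of the forgetting model from Sections 3.6, 5.4 and 5.5: the weighted "next usage" draw, the parabola behind Table 3, and the forgetting decision lowered by previous use. The geometric discount per previous use and its 0.1 default are assumptions, as is the Monte Carlo loop that reduces Figure 14's comparison to one number per line.

```python
"""Forgetting model of the SimPass paper (Sections 3.6, 5.4, 5.5) as an added
stand-alone example; the discount function is an assumption, not the paper's."""
import random

INTERVALS = [1, 2, 3, 7, 14, 30, 60, 90]   # candidate "next usage" gaps in days (3.6)
WEIGHTS = [10, 9, 9, 10, 10, 5, 1, 1]      # selection weights for those gaps (3.6)
TABLE3 = {1: 4, 2: 5, 3: 6, 7: 10, 14: 16, 30: 30, 60: 53, 90: 73}  # Table 3


def forgetting_percent(days):
    """Forgetting rate (%) after `days` of non-use: y = -0.002x^2 + 0.96x + 3.04 (5.4)."""
    return -0.002 * days ** 2 + 0.96 * days + 3.04


def table3_matches_parabola():
    """Table 3 is the parabola rounded to whole percent at each interval."""
    return all(round(forgetting_percent(d)) == pct for d, pct in TABLE3.items())


def interval_probability(days):
    """Probability that the weighted draw selects `days` as the next usage gap."""
    return WEIGHTS[INTERVALS.index(days)] / sum(WEIGHTS)


def next_usage(rng):
    """Weighted random choice of the next usage gap, as in Section 3.6."""
    return rng.choices(INTERVALS, weights=WEIGHTS, k=1)[0]


def effective_forgetting_percent(days, prior_uses, discount=0.1):
    """Table-3 rate lowered for a password already used `prior_uses` times (5.5).

    ASSUMPTION: a geometric discount per previous use.  The paper states that
    frequent use makes forgetting less likely but does not give SimPass's function."""
    return forgetting_percent(days) * (1.0 - discount) ** prior_uses


def forgotten(days, prior_uses, rng, discount=0.1):
    """Bernoulli decision taken when the "next use" day is chosen (Section 4.1, 3a)."""
    return rng.random() * 100.0 < effective_forgetting_percent(days, prior_uses, discount)


def expected_forgetting_percent():
    """Forgetting rate per scheduled login averaged over the weighted gaps,
    i.e. Figure 14's upper line collapsed to one number: sum_i P(i) * y(i)."""
    return sum(interval_probability(d) * forgetting_percent(d) for d in INTERVALS)


def simulate(n_logins, seed=1, discount=0.0):
    """Monte Carlo of one agent's credential over `n_logins` scheduled logins.

    A remembered login raises the use count; a forgotten one means a replacement
    password (Section 3.7), so the count restarts.  discount=0.0 reproduces the
    table rates (upper line); discount>0 gives the lowered rates (lower line).
    Returns (overall forgetting %, {gap: observed forgetting %})."""
    rng = random.Random(seed)
    uses = 0
    hits = {d: 0 for d in INTERVALS}
    draws = {d: 0 for d in INTERVALS}
    for _ in range(n_logins):
        gap = next_usage(rng)
        draws[gap] += 1
        if forgotten(gap, uses, rng, discount):
            hits[gap] += 1
            uses = 0
        else:
            uses += 1
    per_gap = {d: 100.0 * hits[d] / draws[d] for d in INTERVALS if draws[d]}
    return 100.0 * sum(hits.values()) / n_logins, per_gap


if __name__ == "__main__":
    upper, per_gap = simulate(50_000)
    lower, _ = simulate(50_000, discount=0.1)
    print("expected %.2f%%  table-rate run %.2f%%  discounted run %.2f%%"
          % (expected_forgetting_percent(), upper, lower))
    for d in INTERVALS:
        print("%3d days: Table 3 %2d%%  simulated %.1f%%" % (d, TABLE3[d], per_gap[d]))
```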

Sharing of Passwords

5.6 Password sharing is strictly forbidden by most organisations yet the reality is that it is widely practised. A number of password use surveys report on the prevalence of sharing (or at least report on those who will admit to sharing). Martinson (2005) reports 38.1%, Bryant & Campbell (2006) report 42%, Stanton et al. (2005) report 34%, Tamil et al. (2007) report 33.9% and Campbell and Bryant (2004) report 40%. However, Hoonakker, Bornoe and Carayon (2009) report that only 5% of respondents admitted to sharing passwords. It is possible that sharing is organisation-specific, but there may be other unreported factors at play here.

5.7 Since the majority of surveys report that close to a third of respondents share, and since most organisations find it difficult to accept any sharing at all, the default sharing percentage will be set to 33% but, as with all these values, this can be overridden in any SimPass simulation to explore the effect of different scenarios.

Stealing of Passwords

5.8 Using a stolen password is undeniably dishonest. How likely is it that an employee will do this? A quick look at dishonest behaviour in other settings is enlightening. Karstedt and Farrall (2006) found that 65% of people, given sufficient motivation, would behave dishonestly. Von Lohman (2004) reports on studies of P2P music sharing. Whereas 88% of the respondents in the study believed that this sharing was wrong, 56% still admitted downloading music illegally. Wilkes (1978) carried out a study into dishonest customer behaviour and found that for some offences between 70 and 80 percent of customers would offend. This study admittedly reports on customer behaviour, whereas SimPass is modelling employee behaviour. How honest can we expect employees to be? Wilson (2009) reports on a study by CyberArk, who surveyed 600 workers in New York and London. A surprising 48% said that they would steal their company's data if they were fired. Perhaps being fired constitutes sufficient motivation, but what about everyday behaviour? Wilkes (1978) cites a study by Tathum (1974) which reports that 50% of employees had admitted to stealing from their employers. Boye and Jones (1997) presented details of a study of restaurant employees which showed that 60% of respondents had stolen from their employers. There is some agreement that some organisations have more of a culture of dishonesty than others (Kidwell & Kochanowski 2005; Johnson & Philips 2003) and hence the dishonesty prevalence can be configured. The default prevalence of dishonesty in SimPass is 65%, taken from Karstedt and Farrall (2006).

5.9 Given the fact that someone is dishonest, does that necessarily mean that he/she will engage in stealing passwords? According to Cressey (1973), three elements must be present for a person to engage in dishonest behaviour: motivation, rationalisation and opportunity. The latter could occur if someone sees another person entering their password, or if he/she finds a password that has been written down. Rationalisation can be assumed if a person is inclined to be dishonest: to varying degrees he or she will find an excuse for the dishonest behaviour. Motivation could be a function of the urgency of the task the agent is trying to engage in. A forgotten password that interferes with his need to use the system does not necessarily provide sufficient motivation, since the use of that system might not be urgent. SimPass will randomly generate an urgency for each action, and this urgency will have to exceed a particular threshold level before sufficient motivation can be assumed. SimPass thus reflects the interaction of these three antecedents. SimPass will randomly choose a number between 0 and 9 to reflect urgency. If the number is greater than the threshold (default setting of 5), that is considered sufficient pressure to lead to dishonesty.

5.10 Certainly there is evidence that people do indeed steal passwords (Kidwell & Kochanowski 2005; Forbath 2005), but there is no hard evidence in the literature which quantifies the extent of the problem. In the absence of evidence we argue that, human nature being what it is, the literature mentioned in the previous paragraphs is a reasonable predictor of whether people will rationalise dishonest behaviour or not, in this case stealing and using someone else's password.

5.11 Reflecting their human counterparts, SimPass agents are also categorised as "dishonest" or "honest"; the latter will never steal a password, the former, given sufficient motivation, will rationalise the use of another's password. Agents can steal passwords that other agents have written down or recorded in some other unsecured way (the prevalence of this is discussed in Section 4.1.8). The former may, in addition to deliberately stealing a password, observe another agent entering a password and record it for later use. The observation rate for a simple password is set at 1% and for a complex password it is set to 2%. Moreover, an agent will only observe and record a password if it has sufficient motivation. The motivation in this case is that an agent has previously forgotten a password or passwords and therefore has a reason to want to guard against this eventuality in the future.
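The theft decision of 5.9 to 5.11 as a small model, added here as an illustration and not SimPass code. The defaults (65% dishonesty prevalence, urgency drawn from 0 to 9 against a threshold of 5, 1%/2% observation rates, 39% recording with 18% secured) are the page's; the function and field names and the population estimate at the end are assumptions of this example.

```python
"""Added example, not SimPass code: Cressey's three antecedents (motivation,
rationalisation, opportunity) applied to the password-theft decision of
5.9 to 5.11, with the page's default parameters."""
import random
from dataclasses import dataclass

DISHONESTY_PREVALENCE = 0.65        # Karstedt and Farrall (2006), SimPass default
URGENCY_THRESHOLD = 5               # urgency is drawn from 0..9 and must exceed this
OBSERVATION_RATE = {"simple": 0.01, "complex": 0.02}   # 5.11 observation rates

# Opportunity via an unsecured written record, derived from the 5.17 defaults:
# 39% of agents record passwords and only 18% of those secure the record.
UNSECURED_RECORD_RATE = 0.39 * (1 - 0.18)               # about 0.32


@dataclass
class Agent:
    dishonest: bool                     # rationalisation: fixed when the agent is created
    has_forgotten_before: bool = False  # motivation for observing an entry (5.11)


def sufficient_motivation(urgency: int, threshold: int = URGENCY_THRESHOLD) -> bool:
    """Motivation antecedent: the action's urgency must be strictly above the threshold."""
    if not 0 <= urgency <= 9:
        raise ValueError("urgency is drawn from 0..9")
    return urgency > threshold      # with the default, 4 of the 10 values qualify


def will_steal_record(agent: Agent, urgency: int, opportunity: bool,
                      threshold: int = URGENCY_THRESHOLD) -> bool:
    """All three antecedents must hold; an honest agent never steals."""
    return agent.dishonest and opportunity and sufficient_motivation(urgency, threshold)


def will_observe_entry(agent: Agent, complexity: str, rng: random.Random) -> bool:
    """Observing and recording another agent's password entry (5.11): only a
    dishonest agent that has previously forgotten a password, at the
    per-complexity observation rate."""
    if not (agent.dishonest and agent.has_forgotten_before):
        return False
    return rng.random() < OBSERVATION_RATE[complexity]


def make_population(n: int, rng: random.Random,
                    prevalence: float = DISHONESTY_PREVALENCE) -> list:
    """Assumed helper: agents whose dishonesty is drawn at the configured prevalence."""
    return [Agent(dishonest=rng.random() < prevalence) for _ in range(n)]


def effective_theft_fraction(n_agents: int, rng: random.Random,
                             p_opportunity: float = UNSECURED_RECORD_RATE,
                             threshold: int = URGENCY_THRESHOLD) -> float:
    """Fraction of a population that steals on one occasion.  Shows how far the
    65% dishonesty prevalence shrinks once opportunity and motivation are also
    required: the expectation is prevalence * p_opportunity * 0.4, about 8%."""
    agents = make_population(n_agents, rng)
    thefts = sum(
        will_steal_record(a, rng.randint(0, 9), rng.random() < p_opportunity, threshold)
        for a in agents)
    return thefts / n_agents


if __name__ == "__main__":
    rng = random.Random(2013)
    print(f"effective theft fraction: {effective_theft_fraction(20000, rng):.3f}")
```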

Username Variants

5.12 Brown et al. (2004) reported that 45% of users used a variant of their own name as their password. This was confirmed by Harada and Kuroki (1996) who found a prevalence of 42%. SimPass uses a default of 45%.

System Name Variants

5.13 Some people try to link their password to the system it is being used on, so as to increase their chances of remembering it. So, for example, they could use Amazon1 as their password for the Amazon website. Bishop and Klein (1995) reported that 11% of users employed this tactic. Interestingly, however, Schneier [1] carried out an analysis of MySpace passwords and found the corresponding figure to be only 0.11%, which suggests that this prevalence varies across user populations. SimPass uses a default of 11% for this setting.

Recycling

5.14 Many users remember a few passwords and then use them across a number of systems. This coping tactic is probably the most common. Being able to predict the true prevalence of this coping technique is difficult, due to the different percentages reported by different studies. In order to use a realistic percentage a tally was made of all respondents who admitted to this practice from the studies reported by Hoonakker et al. (2009), Campbell & Bryant (2004), Riley (2006), Zviran & Haga (1993), Tamil et al. (2007), Martinson (2005) and Brown et al. (2004). 1592 of the total of 2966 respondents admitted to recycling passwords, comprising 54% of those surveyed. Adams and Sasse (1999) reported a 50% prevalence and Summers and Bosworth (2004) report 55%. An analysis of actual leaked passwords from multiple systems shows a recycling prevalence of 92% (Hunt 2011), and a survey reported by SecurityWeek (2010) reports that 75% of people recycled passwords. This suggests that many fewer people are prepared to admit to this practice than actually engage in it. SimPass uses a default of 54% based on the above composite tally.

5.15 Florencio and Herley (2007) found that users tended to maintain an average of 6.5 passwords, so SimPass agents do the same, the system ensuring that they have a maximum of 6 distinct passwords if they do indeed recycle their passwords.

Reuse

5.16 Some users will, when required to provide a new password for a system, simply vary the previous one: here this is referred to as reuse. Two studies have reported on the prevalence of this practice (Riley 2006; Hoonakker et al. 2009). 672 respondents out of a total of 1164 admitted to this practice (58%), which is used as the SimPass default.

Writing Down Passwords

5.17 Users often resort to writing down their passwords, or recording them in some other fashion. The following studies were consulted: Zviran & Haga (1993), Brown et al. (2004), Martinson (2005), Hoonakker et al. (2009), Bryant & Campbell (2006), Stanton et al. (2005), Tamil et al. (2007) and Riley (2006). Out of a total of 3386 respondents, 1309 admitted to writing their passwords down (39%). Only Hoonakker asked whether they also secured this password record, and 18% said they did this. These values are used as the SimPass default settings.


Password Strength

5.18 There is some evidence that users, when forced to change their passwords, will choose a weaker password (Martinson 2005). A default of 68% was chosen based on this study.

System Admin Conscientiousness

5.19 We will assume that 77% of system administrators will patch systems and change passwords, with 23% leaving their systems unprotected. This is based on a study published by Microsoft (Forbath et al. 2005) which stated that only 77% of systems were patched, on average.

Threats

5.20 Threats are classified as internal or external depending on whether they are initiated by agents of, respectively, the malicious or hacker types. In SimPass, if a malicious (insider) agent or a hacker gains access to an agent's account it can decide to leave things as they are, or to change the agent's password. In the former case, details are always retained for later use so that if the hacked agent does not discover the hacker's activity the door is left open for later access. If the hacker decides to change the victim's password then the latter is prevented from accessing its account and will have the same choices as it has when it forgets its password.

5.21 If an attacker of either of the above types succeeds in breaching one account, it will try to get into the owner's other accounts using the same password, in the knowledge that many users recycle.

Insider (Malicious) Threats

5.22 Malicious insiders can cause a great deal of damage (Probst et al. 2010). Predd, Hunker and Bulford (2008) cite a survey by the Computer Security Institute which reported that the organisations that responded to their survey had attributed 40% of their losses to insider activities. It is much harder to predict the incidence of malicious insiders since many are undetected. PriceWaterhouseCooper's 2010 Information Security Survey found that 19% of large organisations and 5% of small organisations had reported staff using their systems for theft or fraud.

5.23 A 2008 Forrester Research report [2] proposed that 30% of security breaches were caused by malicious insider activity. PriceWaterhouse (2010) reports that organisations experienced an average of 45 incidents last year, suggesting that an average of 13 per organisation were caused by insiders. This argument cannot, however, be used to arrive at an estimation of the number of malicious insiders since multiple incidents could be caused by the same person. As Calder argues, it is difficult to arrive at a reliable estimate of the average incidence of malicious employees in organisations (Calder 1987).

5.24 What is interesting is evidence that, for whatever reason, incidents of this type are increasing year on year (PriceWaterhouse 2010). In 1969 Robin (1969) reported on malicious user behaviour in three companies. The number of employees apprehended was 0.48% per annum. However, Choo and Tan (2007) refer to research at the University of California at Berkeley which reported a 115% increase in student dishonesty cases between 1995 and 2000. The former increase could well be attributed to increasing use of computer systems but the latter is less easy to explain.

5.25 Here, it was decided that the incidence of malicious employees would be set at 1%, in order to depict a relatively optimistic scenario but, of course, the figure can be set by the simulation user. Malicious agents may decide to target specific individuals at random intervals, attempting to breach their accounts in order to do damage to them, or to use the account to carry out nefarious activities.

Outsider (Hacker) Threats

5.26 The number of hackers that will target a particular company's systems over a period of interest may vary widely. Here, a default of 3 hackers has been chosen, but this number is configurable. Hackers will attack at randomly assigned intervals, and will target a maximum of 10 agent accounts on any system before retreating to try again another day. This technique is deployed by many hackers, who do not wish their activity to be too easily spotted by vigilant systems administrators.

System Characteristics

5.27 Many aspects of systems can be configured (see Figure 6). The default values are grounded in the research literature, as with agent characteristics. When such research is unavailable, the simulation owner may provide settings to explore different scenarios. The following configuration aspects have default values but can be varied to explore the parameter space.

System Visibility: Some systems are visible from outside the organisation, others reside behind the firewall and cannot be accessed. Visible systems are susceptible to outsider attacks. In SimPass, 50% of the systems are visible by default.

System-Issued vs Self-Chosen Passwords: Some systems issue passwords and others allow agents to choose their own. Since there is no published evidence of the distribution, an arbitrary proportion of 10% of systems will do the former and the rest will allow agents to choose their own passwords.

Some system characteristics are specified by the organisation, to align with their policy directives. Examples of these follow.

Password Changes: This determines whether agents are required to change their passwords and, if so, the number of days between mandatory changes. The default setting is that changes are required and that 30 days will lapse between password changes. It is assumed that agents cannot re-use a previously used password but they can add a numeral to the end, as is commonly the case.

Lockout: This value measures whether authentication attempts are limited. Since many systems apply the practice of three-times lockout, this will be applied in SimPass.

Password Requirements: Organisations often impose a minimum password length and complexity on their employees, regardless of what individual systems require. The most common of these is that a password must have a minimum number of characters, that it should contain a numeral, uppercase characters and/or a special character.

Password Corpus

5.28 SimPass agents choose passwords for their systems, and a realistic password corpus is required. Various sites have had their passwords leaked and "post mortem" analyses have subsequently been carried out. For example: Schneier (2006) analysed 34000 passwords; Calin (2009) reported on an analysis of 9843 Hotmail passwords; Hunt (2011) analysed 77 million Sony passwords; and phished phpBB passwords were analysed by Graham (2009). A summary is given in Table 4.

Table 4: Stolen Password Analysis (columns, in order: MySpace, Hotmail, Sony, phpBB)

Common Passwords: 2.7%, 2.5%, >10%
Numbers Only: 1.3%, 19%
Lowercase Only: 9.6%, 42%, 45%
Dictionary Word: 64%, 65%
Alphanumeric: 81%, 30%
Alphanumeric & Special Char: 8.3%, 6%, 4%
Average Length: 8, 8, 8, 6

5.29 Disturbingly, 4% of phpBB passwords were variations of the word "password". When a number is used, in 45% of cases it is the number 1, and when a special character is used, it is most often "!", followed by the ".". What these surveys show is that while the passwords used by a particular population vary significantly, users will often choose simpler and weaker options when given the option to do so. In SimPass the password corpus will include realistic percentages of representative categories of most major identified password types.
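A composition analysis of the kind summarised in Table 4 and discussed in 5.29, run over a small constructed sample and combined with the organisation-wide password requirement described under Password Requirements in 5.27. This is an added example, not the authors' analysis scripts; the word lists, the sample corpus, the "password" variant heuristic and the function names are constructed for it.

```python
"""Added example, not the authors' scripts: classify passwords into the Table 4
composition classes, measure the 5.29 digit habit, and report what share of a
sample would satisfy an organisation-wide requirement (5.27).  The word lists
and the sample corpus are constructed for this example."""
from collections import Counter
from dataclasses import dataclass

# Constructed stand-ins for the WhatsMyPass (2008) list and the mined dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123"}
DICTIONARY = {"password", "monkey", "dragon", "summer", "orange", "shadow", "football"}
LEET = str.maketrans({"@": "a", "0": "o", "$": "s"})   # assumed substitutions


@dataclass(frozen=True)
class Requirement:
    """Organisation-wide rule applied regardless of what a system itself requires."""
    min_length: int = 6            # 5.31: corpus passwords are at least 6 characters
    need_numeral: bool = False
    need_uppercase: bool = False
    need_special: bool = False

    def satisfied_by(self, pw: str) -> bool:
        return (len(pw) >= self.min_length
                and (not self.need_numeral or any(c.isdigit() for c in pw))
                and (not self.need_uppercase or any(c.isupper() for c in pw))
                and (not self.need_special or any(not c.isalnum() for c in pw)))


def composition(pw: str) -> str:
    """Mutually exclusive composition class; the special-character test comes first."""
    if any(not c.isalnum() for c in pw):
        return "alphanumeric & special char"
    if pw.isdigit():
        return "numbers only"
    if pw.isalpha() and pw.islower():
        return "lowercase only"
    if any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw):
        return "alphanumeric"
    return "other"                       # e.g. letters only with mixed case


def is_dictionary_word(pw: str) -> bool:
    """A dictionary word with digits or symbols only at the ends, e.g. dragon1."""
    core = pw.strip("0123456789!@#$%^&*.,_-+=?").lower()
    return core.isalpha() and core in DICTIONARY


def is_password_variant(pw: str) -> bool:
    """'password' with digits/symbols appended or simple substitutions (5.29)."""
    letters = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    return letters == "password"


def is_common(pw: str) -> bool:
    return pw.lower() in COMMON_PASSWORDS or is_password_variant(pw)


def top_digit(corpus):
    """Most frequently used digit and its share of all digits used (5.29)."""
    digits = Counter(c for pw in corpus for c in pw if c.isdigit())
    if not digits:
        return None, 0.0
    d, n = digits.most_common(1)[0]
    return d, n / sum(digits.values())


def analyse(corpus, requirement: Requirement = Requirement()) -> dict:
    """Percentages in the style of Table 4 plus policy compliance for one corpus."""
    n = len(corpus)

    def pct(k):
        return round(100.0 * k / n, 1)

    comp = Counter(composition(pw) for pw in corpus)
    return {
        "n": n,
        "composition": {cat: pct(k) for cat, k in comp.items()},
        "common_pct": pct(sum(map(is_common, corpus))),
        "password_variant_pct": pct(sum(map(is_password_variant, corpus))),
        "dictionary_word_pct": pct(sum(map(is_dictionary_word, corpus))),
        "average_length": round(sum(map(len, corpus)) / n, 2),
        "policy_pass_pct": pct(sum(requirement.satisfied_by(pw) for pw in corpus)),
        "top_digit": top_digit(corpus),
    }


# Constructed sample corpus (20 entries); not taken from any leaked set.
SAMPLE = [
    "password", "123456", "monkey", "dragon1", "Summer2011", "qwerty",
    "orange", "shadow99", "letmein", "Football!", "p@ssw0rd", "abc123",
    "654321", "Orange", "blue.sky1", "dragon", "summer", "monkey12",
    "Passw0rd1", "hunter",
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE, Requirement(8, True, True)).items():
        print(f"{key}: {value}")
```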

5.30 The password collection used by SimPass uses the percentages of passwords in each of the following categories as shown in Table 5. Note that a "people name" category has been included, despite having no evidence from the above analyses to support it. However, Medlin et al. (2005) found that 19.3% of the people in their study chose passwords which reflected family names. Such a significant number was thus worth including.

Table 5: SimPass Passwords

Common Passwords                   10%
Numbers only                        5%
One Word                           30%
Movie Names                        10%
People names                       10%
A word followed by a number        20%
Two words                           5%
Two words separated by a number     5%
Alphanumeric and a special char     5%

5.31 The list of common passwords was obtained from WhatsMyPass (2008) and the words were mined from an online dictionary. The password corpus holds 100000 passwords altogether. The minimum length of such passwords is 6 characters and the length extends to as many characters as specified by the simulation user.


Simulation Experiment

6.1 To demonstrate the potential of SimPass, here the issue of writing down passwords will be addressed to assess its impact in a scenario using mostly the default settings established above. Most organisations officially forbid the recording of passwords in this way but, despite this, many users do so anyway so that they will not forget their passwords. The perceived risk is that other people will find such records and exploit that knowledge, as depicted in Figure 15.

Figure 15. Writing Passwords Down

6.2 Whereas most current information security policies forbid the recording of passwords, an alternative approach might be to focus on reducing the incidence of forgotten passwords, thus removing much of the motivation for passwords to be stolen. The expected downside would be an increase in vulnerability, if insecure recording methods were to make it easier for malicious employees to steal passwords should they still wish to do so.

6.3 To test the effect of writing down passwords on the security of the system, two simulations were executed, spanning 100 days with 100 agents using up to 27 systems simultaneously. One malicious and three hacker agents were introduced to attempt to breach visible systems at random intervals. The two simulations varied as follows.

- 39% of agents recording their passwords, either insecurely (in a spreadsheet, for example), or securely (using a password management application).
- 100% of agents recording their passwords, again securely or insecurely.

The simulation was executed 100 times, and the resulting values for the following were averaged across all 100 simulations:

- Good and bad logins.
- % shared and % stolen passwords.
- Number of lockout events.
- Number of malicious logins and number of hacker logins during the 100 days.

In order to confirm the choice of running the simulation 100 times we calculated the 95% confidence intervals (t-distribution) for 50 and 100 runs, as shown in Table 6.

Table 6: 95% Confidence Intervals for Number of Simulations

                  % Recording Passwords   Number of Lockout Events   Number of Bad Logins
50 Simulations    39%                     16.71% ± 0.48%             232.02 ± 6.01
                  100%                    1.42% ± 0.31%              19.06 ± 4.83
100 Simulations   39%                     16.78% ± 0.35%             233.03 ± 6.30
                  100%                    1.63% ± 0.23%              22.59 ± 3.35

6.4 These figures show that the extra 50 samples do not really improve the confidence (already very high) that the difference between the 39% and 100% cases is a genuine effect and not just a sampling artefact. We were thus satisfied that 100 samples was sufficient to demonstrate differences due to configuration settings.
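A deliberately reduced version of the 6.3 experiment, added here as an illustration and not the SimPass engine: it runs the 39% and 100% recording configurations repeatedly and compares lockouts and bad logins with the t-distribution confidence intervals of Table 6, using the 5.4 forgetting parabola and the 5.27 three-tries lockout. The daily login pattern, the number of systems per agent, the reset-on-lockout rule and the omission of the 5.5 previous-use weighting are simplifying assumptions, so the figures it produces are not the paper's.

```python
"""Added example, not the SimPass engine: a reduced agent model of the 6.3
experiment, repeated over many runs and summarised with 95% t-intervals
in the manner of Table 6.  Assumptions are marked in the comments."""
import math
import random
from dataclasses import dataclass
from statistics import mean, stdev


def forgetting_percent(days_since_use: int) -> float:
    """5.4 parabola: percentage forgotten after x days of non-use (Table 3)."""
    return -0.002 * days_since_use ** 2 + 0.96 * days_since_use + 3.04


@dataclass
class Config:
    days: int = 100                 # 6.3: 100-day runs
    agents: int = 100               # 6.3: 100 agents
    systems_per_agent: int = 3      # assumed (the paper's agents use up to 27)
    recording_pct: float = 0.39     # 5.17 default; the second configuration uses 1.0
    lockout_tries: int = 3          # 5.27: three-times lockout
    login_probability: float = 0.2  # assumed daily chance an agent uses a given system


@dataclass
class Totals:
    good_logins: int = 0
    bad_logins: int = 0
    lockouts: int = 0

    def bad_login_pct(self) -> float:
        return 100.0 * self.bad_logins / max(1, self.good_logins + self.bad_logins)


def run_once(cfg: Config, rng: random.Random) -> Totals:
    t = Totals()
    # Agents that record their passwords look them up and never forget (6.1/6.8).
    records = [rng.random() < cfg.recording_pct for _ in range(cfg.agents)]
    last_used = [[0] * cfg.systems_per_agent for _ in range(cfg.agents)]
    for day in range(1, cfg.days + 1):
        for a in range(cfg.agents):
            for s in range(cfg.systems_per_agent):
                if rng.random() >= cfg.login_probability:
                    continue
                gap = day - last_used[a][s]
                p_forget = min(100.0, max(0.0, forgetting_percent(gap)))
                if records[a] or rng.random() * 100.0 >= p_forget:
                    t.good_logins += 1
                else:
                    # Assumed: a forgotten password is tried up to the lockout
                    # limit (each try a bad login), then the account locks and
                    # the password is replaced, so it is fresh in memory again.
                    t.bad_logins += cfg.lockout_tries
                    t.lockouts += 1
                last_used[a][s] = day
    return t


# Two-sided 95% critical values of Student's t for the degrees of freedom used
# here (49 and 99); other sizes fall back to the normal approximation.
T_CRIT_95 = {49: 2.010, 99: 1.984}


def ci95(samples) -> tuple:
    """Mean and half-width of the 95% t-interval, the form used in Table 6."""
    n = len(samples)
    return mean(samples), T_CRIT_95.get(n - 1, 1.96) * stdev(samples) / math.sqrt(n)


def intervals_separate(a: tuple, b: tuple) -> bool:
    """True when two (mean, half-width) intervals do not overlap."""
    return abs(a[0] - b[0]) > a[1] + b[1]


def experiment(cfg: Config, runs: int, seed: int = 0) -> dict:
    rng = random.Random(seed)
    results = [run_once(cfg, rng) for _ in range(runs)]
    return {
        "lockouts": ci95([r.lockouts for r in results]),
        "bad_login_pct": ci95([r.bad_login_pct() for r in results]),
    }


if __name__ == "__main__":
    for runs in (50, 100):
        for pct in (0.39, 1.0):
            res = experiment(Config(recording_pct=pct), runs)
            m, hw = res["lockouts"]
            bm, bhw = res["bad_login_pct"]
            print(f"{runs} runs, {pct:.0%} recording: lockouts {m:.2f} +/- {hw:.2f}, "
                  f"bad logins {bm:.2f}% +/- {bhw:.2f}%")
```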

6.5 Figure 16 shows that the number of bad logins shrinks from 14.35% to 1.6% when agents record their passwords. The number of lockout events, as shown in Figure 17, shows a 90% decrease. This is a large effect from a relatively small adjustment to the system.


Figure 16. Good versus Bad Logins

Figure 17. Lock Out Events

6.6 Has the security of the system been compromised to the same extent? As Figure 18 shows, the number of passwords either shared or stolen has been reduced, with the percentage of unleaked passwords increasing from 75.95% to 97.04%. This reflects the efforts of legitimate agents in the system. Figure 20 depicts the numbers of system breaches by malicious and hacker agents. There is indeed an increase in hacker successes. One possible explanation for this could be that forgotten passwords lead to password changes. SimPass systems do not permit use of previously-used passwords, so when passwords are frequently forgotten they change more often, presenting hackers with a faster moving target. Even so, the increase in the number of attacks is relatively minor: from 15.34% to 17.95%. On the other hand, the number of malicious agent breaches decreases, the opposite of what is expected. This is due to the fact that malicious agents can and do make use of passwords that have been shared with them previously. That no longer happens since no one forgets passwords anymore (the main causative behind sharing).

6.7 Table 5 shows the 95% confidence intervals for the malicious and hacker logins, which demonstrate that the differences are significant. Thus allowing people to write their passwords down does not lead to increased insider attacks, which is counter-intuitive. It is possible that we could mitigate the significant increase in hacker attacks by using other measures such as making passwords longer or more complex (and this will not impact on memorability since forgetting is no longer an issue).

Table 5: 95% Confidence Intervals for Malicious and Hacker Logins


Figure 18. Shared & Stolen Passwords

Figure 19. Malicious & Hacker Logins

6.8 What the simulations show is that, by removing the need for people to steal and share passwords, i.e. eliminating forgetting, you can actually strengthen the system. If you remove the need of well-intentioned users to engage in these activities one is left with only the efforts of malicious employees and external hackers to compromise the security of the system. These threats are not controlled by security policies, but rather by auditing and other technical and management controls. Moreover, consider the significant reduction in the number of lockouts. Each lockout has an associated expense since the person will not be able to work while waiting for the password to be replaced. If a help desk has to be involved in the replacement the expense will be greater still. These results make it worth returning to Figure 1 and revising it, as shown in Figure 20. The apparently obvious causative link from people writing passwords down, to passwords leaking, and the systems' security being compromised, is not as clear cut as it appears to be. These findings should give system administrators pause, and make them think again before forbidding the writing down of passwords.

6.9 What these simulations show at a more abstract level is that one needs to tackle the cause of the problem rather than the symptoms to increase the overall security of an organisation.


Figure 20. Revised Figure 1 (with a ? on the questionable link)

Conclusion

7.1 This paper has described the SimPass simulation model and engine, a first attempt to provide a mechanism for testing the effects of security policy directives. This tool simulates a number of different pressures and impacts on users and allows researchers to experiment with different settings in order to arrive at a particular set of policies which will deliver better security. It is necessary to abandon traditional thinking which mandates and forbids particular user behaviours, especially when such behaviours are effectively natural attempts to cope with the surfeit of passwords that is so characteristic of modern life. Using the tool we can come up with interventions and test such interventions once the simulation has been configured according to the specific organisation. In effect, it supports a systemic meta-approach to the problem of system security. The focus moves away from the user to the organisation and addresses the issue of what policy writers can do to achieve real security improvements.

7.2 In summary, SimPass is a flexible tool with many customisable input parameters. It makes it possible to test the effects on organisational security of varying one or more of these parameters, while holding others constant. It is ideally suited to allow IT managers to project the effect of suggested policy changes, including regulations and recommendations intended to change staff behaviour, on the overall ability of the organisation to resist attack.

Appendix

8.1 The following simulation settings are configurable in SimPass:

- The number of days the simulation should run
- The percentage of agents who write down passwords
- The percentage of agents who secure these records
- The percentage of agents who will share passwords
- Days between password changes
- Number of hackers
- Number of agents
- Initial number of systems to be assigned to agents
- Percentage malicious agents
- Percentage agents who have the potential to be dishonest
- Percentage of trained system administrators
- Percentage systems visible from outside
- Probability that agents choose weaker passwords after a change
- Number of tries before lockout
- Whether lockouts should be implemented or not
- Percentage of systems that enforce password changes
- Percentage of systems that issue passwords (as opposed to allowing agents to choose them)
- Minimum password length
- Whether passwords require numerals
- Whether passwords require uppercase letters
- Whether passwords require special characters
- Whether agents work in open plan offices or not (can password entry be observed?)

Acknowledgements

We thank Joerg Denzinger for his very helpful comments on earlier drafts of this paper.

Notes

1. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html

2. http://www.forrester.com/rb/Research/state_of_enterprise_it_security_2008_to/q/id/47857/t/2


References

ADAMS, A. and Sasse, M. A. (1999) Users are not the enemy: Why users compromise security mechanisms and how to take remedial measures. Communications of the ACM, 42(12), 40-46. [doi:10.1145/322796.322806]

BBC (2011) Sony faces legal action over attack on PlayStation Network. BBC News, April. http://www.bbc.co.uk/news/technology-13192359.

BEEDENBENDER, M. G. (1990) A comparison of password techniques. Master's thesis, Naval Postgraduate School, Monterey CA.

BISHOP, M. and Klein, D. V. (1995) Improving system security via proactive password checking. Computers & Security, 14(3), 233-249. [doi:10.1016/0167-4048(95)00003-Q]

BOYE, M. and Jones, J. (1997) Organizational culture and employee counterproductivity. In R. A. Giacalone and J. Greenberg, editors, Antisocial behavior in organizations, pages 172-184. Thousand Oaks, CA: Sage.

BROWN, A. S., Bracken, E., Zoccoli, S. and Douglas, K. (2004) Generating and remembering passwords. Applied Cognitive Psychology, 18(6), 641-651. [doi:10.1002/acp.1014]

BRYANT, K. and Campbell, J. (2006) User behaviours associated with password security and management. Australasian Journal of Information Systems, 14(1). [doi:10.3127/ajis.v14i1.9]

BUNNELL, J., Podd, J., Henderson, R., Napier, R. and Kennedy-Moffat, J. (1997) Cognitive, associative and conventional passwords: Recall and guessing rates. Computers & Security, 16(7), 629-641. [doi:10.1016/S0167-4048(97)00008-4]

CALDER, J. D. (1987) New corporate security: The autumn of crime control and the spring of fairness and due process. Journal of Contemporary Criminal Justice, 3(1), 1-34. [doi:10.1177/104398628700300402]

CALIN, B. (2009) Statistics from 10,000 leaked Hotmail passwords, October. http://www.acunetix.com/blog/news/statistics-from-10000-leaked-hotmail-passwords//.

CAMPBELL, J. and Bryant, K. (2004) Password composition and security: An exploratory study of user practice. In S. Elliot, M.-A. Williams, S. Williams, and C. Pollard, editors, Proceedings of the 15th Australasian Conference on Information Systems. University of Tasmania, 2004.

CHOO, F. and Tan, K. (2007) An "American dream" theory of corporate executive fraud. Accounting Forum, 31(2), 203-215. [doi:10.1016/j.accfor.2006.12.004]

CRESSEY, D. R. (1973) Other people's money. Patterson Smith, Montclair, 1973.

EBBINGHAUS, H. (1885) Memory: A Contribution to Experimental Psychology. Originally published in New York by Teachers College, Columbia University.

ELCOMSOFT PROACTIVE SOFTWARE (2009) Password security survey 2009. http://www.siteglimpse.com/elcomsoft.com

FLORENCIO, D. and Herley, C. (2007) A large-scale study of web password habits. In WWW 2007, Banff, BC. [doi:10.1145/1242572.1242661]

FIPS (1985) Federal Information Processing Standards Publication 112. Standard for Password Usage. http://www.itl.nist.gov/fipspubs/fip112.htm

FORBATH, T., Kalaher, P. and O'Grady, T. (2005) The total cost of security patch management, [email protected].

GRAHAM, R. (2009) PhpBB password analysis, February 2009. http://www.darkreading.com/blog/227700652/.

HARADA, Y. and Kuroki, K. (1996) A study on the attitude and behaviour of computer network users regarding security administration. Reports of National Research Institute of Police Science, 37, 21-33.

HOONAKKER, P., Bornoe, N. and Carayon, P. (2009) Password authentication from a human factors perspective: Results of a survey among end-users. In Proceedings of the Human Factors and Ergonomics Society 53rd Annual Meeting. [doi:10.1177/154193120905300605]

HUNT, T. (2011) A brief Sony password analysis, 2011. http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html.

INGLESANT, P. G. and Sasse, M. A. (2010) The true cost of unusable password policies: password use in the wild. In Proceedings of the 28th international conference on Human factors in computing systems, CHI '10, pages 383-392, New York, NY, USA. ACM. [doi:10.1145/1753326.1753384]

JOHNSON, L. and Philips, B. (2003) Absolute Honesty: Building a Corporate Culture That Values Straight Talk and Rewards Integrity. Amacom, 2003.

KARSTEDT, S. and Farrall, S. (2006) The moral economy of everyday crime. British Journal of Criminology, 46, 1011-1036. [doi:10.1093/bjc/azl082]

MARTINSON, K. W. (2005) Passwords: A survey on usage and policy. Master's thesis, Air Force Institute of Technology, Department of the Air Force, Air University.

MEDLIN, B. D., Cazier, J. A. and Dave, D. S. (2005) Password selection by end users from an ecommerce site: An empirical study. In Americas Conference on Information Systems (AMCIS), pages 3296-3305, Omaha, NE, USA, 11-14 August 2005.

PREDD, J., Hunker, J. and Bulford, C. (2008) Insiders behaving badly. IEEE Security & Privacy, 6(4), 66-70. [doi:10.1109/MSP.2008.87]

PRICEWATERHOUSE (2010) Information security breaches survey 2010. http://www.pwc.co.uk/audit-assurance/publications/isbs-survey-2010.jhtml.

PROBST, C. W., Hunker, J., Gollmann, D. and Bishop, M. (2010) Aspects of insider threats. In C. W. Probst, J. Hunker, D. Gollmann, and M. Bishop, editors, Insider Threats in Cyber Security. Advances in Information Security 49. Springer, 2010. [doi:10.1007/978-1-4419-7133-3_1]

RENAUD, K. V. (2012) Blaming Non-Compliance is too Convenient: What really causes Information Breaches? IEEE Security & Privacy, 10(3), 57-63. [doi:10.1109/MSP.2011.157]

RILEY, S. (2006) Password security: what users know and what they actually do. Usability News, 8(1).

ROBIN, G. D. (1969) Employees as offenders. Journal of Research in Crime and Delinquency, 6, 17-33. [doi:10.1177/002242786900600103]

KIDWELL, R. E. and Kochanowski, S. M. (2005) The morality of employee theft: Teaching about ethics and deviant behavior in the workplace. Journal of Management Education, 29, 135. [doi:10.1177/1052562903261180]

SCHNEIER, B. (2006) Real-world passwords. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html.

SECURITYWEEK (2010) Study reveals 75 percent of individuals use same password for social networking and email, August 2010. http://www.securityweek.com/study-reveals-75-percent-individuals-use-same-password-social-networking-and-email.

SIMON, H. A. (1969) The Sciences of the Artificial. MIT Press, 1969.

STANTON, J. M., Stam, K. R., Mastrangelo, P. and Jolton, J. (2005) Improving system security via proactive password checking. Computers & Security, 14(3), 124-133. [doi:10.1016/j.cose.2004.07.001]

SUMMERS, W. C. and Bosworth, E. (2004) Password policy: the good, the bad, and the ugly. In Proceedings of the winter international symposium on Information and communication technologies, WISICT '04, pages 1-6. Trinity College Dublin.

TAMIL, E. M., Othman, A. H., Abidin, S. A. Z., Idris, M. Y. I. and Zakaria, O. (2007) Password policies: A study on attitudes towards password usage among undergraduate students in Klang Valley, Malaysia. Journal for the Advancement of Science and Arts, 3.

TARI, F., Ozok, A. A. and Holden, S. H. (2006) A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In Proceedings of the second symposium on Usable security (SOUPS '06), pages 56-66, New York. [doi:10.1145/1143120.1143128]

TATHUM, R. L. (1974) Employees' views on theft in retailing. Journal of Retailing, 94, 213-21.

THEUSINGER, C. and Huber, K.-P. (2000) Analyzing the footsteps of your customers: a case study by ASK-net and SAS Institute GmbH. In Proceedings WEBKDD, Boston, August 2000.

VAN DOORN, L. (1992) Computer break-ins: A case study. In Proc. of the annual Unix User Group (NLUUG) Conference, 143-151.

VON LOHMAN, F. (2004) Is suing your customers a good idea? September 29. Law.com. http://www.law.com/jsp/article.jsp?id=1095434496352

WHATSMYPASS? (2008) The top 500 worst passwords of all time, November 2008. http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time.

WILKES, R. E. (1978) Fraudulent behaviour by customers. Journal of Marketing, 42(4), 67-75. [doi:10.2307/1250088]

WILSON, T. (2009) Employees willing to steal data; companies on the alert, Nov 2009. http://www.darkreading.com.

WORKMAN, M., Bommer, W. H. and Straub, D. (2008) Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24, 2799-2816. [doi:10.1016/j.chb.2008.04.005]

ZVIRAN, M. and Haga, W. J. (1993) A comparison of password techniques for multilevel authentication mechanisms. The Computer Journal, 36(3), 227-237. [doi:10.1093/comjnl/36.3.227]
