Security and SOX

Nearly everyone who works with a computer has gotten some version of the ‘Password Memo’.

The Password Memo lays out lots of rules for passwords, e.g., they must be at least eight characters long; they must include numbers, upper and lower case letters, and punctuation; they shouldn't be your user name or the names of family members or pets; they shouldn't be (or even include) dictionary words; and they should never be reused. Oh, and you should never ever write them down, and you should plan on coming up with a new one every thirty days.

Computer security experts greet these sorts of rules with a certain disdain, because the more complicated the rules, the harder it is to come up with a memorable password. Combine them with the requirement to change passwords often and the usual effect is to force people into writing the passwords down (the one rule that a computer system can't check) and hiding them, commonly on Post-It notes in a desk drawer or on the last page of a desk calendar. [Okay, don't raise your hands, but how many of you have done just that? Don't run and change it just now, but remember that any reasonably sophisticated 15-year-old hacker knows this trick. Instead, invest in a password wallet program: I use Wallet from Acrylic, but there are lots of good ones out there.]

What these rules do, mostly, is give the impression that the IT people are doing something about security, and thus make everyone feel safer, a trick known in the trade as "security theater." But this piece of security theater is particularly odd, because on balance it actually makes systems less secure. It tempts people into breaking the rules in the riskiest possible fashion. What's worse, the composition rules actively help an attacker who knows them: every candidate that fails the policy can be discarded without a guess, and, more importantly, people forced to satisfy the rules fall back on a handful of predictable patterns (a capitalized word, a digit or two, an exclamation point on the end), so the passwords actually in use are drawn from a far smaller set than the rules suggest.
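To put a number on the first of those effects, here is an added example (not code from the original post) that counts exactly how many eight-character strings satisfy a "one of each class" rule, using inclusion-exclusion, and compares that with the unrestricted keyspace. The four character classes, the 94-symbol printable alphabet, and the helper names are assumptions made for the example.

```python
import itertools
import math
import string

# Character classes a "Password Memo" style policy demands. Assumption for
# this example: the four classes below, taken from Python's string
# constants (94 printable ASCII characters in all, space excluded).
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "punct": frozenset(string.punctuation),
}


def alphabet_of(classes):
    """Union of all characters the policy allows."""
    return frozenset().union(*classes.values())


def is_compliant(pw, length=8, classes=CLASSES):
    """True if pw has exactly `length` characters drawn from the policy's
    alphabet and contains at least one character from every required class.
    This is the same filter an attacker applies to skip hopeless guesses."""
    alphabet = alphabet_of(classes)
    if len(pw) != length or any(c not in alphabet for c in pw):
        return False
    return all(any(c in cls for c in pw) for cls in classes.values())


def count_compliant(length, classes=CLASSES):
    """Exact number of compliant strings by inclusion-exclusion over the
    set S of classes that are *missing*: sum over S of (-1)^|S| * |A \\ S|^n."""
    alphabet = alphabet_of(classes)
    total = 0
    for k in range(len(classes) + 1):
        for missing in itertools.combinations(classes.values(), k):
            remaining = alphabet.difference(*missing)
            total += (-1) ** k * len(remaining) ** length
    return total


def count_compliant_bruteforce(length, classes):
    """Enumerate every string (feasible only for tiny policies) to
    cross-check the closed-form count."""
    alphabet = sorted(alphabet_of(classes))
    return sum(
        is_compliant("".join(p), length, classes)
        for p in itertools.product(alphabet, repeat=length)
    )


def keyspace_reduction(length=8, classes=CLASSES):
    """How much of the raw keyspace the policy hands the attacker for free."""
    total = len(alphabet_of(classes)) ** length
    valid = count_compliant(length, classes)
    return {
        "total": total,
        "valid": valid,
        "fraction_valid": valid / total,
        "skipped_fraction": 1 - valid / total,
        "bits_lost": math.log2(total / valid),
    }


if __name__ == "__main__":
    r = keyspace_reduction(8)
    print(f"8-char strings over 94 symbols: {r['total']:.3e}")
    print(f"policy-compliant: {r['valid']:.3e} ({r['fraction_valid']:.1%}); "
          f"attacker skips {r['skipped_fraction']:.1%}, "
          f"about {r['bits_lost']:.2f} bits of entropy")
```

Run it and roughly 46% of all eight-character strings turn out to be compliant, so the rule lets an attacker skip a little over half the raw space, about one bit of entropy. That is real but small; the much larger loss comes from the predictable patterns people adopt to satisfy the rules, which a count like this does not model.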

So, you might ask, if these rules don’t do any good, why are they implemented?

The usual excuse is that it's "required by Sarbanes-Oxley," that is, by the Public Company Accounting Reform and Investor Protection Act of 2002, usually known as the "Sarbanes-Oxley Act," "SarbOx," or just "SOX."

Reading the text of the law doesn’t help explain how it happens. SOX, passed in response to the Enron and WorldCom accounting scandals, doesn’t say a word about passwords. What it does is make CEOs and CFOs criminally liable for failures in their accounting controls, without necessarily explaining what is or isn’t acceptable. That’s left to professional organizations, much as accounting standards are established. Only, if you follow those organizations and their rules, you’ll find that they don’t actually make explicit password policy recommendations either. Instead, they say that external auditors should ensure that properly stringent rules are applied.

Thus, the auditing firms are left to themselves to decide what these "properly stringent" rules are; but as the example of Arthur Andersen (R.I.P.) shows, they see no particular reward in finding a reasonable accommodation. With possible criminal penalties hanging over their heads, it's a rare CEO or CFO who will insist on weaker rules that can actually be followed, instead of going with the extreme rules the auditors recommend.

The result: rules that reduce the real security, while providing lots of “security theater” that can be produced in court if necessary. It’s very much like “defensive medicine”; companies are incurring unproductive costs for questionable security, just as doctors end up ordering potentially unnecessary tests rather than be faced with questions during a malpractice suit.

The worst part is that there's no easy way to compute what the additional costs might be, so it's nearly impossible to make a cost-benefit analysis. We do know what the costs of disclosed passwords can be, as the recent Twitter hacks have shown, but what about the cost of lost productivity, day to day, across millions of computer users, when those costs are just a few lost minutes for each person?

But even if we can’t compute them, it doesn’t mean those costs don’t exist — and a few minutes per person, over perhaps a hundred million computer users, begin to add up. But when those costs don’t actually add to security, when they actually increase the risks, we can be certain that the cost-benefit doesn’t work out.

So, once again, we find ourselves taking measures not to prevent bad consequences, but to protect ourselves from bad litigation. And, incredibly, we find ourselves – in the most unlikely of places – once again running into that economic bête noire of our time: Sarbanes-Oxley.