SYSTEM SECURITY LEVELS

by Santostefano Giovanni
contact: idmgiovanni@libero.it
last update: 18 - May - 2007

INDEX:
1. Instructions
2. System Security Levels
3. Password Security Levels

1. Instructions

This paper defines a hierarchical structure of security levels meant to protect a system from intrusions that start from direct, physical access to the computer. Fully protecting a computer against an attacker who has physical access is practically impossible, but a few simple rules are enough to stop a weak intrusion.

These rules are divided into:
- System Security Levels, indexed by a number;
- Password Security Levels, indexed by a letter.

The lowest number is the strongest protection. The lowest letter (taking ASCII order as the reference) is the strongest password: "A" would be the strongest possible password class.

The security level of a system is composed by the user by joining a System Security Level (cumulative: a level includes every higher-numbered, weaker level after it), followed by a dot ".", followed by a Password Security Level (the average of the strength classes of the passwords on the system). The BIOS password is assumed to be the strongest password and is not counted in the average of the password classes.

For example, the security level 130.h denotes a password level "h" and a system level 130, meaning that rules 130, 140, 150 and so on, down to the weakest rule, are all applied.

The whole chart is built to be extended in future releases, both towards weaker and towards stronger levels.

2. System Security Levels

100 - Physical extraction of the storage devices from the computer, to protect the data.
    - Physical extraction of the network devices (LAN cards/modems), to avoid connections made with your MAC address.
110 - Disable all peripherals (storage devices etc.) in the BIOS.
120 - Encrypt all data.
130 - System BIOS password.
140 - Disable automatic boot from floppy, CD/DVD and other external or network devices.
150 - Operating system password.
160 - Use a non-root account for normal routines.
170 - Use a *nix system.
180 - Do not write passwords down.
190 - Do not attach post-its with passwords to the monitor or anywhere else.
200 - Don't leave your room while you are logged in and not protected by a password.

Caveat: a BIOS password (130) and disabled boot devices (140) only hold as long as the attacker cannot open the case. On most machines the BIOS settings can be reset by clearing the CMOS, and a disk moved to another computer is readable unless it is encrypted. Against direct physical access, level 120 is what actually protects the data; the other levels raise the cost of a casual intrusion.

3. Password Security Levels

h - Password of more than 11 characters, including letters, numbers and symbols, with no meaning at all (a random-looking sequence). A random mix of this kind is chosen so that a brute-force attack cannot finish in any reasonable time: with roughly 90 printable characters available, 12 characters already give about 90^12, or about 2^78, combinations, far more than the "several hours" a naive estimate would suggest.
j - Password of more than 11 characters, including letters, numbers and symbols, but with a meaning (a word or phrase).
l - Password of 6 to 11 characters, including letters, numbers and symbols (a meaningless one is preferable).
n - Password composed only of alphabetic characters.
p - Password composed of a long sequence of numbers only, or of symbols only.
w - Your password is your phone number. Stupid! A brute-force attack finds a short string of digits very quickly, and the attacker also learns your phone number.
x - Your password is your name or the name of a relative, or your birthdate or a relative's birthdate.
y - Your password is qwerty, abcd or similar.
z - Your password is 123... or similar.
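As an added example (not part of the original paper), the following Python code classifies passwords into the letter classes of section 3 and composes a level string such as 130.h following the rule of section 1: the system level is the lowest rule number from which every weaker rule is also applied, and the password level is the ASCII average of the letter classes, with the BIOS password left out. The short word list, the 7-to-15-digit phone-number shape, the set of "applied rule numbers" and the sample passwords are assumptions constructed for the example; the paper's "has sense" versus "non-sense" distinction is approximated by a dictionary-word check.

```python
"""Classifier for the paper's System (numeric) and Password (letter) Security
Levels.  Added example, not the paper's own code: the word list, the
phone-number shape and the rule-set input are assumptions of the example."""
import statistics
import string

# Rule numbers from section 2; lower is stronger and the chart is cumulative,
# so level 130 means rules 130, 140, ..., 200 are all applied.
SYSTEM_RULES = (100, 110, 120, 130, 140, 150, 160, 170, 180, 190, 200)

# Assumed stand-in for a real dictionary: a password containing one of these
# "has sense" (class j) instead of being nonsense (class h).
WORDLIST = ("password", "secret", "admin", "love", "summer", "welcome")

# Keyboard rows and alphabet/digit runs behind "qwerty or abcd" (y) and "123..." (z).
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits)


def _is_run(s):
    """True if s (or its reverse) is a contiguous slice of a keyboard row,
    the alphabet or the digit sequence, e.g. qwerty, abcd, 123456, 987654."""
    s = s.lower()
    return len(s) >= 3 and any(s in run or s[::-1] in run for run in RUNS)


def classify_password(pw, personal=()):
    """Return the section 3 letter class of one password (h strongest ... z
    weakest), or None when the chart does not cover it.  `personal` lists the
    names and birthdates of the user and relatives (class x); the classifier
    cannot guess them, so the caller supplies them as strings."""
    low = pw.lower()
    only_digits = pw.isdigit()
    only_letters = pw.isalpha()
    if only_digits and _is_run(pw):
        return "z"                                  # 123... or similar
    if only_letters and _is_run(pw):
        return "y"                                  # qwerty, abcd or similar
    if low in {p.lower() for p in personal}:
        return "x"                                  # name or birthdate
    if only_digits and 7 <= len(pw) <= 15:
        return "w"                                  # assumed phone-number shape
    if only_digits or (pw and all(c in string.punctuation for c in pw)):
        return "p"                                  # numbers-only or symbols-only
    if only_letters:
        return "n"                                  # alphabetic only
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    if has_letter and has_digit and has_symbol:
        if len(pw) > 11:
            return "j" if any(w in low for w in WORDLIST) else "h"
        if len(pw) >= 6:
            return "l"
    return None                                     # e.g. letters+digits, no symbol


def system_level(applied):
    """Lowest rule number such that it and every higher-numbered rule are
    applied (the paper's cumulative reading); None if even rule 200 is missing."""
    level = None
    for rule in reversed(SYSTEM_RULES):
        if rule not in applied:
            break
        level = rule
    return level


def password_level(passwords):
    """Average letter class of the system's passwords, averaging the letters
    as ASCII codes as section 1 says.  Do not pass the BIOS password: the
    paper assumes it is the strongest and excludes it from the average."""
    classes = [classify_password(p) for p in passwords]
    if not classes or None in classes:
        raise ValueError(f"a password falls outside the paper's chart: {classes!r}")
    return chr(round(statistics.mean(ord(c) for c in classes)))


def security_level(applied, passwords):
    """Compose the paper's level string, e.g. '130.h'."""
    return f"{system_level(applied)}.{password_level(passwords)}"


if __name__ == "__main__":
    # Constructed sample: rules 130..200 applied, two nonsense 12-char passwords.
    rules = {130, 140, 150, 160, 170, 180, 190, 200}
    print(security_level(rules, ["g7#Kp2!vQ9$x", "R4%mz8&Lq1@w"]))   # 130.h
```

Because the average is taken over ASCII codes, two passwords of classes h and l yield class j, and a mix can land on a letter the chart does not list (h and j average to i); that is a property of the paper's averaging rule, not of the code. Passwords the chart does not cover, such as letters plus digits with no symbol, make the classifier return None and password_level raise, which is the honest result for a chart the paper says is still to be extended.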