Do You Need A Safe Word?

  • Comments posted to this topic are about the item Do You Need A Safe Word?

  • We require that users set up answers to security questions (e.g. name of your favourite pet etc.) which are stored within the helpdesk software system, and when a user requires any password reset they have to phone the helpdesk and answer the questions. If they haven't set any up, it requires an email from their line manager on a corporate account. That's just for average users. Any privileged users are known personally to the helpdesk as they are generally IT staff, so are verified by voice as well. We aren't a bank or financial business either!

  • Not always easy: in a small company (in terms of number of employees) but with a fairly critical application, I fought for months just to have people accept that passwords must be at least 8 characters and have at least one non-alphanumeric character in them. Anything more elaborate would have been unacceptable for the customer. The funny thing is that nevertheless every single user seemed to have his or her version of the 'security' of the web application in question as a first thought.

    Obviously, had I not imposed a minimum of complexity on passwords, the average complexity of a user password would have been '123' no matter how hard I had argued on the matter with managers and users...

  • Simple solution. Do not do anything by email. Have them log into the corporate web site (they must know their credentials to do that) and have them fill out the request online. This solves many problems.

    1. Security is taken care of.

    2. You have a history of all requests that can be reviewed.

    3. You can build a work-flow process into the system.

    4. Any number of authorized people can fulfill the request regardless of vacations and/or sick days. Sending a message to a specific person might take a longer time to complete if they are out of the office.

    5. The requests can be queued and processed in the order they are received (or, if the company prefers, set a priority depending on the questions asked on the web site).

  • Financial institutions do this all the time with security questions. The user selects from a list of possible questions at account creation time and provides the correct answer for each. Later, when password resets are requested or even periodically upon normal access a security question is asked and the provided answer is compared to the one previously selected. If there is no match, then an alternate question is asked (in case of a genuine error). If no security question is answered appropriately, then the account is locked until the person contacts the help desk. I would even suggest that after such a reset, upon positive identification of course, that new security questions be selected and answered.

    Some would argue that small organizations don't need to go through this hassle. Yet I would suggest that any organization that is concerned about security (which should be all!) should take such steps. After all, the size of the organization should not be the defining criterion, but how secure system access needs to be.
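    The challenge-question flow described in the post above (questions chosen at enrolment, an alternate question on a wrong answer, lockout until the help desk is contacted), written out as an added example; this is not code from the thread or from any product, and the question set, the two-question failure limit and the PBKDF2 hashing of answers are assumptions of this example. Answers are stored salted-and-hashed rather than in clear, so a leaked table does not hand out the answers.

```python
import hashlib
import hmac
import os
import random
from dataclasses import dataclass, field

# Added example (constructed): security-question reset flow as the post describes it.
MAX_FAILED_QUESTIONS = 2  # assumption: after this many wrong answers, lock the account


def _normalise(answer: str) -> str:
    # Case and surrounding whitespace are not secret; normalising avoids locking
    # out a legitimate user over "Rex" versus "rex ".
    return " ".join(answer.strip().lower().split())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Treat the answer like a password: salted, slow hash.
    return hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    # question text -> (salt, hash); several questions chosen at enrolment
    questions: dict = field(default_factory=dict)
    locked: bool = False


def enrol(account: Account, chosen: dict) -> None:
    """Record the questions the user picked and hashes of their answers."""
    for question, answer in chosen.items():
        salt = os.urandom(16)
        account.questions[question] = (salt, _hash_answer(answer, salt))


def check_answer(account: Account, question: str, answer: str) -> bool:
    salt, stored = account.questions[question]
    # constant-time comparison of the two hashes
    return hmac.compare_digest(stored, _hash_answer(answer, salt))


def attempt_reset(account: Account, answer_for, rng=random) -> str:
    """Run the challenge flow.

    answer_for(question) -> str is whatever the caller collects from the person
    requesting the reset. Returns "reset" on a correct answer, or "locked" once
    MAX_FAILED_QUESTIONS questions have been failed; a locked account stays locked
    until the help desk clears it after positive identification.
    """
    if account.locked:
        return "locked"
    order = list(account.questions)
    rng.shuffle(order)  # first question at random; the rest serve as alternates
    failures = 0
    for question in order:
        if check_answer(account, question, answer_for(question)):
            return "reset"
        failures += 1
        if failures >= MAX_FAILED_QUESTIONS:
            break
    account.locked = True
    return "locked"


if __name__ == "__main__":
    acct = Account("alice")
    enrol(acct, {"First pet?": "Rex", "Birth city?": "Leeds", "First car?": "Mini"})
    print(attempt_reset(acct, lambda q: "wrong"))  # two misses -> locked
```

    A real deployment would also re-enrol new questions after a help-desk unlock, as the post suggests, and rate-limit the endpoint, since the questions are far weaker than a password.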

  • Technical aspects aside, the real story is what the company that was compromised was intending to do and what made them a target. :angry:

  • All security systems are flawed. There is no perfect system. It depends on your level of risk acceptance versus the cost to the user if not able to log in.

    One place I worked at got hacked because an employee trusted a friend of a friend's nephew to borrow her personal laptop on which she stored, unprotected, all of her work and personal passwords. After all, they were all good friends. How does an organization deal with that?

  • OCTom (3/24/2011)


    One place I worked at got hacked because an employee trusted a friend of a friend's nephew to borrow her personal laptop on which she stored, unprotected, all of her work and personal passwords. After all, they were all good friends. How does an organization deal with that?

    There's really no absolute protection against stupidity!:crazy:

  • OCTom (3/24/2011)


    All security systems are flawed. There is no perfect system. It depends on your level of risk acceptance versus the cost to the user if not able to log in.

    One place I worked at got hacked because an employee trusted a friend of a friend's nephew to borrow her personal laptop on which she stored, unprotected, all of her work and personal passwords. After all, they were all good friends. How does an organization deal with that?

    The laptop should encrypt all the data on the system so if it gets lost or stolen, none of the data is easily compromised.

    The laptop is part of a domain so it prevents anyone from logging into it unless they have a corporate account. A guest is not able to sign in. If another employee uses the computer, they cannot decrypt the data from any other users of that same computer.

    To prevent someone from lending out the computer along with your userid and password, you could force the employees to connect to the corporate network with VPN hardware to sign in. That makes it more difficult to lend out because you would also have to give up part of your network for the borrower to use the laptop.

    Additionally, only grant access to data that is absolutely necessary for the employee to do their job. Anything extra is exposing the data to more risk.

  • There needs to be a mix of formal and informal systems.

    While several have commented on the formalized structure, there is also the common sense component? Is the request out of the ordinary (a request to change access certainly is)? Is it a natural followup in an existing project, or does it seem to come out of nowhere? Is it rush-rush? What is the reason they give for requesting it? Are they asking for more than read rights?

    I don't remember ever having an access change request out of the blue. There has always been a bit of a history, earlier discussions (both email and phone) where this would naturally fit in. A sudden request would certainly raise a flag and I would likely phone them or request more details.

    ...

    -- FORTRAN manual for Xerox Computers --

  • jay holovacs (3/24/2011)


    While several have commented on the formalized structure, there is also the common sense component?

    Unfortunately, in a world where common sense is becoming more uncommon, formalized procedures are too often necessary to make up for that lack. This is no different than McDonald's having to put warning labels on coffee cups because some folks don't have the common sense to know that it will be hot! Sad, but true.

  • Aaron N. Cutshall (3/24/2011)


    OCTom (3/24/2011)


    One place I worked at got hacked because an employee trusted a friend of a friend's nephew to borrow her personal laptop on which she stored, unprotected, all of her work and personal passwords. After all, they were all good friends. How does an organization deal with that?

    There's really no absolute protection against stupidity!:crazy:

    Absolutely Aaron, as in leaving an unlocked smartphone lying about. Duh. Put a secure passcode on it and make sure it and the default bypass passcode are not easily guessed either. Your phone provider can help you with this and also make sure they have a unique security question on your account known only to you as well (no birth dates), just in case anyone tries to call them up and impersonate you. Keep your cell phone locked at all times!!!! This is kind of a no-brainer guys, and remember that 98% of security is just using plain old common sense. 😀

    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"

  • RE: Common Sense

    Is the request out of the ordinary (a request to change access certainly is)?

    Not really. We get access change requests pretty often. People change departments or roles pretty regularly, there is a regular amount of turnover. When you have several thousand users spread across tens of sites, IT no longer knows what is out of the ordinary.

    Are they asking for more than read rights?

    Even read rights can be dangerous.

    I don't remember ever having an access change request out of the blue. There has always been a bit of a history, earlier discussions (both email and phone) where this would naturally fit in. A sudden request would certainly raise a flag and I would likely phone them or request more details.

    While that may be acceptable for a small shop, a formal system (computer or paper based) is the only way to go. No access changes without a signed form. Password resets require an ID number and the last 4 digits of the SSN to the automated reset system and are logged in the help desk call system. Failed attempts disable the account. Auto password resets are disabled for high security accounts, including IT staff, who must call the help desk from their assigned extension that displays the user's name to the help desk, or go personally to the help desk.

    Ideally, password reset and access request logs are reviewed regularly to look for odd patterns, e.g. an IT support person who had multiple password resets within one or two days might represent a problem.

    --

    JimFive
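    The log review the post above calls for, as an added example that is not code from the thread or from any help-desk product: it parses constructed reset-log lines and flags any user with repeated successful resets, or repeated failed attempts, inside a two-day window. The log format, the field names and the thresholds (two resets, three failures) are assumptions of this example; a real help-desk system's export will differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of help-desk reset log lines (not from the thread).
# One event per line: timestamp, action, then key=value fields.
SAMPLE_LOG = """\
2011-03-21 08:02 reset user=jdoe via=auto result=ok
2011-03-21 09:15 reset user=itsupport3 via=helpdesk result=ok
2011-03-22 11:40 reset user=itsupport3 via=helpdesk result=ok
2011-03-22 16:05 reset user=asmith via=auto result=fail
2011-03-22 16:06 reset user=asmith via=auto result=fail
2011-03-22 16:08 reset user=asmith via=auto result=fail
2011-03-23 07:55 reset user=itsupport3 via=helpdesk result=ok
2011-03-28 10:00 reset user=jdoe via=auto result=ok
"""

WINDOW = timedelta(days=2)  # "within one or two days", as the post puts it
RESET_THRESHOLD = 2         # assumption: two successful resets in the window is odd
FAIL_THRESHOLD = 3          # assumption: three failures in the window is odd


def parse_line(line: str) -> dict:
    """Turn one log line into {"when": datetime, "user": ..., "via": ..., "result": ...}."""
    date, time, _action, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["when"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
    return event


def review(log_text: str) -> list:
    """Return (user, label, first_time, last_time) for every user whose events
    exceed a threshold inside WINDOW. Sliding window over sorted timestamps."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_user[event["user"]].append(event)

    findings = []
    rules = (("ok", RESET_THRESHOLD, "repeated-resets"),
             ("fail", FAIL_THRESHOLD, "repeated-failures"))
    for user, events in sorted(by_user.items()):
        events.sort(key=lambda e: e["when"])
        for result, threshold, label in rules:
            times = [e["when"] for e in events if e["result"] == result]
            start = 0
            for end in range(len(times)):
                # drop events that fell out of the window ending at times[end]
                while times[end] - times[start] > WINDOW:
                    start += 1
                if end - start + 1 >= threshold:
                    findings.append((user, label, times[start], times[end]))
                    break  # one finding per user and rule is enough for review
    return findings


if __name__ == "__main__":
    for user, label, first, last in review(SAMPLE_LOG):
        print(f"{user}: {label} between {first} and {last}")
```

    On the sample, jdoe's two resets a week apart are not flagged, while itsupport3 (three resets in three days) and asmith (three failures in minutes) are. The window and thresholds are the knobs a reviewer tunes to the shop's normal turnover, which is exactly the point the post makes about large sites.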

  • In most large corporations, everyone has an employee number which they know from memory because it's on their payroll stub or they enter it when dialing into a tele-conference call. It's also not something that a hacker would easily locate in a phone or email. When the help desk receives an email for a password change, they can call the employee back on their cell phone and request as confirmation their employee number or the last 4 digits of their SSN.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • cengland0 (3/24/2011)


    OCTom (3/24/2011)


    All security systems are flawed. There is no perfect system. It depends on your level of risk acceptance versus the cost to the user if not able to log in.

    One place I worked at got hacked because an employee trusted a friend of a friend's nephew to borrow her personal laptop on which she stored, unprotected, all of her work and personal passwords. After all, they were all good friends. How does an organization deal with that?

    The laptop should encrypt all the data on the system so if it gets lost or stolen, none of the data is easily compromised.

    The laptop is part of a domain so it prevents anyone from logging into it unless they have a corporate account. A guest is not able to sign in. If another employee uses the computer, they cannot decrypt the data from any other users of that same computer.

    To prevent someone from lending out the computer along with your userid and password, you could force the employees to connect to the corporate network with VPN hardware to sign in. That makes it more difficult to lend out because you would also have to give up part of your network for the borrower to use the laptop.

    Additionally, only grant access to data that is absolutely necessary for the employee to do their job. Anything extra is exposing the data to more risk.

    That's all well and good. But, the laptop was a personal laptop that was never connected to the network. I don't know why she stored her work info on it but she did.
