Solutions to the password problem - Part 2

Implement strong authentication for all remote users and for all privileged users and accounts. There are many two-factor alternatives to the traditional password, including SecurID, Smart Cards, smart USB keys and even mobile phone SMS texts.

Institute thorough end-user training on secure communications, including what can be discussed over the telephone, what can be discussed outside the building and what can be written in an e-mail. Try not to use e-mail notification or voicemails when away from the office - it sets up the replacement as a target. And most importantly, ensure everyone knows how to report an incident and to whom – most people do not.

Strengthen your helpdesk password reset process. Permit password resets only with call-back and PIN authentication or some other form of cross-verification. Implement incident reporting and response procedures for all help desk staff, together with clear escalation procedures for everyone in the incident chain. Help desk staff should be encouraged to withhold support when a call does not feel right. In other words “just say no …..”

As a politician might say: “Training, training, training.” Train all employees - everyone has a role in protecting the organisation and their own jobs. If someone tries to threaten them or confuse them, it should raise a red flag. Train new employees as they start. Give extra security training to security guards, help desk staff, receptionists and telephone operators, all of whom have a vital role to play in blocking identity theft. Make sure you keep the training up to date and relevant.

Address the issue of easy-to-guess passwords. This is the single biggest hole in most organisations’ IT security defence. If your organisation is using a Windows network (and most are) and if you have upgraded to Windows 2000, XP or Server 2003, then you can use passphrases rather than passwords. A passphrase of 15 characters or more is easier to remember than a complex 8-character password, yet infinitely more secure. Compare “I would love to own a big red Ferrari” (29 characters and almost unbreakable) with “nUaY6zOs” (8 characters and impossible to memorise, yet easily broken with today’s password crackers!).

Finally, have a security assessment test performed and heed the recommendations. Test the company's ability to protect its environment, its ability to detect the attack and its ability to react and repel the attack. Have the first test performed when the company is expecting it, then do a blind test the second time around.

This blog post is an excerpt of an opinion piece called “Identity Theft in The Corporate World” written by Peter Wood from First Base Technologies. You can find more about this security outfit at http://www.fbtechies.co.uk