There can almost never be enough said about how to keep IT networks secure from those bent on hacking into them or stealing information. The first line of defense for every operation is the password each user must present to log in to a workstation or application.
Whatever other controls a network administrator puts in place, password security remains one of the toughest and most critical problems in many situations. A recent Verizon breach study in the US indicates that passwords are still one of the major factors in breaches, whether stolen ones obtained by various means or weak ones that are simply guessed. An IT World Canada article reports that the most likely way your systems will be compromised is through the capture of user passwords, which are then used for access. The methods used to capture them are wide-ranging. The risk can be reduced to some extent by diligence, by layered network security tools that track interactions and changes within the network, and by teaching users why their participation in good practices matters.
Unfortunately, other data indicates that as many as 50 percent of Canadian executives report that they either know or suspect their organization was hacked within the past year through some form of external cyber attack. This reinforces the importance of taking the threat seriously and putting reasonable defenses in place. Notably, the concern comes from small as well as large organizations: the poll included companies with as few as five users. Constant vigilance, including regular review and updating of systems and defenses, is essential.
On the password front, recently proposed draft recommendations from the National Institute of Standards and Technology (NIST) offer some thoughtful suggestions that may change your practices in the future. Some are not what you would normally expect, but they are based on new thinking about what it takes for passwords to be an effective deterrent.
Three key factors:
No more periodic password changes. NIST's research found that forcing password changes at regular intervals does not improve security; the data indicates it actually makes things worse, because users respond with predictable variations on the old password (an incremented digit, the next season's name) that attackers already account for. A change should be triggered by evidence that a password has been compromised, not by the calendar.
No more imposed password complexity. The common requirement that users follow a complex format with a prescribed mix of letters, numbers, capitals and symbols has led to equally predictable workarounds (a capital first letter, a '1' or '!' at the end). Users do better when allowed to choose longer passwords or passphrases that mean something to them.
Mandatory screening of newly created passwords. Every candidate password is compared against a list of unacceptable choices, such as 'password', '12345' and other easily guessed values, including passwords exposed in earlier breaches, and rejected if it appears there. This forces users to make a more creative choice and removes the most common weak passwords from circulation.
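The following is an added example, not code from the article or from NIST, showing what a verifier that follows the three points above looks like: a length floor but no composition rules, no expiry date, and a screen against a blocklist that also catches the trivial variants users produce ('P@ssw0rd!', 'Welcome2016'). The blocklist entries, the 128-character ceiling, the case-folding and Unicode normalization, and the 'acme' service word are this example's own choices; a real deployment would load a large list of breached passwords from disk.

```python
import re
import unicodedata
from typing import Iterable, Tuple

# Assumed policy values. The NIST draft sets a minimum of 8 characters for
# user-chosen passwords and requires that at least 64 be accepted; the upper
# bound here is this example's choice, not a NIST number.
MIN_LENGTH = 8
MAX_LENGTH = 128

# Constructed sample blocklist so the example runs offline. A real list would
# hold millions of breached and commonly chosen passwords loaded from disk.
COMMON_PASSWORDS = frozenset({
    "password", "passw0rd", "password1", "12345", "123456", "12345678",
    "qwerty", "qwerty123", "letmein", "welcome", "admin", "iloveyou",
    "football", "monkey", "abc123", "sunshine",
})

# Undo the usual "leet" substitutions so variants map back to the banned word.
_LEET = str.maketrans("@40!13$5", "aaoiiess")


def normalize(secret: str) -> str:
    """Canonical form for lookups: Unicode-normalized, trimmed, case-folded."""
    return unicodedata.normalize("NFKC", secret).strip().casefold()


def base_word(secret: str) -> str:
    """Strip the trailing digits/symbols users bolt on and undo leet-speak.

    'P@ssw0rd!' -> 'password', 'Welcome2016' -> 'welcome'. Used so that trivial
    variants of a blocklisted entry are still rejected.
    """
    stem = re.sub(r"[\d\W_]+$", "", normalize(secret))
    return stem.translate(_LEET)


def is_repetitive(secret: str) -> bool:
    """True for strings built from a unit of 1-3 characters: 'aaaaaaaa', 'abababab'."""
    s = normalize(secret)
    n = len(s)
    for k in (1, 2, 3):
        if n >= 2 * k and s == (s[:k] * (n // k + 1))[:n]:
            return True
    return False


def is_sequential(secret: str) -> bool:
    """True when every character is one step up or down from the previous one."""
    s = normalize(secret)
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password(secret: str, *, username: str = "",
                   context_words: Iterable[str] = (),
                   blocklist=COMMON_PASSWORDS) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Deliberately no character-class rules and no expiry: only length, the
    blocklist, obvious patterns, and context-specific words are checked.
    """
    norm = normalize(secret)
    if len(norm) < MIN_LENGTH:          # len() counts code points, not bytes
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(norm) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if norm in blocklist:
        return False, "appears in the common-password list"
    stem = base_word(secret)
    if stem and stem in blocklist:
        return False, f"trivial variant of blocklisted '{stem}'"
    if is_repetitive(secret):
        return False, "repetitive characters"
    if is_sequential(secret):
        return False, "sequential characters"
    if username and normalize(username) in norm:
        return False, "contains the username"
    for word in context_words:
        if normalize(word) in norm:
            return False, f"contains service-specific word '{word}'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; 'acme' stands in for the service's own name.
    for pw in ("P@ssw0rd!", "Welcome2016", "abcdefgh", "Tr0ub4dor&3",
               "correct horse battery staple", "alice2016!!", "MyAcmeLogin99"):
        print(f"{pw!r:34} -> {check_password(pw, username='alice', context_words=('acme',))}")
```

Note what is absent: nothing requires a capital, a digit or a symbol, and the passphrase with spaces passes while the "complex-looking" 'P@ssw0rd!' does not. The stem check is the part that pays for itself: an exact-match blocklist would accept 'Welcome2016', which is exactly the variant a user produces under the old rotation-and-complexity rules.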
These practices are meant to apply not only in corporate settings but to consumer services as well, with the prospect of fewer password-based compromises as a result.
Of course, this does not solve the problem of stolen passwords and IDs, which are the focus of many large breaches, and the other components of IT network security remain critical to stopping the large data thefts that expose many users to risk.
The unfortunate consequence of a world-spanning, easily accessed communication system like the internet is that our local systems are affected by trends and actions from outside. That is the downside that weighs against the benefits of this major innovation.
Protecting your operations and your users, customers and suppliers is simply part of the cost of doing business in this environment. Do the work. Take the precautions. Get the help to do it well. With that effort your organization should suffer fewer negative impacts. It is not something to sleep on.