Integrity Blog

The following is an excerpt from "Enhancing Information Security in an Unsecure World WHITE PAPER".
Password Protection & More

Here are some guides to improve security practices through password requirements. Each level progressively guides how to improve security practices. All organizations should be able to handle "A Strong Password Policy" suggestions without assistance. While some organizations will be able to perform "Implementing Change Policies", many organizations will need outside assistance to perform "Two-Factor Authentication".

A Strong Password Policy

A strong password policy requires passwords to be eight (8) or more characters in length, include both alpha and numeric characters with at least one special character (~!@#$%^&*_-+=`|\(){}[]:;”’<>,.?/), be case sensitive and not contain common names, dictionary words, foreign words, date of birth or any information closely associated with the user. The organization’s network should protect passwords and automatically perform password administration so only users have knowledge of their own password.

The old adage of simply taking a word and replacing regular characters with special characters – eg password to P@ssw0|2D – is no longer recommended as computers can now do those replacements on the fly. These recent advances in password hacking techniques have led many security researchers to recommend using a combination of random words with replacements, changes or additions such as Neptune@Error101BarbequeQ. These are both easier to remember and much more difficult to for a hacker to crack.

Implementing Change Policies

Implementing change policies, specifically a password aging policy, helps mitigate the risks that come with keeping a password for an extended period of time. Users should be required to change their password at least every 90 days. System administrators should change their password at least every 90 days and should not reuse that password within a 365-day period.

The system administrator should have the capability to expire passwords. Once expired, the system should require the user to enter a new password if the user ID is still active. In all cases, for each password change, an audit record should be created indicating the user ID, action (e.g., change password), time and workstation or terminal identification. Password strings should not be written to the audit log. Where possible, the system should limit the number of consecutive incorrect access attempts by a user ID to no more than three (3) and automatically deactivate the user ID after the third unsuccessful log on attempt. The system’s action to deactivate a user ID should affect only that user ID and not disable or otherwise affect the workstation or a different user who attempts to use the workstation. In recording the number of consecutive unsuccessful attempts for a specific user ID prior to reaching the lockout threshold, the system should reset the number to zero (0) only after a successful log on.

Two-Factor Authentication

Two-Factor Authentication (2FA) is a process designed to ensure the security of sensitive information by means of requiring users to provide two forms of identification when attempting to access an account. Each form of identification must be separate from the other; one may be something the user knows like a password, the other may be something the user has like a one-time token, or even something inseparable from the user like a fingerprint. 2FA adds to the assurance that the person accessing the account is actually the authorized individual.

Deciding when and where to implement 2FA should be based solely on organizational risk. It is important to understand which systems and applications are at the highest risk for unauthorized access attempts, and know the impact of an unauthorized user gaining access to the system. Utilizing a risk-based approach will guide the cost and implementation discussion.

The reality is that remote access systems, including web-based systems, are under unprecedented attack. The attacks are getting more persistent and more complicated. 2FA, for remote system administration by IT staff or vendors, must be enforced. After that, it’s really a business decision. One that requires more than just the IT team’s input. Have the discussion with your business unit, risk management, IT and customer service teams to determine if 2FA is the right approach. And remember, there are multiple approaches to 2FA; make sure you’re using the right one to get the outcomes you desire.


White Paper - Top Security Tips
Enhancing Information Security in an Unsecure World

This paper reviews four areas of concern: Passwords, Network Considerations, Data Security and Social Engineering.

Download White Paper

The following is an excerpt from the white paper "Giving Security the Attention It Deserves: An IT Director's Guide to Communicating Security Needs with the Executive Team".
Information security requirements of vendors and clients.

As security awareness rises, so do expectations of vendors and clients. Organizations have begun including information security as a major emphasis in their due diligence process. Vendors and clients are actively searching for partners that value security and make it a top priority.

It is not uncommon for companies to lose out on business due to their lack of security controls. Many organizations won’t do business with a company that hasn’t received SOC 2 Compliance Reporting (service organizations) or gained compliance with HIPAA (healthcare), PCI (payment card), or FISMA (Federal contracts) requirements. Has your company suffered due to a lack of security controls? Security is too important to ignore. Take-charge, and your business will benefit.

Security Professionals Talking Business with Executives

When talking with executives about your company’s security position, be organized. This doesn’t mean that you have to deliver a PowerPoint presentation every time you conduct a meeting, but you should have your security plan in order. You will be expected to answer some pointed questions, and you may only get one shot.

Start with a Conversation

Start by asking some of your own questions. Establish a two-way conversation, and clearly explain the situation. This approach will give insight into the perspectives of the executives. Use this as an opportunity to learn from them and to build your case.

Questions you can ask to get a conversation started:

  • How would you describe our brand and what it means to our customers/clients?
  • What have we done, and continue to do, to build our reputation?
  • What are our plans for our brand in the future?
  • Do you have any concerns with our business’ security risks? If so, what are they?
  • Has our executive team discussed a strategic security plan?
  • Have we lost any prospective business due to a lack of security controls?

The above questions get executives thinking about everything they have done to help build and grow the company. There is much pride in that effort, which you can leverage when communicating the ways that security, or lack thereof, will directly impact their efforts.

Take advantage of the opportunity to meet with executives, and be prepared to support your analysis and recommendations. If you do not already understand the executives’ approach to business, then take some time to learn their perspectives. After all, they will make the decision on whether or not you get the funding you need.

For the complete IT Director's Guide to Communicating Security Needs with Executives, download the following white paper.

An IT Director's Guide to Communicating Security Needs with the Executive Team
Giving Security the Attention It Deserves

An IT Director's Guide to Communicating Security Needs with the Executive Team

This paper discusses effective ways to communicate security concerns and solutions to the executive team – providing talking points and suggestions.

Get the Guide Now

Depending on the study you read, there will be somewhere around 1 million cybersecurity jobs that are unfilled. This number is expected to climb by upwards of 50% in just the next 3 years. How many of you remember the mid to late 90’s and the shortage of IT workers during that period? We’re right back there again, only worse.

There are woefully few education programs that adequately train people for cybersecurity roles. And many of these open roles require blending business and technology to understand, evaluate and communicate risk. It is really hard to take someone right out of college and put them in role like this and expect immediate success. There are some things that only experience can teach.

In large enterprises, this can work because there are others with experience who can provide mentoring, guidance and oversight to new graduates. But many companies with open positions are small enough that they don’t have this luxury.

A few things are going to need to happen to solve this labor shortage. Here is how you can help.

  • Contact teachers and members of your local school board and encourage them to emphasize cybersecurity as a unique career field to their STEM (Science, Technology, Engineering and Math) students. It will appeal to the students who wouldn’t necessarily love a traditional IT career path. It is also important to provide entry level courses to these students in order to give them exposure to the career field.
  • Join your alma mater’s advisory board and begin influencing the school’s program decisions. Additional higher education programs are needed and those programs need to have a varied course of study. Not everyone is going to be a secure software developer. Business schools need to get involved in working with computer science to offer a modified MIS type of degree that focuses on the IT risk management side of information security.
  • Help educate current IT workers on the opportunities in security. Encourage them to consider moving to a security role. They have the perfect blend of experience with business needs and technology to make them successful in a cybersecurity role.
  • College students need to take internships in their field of study. If you know a college student, help explain to them the importance of these early opportunities. You cannot overstate the value of experience.
  • Business must be willing to open up their pay scales and understand that in a labor shortage, you have to pay what the market is asking. If you are a manager or executive, make sure to understand the difference between IT and security. This may create an imbalance in your structure, but you must stop categorizing cybersecurity workers as IT workers and trying to make their pay match. They are different career fields.

I know this is easier said than done and there are a lot of groups working to solve the problem. The labor shortage will probably get worse before it gets better. If you are interested in learning how to help or if you are a student and want the inside scoop on how to land a job, contact us. We’re more than happy to help.

Get our blog posts delivered to your inbox: