One of the more common compliance requirements is to ensure that passwords are strong and protected. This usually covers age, length and complexity, which in a Microsoft Windows environment is typically managed through Group Policy. What is less obvious is that auditors also expect a history of your organization's password policy, together with a record of any exceptions you have made and why.
Complex, difficult-to-guess passwords are only a start, especially when self-service systems allow a password to be reset by answering a few common questions, many of which can be discovered through Facebook, LinkedIn or other social media.
If your organization resets passwords through a self-service system, make sure users understand the danger of giving simple, truthful answers to these questions. One suggestion is to respond with answers that do not fit the question at all. It is much harder to socially engineer or guess the answer to a secret question when the answer makes no sense, and the answers should be treated with the same care as a password, since they can be used to replace one.
Watch the watcher
Keep an eye on your administrators. The people with the most opportunity to misuse or improperly share private data are the people with the most access. Compliance regulations usually require organizations to keep track of administrator activity, and especially of who is an administrator in the first place. It may seem obvious, but a reliable log of administrator activity is key to maintaining a secure environment that satisfies external regulations.
One item that tends to get overlooked is service accounts, the highly privileged accounts that run applications or services. These accounts often hold the same administrative rights as a person, with the added problem that inexperienced organizations rarely notice them at all. There are ways to verify that service accounts are used only for their intended purpose, and to alert you when one of them is used for anything else: for example, an account that should only start a service on one server suddenly logging on interactively or from a workstation.
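The following is an added example, not code from the original article, of the kind of check described above: a small allow-list of service accounts (where each may log on and with which logon type) is applied to Windows logon events, and anything outside the allow-list becomes an alert. The log records are constructed in a simple key=value line format; the account, host and IP names are hypothetical. The logon type numbers are those documented for Event ID 4624.

```python
"""Added example (not from the original article): flag privileged service
accounts used for a purpose other than the one they were provisioned for.

Input is a handful of constructed Windows Security log records in a simple
key=value line format (a log forwarder or SIEM would produce something similar
from Event ID 4624, "An account was successfully logged on").
Account, host and IP names are hypothetical."""

# Logon types as documented for Event ID 4624.
LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
              7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
              10: "RemoteInteractive", 11: "CachedInteractive"}

# Hypothetical inventory of service accounts: where each may log on and how.
# This is the "intended purpose" that the article says should be enforced.
SERVICE_ACCOUNTS = {
    "svc_sql":    {"hosts": {"SQL01"},            "logon_types": {5}},
    "svc_backup": {"hosts": {"BACKUP01", "FS01"}, "logon_types": {3, 5}},
}

# Constructed sample records; one per line.
SAMPLE_LOG = """\
EventID=4624 RecordID=101 TargetUserName=svc_sql WorkstationName=SQL01 LogonType=5 IpAddress=-
EventID=4624 RecordID=102 TargetUserName=svc_backup WorkstationName=FS01 LogonType=3 IpAddress=10.1.0.20
EventID=4624 RecordID=103 TargetUserName=svc_sql WorkstationName=WS042 LogonType=10 IpAddress=10.9.8.7
EventID=4624 RecordID=104 TargetUserName=svc_backup WorkstationName=BACKUP01 LogonType=2 IpAddress=127.0.0.1
EventID=4624 RecordID=105 TargetUserName=jdoe WorkstationName=WS042 LogonType=2 IpAddress=-
EventID=4672 RecordID=106 TargetUserName=svc_sql WorkstationName=SQL01 LogonType=5 IpAddress=-
"""


def parse_line(line):
    """Turn one key=value record into a dict; numeric fields become ints."""
    fields = dict(part.split("=", 1) for part in line.split())
    for key in ("EventID", "RecordID", "LogonType"):
        fields[key] = int(fields[key])
    return fields


def check_event(ev):
    """Return an alert string if a tracked service account is used outside its
    allowed hosts or logon types; None for anything that is fine or untracked."""
    if ev["EventID"] != 4624:          # only successful logons are judged here
        return None
    policy = SERVICE_ACCOUNTS.get(ev["TargetUserName"].lower())
    if policy is None:                 # ordinary user, not a service account
        return None
    problems = []
    host = ev["WorkstationName"].upper()
    if host not in policy["hosts"]:
        problems.append(f"host {host} not in {sorted(policy['hosts'])}")
    lt = ev["LogonType"]
    if lt not in policy["logon_types"]:
        problems.append(f"logon type {lt} ({LOGON_TYPE.get(lt, 'unknown')}) not permitted")
    if not problems:
        return None
    return (f"record {ev['RecordID']}: {ev['TargetUserName']} on {host} "
            f"from {ev['IpAddress']}: " + "; ".join(problems))


def scan(log_text):
    """Run every record through check_event and return the alerts, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = check_event(parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print("ALERT", a)
```

Run against the sample, records 103 (an RDP logon by the SQL service account to a workstation) and 104 (an interactive logon by the backup account) are reported; the normal service and network logons and the ordinary user are not. The allow-list is deliberately small and explicit so that a new host or logon type has to be justified and added, which is exactly the record a compliance reviewer will ask for.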
Assess, access and alert
In today's world, data sets are so large and complex that it is hard to regulate who has access. When it comes to regulations and avoiding unintentional sharing of private data, you have to set a baseline by recording the current access and permissions. To get a handle on your organization's controlled resources, record where your organization is today. If you do not know who has access to a resource you are missing a key piece of information, so ask the resource owners to justify each person's access and remove those who do not belong. Once access to these critical resources is under control, set up alerts for when that access changes, so you know what is going on and can address any mistake or malicious change as soon as it happens.
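As an added example of the baseline-and-alert approach (not code from the original article), the block below stores a snapshot of who holds which rights on a set of resources, compares a later snapshot against it and classifies every difference by severity. The two snapshots are constructed for the example and the share paths, groups and user names are hypothetical; in practice the snapshot would come from an ACL or group-membership export.

```python
"""Added example (not from the original article): record a baseline of who
holds which rights on controlled resources, then compare a later snapshot
against it and raise alerts on any change.

Snapshots are constructed dicts of {resource: {principal: [rights]}}; the
share paths, groups and user names are hypothetical."""
import json
import os
import tempfile

# Rights that grant more than read access; gaining one of these is the
# change an auditor most wants to hear about.
PRIVILEGED_RIGHTS = {"FullControl", "Modify", "Write", "ChangePermissions", "TakeOwnership"}

# Constructed baseline: the state recorded once every entry had been justified.
BASELINE = {
    r"\\FS01\HR":      {"HR-Staff": ["Read"], "HR-Admins": ["FullControl"]},
    r"\\FS01\Finance": {"Finance": ["Read", "Modify"]},
}

# Constructed later snapshot: one user gained FullControl on HR, Finance lost Modify.
CURRENT_STATE = {
    r"\\FS01\HR":      {"HR-Staff": ["Read"], "HR-Admins": ["FullControl"], "jdoe": ["FullControl"]},
    r"\\FS01\Finance": {"Finance": ["Read"]},
}


def entries(snapshot):
    """Flatten a snapshot into a set of (resource, principal, right) triples so
    that set arithmetic yields the exact additions and removals."""
    return {(res, who, right)
            for res, acl in snapshot.items()
            for who, rights in acl.items()
            for right in rights}


def save_baseline(snapshot, path):
    """Persist the baseline; sort_keys keeps the file diff-friendly in version control."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snapshot, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return (added, removed) lists of triples, sorted for stable reporting."""
    old, new = entries(baseline), entries(current)
    return sorted(new - old), sorted(old - new)


def alerts(baseline, current):
    """Classify every change: a newly granted privileged right is HIGH, any other
    grant MEDIUM, and a removal LOW (still worth a look, since it may break a
    legitimate process or be someone covering their tracks)."""
    added, removed = compare(baseline, current)
    out = []
    for res, who, right in added:
        severity = "HIGH" if right in PRIVILEGED_RIGHTS else "MEDIUM"
        out.append((severity, f"{who} gained {right} on {res}"))
    for res, who, right in removed:
        out.append(("LOW", f"{who} lost {right} on {res}"))
    return out


def roundtrip(snapshot):
    """Write a snapshot to disk and read it back, as a scheduled job would
    between the baseline run and the next comparison."""
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        save_baseline(snapshot, path)
        return load_baseline(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    stored = roundtrip(BASELINE)
    for severity, message in alerts(stored, CURRENT_STATE):
        print(severity, message)
```

The comparison works on flattened (resource, principal, right) triples rather than on whole ACLs, so a single added right on an otherwise unchanged resource is reported on its own and an unchanged snapshot produces no alerts at all. Once a change has been reviewed and accepted, the reviewed snapshot is saved as the new baseline.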