Pub. 7 2012-2013 Issue 2
July/August 2012

Security Awareness Training: Passwords
Stephanie Chaumont, CISA, CISSP, Security+ and Carl Cope, CISA, CISSP, CoNetrix

One topic you might have overlooked for training this year is password security. Operating systems, web portals, and software applications have evolved in the realm of technical security measures, so it is now rare not to find some form of easy-to-use password policy attached. You can easily enforce password length, complexity, and age restrictions for your bank's network; however, these restrictions are insufficient without password security training.

Unfortunately, technical controls can only do so much—your employees are either the strongest or the weakest link in information security. Windows password complexity policies, for example, will not prevent anyone from setting their network password to "Password1." It is at least eight characters long and includes both a capital letter and a number, but it is one of the most common and simplest password choices.

Training can teach your users to try passphrases. These can be song lyrics or quotes that are longer than a password but are typically easier to remember. Capitalizing the first letter, using spaces between the words (if the system allows them), and punctuating the end will create an extremely strong password. Length, rather than the use of symbols and numbers, is actually the greater indicator of password strength.

I think by this point in time, most banks have trained their users not to write down passwords, but as an auditor, I still find password lists from time to time. I've also found sticky notes with old network passwords crossed out and replaced by current passwords. Unfortunately, in some cases the pattern is simple (Summer2010, Winter2010, etc.), so it won't be too hard to guess what the next password will be—even if the Post-It is taken down.
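The three points above (a complexity rule that still accepts "Password1", length counting for more than symbols, and predictable seasonal rotations) can be made concrete in a small policy checker. The block below is an added example written for this page; it is not code from the article or from CoNetrix. It assumes a simplified "8+ characters, three of four character classes" approximation of the Windows rule, a constructed five-entry denylist standing in for a real breached-password corpus, a naive search-space entropy model (length times log2 of the character pool), a regular expression for Season+Year rotations, and a 60-bit acceptance threshold chosen for illustration.

```python
"""Password-policy checks that go beyond Windows-style complexity rules.

Added example for this article, not CoNetrix code. It shows that (1) a
complexity rule accepts "Password1"; (2) a spaced passphrase scores far
higher on a length-based entropy estimate than a short complex password;
(3) Summer2010 -> Winter2010 style rotations can be rejected by a pattern
check. Denylist, thresholds and the pool model are constructed assumptions.
"""
import math
import re
import string

# Constructed, deliberately tiny denylist of common choices (the article names
# "Password1"). A real deployment would use a breached-password corpus.
COMMON_PASSWORDS = {"password1", "password", "123456", "welcome1", "qwerty"}

# Season+year rotations the article warns about, e.g. Summer2010 or Winter2010!
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\W*\d{2,4}\W*$", re.I)


def meets_windows_complexity(pw: str) -> bool:
    """Approximation of the classic '8+ chars, three of four classes' rule."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation or c == " " for c in pw),
    ]
    return len(pw) >= 8 and sum(classes) >= 3


def estimated_entropy_bits(pw: str) -> float:
    """Naive brute-force bound: length * log2(size of the character pool used).

    This ignores dictionary structure, but it is enough to show why length
    dominates the use of symbols and digits.
    """
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 ASCII symbols
    if " " in pw:
        pool += 1
    return len(pw) * math.log2(pool) if pool else 0.0


def evaluate_password(pw: str) -> dict:
    """Return each finding separately so a training tool can explain *why*."""
    return {
        "complexity_ok": meets_windows_complexity(pw),
        "common": pw.lower() in COMMON_PASSWORDS,
        "seasonal_pattern": bool(SEASON_YEAR.match(pw)),
        "entropy_bits": round(estimated_entropy_bits(pw), 1),
    }


def acceptable(pw: str, min_bits: float = 60.0) -> bool:
    """Accept only if every check passes; min_bits is an assumed threshold."""
    r = evaluate_password(pw)
    return (
        r["complexity_ok"]
        and not r["common"]
        and not r["seasonal_pattern"]
        and r["entropy_bits"] >= min_bits
    )


if __name__ == "__main__":
    # Constructed sample candidates: the article's examples plus a passphrase.
    for candidate in [
        "Password1",
        "Summer2010",
        "Winter2010!",
        "Four score and seven years ago today.",
    ]:
        verdict = "accepted" if acceptable(candidate) else "rejected"
        print(f"{candidate!r}: {evaluate_password(candidate)} -> {verdict}")
```

Run as-is, the script shows "Password1" and "Summer2010" passing the complexity rule yet being rejected (denylist and seasonal pattern respectively), while the 37-character passphrase, which uses no digits at all, clears the entropy threshold by a wide margin. The entropy figure is an upper bound, not a measure of guessability against a dictionary attack, which is exactly why the denylist and pattern checks sit beside it.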
As users rely more and more on technology, their list of account names and passwords continues to grow. If your users need help remembering all those passwords, they should be instructed that, if written down, passwords should be kept in locked drawers. Another option is to use a password-storing application (a password manager).

One final area of password security where you must rely on training rather than technical controls is the practice of reusing passwords. If an employee uses the same password for your network as for personal email, Facebook, or other websites, you are now relying on the security of all of those unknown companies. While you cannot control how securely these other websites handle authentication information, you can use security awareness training to remind your users that their bank passwords should never be shared with other types of accounts.

These are pretty basic concepts, but as with most training, they must be continually revisited for them to stick. When your training focuses on creating a culture of security among users, rather than on crossing off an annual checklist item, you will hopefully see more users understand the importance of creating strong passwords and securing them.

Stephanie Chaumont and Carl Cope are security and compliance consultants for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit the CoNetrix website at www.conetrix.com.

TECH TALK