Module 7 Team Module Summary Discussion Case: What are you going to do about the company’s security problems?

You are the new IT manager at InvestCo, a small securities firm, and three days after you started your new job, the secretary to the CEO was tricked into giving the CEO’s password over the phone to someone she thought was in the IT department. Luckily she quickly discovered that she had been tricked and had the CEO immediately change his password. When asked, the secretary said she knew the CEO’s password because it was the same one that he used for his Facebook account. You’ve been told that as far as the IT staff can determine, the hacker probably did not use the stolen password before the CEO’s password was changed. However, if the thief had gotten in, he would potentially have had access to the extensive data that the company keeps on its clients. The CEO is very concerned about the potential liability and loss of customers if the client data had been stolen. Now it is your task to reexamine the firm’s policy on employee and customer account passwords, craft a new security and data retention policy, and make a recommendation to the CEO.

InvestCo holds, trades and manages stock and bond portfolios for clients. There is an existing security and password policy that has been in place for 3 years. Some longer-term employees remember the security training that occurred back then, but there has been no training since the old policy was put in place. The password policy was strengthened two years ago so that passwords had to be longer, couldn’t be reused and had to be changed monthly. Following that change, an intern was hired to help reset passwords when employees and clients couldn’t remember their password.

Due to the financial nature of the company’s business, your recommendation must make the security of financial data paramount. But your recommendations must take usability and accessibility by employees and customers into account. A very secure but inaccessible system would be bad for business, but so would a very accessible but insecure system. So your task is to identify the problems with the existing security at InvestCo. Then craft a security policy and implementation and maintenance plan that addresses those problems while striking a balance between security and accessibility.

Begin by reading the article “Kill the Password” by Mat Honan.

Learn about the technology of passwords by reading the following websites:

Hashing Wikipedia page

Salting Wikipedia page

Multi-factor Authentication Wikipedia page

Password Managers Wikipedia page

Learn about many of the ways passwords are compromised on the following websites or online articles:

Phishing Wikipedia page

Key Loggers Wikipedia page

Dictionary Attack Wikipedia page

Brute Force Attack Wikipedia page

Social Engineering Wikipedia page

How Passwords are Cracked

Aggressive Password Policies

People Using Common Passwords

Million Recently Compromised Passwords For Sale Online

Passwords From Hacked Game Site Dumped Online

Learn about alternative policies to consider by reading the following online articles:

Google Looks to Kill the Password Using the Ring on Your Finger

Stanford’s Password Policy Shuns One Size Fits All Security

Question 1: Choose a password policy to present to your boss, the CEO. In your recommendation, be sure to address how it improves security and/or accessibility. How would your recommended policy have helped in the recent security breach? Identify at least one negative factor related to your recommended

Stay with the current policy but have everyone change his or her password. Send the CEO’s secretary to training on recognizing social engineering. Teach everyone how to craft better passwords.

Move to an aggressive password policy where strong passwords are required, weak passwords are prohibited, and users are required to change their password frequently. Provide everyone with a password manager so that people stop hoarding passwords, passwords are compliant with the new aggressive rules, and strong passwords become disposable.

Keep the current password policy but add in multi-factor authentication for every login. The additional factors may include an RSA token or a smartphone app, as well as the potential for biometrics and location-based limitations (logins only at known locations).

Craft your own password policy. Provide details.

Question 2: In the security breach described in the first paragraph there are several types of security problems. Using the list below, identify how each item in the list shows up in the case.

Employee training problems

Employee/company operating process and procedure problems

Need for client security procedures

Need for a password policy for clients

Need for a better password policy for employees

Need for a data retention policy

Need for a data access policy

Need for intrusion detection/prevention measures

  • Category:- Operation Management
  • Reference No.:- M92024422
