by Kristyan Mjolsnes @ http://www.secureconnect.com . February 3, 2010 . 9:50PM
Unique user IDs and passwords are an important aspect of information security. They are the front line of protection for user accounts. A list released after a recent hacking incident at the photo-sharing and slideshow site RockYou.com provides insight into some of the most commonly used passwords, including:

These twenty are good examples of poor password choices. Notice that many people simply chose their first name or a common number grouping. Good password policy, however, involves much more than avoiding the passwords listed above. A poorly chosen password can result in the compromise of a company’s entire network. Requirement 2 of the PCI DSS states, “Do not use vendor-supplied defaults for system passwords and other security parameters.” Our PCI experts at BHI SecureConnect® recommend that companies enforce strong password policies throughout their organization.
By following some simple guidelines, you can help to minimize the chance of a password breach:
- Change user passwords at least every 90 days
- Require a minimum password length of at least seven characters
- Require both upper- and lower-case characters (e.g., a-z, A-Z)
- Require at least one number
- Require at least one punctuation character (e.g., !, @, #, $, %, ^, &, *)
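The guidelines above, turned into a check that an account system could run when a password is set or reviewed. This is an added example, not code from the post or from BHI SecureConnect®; the blocklist is a constructed stand-in for the twenty leaked entries, and the caller is assumed to supply the password's age in days.

```python
import string

# Constructed sample blocklist standing in for the twenty leaked RockYou
# entries the post refers to (the page does not reproduce them here).
WEAK_PASSWORDS = {"123456", "password", "iloveyou", "princess", "abc123"}

MAX_AGE_DAYS = 90   # rotate at least every 90 days
MIN_LENGTH = 7      # at least seven characters


def check_password(password: str, age_days: int) -> list:
    """Return the list of policy rules a password violates.

    age_days is the number of days since the password was last changed.
    An empty list means the password satisfies every rule above.
    """
    problems = []
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears on the known-weak password list")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    if age_days > MAX_AGE_DAYS:
        problems.append("not changed in the last %d days" % MAX_AGE_DAYS)
    return problems
```

The blocklist comparison is case-insensitive so that capitalising a leaked password does not get it past the check.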
Although creating a strong password is essential, maintaining its security is just as important. Never reveal passwords in messages, phone conversations, written documents, or on computer systems. Your organization should have an Information Security Policy that outlines a standard for protection of passwords.
by Joel Fusco @ http://www.secureconnect.com . December 21, 2009 . 2:05PM
Recently, a popular topic of conversation during my meetings with national brands has been the lawsuit against Radiant/Aloha and Computer World over the breach of more than 19 restaurants in the Louisiana and Mississippi area. See http://www.gokiosk.net/kiosk/2009/12/radiant-being-sued-by-restaurants-for-violating-pci-compliance-1.html.
In the food industry almost all point-of-sale (POS) systems need to be accessed remotely for service and update purposes. Unfortunately, these same POS vendors and resellers have not paid much attention to the PCI Data Security Standard (DSS). Rather, the focus has traditionally been on the Payment Application certification, PA-DSS, which primarily deals with the means of encrypting cardholder data sent over the internet. Going into 2010, this certification is mandatory.
This specific breach of Radiant’s system could have been prevented in many ways. It is not for me to say who is responsible, but rather to point out what went wrong and to provide action steps for preventing it from ever occurring again.
The DSS is very specific about remote access and access control. Many of its requirements are dedicated to these areas and identify exactly what is REQUIRED.
Multi-factor Remote Access - A multi-factor system uses multiple factors in conjunction with each other in order to authenticate. Using more than one factor generally delivers a higher level of authentication assurance. Multi-factor authentication is typically a sign-on process in which a person proves his or her identity with two of the three methods: “something you know”, “something you have” or “something you are”. The same method cannot be used twice.
Most remote access tools are not equipped to provide such authentication and rely on traditional user IDs and passwords, as mentioned in the article. Unfortunately, when common IDs and passwords are shared, it leads to widespread vulnerability. It is important for merchants, and especially brands, to monitor this access and be sure they are using a method of multi-factor access. An example would be authentication conducted on a per-user basis, in which a person must enter an ID and password to receive a random 5-digit code, sent via email or SMS text, for final authentication. There is also the option of a phone call upon authentication that provides the code. Lastly, smartcards, tokens or keys can be required for final authentication as well.
Using any of these methods would certainly have mitigated the risk of this breach occurring.
Strong Access Control - Having the ability to assign each user their own account is key to assuring security while using remote access. Anyone with access to a remote system is required to have their own account and multi-factor authentication. Equally important is the ability to properly administer this access and to have a complete reporting tool showing when and which user authenticated. The SecureConnect® tool, for example, provides a visual dashboard of all users and their history. This is particularly important for forensic purposes as well, should a breach occur.
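The per-user flow described above (ID and password, then a random 5-digit code delivered out of band) together with the per-user reporting called for under strong access control, as an added example that is not the SecureConnect® product's code: the server side of issuing and checking the code, with a timeout, a guess limit and an audit trail of every event. The five-minute lifetime, the three-attempt limit and the send_code delivery callback are assumptions, not figures from the post.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses void the code


class SecondFactor:
    """After the ID and password are accepted, issue a random 5-digit code,
    verify it, and record every event so a report of who authenticated,
    and when, is available afterwards."""

    def __init__(self, send_code):
        self.send_code = send_code   # callable(user, code): SMS, email or voice call
        self._pending = {}           # user -> [code_hash, expires_at, attempts_left]
        self.audit_log = []          # (timestamp, user, event) for reporting/forensics

    def _log(self, user, event, now):
        self.audit_log.append((now, user, event))

    def issue_code(self, user, now):
        code = "%05d" % secrets.randbelow(100000)        # CSPRNG, 00000-99999
        code_hash = hashlib.sha256(code.encode()).hexdigest()
        self._pending[user] = [code_hash, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_code(user, code)   # the clear code goes only to the delivery channel
        self._log(user, "code-issued", now)

    def verify_code(self, user, submitted, now):
        entry = self._pending.get(user)
        if entry is None:
            self._log(user, "no-pending-code", now)
            return False
        code_hash, expires_at = entry[0], entry[1]
        if now > expires_at:
            del self._pending[user]
            self._log(user, "code-expired", now)
            return False
        submitted_hash = hashlib.sha256(submitted.encode()).hexdigest()
        if hmac.compare_digest(code_hash, submitted_hash):
            del self._pending[user]        # a code is accepted once only
            self._log(user, "authenticated", now)
            return True
        entry[2] -= 1
        if entry[2] == 0:                  # a 5-digit code needs a guess limit
            del self._pending[user]
            self._log(user, "code-locked", now)
        else:
            self._log(user, "code-mismatch", now)
        return False
```

Timestamps are plain seconds so the same object can be driven from a clock in production and from fixed values when exercising it; the audit_log is the per-user history a dashboard or a forensic review would read.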
Beyond this, there were other internal issues regarding the storage of data within these POS systems; however, none of it could have been accessed if the proper remote access technologies had been implemented.
Again, it is not my position to say who is responsible in this particular case; however, as a business owner and/or franchisor it is important to work with all parties, including the vendors, to be sure the proper technologies are in place to prevent such a breach.
by Kristyan Mjolsnes @ http://www.secureconnect.com . October 27, 2009 . 3:36PM
The majority of media attention and security efforts focus on the activity of outside attackers. Internal breaches have not been widely acknowledged as dangerous threats, although they do pose a danger to business owners. Inadequate procedures, accidental errors by employees and malicious activity by people inside an organization account for a more significant number of threats than is commonly assumed. Implementing an Information Security Policy (ISP) and achieving PCI compliance will greatly support your efforts to become secure.
Challenges we often see in protecting an organization from internal attack include security awareness, employee training and improper approaches. Budget is a major barrier to security awareness training because organizations find it difficult to demonstrate a return on investment for such training. Although the return may not be immediately evident, preventing potential breaches is worth the money spent on educating employees. People continue to be an organization’s greatest asset and its greatest weakness; therefore it is imperative that you take all necessary steps to train those who keep your business running smoothly. Employee training aids in development and increases productivity. Cutting training programs because of budget constraints will likely increase the number of errors and mistakes made by employees. An ISP should be made available to employees to maintain strong internal procedures.
Approaching your organization’s security in the correct way is important. A worldwide survey of over 400 organizations shows that although organizations believe they will experience a data leak at some point, they expect it to be accidental rather than malicious. The survey, by Dimension Data, indicates that there is a need to complement the traditional network-centric security approach with data-centric security.
Securing data in addition to the network will strengthen operations and help mitigate the risk of a security breach. Traditional defenses are designed to protect an organization from external attacks, while the internal network remains relatively open to security threats. Protecting data internally needs to be a priority as well. As addressed in the PCI DSS, an organization must utilize an ISP in order to adopt security best practices throughout the organization. This includes security awareness, employee training and proper approaches to achieve PCI compliance and ensure your business is safe from internal and external threats.