Identify AND Authenticate users in order to protect your organization's networks.
Actions performed on an organization’s networks, systems, and applications need to be associated with a unique, individual user. This helps ensure that nefarious or unintentional actions that negatively impact the organization, along with the user that performed them, can be identified and corrective actions can be performed. Additionally, organizations run the risk of stale or potentially compromised passwords without the proper implementation of configuration setting requirements and limitations for authentication. User identification and authentication are the focus of pitfall #29 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
All users should be assigned a unique identifier (user ID) for their personal use only. This is necessary to support non-repudiation throughout your organization. Appropriate user authentication techniques should also be implemented to substantiate the claimed identity of any authorized user requesting access each time they log in to your organization’s networks, systems, or applications. Authentication information should be obfuscated (e.g., by displaying asterisks as a password or passphrase is entered) during the authentication process to protect the user credentials from possible exploitation and use by unauthorized individuals.
Baseline controls should include settings for password or passphrase composition and complexity requirements. This includes limits on failed password attempts and the re-use of passwords. At a minimum, users should be prevented from using their previous twelve passwords or passphrases. Preventing the use of the previous twenty-four passwords or passphrases is strongly recommended.
Passwords or passphrases should be required to be at least ten characters in length. Using passwords that contain a minimum of fourteen to sixteen characters is highly encouraged. Passwords should contain a combination of upper-case alphabetic (A-Z), lower-case alphabetic (a-z), numeric (0-9), and special characters (e.g., @#$%&!). Keep in mind that the more complex a password is, the more difficult it is to guess or crack. Passwords or passphrases assigned for first-time use, and upon being reset by administrators, should be set to a unique value for each user. This means that the same "default" password should not be used when creating new accounts or resetting passwords for existing accounts. In all cases, the user should be required to change their password or passphrase immediately after initial use.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.