In April 2015, a middle-school student in Tampa, FL broke into his school’s computer network. The student was charged with a felony. But how did the student break into the network in the first place? With sophisticated software? Not at all. He simply watched a teacher type his password. The password was the teacher’s surname.
Why did this happen? How could the IT staff miss such a glaring vulnerability in their network’s security? Most importantly, how could this have been prevented?
Don’t Give Every User Absolute Power
To put it in Windows jargon, do not make everyone an Administrator. If everyone has a high level of access, a breach could be catastrophic. Operate on the principle of least privilege: users should have just enough access to do their jobs. Consider putting users into groups, where privileges are already defined.
Don’t Neglect Your Password Policy
There is much debate on the future of passwords, but for now, they still play a very important role in network security.
Do not let your users create passwords that are the same as their usernames, real names, or words that can be found in a dictionary. The ideal password combines letters (upper and lowercase), numbers, and special characters (such as # and !). The length should be no less than eight characters.
Set a lifespan for your passwords, such as ninety days. After the time is up, passwords will expire and the user must create a new one. Don’t let your users pick the same one again and again. Make it so that the previous passwords are banned from use for a set amount of time.
The average person is not familiar with IT security standards. Most people will follow the path of least resistance and make a password that is easy for them to remember. The key is to make the password requirements strong enough to be safe, but not so complicated that your users find it difficult to remember their own passwords. An overly restrictive set of rules will frustrate your users, while too few rules leave them vulnerable to the many password cracking programs available on the Internet.
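The rules in this section (no username, real name, or dictionary word; mixed character classes; at least eight characters; a lifespan; a ban on reusing previous passwords) are easy to state but worth seeing as an actual check. The following Python is an added example, not code from the original article: the word list, the one-year reuse ban, and the use of plain SHA-256 for the history store are assumptions made for the example (a real credential store uses a slow, salted hash such as bcrypt or scrypt).

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed stand-in for a dictionary word list; a real deployment loads a full list.
DICTIONARY = {"password", "welcome", "summer", "football", "letmein", "school"}

MIN_LENGTH = 8        # "no less than eight characters"
MAX_AGE_DAYS = 90     # password lifespan before it expires
REUSE_BAN_DAYS = 365  # how long a previous password stays banned (assumed value)

# Each character class the password must contain, with the reason reported when missing.
CLASS_CHECKS = [
    ("no lowercase letter", re.compile(r"[a-z]")),
    ("no uppercase letter", re.compile(r"[A-Z]")),
    ("no digit", re.compile(r"[0-9]")),
    ("no special character", re.compile(r"[^A-Za-z0-9]")),
]


def digest(password):
    """Hash used to keep password history without storing plaintext.

    Simplification for the example: a real credential store uses a slow,
    salted hash such as bcrypt or scrypt, not plain SHA-256.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def policy_violations(password, username, real_name, history=(), today=None):
    """Return the list of rules a proposed password breaks (empty list = accepted).

    history is a sequence of (digest, date_set) pairs for the user's previous
    passwords; any of them set within the last REUSE_BAN_DAYS is still banned.
    """
    today = today or date.today()
    problems = []
    low = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if low == username.lower():
        problems.append("same as username")
    # Reject the full real name and each part of it, so a bare surname fails too.
    name_parts = {p.lower() for p in real_name.split()} | {real_name.lower()}
    if low in name_parts:
        problems.append("same as real name or part of it")
    if low in DICTIONARY:
        problems.append("dictionary word")
    for reason, pattern in CLASS_CHECKS:
        if not pattern.search(password):
            problems.append(reason)

    # Previous passwords set after the cutoff are still banned from reuse.
    cutoff = today - timedelta(days=REUSE_BAN_DAYS)
    candidate = digest(password)
    if any(h == candidate and set_on >= cutoff for h, set_on in history):
        problems.append("reused within the last %d days" % REUSE_BAN_DAYS)
    return problems


def password_expired(set_on, today=None):
    """True once a password has reached its MAX_AGE_DAYS lifespan."""
    today = today or date.today()
    return (today - set_on).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # The scenario from the opening story: the teacher's surname as the password.
    print(policy_violations("smith", "jsmith", "John Smith"))
    print(policy_violations("Correct#Horse42", "jsmith", "John Smith"))
```

Returning every broken rule at once, rather than stopping at the first, is what lets the user see why a choice was rejected; the message a user gets back is the part of a policy most likely to decide whether they pick something sensible or just append a "1".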
Don’t Neglect to Train (and Retrain) Your Users
Do your users know what social engineering is? What is the possibility of someone in your organization being tricked into giving sensitive information to an attacker? As an IT professional, it is your job to educate and train your users. Security is like a chain – only as strong as its weakest link. Your users are a link in that chain. All the software-based protections in the world won’t help if someone obtains information without using a computer.
Educate your users about cyber-related crime and why security policies and procedures must be followed. Information is one of the most valuable things in the world today, a commodity that can be bought and sold like precious metals. Your network may contain all kinds of personally identifiable information (PII): Social Security numbers, school records, copyrighted material, or health records. This type of information is extremely valuable to identity thieves and other criminals. In order to avoid disrupting the stability of your organization and to avoid possible prosecution in a highly regulated industry such as health care, all precautions must be taken. All users should be retrained on a regular basis, especially if there is a change in policies or procedures.
Don’t Lose Your Powers of Observation
Do you monitor your event logs? Examining them may reveal suspicious activity. Event logs may be configured to report not only which user accounts have accessed your network, but also when they logged on, their IP addresses, and what they did while on your network.
Remote logons outside of normal business hours may indicate fraudulent activity or an attempted attack. Consider putting a time restriction on logons. Manage your network so that certain groups and accounts only have access at certain times of the day or certain days of the week.
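Reviewing logs by eye does not scale, so the kind of check described in the two paragraphs above is usually scripted: define the hours each group is permitted to log on, then flag any successful logon that falls outside them. The Python below is an added example, not code from the original article. The log format, the group membership, the permitted windows, and the sample log lines are all constructed for the example; a real deployment would read the Windows Security log or a syslog feed instead.

```python
import re
from datetime import datetime, time

# Simplified, constructed log format: one successful or failed logon per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGON user=(?P<user>\S+) "
    r"src=(?P<src>\S+) type=(?P<type>\S+) result=(?P<result>\S+)$"
)

# Permitted logon windows per group as (weekdays, start, end); Monday is 0.
# The values are assumptions for the example, not settings from the article.
LOGON_HOURS = {
    "staff":     ({0, 1, 2, 3, 4}, time(7, 0), time(18, 0)),
    "students":  ({0, 1, 2, 3, 4}, time(8, 0), time(16, 0)),
    "it-admins": (set(range(7)), time(0, 0), time(23, 59, 59)),
}

# Constructed group membership for the sample accounts.
MEMBERSHIP = {"jsmith": "staff", "astudent": "students", "netadmin": "it-admins"}

# Constructed sample log lines (13 April 2015 is a Monday, 11 April 2015 a Saturday).
SAMPLE_LOG = """
2015-04-13 09:12:05 LOGON user=jsmith src=10.0.4.21 type=interactive result=success
2015-04-13 23:47:30 LOGON user=jsmith src=203.0.113.9 type=remote result=success
2015-04-11 14:05:00 LOGON user=astudent src=10.0.7.3 type=interactive result=success
2015-04-13 03:15:42 LOGON user=netadmin src=10.0.0.2 type=remote result=success
2015-04-13 23:50:02 LOGON user=jsmith src=203.0.113.9 type=remote result=failure
""".strip().splitlines()


def parse_logon(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def within_logon_hours(group, ts):
    """True if a timestamp falls inside the group's permitted window."""
    days, start, end = LOGON_HOURS[group]
    return ts.weekday() in days and start <= ts.time() <= end


def flag_logons(lines, membership):
    """Return (user, source, timestamp, reason) for each successful logon that
    falls outside the account's permitted hours or belongs to no known group."""
    findings = []
    for line in lines:
        rec = parse_logon(line)
        if rec is None or rec["result"] != "success":
            continue  # failed attempts are a separate signal, not covered here
        group = membership.get(rec["user"])
        if group is None:
            findings.append((rec["user"], rec["src"], rec["ts"], "account not in any group"))
        elif not within_logon_hours(group, rec["ts"]):
            reason = "%s logon outside %s hours" % (rec["type"], group)
            findings.append((rec["user"], rec["src"], rec["ts"], reason))
    return findings


if __name__ == "__main__":
    for user, src, ts, reason in flag_logons(SAMPLE_LOG, MEMBERSHIP):
        print(ts, user, src, reason)
```

Run against the sample, the script reports the staff account's late-night remote logon from an outside address and the student account's Saturday logon, while the administrator's 03:15 logon passes because that group is permitted round-the-clock access. The same table that drives the detection is the table you would use to enforce the restriction at logon time, which is the point of the paragraph above: decide the permitted hours once, then both enforce and audit against them.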
To quote the official CompTIA Security+ guide, “It has been said that the weakest links in the security chain are the humans.” But humans are not a liability to your network, nor your enemy; they are every bit as valuable as the equipment. They should not be neglected. Not properly training your users is just as risky as not patching your operating system. Forewarned is forearmed.