On today’s episode, Martin Littmann, CISO at Kelsey-Seybold clinic in Houston, joins us once again to discuss credentials. The systems in place to create them and protect them are essential. Hear his opinions on these systems.
Martin outlines exactly what defines credentials: the username and password created to log into an account. One question he tries to answer is how you know whether the person using an account is actually the person authorized to use it.
He shares his method for identifying this. Previously, before the technology was advanced enough, it was largely based on trust. Nowadays it is very important to use technology to determine whether account activity is normal or abnormal. The location of logins is a key signal, and correlating a person's activity over time and checking it against their pattern is a good way to identify and flag abnormal behavior.
How does this translate to risk management? If you notice suspicious trends, introduce a new challenge the user must answer to authenticate their identity. Learn to discern between genuine threats and simple bad IT.
Normal behavior is defined by time of access, duration of access, and location of access. Use these to establish what normal looks like, then assess the risk of anything that deviates from it.
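As an added example (not code from the episode or from Kelsey-Seybold), the following Python sketch applies the three signals Martin names, time, duration and location, to a set of constructed login events. Each user's first few events form a baseline; later events that deviate on two or more signals are flagged for a step-up challenge, while a single deviation (a short session from the usual place, at the usual hour) is left alone. The user names, log lines, thresholds and the two-signal rule are all assumptions made for illustration.

```python
"""Flag logins that deviate from a user's established time/location/duration pattern.

Added illustration, not the episode's own tooling. All events below are
constructed sample data; thresholds are arbitrary starting points.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: (user, ISO timestamp, country of source IP, session minutes).
EVENTS = [
    ("alice", "2024-03-04T08:05:00", "US", 480),
    ("alice", "2024-03-05T08:12:00", "US", 470),
    ("alice", "2024-03-06T07:58:00", "US", 490),
    ("alice", "2024-03-07T08:03:00", "US", 465),
    ("alice", "2024-03-07T23:40:00", "RO", 12),   # off-hours, new country, brief session
    ("bob", "2024-03-04T13:00:00", "US", 240),
    ("bob", "2024-03-05T13:30:00", "US", 250),
    ("bob", "2024-03-06T12:45:00", "US", 230),
    ("bob", "2024-03-07T13:10:00", "US", 245),
    ("bob", "2024-03-07T13:30:00", "US", 5),      # usual hour and place, just a short session
]


def build_baselines(events, warmup=4):
    """Per-user baseline from each user's first `warmup` events:
    the set of login hours seen, the set of countries seen, and the mean session length."""
    grouped = defaultdict(list)
    for user, ts, country, minutes in events:
        grouped[user].append((datetime.fromisoformat(ts), country, minutes))
    baselines = {}
    for user, rows in grouped.items():
        hist = rows[:warmup]
        baselines[user] = {
            "hours": {dt.hour for dt, _, _ in hist},
            "countries": {c for _, c, _ in hist},
            "mean_minutes": sum(m for _, _, m in hist) / len(hist),
        }
    return baselines


def score_event(baseline, dt, country, minutes):
    """Return the list of ways one event deviates from the baseline (empty list = normal)."""
    reasons = []
    # Time: accept any hour within +/-2 of an hour previously seen (wrapping around midnight).
    if not any(min(abs(dt.hour - h), 24 - abs(dt.hour - h)) <= 2 for h in baseline["hours"]):
        reasons.append("off-hours")
    # Location: any country not seen during the baseline period.
    if country not in baseline["countries"]:
        reasons.append("new-country")
    # Duration: a session far shorter than this user's average.
    if minutes < 0.25 * baseline["mean_minutes"]:
        reasons.append("short-session")
    return reasons


def flag_anomalies(events, warmup=4, min_reasons=2):
    """Post-baseline events with at least `min_reasons` deviations, i.e. candidates
    for an additional authentication challenge rather than an automatic block."""
    baselines = build_baselines(events, warmup)
    seen = defaultdict(int)
    flagged = []
    for user, ts, country, minutes in events:
        seen[user] += 1
        if seen[user] <= warmup:
            continue  # baseline period; nothing to compare against yet
        reasons = score_event(baselines[user], datetime.fromisoformat(ts), country, minutes)
        if len(reasons) >= min_reasons:
            flagged.append((user, ts, reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in flag_anomalies(EVENTS):
        print(f"{user} {ts}: challenge user ({', '.join(reasons)})")
```

Requiring two independent signals before challenging is what keeps bob's five-minute session out of the queue: on its own a short session is far more likely to be a dropped connection or bad IT than an attacker. Lowering `min_reasons` to 1 flags both users, which is the trade-off a risk owner has to make explicitly.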
Security personnel have access to analytical tools and therefore to a wealth of information, which helps them determine whether an account has been compromised. As a result, they often receive an influx of questions. While they can't access everything, security personnel do see a lot, and other people in the company may want to use that information to measure productivity.
A piece of advice: present the facts without making assumptions.
Martin’s Steps to Account Protection
Do we have a standard by which we create accounts? If the process is automated, is it bulletproof and impossible to override? How are password length and strength handled? What is the process for creating the password?
At a policy level, there will be certain requirements that a password must meet. However, there also needs to be technology behind it to enforce these requirements.
Martin suggests that organizations need to invest in protecting credentials. The password policy needs to be reasonable and specific.
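Martin's point that a written policy needs technology behind it is easiest to see in code. Below is an added example (not the clinic's policy or code) of a password validator that enforces a specific, reasonable policy at account-creation time: a long minimum length rather than forced character classes, a check against known-breached strings even when they carry the usual trailing digit or symbol, and a few cheap structural checks. The thresholds, the breach list and the function names are assumptions chosen for illustration.

```python
"""Enforce a password policy in code, so it cannot be met on paper and ignored in practice.

Added illustration, not the episode's own tooling. The policy values and the
tiny breach list are constructed placeholders; a real deployment would check
against a full breached-password corpus.
"""
import re
import unicodedata

# Constructed policy parameters.
MIN_LENGTH = 14
MAX_LENGTH = 128
MIN_DISTINCT_CHARS = 6
# Constructed stand-in for a breached-password list (real lists run to hundreds of millions).
BREACHED = {"password", "password1", "welcome1", "summer2024", "letmein", "qwertyuiop"}


def strip_decorations(pw):
    """Lower-case and drop trailing digits/symbols so 'Password1!' is compared as 'password'."""
    return re.sub(r"[\d!@#$%^&*.,_-]+$", "", pw.lower())


def validate_password(password, username=""):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    pw = unicodedata.normalize("NFKC", password)  # same visible string -> same bytes
    violations = []

    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        violations.append(f"longer than {MAX_LENGTH} characters")

    # Breach check on the raw string and on the string with common decorations removed.
    if pw.lower() in BREACHED or strip_decorations(pw) in BREACHED:
        violations.append("appears in breached-password list")

    # Don't let the account name itself be the secret.
    if len(username) >= 3 and username.lower() in pw.lower():
        violations.append("contains the username")

    # Structural weaknesses that a length rule alone does not catch.
    if re.search(r"(.)\1{3,}", pw):
        violations.append("four or more identical characters in a row")
    if len(set(pw)) < MIN_DISTINCT_CHARS:
        violations.append(f"fewer than {MIN_DISTINCT_CHARS} distinct characters")

    return violations


def is_acceptable(password, username=""):
    """Convenience wrapper for the account-creation path."""
    return not validate_password(password, username)


if __name__ == "__main__":
    for pw, user in [("correct horse battery staple", "alice"),
                     ("Password1!", "bob"),
                     ("alice.wonderland.2024!!", "alice"),
                     ("aaaaaaaaaaaaaaaa", "carol")]:
        print(f"{pw!r}: {validate_password(pw, user) or 'OK'}")
```

Returning every violation at once, rather than the first one found, lets the account-creation flow show the user exactly which rule they hit, which is what makes the policy "specific" in practice. The same function should sit behind every path that sets a password, including helpdesk resets and any automated provisioning, or the process is not bulletproof.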
Password Rotation and Lockout
What does Martin think about these topics? He believes longer passwords are stronger, but that changing passwords frequently does not help, because people respond by simplifying them. He is not a fan of the 90-day password change but believes passwords should be changed after certain incidents.
Martin also recommends using a password vault.
On a personal level, remember that your own data can be looked up. Using somebody else's data to answer your personal security questions can help protect you, as well.
When setting up two-factor authentication, if you can use an app rather than receive an SMS, do it. As for password vaults, don't use the browser's built-in function to store passwords; use a dedicated app.