Don’t Cut Corners When It Comes To Credentials

Podcast

The New CISO Podcast with guest Martin Littmann

  • Nov 04, 2021
  • 2 minutes to read

Episode 61

On today’s episode, Martin Littmann, CISO at Kelsey-Seybold clinic in Houston, joins us once again to discuss credentials. The systems in place to create them and protect them are essential. Hear his opinions on these systems.

Credentials

Martin outlines exactly what defines credentials: the username and password created to log into an account. One question he tries to answer is how you know whether the person using an account is actually the person authorized to use it.

He shares his method for answering that question. Before the technology was mature enough, the answer rested largely on trust. Today it is essential to use technology to decide whether account activity is normal or abnormal. The location of logins is a key signal, and correlating each person's activity against their own history is a good way to identify and flag abnormal behavior.

Risk Management

How does this translate to risk management? If you notice suspicious trends, introduce an additional challenge the user must answer to prove their identity. Learn to distinguish between real threats and simple bad IT practice.

Normal behavior is defined by time of access, duration of access, and location of access. Use these to establish what is normal for each user and assess the risk of anything that deviates from it.
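The baseline Martin describes (time, duration and location of access, with a step-up challenge when activity looks abnormal), as an added Python illustration that is not from the podcast or any Exabeam product; the login records, the weights and the challenge threshold are constructed assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed history of past logins for one user: (timestamp, location, session minutes).
# These are made-up records, not data from the episode.
HISTORY = [
    ("2021-10-04T08:05:00", "Houston,TX", 480),
    ("2021-10-05T08:12:00", "Houston,TX", 455),
    ("2021-10-06T07:58:00", "Houston,TX", 500),
    ("2021-10-07T09:01:00", "Houston,TX", 430),
    ("2021-10-08T08:20:00", "Houston,TX", 470),
]

def build_baseline(history):
    """Summarise 'normal' as the hours, locations and session length seen so far."""
    durations = [d for _, _, d in history]
    return {
        "hours": {datetime.fromisoformat(ts).hour for ts, _, _ in history},
        "locations": {loc for _, loc, _ in history},
        "dur_mean": mean(durations),
        # identical sessions give a zero deviation; fall back to 1.0 to avoid division by zero
        "dur_sd": pstdev(durations) or 1.0,
    }

def score_login(baseline, ts, location, duration_min):
    """Return (score, reasons); each deviation from the baseline adds to the risk score."""
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    if hour not in baseline["hours"]:
        score += 2
        reasons.append(f"off-hours login at {hour:02d}:00")
    if location not in baseline["locations"]:
        score += 3
        reasons.append(f"never-seen location {location}")
    z = abs(duration_min - baseline["dur_mean"]) / baseline["dur_sd"]
    if z > 3:  # more than three standard deviations from the user's usual session length
        score += 1
        reasons.append(f"unusual session length {duration_min} min")
    return score, reasons

def decide(score, challenge_at=3):
    """A single weak signal is tolerated; at the threshold the user gets a step-up challenge."""
    return "challenge" if score >= challenge_at else "allow"

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for login in [("2021-10-11T08:10:00", "Houston,TX", 460),
                  ("2021-10-11T02:30:00", "Kyiv,UA", 15)]:
        s, why = score_login(base, *login)
        print(login[0], decide(s), s, why)
```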


Frequent Questioning

Security personnel have access to analytical tools and therefore to a wealth of information, which they can use to determine whether an account has been compromised. As a result, they often receive an influx of questions from the rest of the business. They cannot see everything, but they do have access to a great deal of information, and other members of the company may want to use that information to measure productivity.

A piece of advice: present the facts without making assumptions.

Martin’s Steps to Account Protection

Do we have a standard by which we create accounts? If the process is automated, is it bulletproof and impossible to override? How are password length and strength enforced? What is the process for creating the password?

Martin’s Advice

At a policy level, there will be certain requirements that a password must meet. However, there also needs to be technology behind it to enforce these requirements.

Martin suggests that organizations need to invest in protecting credentials. The password policy needs to be reasonable and specific.

Password Rotation and Lockout

What does Martin think about these topics? He believes that longer passwords are stronger, but that changing the password frequently does not help because people respond by simplifying it. He is not a fan of the 90-day password rotation, but he does believe passwords should be changed after certain incidents.

Martin also recommends utilizing a password vault.

Be Discreet

On a personal level, remember that your own data can be looked up. Using somebody else's data to answer your personal security questions can help to protect you, as well.

Final Advice

When using two-factor authentication, if you can use an app rather than receive an SMS, do it. When it comes to password vaults, don't use the browser's built-in function to store passwords; use a dedicated app.


Martin Littmann

Martin Littmann is the CTO & CISO for Kelsey-Seybold Clinic, responsible for IT Architecture & Strategy, Infrastructure, Network and Information Security. Martin holds a Bachelor of Science in Geology and began his career as a geothermal exploration geologist, later transitioning into IT development and architecture, accumulating 30 years of experience spanning across the IT spectrum, including application development and delivery, infrastructure, information security, and customer service. Over the last 19 years he’s been heavily focused on Critical Infrastructure and Information and Cybersecurity and he currently serves as the Healthcare Cross Sector Chief for the Houston InfraGard chapter.

