Policy: All operating system software and hardware devices that initially

have a password set to a default value must have their passwords reset in accordance with the company password policy.

 

Explanation/Notes: Several operating systems and computer-related devices are shipped with default passwords--that is, with the same password enabled on every unit sold. Failure to change default passwords is a grave mistake that places the company at risk.

Default passwords are widely known and are available on Internet Web

sites. In an attack, the first password an intruder tries is the manufacturer s default password.

 

7-21 Invalid access attempts lockout (low to medium security)

Policy: Especially in an organization with low to medium security requirements, whenever a specified number of successive invalid login attempts to a particular account have been made, the account should be locked out for a period of time.

 

Explanation/Notes: All company workstations and servers must be set

to limit the number of successive invalid attempts to sign in. This policy is necessary to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.

 

The system administrator must configure the security settings to lock out an account whenever the desired threshold of successive invalid attempts has been reached. It is recommended that an account be locked out for at least thirty minutes after seven successive login attempts.

 

7-22 Invalid access attempts account disabled (high security)

Policy: In an organization with high security requirements, whenever a specified number of successive invalid login attempts to a particular account has been made, the account should be disabled until reset by the group responsible for providing account support.

 

Explanation/Notes:All company workstations and servers must be set to limit the number of successive invalid attempts to sign in. This policy is a necessary control to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.

 

The system administrator must configure the security settings to disable the account after five invalid login attempts. Following such an attack, the account holder will need to call technical support or the group responsible for account support to enable the account. Prior to resetting the account, the department responsible must positively identify the account holder, following the Verification and Authorization Procedures.

 

7-23 Periodic change of privileged

Policy: All privileged account holders shall be required to change their passwords at least every thirty days.

 

Explanation/Notes: Depending on operating system limitations, the systems administrator must enforce this policy by configuration of security parameters in system software.

 

7-24 Periodic change of user passwords

Policy: All account holders must change their passwords at least every sixty days.

 

Explanation/Notes: With operating systems that provide this feature, the systems administrator must enforce this policy by configuration of security parameters in the software.

 

7-25 New account password set up

Policy: New computer accounts must be established with an initial password that is pre-expired, requiring the account holder to select a new password upon initial use.

 

Explanation/Notes: This requirement ensures that only the account holder will have knowledge of his or her password.

 

7-26 Boot-up passwords

Policy: All computer systems must be configured to require a bootup password.

 

Explanation/Notes: Computers must be configured so that when the computer is turned on, a password is required before the operating system will boot. This prevents any unauthorized person from turning on and using another person's computer. This policy applies to all computers on company premises.

 

7-27 Password requirements for privileged accounts

Policy: M1 privileged accounts must have a strong password: The password must:

 

Not be a word found in a dictionary in any language

 

Be mixed upper and lower case with at least one letter, one symbol, and one numeral

 

Be at least 12 characters in length

 

Not be related to the company or individual in any way.

 

Explanation/Notes: In most cases computer intruders will target specific

 accounts that have system privileges. Occasionally the attacker will exploit other vulnerabilities to gain full control over the system.

 

The first passwords an intruder will try are the simple, commonly used words found in a dictionary. Selecting strong passwords enhances the security by reducing the chance an attacker will find the password by trial and error, dictionary attack, or brute force attack.

 

7-28 Wireless access points

Policy: All users who access a wireless network must use VPN (Virtual Private Network) technology to protect the corporate network.

 

Explanation/Notes: Wireless networks are being attacked by a new technique called war driving. This technique involves simply driving or walking around with a laptop equipped with an 802.11B NIC card until a wireless network is detected.

 

Many companies have deployed wireless networks without even enabling WEP (wireless equivalency protocol), which is used to secure the wireless connection through use of encryption. But even when activated, the current version of WEP (mid-2002) is ineffective: It has been cracked wide open, and several Web sites are devoted to providing the means for locating open wireless systems and cracking WEP-enabled wireless access points.

 

Accordingly, it is essential to add a layer of protection around the 802.11B protocol by deploying VPN technology.

 

7-29 Updating antivirus pattern files

Policy: Every computer system must be programmed to automatically update antivirus/anti-Trojan pattern files.

 

Explanation/Notes: At a minimum, such updates shall occur at least weekly. In businesses where employees leave their computers turned on, it 302 is highly recommended that pattern files be updated on a nightly basis.

 

Antivirus software is ineffective if it is not updated to detect all new forms of malicious code. Since the threat of virus, worm, and Trojan Horse infections is substantially increased if pattern files are not updated, it is essential that antivirus or malicious code products be kept up to date.

 

Computer Operations

8-1 Entering commands or running programs

Policy.: Computer operations personnel must not enter commands or run programs at the request of any person not known to them. If a situation arises where an Unverified Person seems to have reason to make such a request, it should not be complied with without first getting manager approval.

Explanation/Notes.:Computer operations employees are popular targets of social engineers, since their positions usually require privileged account access, and the attacker expects that they will be less experienced and less knowledgeable about company procedures than other IT workers. The intention of this policy is to add an appropriate check and balance to prevent social engineers from duping computer operations personnel.

 

8-2 Workers with privileged accounts

Policy: Employees with privileged accounts must not provide assistance or information to any Unverified Person. In particular this refers to not providing computer help (such as training on application use), accessing any company database, downloading software, or revealing names of personnel who have remote access capabilities,

 

Explanation/Notes: Social engineers often target employees with privileged accounts. The intent of this policy is to direct IT staff with privileged accounts to successfully handle calls that might represent social engineering attacks.

 

8-3 Internal systems information

Policy: Computer Operations staff must never disclose any information related to enterprise computer systems or related devices without positively verifying the identity of the requester.

 

Explanation/Notes: Computer intruders often contact computer operations employees to obtain valuable information such as system access procedures, external points for remote access, and dial-in telephone numbers that are of substantial value to the attacker.

 

In companies that have technical support staff or a help desk, requests

to the computer operations staff for information about computer systems or related devices should be considered unusual. Any information request should be scrutinized under the corporate data classification policy to determine whether the requester is authorized to have such information. When the class of information cannot be determined, the information should be considered to be Internal.

 

In some cases, outside vendor technical support will need to communicate with persons who have access to enterprise computer systems. Vendors must have specific contacts in the IT department so that those individuals can recognize each other for verification purposes.

 

8-4 Disclosure of passwords