Welcome to April! I bet you didn't know April is "National Car Care Awareness Month." Yep, it sure is. Why bring up car care on an information security blog? Because it's all related. Why do you perform maintenance on your car?
We do it so our cars will perform optimally, stay reliable, and last as long as we need them to. The same holds true for our infrastructures, which means we should have a National Infrastructure Care Awareness Month, and it should be EVERY month! How can we provide care to our infrastructure, you ask? We can keep software and firmware up to date, retire old equipment and software, and monitor what remains so we can address problems before they snowball into disasters.
More secure passwords
So, what are we going to cover next? April will be all about passwords. We haven’t spent an entire month on a single subject before, so this is a first. Believe it or not, there’s a lot to talk about when it comes to passwords: from password requirements (such as complexity and length) to password managers and policies, as well as some ideas for making your infrastructure more secure — and your life a little easier!
The individual topics for this month are:
- More Secure Passwords
- Passwords and Policies
- Proactively Identifying Compromised Passwords
- Local Administrator Account Password Management
Over the years, I've dealt with clients who demanded that they have one password for everything, and that the password could never change. I've also worked with others who required everyone to share an account and password for accessing certain systems and applications. On the flip side, I've run into those who are so paranoid that they use multi-factor authentication for everything, and each password is ridiculously long and complex. In our roles within security, we are most often in a position merely to provide recommendations to clients or to those we report to. We are not always the ones making the decisions.
As we discuss this month's topics, I urge you to think about how you can help those you support make better decisions about passwords, if they aren't already. One way to do this is to remind them of the risks they take on through poor password practices. The end goal is C-level buy-in on secure password practices. With that in hand, we can write policies and go from there to reduce the risks that insecure passwords create.
As we work our way through April, don’t forget to be a cheerleader for security and a strong proponent for secure password practices!
If you missed the previous posts in this series on securing your infrastructure, check them out below:
- Security Awareness Training
- Vulnerability Scanning
- Patch Management
- User Account Review
- Network Awareness Using ARPwatch