Emergency Services:  Password Administration Review



                                                  BACKGROUND



               In general, passwords are an important aspect of information security.  A poorly selected
               password can essentially make a system vulnerable and may result in unauthorized access to the
               systems.  A single weak password exposes the entire network to threats.  In December 2018, in
               its annual Verizon’s Data Breach Investigations Report, 81 percent of hacking-related data
               breaches involved either stolen or weak passwords.  Password best practices generally include:
               ensuring complex passwords composed of numeric, alphabetic (uppercase and lowercase)
               characters in addition to special symbols and similar characters, forcing users to change
               passwords regularly, and requiring new passwords not previously used by the user.

               On Tuesday, July 16, 2019, 10:00 am, I5O interviewed Jeff Boyers, ES Technical Support
               Supervisor and Bryan Buckner, ES Technical Support Administrator regarding the scope
               requirements for reviewing ES’s password administration functions. Numerous questions were
               asked to gain an accurate picture of the process surrounding initiating new passwords, resetting
               passwords, ongoing monitoring, and deactivating accounts.  This was deemed to be the scope of
               the review.

                   •  New employees:  Before new employee orientation, Information Services (IS) receives an
                       electronic work order request from Human Resources stating the new employees
                       attending the session (orientation sessions are held every other week).  Upon receipt, IS
                       generates a user ID (first initial and last name) for the new employee. Emergency
                       Services (ES) receives data from HR and IS and then completes onboarding tasks
                       including setting up the user in the guilford-es.com AD forest.  This information is placed
                       in the orientation documentation along with a generic temporary password and presented
                       during the training session.  This includes:  password complexity (must be at least 8
                       characters, must have characters from any 3 of the following: upper case characters (A-
                       Z), lower case characters (a-z), numbers (0-9), special characters (!, $, %, etc.), must be
                       changed every 180 days, the last 12 passwords can’t be reused, do not give your
                       passwords out and do not write passwords down or leave passwords on keyboards or
                       monitors.


               Once new users log in, they are prompted to change their password.  If the temporary password
               is not changed, the user cannot access the system.  We examined over 400 access points
               requiring password authentication.  The information that follows depicts our findings and
               recommendations.









                                                                                                            5