Page 6 - Password administration review-Guilford ES
Emergency Services: Password Administration Review
BACKGROUND
In general, passwords are an important aspect of information security. A poorly selected
password can make a system vulnerable and may result in unauthorized access to the
systems. A single weak password can expose the entire network to threats. Verizon's annual
Data Breach Investigations Report (cited in December 2018) found that 81 percent of
hacking-related data breaches involved either stolen or weak passwords. Password best
practices generally include: requiring complex passwords composed of numeric characters,
uppercase and lowercase alphabetic characters, and special symbols; forcing users to change
passwords regularly; and requiring that new passwords not repeat passwords previously used
by the user. Note that current NIST guidance (SP 800-63B, 2017) no longer recommends forced
periodic changes absent evidence of compromise and instead favors longer passphrases
screened against lists of known-breached passwords.
On Tuesday, July 16, 2019, at 10:00 am, ISO interviewed Jeff Boyers, ES Technical Support
Supervisor, and Bryan Buckner, ES Technical Support Administrator, regarding the scope
requirements for reviewing ES's password administration functions. Numerous questions were
asked to gain an accurate picture of the processes for issuing new passwords, resetting
passwords, ongoing monitoring, and deactivating accounts. These processes were deemed to be
the scope of the review.
• New employees: Before new employee orientation, Information Services (IS) receives an
electronic work order request from Human Resources (HR) listing the new employees
attending the session (orientation sessions are held every other week). Upon receipt, IS
generates a user ID (first initial and last name) for each new employee. Emergency
Services (ES) receives data from HR and IS and then completes onboarding tasks,
including setting up the user in the guilford-es.com AD forest. The user ID is placed
in the orientation documentation along with a generic temporary password and presented
during the training session. The orientation documentation also states the password rules:
  o Passwords must be at least 8 characters.
  o Passwords must contain characters from any 3 of the following 4 categories: uppercase
    letters (A-Z), lowercase letters (a-z), numbers (0-9), special characters (!, $, %, etc.).
  o Passwords must be changed every 180 days.
  o The last 12 passwords cannot be reused.
  o Do not give your password out, write it down, or leave it on keyboards or monitors.
Once new users log in, they are prompted to change their password. If the temporary password
is not changed, the user cannot access the system. We examined over 400 access points
requiring password authentication. Our findings and recommendations follow.
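As an added example (not part of the original review and not an ES or IS script), the following PowerShell compares the guilford-es.com default domain password policy with the rules stated in the orientation documentation (8 characters, complexity, 180-day maximum age, 12-password history) and lists enabled accounts that escape those rules or are still on their generic temporary password. It assumes the ActiveDirectory RSAT module is installed and the operator has read access to the forest; the output file name is illustrative.

```powershell
# Added example (not from the original review): verify that the password rules
# stated at orientation are actually enforced in the guilford-es.com AD forest.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$Domain = 'guilford-es.com'

# Values stated in the orientation documentation.
$Expected = [ordered]@{
    MinPasswordLength    = 8
    ComplexityEnabled    = $true                   # Windows complexity rule (mixed character classes)
    MaxPasswordAge       = New-TimeSpan -Days 180
    PasswordHistoryCount = 12
}

# 1. Default domain policy versus the stated rules.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
foreach ($name in $Expected.Keys) {
    $actual = $policy.$name
    $status = if ($actual -eq $Expected[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-22} expected={1,-14} actual={2,-14} {3}' -f $name, $Expected[$name], $actual, $status
}

# Fine-grained password policies override the default for their members,
# so any that exist must be reviewed separately.
$fgpp = Get-ADFineGrainedPasswordPolicy -Filter * -Server $Domain
if ($fgpp) { "Fine-grained policies present: $($fgpp.Name -join ', ')" }
else       { 'No fine-grained password policies; the default policy applies to all users.' }

# 2. Enabled accounts that escape or violate the stated rules.
$cutoff = (Get-Date).AddDays(-180)
$users  = Get-ADUser -Filter 'Enabled -eq $true' -Server $Domain `
            -Properties PasswordLastSet, PasswordNeverExpires, PasswordNotRequired, pwdLastSet

$report = foreach ($u in $users) {
    $issues = @()
    if ($u.PasswordNeverExpires) { $issues += 'PasswordNeverExpires' }   # exempt from the 180-day rule
    if ($u.PasswordNotRequired)  { $issues += 'PasswordNotRequired' }    # may have an empty password
    # pwdLastSet = 0 means "must change password at next logon": the generic
    # temporary password handed out at orientation has not been replaced yet.
    if ($u.pwdLastSet -eq 0)                { $issues += 'StillOnTemporaryPassword' }
    elseif ($u.PasswordLastSet -lt $cutoff) { $issues += 'OlderThan180Days' }
    if ($issues) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            Issues          = $issues -join ';'
        }
    }
}

$report | Sort-Object Issues, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\es-password-exceptions.csv -NoTypeInformation   # illustrative file name
```

The policy comparison is the quick check that the numbers presented at orientation match what the domain enforces; the account listing is the follow-up, since PasswordNeverExpires and PasswordNotRequired flags bypass the policy per account regardless of what the domain settings say, and accounts still showing pwdLastSet = 0 are the ones for which the shared temporary password is the only credential.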