Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12 693
will make it more difficult for users to remember their passwords. As with any
security measure, you want authorized users to access the system easily and
unauthorized users to find it difficult. For this reason, the time limit set should allow
users to memorize their new passwords before forcing them to change.
In addition to changing passwords, it is important that a policy states that
passwords cannot be reused until a certain number of password changes have occurred.
It does no good to force users to change their passwords and then allow them to
change them back to the previous password again. If an old password has been
compromised, a hacker could keep trying it until the user changes back to the old password.
Changing passwords and not reusing old ones are particularly important when
strong passwords cannot be used. One example is a bankcard with a personal
identification number (PIN) for accessing accounts through an automated teller machine
(ATM). A PIN is a series of numbers, so combinations of alphanumeric and special
characters are not possible. Another example might be a door lock to a server
room, in which people type in a several-digit code on a keypad to unlock the
door. When an authorized user enters the code, it is possible that unauthorized
users could see it. Changing the numeric code on a regular basis prevents
unauthorized users from utilizing a code they have seen others successfully use.
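The expiry and no-reuse rules described above, as an added example that is not part of this book: a password-history check that keeps only salted hashes of the last N passwords (so old passwords are never stored in clear), refuses a candidate that matches any of them, and flags an account whose password is older than the maximum age. The depth of 5, the 90-day maximum age and the 1-day minimum age are assumed policy values, and the minimum age is an added rule that stops a user from cycling through N throwaway passwords to get back to the old one.

```python
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HISTORY_DEPTH = 5             # assumed policy: the last 5 passwords cannot be reused
MAX_AGE = timedelta(days=90)  # assumed policy: force a change every 90 days
MIN_AGE = timedelta(days=1)   # assumed policy: no second change within a day


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history holds no reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, hash), newest last
    changed_at: datetime = datetime.min


def seen_before(account: Account, candidate: str) -> bool:
    # Re-hash the candidate under each stored salt and compare with the stored hash.
    return any(_hash(candidate, s) == h for s, h in account.history[-HISTORY_DEPTH:])


def is_expired(account: Account, now: datetime) -> bool:
    return now - account.changed_at >= MAX_AGE


def change_password(account: Account, new_password: str, now: datetime) -> str:
    # Returns "ok" or the reason the change was refused.
    if account.history and now - account.changed_at < MIN_AGE:
        return "too-soon"
    if seen_before(account, new_password):
        return "reused"
    salt = os.urandom(16)
    account.history.append((salt, _hash(new_password, salt)))
    account.history = account.history[-HISTORY_DEPTH:]  # keep only what policy needs
    account.changed_at = now
    return "ok"


def demo() -> list:
    # Constructed scenario: one user's password changes over half a year.
    acct, t0 = Account(), datetime(2024, 1, 1)
    out = [change_password(acct, "Winter2024!", t0)]                        # ok
    out.append(change_password(acct, "Spring2024!", t0 + timedelta(hours=2)))   # too-soon
    out.append(change_password(acct, "Spring2024!", t0 + timedelta(days=91)))   # ok
    out.append(change_password(acct, "Winter2024!", t0 + timedelta(days=182)))  # reused
    out.append(is_expired(acct, t0 + timedelta(days=182)))                  # True
    return out
```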
Using Passwords as Part of a Multifaceted Security System
Because passwords are not always the most secure method of protecting a system,
there are other methods that can be used to enhance security. As we discussed
earlier in this chapter, SecurID tokens are small components that can fit on a key ring
and be carried by the user in their pocket. The token has a digital display that
shows a number that changes at regular intervals. When a person logs into a
SecurID server, they must enter the number on the token in addition to the
appropriate username and PIN.
Another method that may be suitable for a network's security is biometric
authentication. Biometric authentication uses a measurable characteristic of a person to
control access. This can be a retinal scan, voiceprint, fingerprint, or any number of
other personal features that are unique to a person. Once the feature is scanned, it
is compared to a previous reading on file to determine whether access should be
given. As with tokens, this method can be combined with passwords or other
security methods to control access. Due to the expense of purchasing additional
equipment and software, biometrics is generally used on high-security systems or
locations.
www.syngress.com