Nov 17, 2006

Secure your password

Authentication is the process of validating a user: ensuring that you are who you say you are. There are different approaches to authentication.

These are broadly classified into three categories:

  • Something you know (passwords and passphrases)
  • Something you have (smartcards, proximity cards)
  • Something you are (biometrics)

A strong authentication mechanism should combine more than one of these factors, for example a fingerprint and a password.

In this post I want to share my views on choosing passwords and keeping them secure: certain don’ts and do’s of password usage.

What Not to Use

  • Don’t use your login name in any form (as-is, reversed, capitalized, doubled, etc.).
  • Don’t use your first or last name in any form.
  • Don’t use your spouse’s or child’s name.
  • Don’t use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street you live on, etc.
  • Don’t use a password of all digits, or all the same letter. This significantly decreases the search time for a cracker.
  • Don’t use a word contained in (English or foreign language) dictionaries, spelling lists, or other lists of words.
  • Don’t use a password shorter than six characters.
  • Don’t share your password with anyone.

What to Use

  • Do use a password with mixed-case alphabetic characters.
  • Do use a password with nonalphabetic characters, e.g., digits or punctuation.
  • Do use a password that is easy to remember, so you don’t have to write it down.
  • Do use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.

Method to Choose Secure and Easy to Remember Passwords (yes, you have to remember the password and should not write it down anywhere)

Replace letters with similar-looking special characters or numerals. E.g. “Information” could become “1nf0rMat10N”.

Choose a line or two from a song or poem, and use the first letter of each word. E.g. “I am sitting in the boring room!” can be written as “1aSItbR!”.

OK, these are just examples. Keep making your own, and don’t use any of these.
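As an added example (not from the original post), here is a Python checker that applies the don’ts and do’s listed above to a candidate password. The word list, the login name and the substitution table are constructed stand-ins; the substitution table undoes the digit-for-letter swaps of the first method, so a disguised dictionary word is still recognised as the word it hides, while a passphrase-initials password passes.

```python
import re

# Constructed word list standing in for the dictionaries the post refers to.
DICTIONARY = {"information", "password", "welcome", "secret", "letmein"}

# Common letter-for-symbol swaps ("1nf0rMat10N" style), undone before the
# dictionary check so a substituted word is compared as the word it hides.
SUBSTITUTIONS = {"1": "i", "0": "o", "3": "e", "4": "a",
                 "5": "s", "7": "t", "@": "a", "$": "s"}


def _login_variants(login_name):
    """Login name as-is, reversed and doubled (capitalisation handled by lowercasing)."""
    base = login_name.lower()
    return {base, base[::-1], base * 2}


def check_password(password, login_name, personal_terms=(), dictionary=DICTIONARY):
    """Return the list of rules from the post that the password violates (empty = passes)."""
    problems = []
    lower = password.lower()
    if len(password) < 6:
        problems.append("shorter than six characters")
    if password.isdigit():
        problems.append("all digits")
    if len(set(password)) == 1:
        problems.append("all the same character")
    if any(v and v in lower for v in _login_variants(login_name)):
        problems.append("contains login name (as-is, reversed or doubled)")
    # Names, phone numbers, plates, street names etc. supplied by the caller.
    for term in personal_terms:
        if term and term.lower() in lower:
            problems.append(f"contains personal information: {term}")
    normalised = "".join(SUBSTITUTIONS.get(c, c) for c in lower)
    if lower in dictionary or normalised in dictionary:
        problems.append("dictionary word (possibly with letter substitutions)")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not mixed case")
    if not re.search(r"[^a-zA-Z]", password):
        problems.append("no digits or punctuation")
    return problems


if __name__ == "__main__":
    for candidate in ("1aSItbR!", "1nf0rMat10N", "123456", "xNhoj9!"):
        print(candidate, "->", check_password(candidate, "john", ["smith"]) or "OK")
```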

Nov 12, 2006

BS7799 - IT Security Controls

Technical security controls, commonly known as IT security controls, are an important component of protecting your organization’s IT infrastructure. Protecting the IT infrastructure has to ensure the security of the data, and this can be achieved at various layers.

Let us take the following approach. When an external party looks at your IT infrastructure, the first thing they see is the network infrastructure.

So the first step is to protect your network perimeter. This can be achieved by implementing firewalls, intrusion detection systems, intrusion prevention systems, etc. The next step is to protect the computers exposed to the Internet: identify which systems require access from the outside network (the Internet), pull them into a separate network called a de-militarized zone (DMZ), and set access privileges so that access is restricted. This leaves your network perimeter comparatively well protected.

The internal network is another component that requires attention. Logically divide your network and restrict access using VLANs. Establish VPNs so that communication with external users and third parties is encrypted. Deploy an Internet proxy to route your internal Internet requests. If you have wireless networks, mandate VPN use for wireless security.

Servers are the next component in focus. Servers store, process or transmit your data. It is important to secure them, and the best method is to harden them: stop all unwanted services and close unused ports. Enable logging and monitor all logs. In addition, install a host intrusion detection system and monitor it. Patch management is another important protection mechanism; it protects you from being exploited through known OS vulnerabilities.

Other computers, the desktops, deserve the same attention as servers. Protect them by deploying effective patch management and vulnerability management.

To protect both servers and desktops from viruses and other malicious code, deploy antivirus on your computers. Update the virus definitions regularly; it is a good idea to subscribe to the antivirus vendor’s update service. Viruses exploit vulnerabilities, so vulnerability management is an important practice to follow.

Authentication is another key factor in protecting computers from unauthorized access. An effective identity management and access management system will help your organization establish single sign-on. Single sign-on helps you establish effective user management. Another good point about single sign-on is that users need to remember only one user name and password for accessing information across applications, so it keeps your users from writing down their various user accounts and passwords.

The next focus is your applications. An application can be separated into three parts: the application program, the application server and the database. We have to protect all of them. Perform an application code review and an application security assessment. Plug the vulnerabilities and harden your application. Establish access control lists and define who can access which application module. Application servers are mostly vendor-provided software. Establish vulnerability management for your application server, ensuring that vulnerabilities are plugged. This will protect your applications from getting hacked, to a certain extent.

Protect your database, or data, from unauthorized access, modification or destruction. There are several mechanisms you can follow; here are some of them.

  • Establish an access control mechanism and define who can access what data.
  • Encrypt data wherever possible.
  • Back up your data regularly.

This article briefs you on the IT security requirements for an effective Information Security Management System. The information above is not comprehensive; you may need additional technical controls to protect your IT infrastructure.

Nov 8, 2006

Payment card industry data security standard

The Payment Card Industry Data Security Standard (PCI DSS) is now a group effort by the world’s leading financial companies: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.

The primary focus is to safeguard customer card information, protecting customers from fraud and misuse of their cards. This effort led them to derive a standard that many organizations are required to comply with. To achieve compliance, these organizations need to implement the PCI DSS standard. The standard defines 12 requirements, or safeguards, to comply with.

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

Compliance with all 12 requirements, as laid out by the PCI Security Standards Council, is required of all applicable organizations. The requirements apply to all members, merchants, and service providers that store, process, or transmit cardholder data.

The complete standard can be downloaded from the following URL.

https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm