Assume that you are tasked with writing a new password security policy for a hospital.
A new password security policy for a hospital:
a) The critical elements of the new policy if it is to be
successful:
* Users, patients, staff, doctors, etc., should change their
passwords regularly.
* Users can leverage biometric verification.
* Using strong, complex, and lengthy passwords.
* Using passphrases.
* Using unique passwords.
* Using system-generated passwords, or software and applications
such as password managers and password generators, to generate
passwords.
* Never sharing one's password with anyone, no matter how close,
dear, or trusted they are.
* Using Multi-Factor Authentication (MFA) mechanisms, or at least
Two-Factor Authentication (2FA).
* No one else should be able to guess one's password or passphrase.
* No one should be able to brute-force or crack the password by
trying multiple times, whether manually or through an automated
process using software, applications, or supercomputers.
* Passwords should be a combination of numbers, uppercase
characters, lowercase characters, and symbols, all four.
* A strong password must be at least eight characters or letters
long.
* There should be a proper password rotation or change
policy.
* Users should change their passwords once in 90 days.
* Words from a dictionary should not be used for passwords.
* No obvious passwords should be used by users.
* Common passwords used by many people should not be set and used as
passwords by users.
* Passcode key fobs, complex passwords, passphrases, and challenge
security questions provide security.
* An ideal and the strongest password would be to use a passphrase
or a combination of words. Example: Johnhadfruits&wine.
* It is ideal that users, clients, administrators, home users,
customers, staff, doctors, patients, or employees of any company or
hospital do not reuse the same or a previous password when they are
prompted to change their password. There are tens of thousands of
passwords or passphrases one can imagine and use. This makes the
passwords unguessable by hackers or by the systems, software, or
tools they use, and there would be no log, history, or record of a
previous password that could be exploited in the future. However, if
unavoidable, a prior password should be reused only after at least
10 different passwords have been used.
* In general, passwords must meet complexity requirements
policy.
* Flexibility of using long passwords, passphrases, complex
combinations of alphanumeric characters, characters from other
languages denoted by different symbols, password generators,
password strength checkers, password managers, forced password
deletion, removal, or change, etc.
* Using online passphrase generators.
* Managing passwords or passphrases for security purposes.
* Use options to remove spaces, replace spaces with a hyphen ("-"),
add a numeral, add a special character or symbol, and add uppercase
characters when automatically generating a random passphrase.
* Use the option to create passphrases of four, five, or 12 random
words with spaces between them, thus making the passphrase longer,
stronger, and more secure.
* Passwords, PINs, and passphrases should each have their own
requirements, such as strength, complexity, length, etc.
* Files should be password-protected using an alphanumeric
password, passphrase, or PIN code as an authentication mechanism, so
that anyone has to key in the password even to open the file.
* A strong and good password should meet confidentiality,
integrity, and availability of the data or the system.
* It, in fact, is a very good idea if someone uses the strongest
password.
* The stronger the password, the lower the vulnerability to being
hacked.
* Passwords should be as long as possible.
* Passwords should be at least 16 characters long, and the maximum
length could be 20 characters, but they can have even more
characters. Eight-character passwords can also be used; however,
they should be strong enough not to be guessable or crackable using
hacking software.
* An ideal password is the one that exactly meets the maximum
number of characters set for a password for that particular system,
file, or account.
* Passwords must be regularly changed, at least once in 90 days.
However, the more frequently the passwords are changed, the better
secured the systems, accounts, and files would be.
* Encryption MUST be implemented to hide, scramble, or simply
safeguard the passwords (in practice, stored passwords are salted
and hashed with a slow password-hashing function rather than
encrypted reversibly). Otherwise, no matter how long and strong the
password is, it WILL be cracked, the system WILL be hacked, and the
data WILL be breached.
* The information security analysts must ensure the website URLs or
web applications are secured with SSL certificates, i.e., with https
in the website address (a padlock icon).
* All software, mobile devices, applications, desktops, laptops,
storage devices, servers, and other systems must have the encryption
feature enabled, in use, and functioning properly.
* Even the operating system should be encrypted, with the secure
boot feature enabled.
* A strong password is one which has at least one uppercase letter,
one lowercase letter, numbers, and special characters or symbols; no
repetition of the same character one after the other (and no
similar-looking characters such as i, l, 1, L); no duplicate
characters (the same character more than once); and no sequential
characters (123, xyz). Example: a password like "Bottle@895", which
has two 't's in it, should be avoided.
* An online or offline password manager can be used to manage
different passwords for different accounts, and to reset, change,
create random passwords, and delete them whenever required.
* Online and any standalone password generator software or
application can also be used for this purpose.
* Administrators must use the strongest passwords of all, as
compromising their passwords would open the way to hacking all
other users' passwords and accounts. Stricter requirements should be
implemented for accounts with higher and the highest privileges,
such as root, system administrator, or master accounts.
* The information security analysts must implement RBAC (Role-Based
Access Control) policies for all types of users and administrators.
* They must ensure least-privilege access (best practice) is
followed, i.e., access to services and systems is denied by default
and granted to users only explicitly, with appropriate
authorization.
* Also, a password alone is not safe; one must also use virtual and
hardware MFA (Multi-Factor Authentication) with a PIN, password,
code, or OTP (One-Time Password) sent to the registered mobile
number or email address, to be typed in to further authenticate.
* Another secure type of authentication would be to use hardware
devices such as physical smart cards and readers, virtual smart
cards, software and hardware tokens, or virtual authenticators.
* One can use a password strength checker or tester either online
or using any offline standalone application or software.
* Do not use words from the English dictionary which are so obvious
and easily guessable.
* Passwords like 'Password', 'Admin', '12345678', 'qwerty', etc.,
which can be easily guessed and cracked, must not be used.
* One should use different passwords for different accounts, so
that even if one account is hacked, the other accounts are still
safe.
* Passwords should not be disclosed to anyone.
* Passwords should be ideally memorized.
* Passwords should not be written on a piece of paper and stuck on
the computer's monitor or under the keyboard (best practice). Even
if a password is written on a piece of paper, it should be hidden in
a safe place.
* Passwords should not be sent across in any chat session or
emails.
* Passwords should not be saved on a hard disk: if the disk is
stolen, they can be retrieved easily even if the password file was
deleted before the computer or hard disk was stolen, since deleted
files and data can be recovered using third-party data recovery
tools and software.
* The number of incorrect password attempts a user is allowed
should be limited to a maximum of three, so that nobody else can
brute-force the password by trying multiple times.
* Users should be provided with options to change their passwords,
reset them, and even recover their accounts in case of forgotten
passwords, by answering security questions already set up or through
any other authentication mechanism or verification process.
* Appropriate alerts and notifications should also be sent to the
user by email, by SMS to the registered mobile phone number, or by
phone call, letting them know there has been an attempt to log in to
their account if the attempt was not made by the actual user. This
would help the user either change the password or investigate
further with the vendor to safeguard the account.
* Users should not save passwords in pre-filled online forms or on
the login screen for future use (best practice), and definitely not
on shared or public computers.
* Ensure no one is watching you type the passwords on the keyboard
or keypad.
* Ensure there are no hardware or software key-loggers on the
computer or keyboard being used.
* Passwords should not contain the username or parts of the user's
full name.
* Accounts with higher privileges, such as root or system
administrator accounts, should have the most complex password setup
with MFA.
* Mandating password history policy.
* Implementing minimum password age policy.
* Enforcing maximum password age policy.
* Enforcing password audit policy.
* Setting e-mail notifications for both accounts and their
passwords.
* Configuring the "Store passwords using reversible encryption"
policy for all users and their accounts (this setting should be
left disabled, since reversible storage defeats password hashing).
* The default password of a router, mobile device, or any other
device or networking component should be changed as soon as the
user gets it.
* Frequent reminders should be sent to users by email advising them
to change their passwords.
* Choosing computer names and user account names easy for users
to remember.
* The owner of the computer or account should be identifiable from
the account name.
* Choosing a name describing the purpose of the account.
* An account name must be unique.
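As an added example (not part of the original answer), the following Python checker encodes the composition, common-password, username and password-history rules listed above, so a help desk or self-service reset page could enforce them consistently. The banned-word list (built from the answer's own examples), the hashing of history entries and the sample user names are constructed assumptions.

```python
import hashlib

# Constructed denylist built from the answer's own examples; a real
# deployment would load a large breached/common-password list instead.
COMMON_PASSWORDS = {"password", "admin", "12345678", "qwerty"}

def hash_for_history(pw):
    """History entries are hashed so old passwords are never kept in clear
    (illustrative; production uses a salted slow hash such as bcrypt/Argon2)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def has_all_four_classes(pw):
    """Uppercase, lowercase, digit and symbol must all be present."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))

def has_sequential_run(pw, run=3):
    """True if `run` consecutive characters step up by one code point (123, xyz)."""
    codes = [ord(c) for c in pw.lower()]
    return any(all(codes[i + k] == codes[i] + k for k in range(1, run))
               for i in range(len(codes) - run + 1))

def check_password(pw, username, full_name, history, min_len=8, history_depth=10):
    """Return the list of policy violations (empty list means accepted).
    `history` holds hash_for_history() values of the user's previous passwords."""
    problems = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not has_all_four_classes(pw):
        problems.append("needs uppercase, lowercase, digit and symbol")
    if any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("repeats a character consecutively")
    if len(set(pw)) != len(pw):
        problems.append("uses the same character more than once")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 123 or xyz")
    if low in COMMON_PASSWORDS:
        problems.append("is a common password")
    name_parts = [username.lower()] + [p.lower() for p in full_name.split() if len(p) > 2]
    if any(part in low for part in name_parts):
        problems.append("contains the username or part of the user's name")
    if hash_for_history(pw) in history[-history_depth:]:
        problems.append(f"reused within the last {history_depth} passwords")
    return problems

if __name__ == "__main__":
    for candidate in ("Bottle@895", "Johnhadfruits&wine"):  # the answer's own examples
        print(candidate, "->", check_password(candidate, "jdoe", "Jane Doe", []) or ["accepted"])
```

Run against the answer's own recommended passphrase "Johnhadfruits&wine", the checker rejects it for lacking a digit and for repeating letters, which shows that the four-class and no-duplicate rules conflict with the passphrase advice and need to be reconciled before the policy is published.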
b) How I would verify its effectiveness:
* I would verify the effectiveness of passwords using stand-alone or
online web applications available to check the strength of
passwords. Verifying the effectiveness of passwords' strength would,
in turn, to some extent verify the password security policy.
* By not reusing an old password, the effectiveness of a good
password policy can be maintained.
* Conducting an IT security audit program should test and verify
the effectiveness of the new password security policy.