Software Security: Part Two

When thinking about computer or data security it’s important to keep sight of the whole picture. Implementing both strong physical safeguards and well developed administrative policies is vital to protecting your company’s confidential information. We wrote last month about tips for protecting the physical integrity of your data and this month we’re focusing on software threats. While NO software is truly impenetrable, there are steps your company can take to minimize the risk of a software type security breach.

The Basics

There are lots of complex ways to help ensure that your data is not subject to unauthorized access, but sometimes it’s the simple measures that do the most practical good.

Antivirus

Start with the obvious. Install and maintain reliable anti-virus software. Unprotected machines are many times more likely to be compromised. In fact, like a simple lock, a decent antivirus program may be enough to turn away an attacker entirely; many will simply seek out greener pastures. For more advanced virus protection, you can have your IT department or tech specialist follow hacking forums. The information posted there can help keep your company abreast of current hacking techniques. If you understand the latest hacking methods, you can better protect your information.

Passwords

You wouldn’t leave your car door unlocked in the store parking lot; don’t leave your computer open either. But simply setting a password is usually not enough: your password must be strong, and you must follow some simple steps to maintain its integrity. Recently, a team of researchers working at MIT developed a simple device made up of a daisy-chain of off-the-shelf computer graphics cards with which they were able to crack a randomly generated passphrase of up to 12 characters in just a few hours. While the math can get complex, adding a few more characters, to at least 15, helps immensely.

Develop a company-wide password policy!

Even the strongest key won’t help if it’s posted on a sticky note on your workstation monitor, yet you might be surprised at how often this is done in practice. To prevent this and other easy slips, you should create, and enforce, a good password use policy across your entire company. No list could ever cover all possible password breaches (which is why we highly recommend an individualized risk assessment), but here are some common things to include in your policy.

History

Set a password history by specifying how many new passwords a user must go through before an old one can be used again. This policy discourages users from alternating between a few old passwords which may already have been compromised. Some software can store up to 24 passwords for each user in a password history and prevent their reuse.

Age

You should also set a maximum password age. This determines how long users can keep a password before they have to change it. Forcing users to change their password periodically effectively “expires” older passwords that may have been compromised.

On the flip side, a minimum password age determines how long users must keep a password before they can change it. Without this safeguard, users could bypass the password system by entering a new password as required and then immediately changing back to an old one.

Length

Setting minimum password length and complexity requirements is key to maintaining strong passwords. For example, passwords should never contain part of a user name, and should use as many different character types as is feasible, including lowercase letters, uppercase letters, numbers, and special characters (!, #, *, etc.).
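The history, age and length rules above can be enforced mechanically at the point where a user tries to change a password. The following Python is an added example, not code from the original article: it takes the 24-entry history, the 15-character minimum, the user-name rule and the four character types from the text, and assumes a per-user salt, a list of hashed previous passwords, and example age limits of 1 and 90 days.

```python
import hashlib
import re

# Policy values from the article: 24-entry history, 15-character minimum,
# no part of the user name, four character types. Age limits are assumed.
HISTORY_SIZE = 24
MIN_LENGTH = 15
MIN_AGE_DAYS = 1
MAX_AGE_DAYS = 90


def fingerprint(password, salt):
    # Salted hash for the history list, so old passwords are never kept in clear.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def complexity_problems(username, password):
    # Returns the length / user-name / character-type rules the candidate violates.
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for part in re.split(r"[.\-_@ ]+", username.lower()):
        if len(part) >= 3 and part in password.lower():
            problems.append("contains part of the user name: " + part)
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    missing = [c for c in classes if not re.search(c, password)]
    if missing:
        problems.append("missing %d of 4 character types" % len(missing))
    return problems


def in_history(password, salt, history):
    # History rule: the candidate may not match any of the last HISTORY_SIZE passwords.
    return fingerprint(password, salt) in history[-HISTORY_SIZE:]


def change_allowed(days_since_change):
    # Minimum age: blocks cycling straight back to an old password.
    return days_since_change >= MIN_AGE_DAYS


def is_expired(days_since_change):
    # Maximum age: a password kept longer than MAX_AGE_DAYS must be replaced.
    return days_since_change > MAX_AGE_DAYS


def validate_change(username, salt, history, days_since_change, candidate):
    # Applies every rule; returns the reasons the change is refused (empty = accepted).
    if not change_allowed(days_since_change):
        return ["minimum password age not reached"]
    reasons = complexity_problems(username, candidate)
    if in_history(candidate, salt, history):
        reasons.append("password was used within the last %d changes" % HISTORY_SIZE)
    return reasons
```

On acceptance the caller would append `fingerprint(candidate, salt)` to the user's history list and reset the change date; `is_expired` is what a login check would consult to force a change.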

Password Alternatives

Sick of passwords altogether? Find that your password policy is not regularly followed? There are alternatives. For example, you can implement passwordless authentication such as hardware key cards, RSA private keys, or biometric scanners, to name a few. We’ll cover these in a future article.

Employee Education

All the technical security measures in the world won’t make up for employees who either don’t care about, or don’t understand, your security system. Make sure that all users, and all those that have access to confidential information, are aware of how to protect the information AND why doing so matters. If you have a large or medium-sized company, run a short user-awareness campaign. If you manage a smaller company, consider conducting regular security meetings or mandate that all users regularly read your company confidentiality policy.

Penetration Testing and Risk Analysis

When everything is in place, consider having an outside specialist perform a security audit, which can include attack and penetration tests. You may be surprised what they find!

Editor

Kjeld Lindsted
Content Architecture, Copywriting, and Editing