MOREnet Cyber Security Recommendations – 2018

In order to assist our members in improving the security posture of their organizations, MOREnet’s Cyber Security Team put together the following recommendations based on common security best practices and the CIS 20 Critical Controls. While not a complete list, these recommendations focus on areas that are critical to the overall security of an organization and are ones we believe can be implemented with little or no cost and in a timely manner.

Passsword Security

Historically, the recommended best practice for passwords was that they should be at least eight characters long, include complexity (upper/lower case letters, numbers and special characters) and be changed every 90 days. Recently, the National Institute of Standards and Technology (NIST) updated their guidelines for password security to the following:

  1. Remove periodic password changes
    1. The argument is that frequent changes can actually lead to weak/bad passwords.
  2. Remove complexity requirements
    1. The same argument applies here; it can lead to weak/bad passwords.
  3. Require passwords to be screened by a password checker to ensure the password is not easily guessed
    1. This requirement is crucial when following the first two recommendations.
  4. Passwords should be at least eight characters in length
    1. The changes in the NIST guidelines are intended to make a users’ passwords easier to remember and, in theory, more secure. (Read the full guidelines.)

MOREnet’s Cyber Security Team Recommends the Following

  1. Passwords should be at least 15 characters in length
    1. Use a passphrase instead of a password. Passwords can be hard to remember and difficult to type, especially if they contain a jumble of letters, numbers and special characters. Passphrases can be created using random words and phrases with punctuation and special characters thrown in. The longer they are, the stronger they are. Since the user creates them, they are also much easier to remember and type.
  2. Require complexity
    1. Upper/lower case letters, numbers and special characters in a passphrase will increase the strength.
  3. Require periodic changes
    1. Users with access to sensitive data and those with administrative accounts should be required to change passwords more frequently. A minimum of 90 days is recommended for those with elevated privileges. Normal users could be allowed a longer period.

Password security should be considered a priority for end users. It is important to note that the passwords used within your organization might also be used for personal accounts and therefore should be considered a risk. It could negatively affect your organization if a password is compromised.

Security Awareness Training

Security awareness training plays a large part in a comprehensive security program. Since vulnerabilities and threats are constantly changing, it is imperative that end users be aware of the risks associated with their online behavior.

MOREnet’s Cyber Security Team Recommends the Following

  1. Implement an ongoing security awareness training program
    1. Security awareness training should be required for all end users. To be effective, the training should be ongoing and include basic topics such as password security, email security, mobile device security and review of acceptable use policies and any other security-related policies/procedures. Training should be required of all new users and, at a minimum, twice a year for existing users.
  2. Ensure that all IT staff have the opportunity to attend technical/security training to maintain and enhance their skillsets and gain knowledge of new and emerging technologies, vulnerabilities, threats and mitigation strategies.

Network Security

Research has shown that by implementing the first five of the CIS 20 Critical Controls, organizations can eliminate 85 percent of their security issues.

MOREnet’s Cyber Security Team Recommends the Following

Implement the first five CIS Controls.

  1. Inventory and control of hardware assets
    1. Maintain a device list that details all devices on your network.
  2. Inventory and control of software assets
    1. Maintain a software list that details all software and applications being used on your network.
  3. Continuous vulnerability management
    1. Patching, monitoring, logs and analysis of logs
  4. Controlled use of administrative privileges
    1. Administrative permissions should only be used for administrative duties and limited to those who require elevated access to perform their jobs.
  5. Secure configurations for hardware and software on mobile devices, laptops, workstations and servers
    1. Have a documented baseline configuration for each type of device.
    2. Change default accounts and default configurations.

Download the full list of all 20 CIS Controls.