Well, I decided to do a weekly review of the DHS FAQ web page changes due to the increase in changes. The first week there were only two; go figure. The two questions were:
- 1549: “May a covered facility disclose its preliminary tier level to another entity or individual (e.g. a trade association or another facility)?”
- 1451: “When I log in to the Top-Screen, I get a message that my password has expired and that I need to create a new one. However, when I enter a new password, I get an "invalid" error. What do I do next?”
Neither of these questions is new; both have been listed before. The answer has changed a little on the first question and not at all on the second. Both answers are worth reviewing.
A paranoid individual (there is no paranoia in the security business) might think that the question about sharing tier level information was driven by my blog on the tier level rankings of oil refineries (see: “CSAT Tier Rankings”) from July 18th. In any case, the answer is interesting:
- “Yes, provided that each individual within the other entity, or any other individual to whom that information is disclosed, is a CVI Authorized User and has a "need to know" for that information” (emphasis added).
This is the first time I have seen mention of a requirement that all employees of any company must be cleared for CVI. There is certainly nothing that I have seen in the CVI Procedures Manual. Paragraph 6.2 of that manual covers this situation:
- “With the consent of CSCD Director, regulated chemical facilities may also share CVI with private third parties, i.e. bank, insurance company, utility commission, etc. that have vested interest in the chemical facility and a need to know. These individuals are not considered authorized users since they will (not) have the right to further disseminate CVI. These individuals must sign a chemical facility approved NDA and complete the training provided to authorized users.”
Having said that, there is a class of ‘entities’ that should take heed of this ‘requirement’: security consultants. A chemical facility should be able to assume that the consulting firm handling its security information is completely covered. There is an expectation that the consultant is completely prepared to protect the security information of the facility.
DHS apparently continues to have problems with users understanding the procedures for changing their CSAT password. First, the CSAT password is only good for 90 days. Given the time between the January completion of Top Screens and the June start for SVAs, the passwords of most facilities will have expired by the time they start work on their SVA. This assumes that DHS has eliminated their misguided email notifications for password expiration (see: “Potential DHS PHISHING Alert”).
The biggest problem with changing passwords appears to be a non-standard requirement to enter the new password three times instead of the more usual two. This, coupled with the “invalid” screen message instead of a prompt to re-enter the password, is apparently confusing people. Here is the DHS explanation for the password change process:
- “First enter the old password, then enter a new password and then select enter. The user will see what appears to be an "invalid" error message prompting you to reenter the new password to confirm it (these are not truly "errors"; the wording is generated by a sign-on system that is trying to validate your new password). Enter your new password again. The user may see the "invalid" message again. After entering the new password three times, login should be successful. Be sure to write down the new password for future reference.”
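To show why that flow confuses users, here is an added model of the exchange the FAQ describes, not code from DHS or the CSAT system. The three-entry policy is taken from the FAQ; how the sign-on system reacts to a mismatched entry is not stated there and is an assumption. The second class keeps the same policy but answers each step with a distinct status, which is the change that would remove the confusion.

```python
"""Model of a password-change exchange that needs three matching entries.

Constructed illustration: the three-entry rule comes from the FAQ text,
the mismatch handling is an assumption (the FAQ does not describe it).
"""
from dataclasses import dataclass, field

REQUIRED_ENTRIES = 3  # the FAQ says the new password must be entered three times


@dataclass
class LegacyPasswordChange:
    """Reproduces the described behaviour: every confirmation prompt, a real
    rejection and (assumed) a mismatch all come back as the same 'invalid'."""
    current: str
    entries: list = field(default_factory=list)

    def submit(self, old: str, new: str) -> str:
        if old != self.current:
            return "invalid"                 # genuine rejection
        self.entries.append(new)
        if len(self.entries) < REQUIRED_ENTRIES:
            return "invalid"                 # really a confirmation prompt
        if len(set(self.entries)) != 1:      # assumption: mismatch restarts
            self.entries.clear()
            return "invalid"
        self.current, self.entries = new, []
        return "success"


@dataclass
class ClearPasswordChange:
    """Same three-entry policy, but each state gets its own message so the
    user can tell a confirmation prompt from a rejection or a mismatch."""
    current: str
    entries: list = field(default_factory=list)

    def submit(self, old: str, new: str) -> str:
        if old != self.current:
            return "rejected: current password incorrect"
        if self.entries and new != self.entries[0]:
            self.entries.clear()             # restart confirmation explicitly
            return "mismatch: entries differ, start confirmation again"
        self.entries.append(new)
        if len(self.entries) < REQUIRED_ENTRIES:
            return f"confirm: re-enter new password ({len(self.entries)}/{REQUIRED_ENTRIES})"
        self.current, self.entries = new, []
        return "success: password changed"
```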
I am concerned about the last sentence in the answer. Most security professionals will tell you never to write down your password. That is one of the fastest ways to compromise passwords. Of course, there is a problem with everyone having multiple passwords for the wide variety of “secure” computing environments that the average person works in. I wish that I had a good answer for this problem.