Today the DHS Infrastructure Security Compliance Division (ISCD) updated the CFATS Knowledge Center. They revised the link in the response to FAQ #1392. The revised link takes one to the newest version of the CSAT Account Management User Guide. In addition to making a few minor grammatical changes, the new manual almost completely revises the requirements for system passwords.
In revising Section 3.1, Changing Passwords, ISCD briefly explains the new requirements for passwords. The current standard requires that a password:
• Be at least 8 characters in length;
• Contain at least 1 lower case character (new);
• Contain at least 1 upper case character (new);
• Contain at least 1 numeric character;
• Contain at least 1 special character (new); and
• Not have been used in the previous 5 passwords (new).
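To make the six rules above concrete, here is an added example (written for this post, not code from ISCD or the CSAT application) of a password-change check that enforces the listed complexity rules and the "not one of the previous 5 passwords" rule. It assumes the history is kept as salted PBKDF2 hashes rather than plaintext, so the re-use check works by re-hashing the candidate with each stored salt; the error messages are constructed for illustration and are not the wording of the manual's Picture 3.4.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Policy as listed in Section 3.1 of the revised user guide.
MIN_LENGTH = 8
HISTORY_DEPTH = 5
SPECIAL = set(string.punctuation)
PBKDF2_ITERATIONS = 100_000  # assumed value, not from the manual

HashEntry = Tuple[bytes, bytes]  # (salt, digest)


def policy_errors(password: str) -> List[str]:
    """Return a list of rule violations; an empty list means the password passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        errors.append("must contain a lower case character")
    if not any(c.isupper() for c in password):
        errors.append("must contain an upper case character")
    if not any(c.isdigit() for c in password):
        errors.append("must contain a numeric character")
    if not any(c in SPECIAL for c in password):
        errors.append("must contain a special character")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None) -> HashEntry:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def in_history(password: str, history: List[HashEntry]) -> bool:
    """True if the candidate matches any stored entry (re-hashed with that entry's salt)."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def change_password(history: List[HashEntry], new_password: str) -> Tuple[bool, List[str]]:
    """Apply the complexity rules and the previous-5 rule; append to history on success."""
    errors = policy_errors(new_password)
    if in_history(new_password, history[-HISTORY_DEPTH:]):
        errors.append(f"must not match any of the previous {HISTORY_DEPTH} passwords")
    if errors:
        return False, errors
    history.append(hash_password(new_password))
    return True, []


if __name__ == "__main__":
    hist: List[HashEntry] = []
    print(change_password(hist, "password"))      # fails: no upper, digit or special
    print(change_password(hist, "Summer2011!"))   # accepted
    print(change_password(hist, "Summer2011!"))   # rejected: in history
```

The history slice `history[-HISTORY_DEPTH:]` is what makes the rule "previous 5" rather than "ever used": once five newer passwords have been set, an older one becomes eligible again, which the test below exercises.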
This section also provides two new screen shot illustrations for password related error messages:
• Picture 3.4 – Inadequate Password Message; and
• Picture 3.5 – Password and Verified Password error message.
Finally, the revised manual includes a brief description of the use of temporary passwords along with a screen shot of the new page requiring the changing of passwords before proceeding into the other CSAT applications.
One thing that hasn’t changed with the password requirements set forth in this manual is that ISCD continues to set up CFATS facility personnel for phishing attacks that would allow an attacker to gain access to facility CSAT information. The set-up is the policy of sending an email to CSAT users notifying them when their password has expired. Section 1.2 of this manual (and of the older version) states:
“Two weeks before your CSAT password expires, you will receive an e-mail that instructs you to change your password by directing them to the CSAT Account Management application.”
This is the exact same wording that I pointed out in 2008 would make CSAT users vulnerable to phishing attacks. All an attacker would have to do is to send out a simulated ISCD email with a link to a simulated CSAT application page to collect log-in information. This would then allow an individual full access to information about a facility’s security systems.
I understand the DHS concern about maintaining up-to-date passwords (though I am not convinced that changing a password every 90 days provides any higher level of security than changing every 180 days or even once a year). To avoid this potential for easy phishing attacks (Why should anyone question one of these emails if they receive them so frequently and legitimately?) ISCD should simply notify the user when they log in that their current password has expired and require them to update the password before they can proceed to work in the CSAT application.
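The alternative suggested above, and the temporary-password page described in Section 3.1, both come down to a decision made at login time rather than a link sent by email. The following is an added example sketching that gate (my illustration, not CSAT code): the application decides, from the age of the stored password and a temporary-password flag, whether to let the user proceed, to show an in-application warning, or to force a password change first. The 90-day maximum age and the 14-day warning window are taken from the post and the quoted Section 1.2; the account fields and message texts are assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_AGE = timedelta(days=90)   # 90-day cycle mentioned in the post
WARNING_WINDOW = timedelta(days=14)     # "two weeks before your CSAT password expires"


@dataclass
class Account:
    username: str
    password_set_at: datetime   # when the current password was set
    temporary: bool = False     # True while a temporary password is in use


def login_decision(account: Account, now: datetime):
    """Return (state, message). Every notice is delivered inside the application
    after authentication, so the user never has to follow a link from an email."""
    if account.temporary:
        return ("change_required",
                "A temporary password is in use; set a new password before proceeding.")
    age = now - account.password_set_at
    if age >= MAX_PASSWORD_AGE:
        return ("change_required",
                "Your password has expired; set a new one before proceeding.")
    remaining = MAX_PASSWORD_AGE - age
    if remaining <= WARNING_WINDOW:
        return ("ok_warn",
                f"Your password expires in {remaining.days} days; change it in Account Management.")
    return ("ok", "")


if __name__ == "__main__":
    now = datetime(2011, 6, 1, tzinfo=timezone.utc)  # constructed reference date
    for acct in (Account("fresh", now - timedelta(days=10)),
                 Account("warned", now - timedelta(days=80)),
                 Account("expired", now - timedelta(days=95)),
                 Account("temp", now, temporary=True)):
        print(acct.username, login_decision(acct, now))
```

Because the expiry and temporary-password states are only ever reported after a successful login, a forged "your password is expiring" email has nothing legitimate to imitate, which removes the pretext the post describes.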
No Notice Change
It is extremely odd for DHS to update a manual as important as this and not call everyone’s attention to the new manual. While there is an updated FAQ pointing at the manual, only people like me who actively search the FAQ list every day are going to find this new manual.
Furthermore, the information that the policy on passwords has changed should also be openly communicated to the CFATS audience. Actually, upon further research there seem to have been multiple, unannounced changes to the password standard over the years. For instance, Article #1668 from July 13, 2010 explains a password standard similar to the one mentioned in this update, with the exception that there was no mention of not allowing the re-use of a password used in the last 5 password changes. Then it apparently changed back to a looser standard when the old version of the CSAT Account Management User Guide was published back in March 2011.
In any case, when changes are made to something as important as the password standard for a security program, the change needs to be clearly and openly communicated to the audience involved.