Today the DHS Infrastructure Security Compliance Division (ISCD) updated the CFATS Knowledge Center. They revised the link in the response to FAQ # 1392. The revised link takes one to the newest version of the CSAT Account Management User Guide. In addition to making a few minor grammatical changes, the new manual almost completely revises the requirements for system passwords.
Password Changes
In revising Section 3.1, Changing Passwords, ISCD briefly explains the new requirements for passwords. The current standard requires that a password:
• Be at least 8 characters in length;
• Contain at least 1 lower case character (new);
• Contain at least 1 upper case character (new);
• Contain at least 1 numeric character;
• Contain at least 1 special character (new); and
• Not have been used in the previous 5 passwords (new).
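To make the six rules above concrete, here is an added illustration of how a password-change routine would enforce them, including the reuse rule, which is the one most often implemented badly. This is example code written for this post, not ISCD's or the CSAT application's code. The rule set comes straight from the manual as summarised above; everything else (storing prior passwords as salted PBKDF2-HMAC-SHA256 hashes rather than plaintext, the function and class names, the sample passwords) is an assumption made for the example.

```python
"""Password-policy checker modelled on the CSAT rules listed above.

Added example, not ISCD's code. The rules (8+ characters, lower, upper,
numeric and special characters, no reuse of the previous 5 passwords) are
taken from the manual as summarised in the post; the history storage format
(salted PBKDF2-HMAC-SHA256 digests of prior passwords) is an assumption.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8          # "at least 8 characters in length"
HISTORY_DEPTH = 5       # "not have been used in the previous 5 passwords"
SPECIAL = set(string.punctuation)
PBKDF2_ROUNDS = 100_000


def _digest(password: str, salt: bytes) -> bytes:
    # Assumption: prior passwords are kept only as salted, slow hashes so a
    # leaked history file does not hand an attacker the user's old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    """Salted digests of the user's most recent passwords, newest last."""
    entries: list = field(default_factory=list)   # list of (salt, digest)

    def contains(self, candidate: str) -> bool:
        # Re-derive the candidate with each stored salt; compare_digest keeps
        # the comparison constant-time.
        return any(hmac.compare_digest(_digest(candidate, salt), digest)
                   for salt, digest in self.entries[-HISTORY_DEPTH:])

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt)))
        del self.entries[:-HISTORY_DEPTH]   # retain only what the rule needs


def check_password(candidate: str, history: PasswordHistory) -> list:
    """Return every rule the candidate violates; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower case character")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper case character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if not any(c in SPECIAL for c in candidate):
        problems.append("no special character")
    if history.contains(candidate):
        problems.append(f"used within the previous {HISTORY_DEPTH} passwords")
    return problems


def change_password(candidate: str, history: PasswordHistory) -> list:
    """Apply the policy; on success the new password is added to the history."""
    problems = check_password(candidate, history)
    if not problems:
        history.record(candidate)
    return problems


if __name__ == "__main__":
    # Constructed sample session: one good change, one weak candidate, one reuse.
    hist = PasswordHistory()
    print(change_password("Tr0ub4dor&3", hist))   # accepted: []
    print(change_password("password", hist))      # three complexity violations
    print(change_password("Tr0ub4dor&3", hist))   # rejected as a reused password
```

Reporting all violations at once, rather than stopping at the first, is what lets an application show the user a single, complete error message like the "Inadequate Password" screen the manual now illustrates. The history is trimmed to exactly the depth the rule requires, so a password older than the last five becomes acceptable again, which is what the wording of the rule implies.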
This section also provides two new screen shot illustrations for password related error messages:
• Picture 3.4 – Inadequate Password Message; and
• Picture 3.5 – Password and Verified Password error message.
Finally, the revised manual includes a brief description of the use of temporary passwords along with a screen shot of the new page requiring the changing of passwords before proceeding into the other CSAT applications.
Password Phishing
One thing that hasn't changed with the password requirements set forth in this manual is that ISCD continues to set up CFATS facility personnel for phishing attacks that would allow an attacker to gain access to facility CSAT information. The set-up is the policy of sending an email to CSAT users notifying them when their password is about to expire. Section 1.2 of this manual (and of the older version) states:
"Two weeks before your CSAT password expires, you will receive an e-mail that instructs you to change your password by directing them to the CSAT Account Management application."
This is the exact same wording that I pointed out in 2008 would make CSAT users vulnerable to phishing attacks. All an attacker would have to do is to send out a simulated ISCD email with a link to a simulated CSAT application page to collect log-in information. This would then allow an individual full access to information about a facility's security systems.
I understand the DHS concern about maintaining up-to-date passwords (though I am not convinced that changing a password every 90 days provides any higher level of security than changing every 180 days or even once a year). To avoid this potential for easy phishing attacks (why should anyone question one of these emails if they receive them so frequently and legitimately?), ISCD should simply notify the user when they log in that their current password has expired and require them to update the password before they can proceed to work in the CSAT application.
No Notice Change
It is extremely odd for DHS to update a manual as important as this and not call everyone's attention to the new manual. While there is an updated FAQ pointing at the manual, only people like me who actively search the FAQ list every day are going to find this new manual.
Furthermore, the information that the policy on passwords has changed should also be openly communicated to the CFATS audience. Actually, upon further research there seem to have been multiple, unannounced changes to the password standard over the years. For instance, Article #1668 from July 13, 2010 describes a password standard similar to the one mentioned in this update, with the exception that there was no mention of not allowing the re-use of a password used in the last 5 password changes. Then it apparently changed back to a looser standard when the old version of the CSAT Account Management User Guide was published back in March 2011.
In any case, when changes are made to something as important as the password standard for a security program, that change needs to be clearly and openly communicated to the audience involved.