Since October 2004, October is observed as National Cyber Security Awareness Month. Sponsored by the National Cyber Security Alliance and the Department of Homeland Security, National Cyber Security Awareness Month (NCSAM) aims broadly to raise cybersecurity awareness among the public and private sector.
Every year National Cyber Security Awareness Month is broken into themes for each week. This year there are five themes. They are, from October 2-6 – Simple Steps to Online Safety; October 9-13: Cybersecurity in the Workplace is Everyone’s Business; October 16-20: Today’s Predictions for Tomorrow’s Internet; October 23-27: The Internet Wants YOU: Consider a Career in Cybersecurity; October 30-31: Protecting Critical Infrastructure from Cyber Threats.
That looks to be a very interesting set of subjects. I look forward to the cybersecurity discussions throughout October. And while cybersecurity is a huge topic covering dozens of disciplines, identity plays a foundational role. Knowing who has access to what resources and data is crucial, so is enforcing access rules and making sure that those who don’t have access don’t gain unauthorized access. This is most certainly among the reasons why identity stands prominently in National Cyber Security Awareness Month.
The main awareness campaign NCSAM is the Stop | Think | Connect, which includes the Lock Down Your Logon sub-campaign. The first of six steps to locking down your login highlighted by the NCSAM is to Protect Accounts with Strong Authentication. This guidance for strong authentication includes using devices such as USB devices that can be plugged into a computer (something you have), biometrics (something you are) such as a fingerprint or facial recognition, and one-time passcodes, which are unique codes, often provided by a specialized device or sent to a phone. Each of these additional authentication methods is used along with a username and password (something you know).
The fourth of the six steps advises users to make strong passwords. As the guidance states, it’s important passwords are unique and strong, as password and username reuse across accounts is a common vulnerability exploited by attackers. A strong password is at least 12 characters long, containing a mix of letters, numbers, and symbols. “Maintaining strong and unique passwords will decrease the risk of password guessing based on commonly used passwords, information about you that might be publicly available, or password cracking tools that hackers use,” the guidance states.
While the Stop | Think | Connect advice to consumers is to use a password manager (very good advice) or write down passwords and keep them away from the computer is good advice, it’s not adequate for corporate environments. Corporate users can’t have passwords written down where co-workers could find them. Enterprises should emphasize the need for strong, unique passwords for each application and enforce strong password policies in conjunction with a second form of authentication, so consumer breaches don’t threaten the enterprise’s security.
It’s not “wrong” – but it could be confusing for us to be talking about it. I’d rather the strong password piece have a “this is also something enterprises need to push for …” and maybe emphasize the need to strong, unique passwords so that consumer breaches don’t threaten the company.
The second week of National Cyber Security Awareness Month will highlight the National Institute of Standards and Technology’s Cybersecurity Framework. The most recent version was published in January of this year and is available here.
The NIST Cybersecurity Framework is composed of five functions: Identify, Protect, Detect, Respond, and Recover. Identity is in the Protect function under access control (PR.AC), which calls for identities and access credentials to be issued, managed, verified, revoked, and audited for authorized devices, users, and processes; physical access to assets is managed and protected; Remote access is managed; Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties; that network integrity is protected, incorporating network segregation where appropriate; and that identities are proofed and bound to credentials, and asserted in interactions when appropriate.
Getting all of that right is a tall order, indeed, and it’s something readers of this blog are already well-aware and working toward having in place or maintaining if they are already there.
There’s a lot more to security and awareness than identity and access management, to be sure: but identity – allowing only those authorized to have access to have access– is a central part of NCSAM and a foundational aspect of any effective cybersecurity program.