
DB3


Passwords are everywhere these days. Personal identification numbers (PINs) are necessary to identify a person as the authorized cardholder and to gain access to financial data. Combinations of digits and letters allow us to log into numerous websites where our personal or corporate emails, messages, and other communications are stored. In other words, everything valuable in the world is protected with passwords, which can take very different forms.

The further development of technology in different areas led to substantially more sophisticated security systems. Multilevel electronic protection, fingerprint and retina scanners, voice authorization, and password encryption improved security systems. However, they did not change people. Therefore, the weakest link in any security chain remained the same. Human error is the most frequent cause of security breaches. We forget passwords all the time, write them down on the back of keyboards or on sticky notes around the monitor, and then wonder how someone else got into a supposedly secure and protected computer.

The Internet has become an integral part of our lives. Many people store information, exchange emails, perform financial operations, and do many other things over the Internet. The global network has become a global store of personal information. Access to this information is protected by passwords. However, most people do not even remember the numerous passwords they create to protect their privacy (Schneier, 2005a). Therefore, there are special secret questions that users answer during registration so that they can restore the password. Here is the problem. When a user creates a sophisticated password, the level of data protection is rather high. At the same time, the user undermines that effort by providing a way to recover the password through answering the secret question (Schneier, 2005b).

However, internet security has problems that are not connected with technical solutions. Sometimes inadequate IT management can create more security problems than a group of well-trained hackers. Poor password management can provide access to a highly secured system without anyone even breaking into it. As stated before, users are the weakest spot in the security system (Arief & Besnard, 2005; McNulty et al., 2007). They forget passwords, tell them to third parties, write them down in order to remember them, create passwords that are too simple, and make many other mistakes that an IT manager could miss. Therefore, password management that is not user-friendly, or that is complicated and insecure, can be a substantial threat to the security system as well.

Patch management can be a threat too. Software updates aim to fix existing bugs and problems, as well as to improve or extend functionality and add useful new features. However, each change in the software code is an opportunity to introduce new bugs and flaws into a system. Some IT managers might think that patch management is nothing more than running automatic software updates and letting the software do the rest. That is not true. Patch management is about the appropriate maintenance of all software solutions present in the IT infrastructure of an enterprise.

Appropriate password management requires the following steps (Chan, 2004; Password-Manager.Hitachi-id.com, n.d.): changing passwords in a timely manner; ensuring that passwords are complex and hard to guess; providing users with secure storage for their different passwords so that they need to remember only one password to have access to all the others; monitoring passwords in order to detect whether a user uses one password for more than three authorization processes, and changing them to avoid compromise; testing whether passwords are strong or weak to make sure that they cannot simply be found by exhaustive search; requiring personnel to report any issues with access to a system; etc. (Arief & Besnard, 2005; McNulty et al., 2007).
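Two of the steps above, reuse monitoring and strength testing, can be run as an audit over the contents of the secure password store. The following is an added example, not part of the original essay; the function names, the 60-bit threshold, and the sample entries are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import string
from collections import defaultdict

MAX_SHARED_LOGINS = 3   # from the text: more than three logins on one password is flagged
MIN_SEARCH_BITS = 60    # assumed threshold, not taken from the essay
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def fingerprint(password: str, key: bytes) -> str:
    """Keyed digest: the report can group equal passwords without showing them."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()[:12]

def search_space_bits(password: str) -> float:
    """Upper bound on exhaustive-search cost: length * log2(alphabet size).
    Dictionary words are far weaker than this bound suggests."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def audit(entries, key):
    """entries: iterable of (system, password) pairs read from the store.
    Returns (reused, weak): reused maps a fingerprint to the systems sharing
    that password; weak lists (system, bits) below the threshold."""
    systems_by_fp = defaultdict(list)
    weak = []
    for system, password in entries:
        systems_by_fp[fingerprint(password, key)].append(system)
        bits = search_space_bits(password)
        if bits < MIN_SEARCH_BITS:
            weak.append((system, round(bits, 1)))
    reused = {fp: sorted(names) for fp, names in systems_by_fp.items()
              if len(names) > MAX_SHARED_LOGINS}
    return reused, weak

# Constructed sample data, for illustration only.
SAMPLE_KEY = b"constructed-audit-key"
SAMPLE_VAULT = [
    ("mail", "Summer2005"), ("vpn", "Summer2005"), ("payroll", "Summer2005"),
    ("wiki", "Summer2005"), ("bank", "x7#Qp!vR2m@Lz9$k"), ("forum", "4821"),
]

if __name__ == "__main__":
    reused, weak = audit(SAMPLE_VAULT, SAMPLE_KEY)
    for fp, names in reused.items():
        print(f"password {fp} shared by {len(names)} logins: {', '.join(names)}")
    for system, bits in weak:
        print(f"{system}: about {bits} bits of search space, below {MIN_SEARCH_BITS}")
```
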

References

Arief, B., & Besnard, D. (2005). Technical and Human Issues in Computer-Based Systems Security. Centre for Software Reliability, School of Computing Science, University of Newcastle upon Tyne. Retrieved from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.65.1677&rep=rep1&type=pdf

Chan, J. (2004). Essentials of Patch Management Policy and Practice. Retrieved from: http://www.patchmanagement.org/pmessentials.asp

McNulty, E., Lee, J. E., Boni, B., Coghlan, J. P., & Foley, J. (2007). Boss, I Think Someone Stole Our Customer Data. Harvard Business Review, 85(9), 37-50. https://365.rsaconference.com/servlet/JiveServlet/previewBody/1872-102-12358/BUS_201_HBR_Case.pdf

Password-Manager.Hitachi-id.com (n.d.). Password Management Best Practices. Retrieved from: http://password-manager.hitachi-id.com/docs/password-management-bestpractices.html

Schneier, B. (2005a). The Curse of the Secret Question. Computerworld. Retrieved from: http://www.computerworld.com/securitytopics/security/story/0,,99628,00.html

Schneier, B. (2005b). Two-Factor Authentication: Too Little, Too Late. Inside Risks, 178. Retrieved from: http://www.schneier.com/essay-083.html
