Modernizing IRS Cybersecurity: Implementing NIST Standards in Password Policies



The IRS is updating the password rules it imposes on public-facing portals, bringing them into line with the National Institute of Standards and Technology (NIST) guidelines in SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management). Forced password changes every 60 days will no longer be required, and a minimum length of 14 characters will be enforced. NIST's reasoning is that mandatory periodic rotation pushes users toward small, predictable variations of the old password, while length does far more for strength than rotation or composition rules. The move followed pressure from Sen. Ron Wyden's office after Oregon's Department of Human Services was unable to update its website because of the outdated IRS rules. Wyden commended the IRS for modernizing its practices and stressed the importance of sound cybersecurity standards for government services. The IRS has also signalled further changes, including a move toward a Zero Trust Architecture and the rollout of multifactor authentication.

NIST SP 800-63B is an exhaustive 79-page guide to authentication and password handling, and would be a great read for the insomniacs in our midst. Read it here!

What is a good password policy?

Many acceptable password policies exist. One that satisfies most current standards, including NIST SP 800-63B: a minimum of 14 characters (the new IRS floor; NIST itself requires at least 8 for user-chosen passwords and says systems should accept at least 64), no forced periodic rotation, no composition rules (NIST explicitly advises against requiring a mix of capitals, digits and special characters, because such rules make passwords harder to remember without making them much harder to guess), every candidate password screened against a list of known-compromised passwords, and failed login attempts rate-limited. Pair that with a second factor from an authenticator application or a hardware security key.

The Specops Software research team reports a startling finding: up to 83% of known compromised passwords would technically satisfy common regulatory requirements. Despite standards such as NIST, HITRUST/HIPAA, PCI, the ICO's GDPR guidance and Cyber Essentials, passwords found in breach datasets routinely meet their criteria. For instance, NCSC/Cyber Essentials recommends a minimum password length of 8 characters, and 82.98% of compromised passwords meet that bar. The ICO's GDPR guidance suggests a minimum of 10 characters with no mandatory special characters, which 43.48% of compromised passwords satisfy. HITRUST/HIPAA and PCI fare no better, with 56.87% and 59.14% of compromised passwords respectively meeting their recommendations. Even NIST's guidelines are met by 78.27% of compromised passwords. The lesson is that length and complexity rules cannot tell you whether a password has already leaked; only a check against a breached-password list can, which is why NIST requires one. Specops Breached Password Protection offers that check for Active Directory, blocking over 4 billion compromised passwords and helping meet the industry regulations above.
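The policy sketched above and the Specops finding both come down to one rule: screen against a breach list instead of demanding composition. The following is an added example, not IRS, NIST or Specops code, of a checker that applies the NIST SP 800-63B shape of policy (length floor, no composition rules, no expiry, breached-password blocklist, failed-attempt throttle). The breached list is a constructed three-entry stand-in for a real corpus; the blocklist lookup mimics the k-anonymity range query used by services such as Have I Been Pwned (send the first five hex characters of the SHA-1, match the rest locally), but here the "server side" is just a local set.

```python
"""NIST SP 800-63B-style password policy check (added example, not IRS/NIST/Specops code)."""
from __future__ import annotations

import hashlib
from collections import defaultdict

MIN_LENGTH = 14   # the new IRS floor; NIST's own minimum for user-chosen secrets is 8
MAX_LENGTH = 64   # NIST: verifiers SHOULD accept at least 64 characters
MAX_FAILED = 100  # NIST: limit consecutive failed attempts on an account

# Constructed stand-in for a breached-password corpus. Real lists are shipped
# keyed by SHA-1 so the cleartext never leaves the provider; we do the same.
_CONSTRUCTED_BREACHED = [
    "Password123!",        # 12 chars, satisfies typical composition rules
    "Summer2023Summer!",   # 17 chars, would pass a length-only rule
    "correcthorsebatterystaple",
]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _CONSTRUCTED_BREACHED}


def hibp_range_query(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-hex-char prefix a k-anonymity range API
    would receive and the 35-char suffix the client matches locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def is_breached(password: str) -> bool:
    """Local model of the range check: the 'server' returns every suffix that
    shares our prefix; we look for our own suffix among them."""
    prefix, suffix = hibp_range_query(password)
    suffixes_for_prefix = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in suffixes_for_prefix


def evaluate_password(password: str) -> list[str]:
    """Return the policy violations for a candidate password (empty list == accepted).
    Deliberately no composition rules and no 'expires in 60 days' check."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a breached-password list")
    return problems


class LoginThrottle:
    """Counts consecutive failures per account and locks once the limit is hit;
    a successful login resets the counter."""

    def __init__(self, limit: int = MAX_FAILED) -> None:
        self.limit = limit
        self.failures: dict[str, int] = defaultdict(int)

    def record(self, account: str, success: bool) -> None:
        if success:
            self.failures[account] = 0
        else:
            self.failures[account] += 1

    def is_locked(self, account: str) -> bool:
        return self.failures[account] >= self.limit


if __name__ == "__main__":
    for candidate in ("Password123!", "Summer2023Summer!", "lavender-kettle-orbit-92"):
        print(f"{candidate!r}: {evaluate_password(candidate) or 'accepted'}")
```

Note what the checker does not do: "Summer2023Summer!" passes every length and complexity test yet is rejected, because it is on the list, while a long passphrase with no digits or symbols is accepted. That is exactly the inversion the Specops numbers point at.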

Read their blog here

Yes, 2 Factor Authentication!

Many individuals rely on strong passwords to safeguard their online accounts, yet attackers have several ways to obtain or guess them. Phishing, buying stolen credentials from data breaches, and password guessing (including credential stuffing, which replays passwords leaked from one site against others) are the common routes to account compromise. Maintaining secure passwords is crucial, but the most effective defense is two-factor authentication (2FA).

2FA requires users to present two authentication factors from different categories: something you know (a password), something you have (a phone, an authenticator app or a security key), or something you are (a fingerprint or face). Two items from the same category, such as a password plus a security question, do not count as a second factor, because a single phishing page or breach exposes both.

The most common 2FA methods are a one-time passcode sent by text message or email, a code generated by an authenticator app, and a hardware security key. Authenticator apps generate time-based codes locally, so they do not depend on the phone network and are not exposed to the SIM-swap attacks that text-message codes are; email codes are only as strong as the mailbox that receives them. Security keys (FIDO2/WebAuthn devices) provide the highest level of protection because the key signs a challenge that is bound to the genuine site's origin: a phishing page on a look-alike domain cannot obtain a usable response, and there is no code for the victim to type into the wrong place.

To enable 2FA, go to the account's security settings and follow the instructions. Prioritize sensitive accounts, such as email (which is usually the password-recovery path for everything else) and banking, and do not tick "remember this device" on shared or public computers. Implementing 2FA significantly reduces the risk of account takeover and the identity theft that tends to follow it.

Compromises at the SEC

The recent SEC incident, extensively covered in the news, put the absence of two-factor authentication (2FA) at the centre of the story. The US Securities and Exchange Commission's account on X (formerly Twitter) falsely announced approval of a spot bitcoin exchange-traded fund (ETF). The bogus post sent the Bitcoin price up until the SEC clarified that it was unauthorized. The investigation found that the account had been taken over through a simple SIM swap rather than any sophisticated hack, and that 2FA was not enabled on the account at the time. The incident underscores the critical role of 2FA in preventing unauthorized access, especially amid wider concerns about cybersecurity practice at the SEC. Despite its effectiveness, adoption of 2FA still faces obstacles such as perceived cost and complexity, as highlighted in a CyberEdge survey.

Two-factor authentication (2FA) is a security measure that requires a password plus a second proof of identity, most commonly a code from an authenticator app or one sent to a phone or email, before access to a website or application is granted. It adds a second layer, requiring both something you know (the password) and something you have (the phone, app or key). While essential for all users, 2FA is particularly crucial for administrators and C-level employees with access to critical network resources, since compromise of their accounts has the most severe consequences.

The significance of 2FA lies in its ability to blunt brute-force attacks, in which an attacker guesses passwords through repeated login attempts, and credential-stuffing attacks, in which passwords leaked from one breach are replayed elsewhere. Even if the attacker has the password, they still need the second factor. Without 2FA, reusing one password across accounts turns a single breach into many. Strong, unique passwords still matter, and a password manager (itself protected with 2FA) makes them practical.

Following the breaches of its social media accounts, which were possible because 2FA had been disabled, the US Securities and Exchange Commission (SEC) serves as a cautionary example of the consequences of inadequate account security. The incidents point to three steps: enable 2FA in account settings, prefer a code-generating app or a physical security key over text messages, and generate and safely store backup codes. Removing the phone number from the account's recovery options also reduces SIM-swap exposure, since a hijacked number only helps an attacker if it can reset the password or receive the code. Learning from these incidents, users are urged to prioritize strong account security measures.

Is 2FA Immune?

Two-factor authentication (2FA) does not provide absolute immunity, but it is highly effective; commonly cited figures put the share of automated and bulk phishing account-takeover attempts it stops in the 96% to 98% range. The residual risk is concentrated in codes a user can be tricked into handing over: a real-time phishing proxy that sits between the victim and the genuine login page can capture a text-message or app-generated code and use it within its validity window, and attackers also bombard users with push-notification prompts until one is approved out of fatigue. Hardware security keys and passkeys, which bind the response to the genuine site's origin, close that gap. Even with these caveats, 2FA remains the single most effective control against account compromise, and its phishing-resistant forms are the gold standard for safeguarding digital assets and sensitive information.




Take action now! Schedule an appointment with the cyber coach to review your password policies and two-factor authentication and make sure your systems are adequately protected. Don't wait until it's too late!

Schedule Now
