Matters of Interest
IOT Security will periodically update this page to address common security issues, new threats or other relevant security information.
- Flash Drive Standard
- PeopleSoft Requirements
- Protecting Your Laptop
- Password Management
- 2016 IOT Security presentation
PeopleSoft numbers are required for all state employees as well as state contractors of the executive branch who access the state network. The PeopleSoft number provides a means of ensuring that network access is revoked in a timely manner even if an agency oversight fails to remove the access at termination. Additionally, establishing a PeopleSoft number ensures that all workforce members receive appropriate training on the IRUA, sexual harassment, and other programs.
Protecting Your Data - Tips for Password Management
Personal information is one of the most valuable commodities in society today. Government and public service providers gather a wealth of information from taxpayers, car owners, benefit recipients, patients, clients, customers and voters. Businesses, too, are intent on developing ever more sophisticated ways of capturing and using data about individuals.
Keeping your personal passwords private, secure, and unbreakable is one of the most important steps you can take toward safer computing. If your passwords slip into the wrong hands, identities, finances, and other personal information could be in jeopardy. With this in mind, it is vital that those who collect and use personal data preserve the confidentiality of those who are asked to provide it.
How do you choose a good password?
Most people create easy to remember passwords that are based on personal information, however, this is not a good idea; by doing so, you are making it easier for an attacker to correctly guess your password and crack into your personal records. Consider a four-digit PIN number. Is yours a combination of the month, day, or year of your birthday? Is it the last four digits of your social security or phone number? What about your address? Consider for a moment just how easy it is to find this sort of information about another person. These numbers can easily be found in your normal, everyday phonebook. What about your email password, is it a word that can be found in the dictionary? If so, it may be susceptible to "dictionary" attacks, which attempt to guess passwords based on words found in the dictionary.
To avoid dictionary attacks, we recommend you create your own acronym and use memory techniques to help you remember how to decode it. For example, instead of using the password "hoops," use "IlTpbb," which stands for: I like To play basketball." We also recommend that you use both capital and lowercase letters when creating your password because it adds another layer of obscurity. Your best defense, though, is to use a combination of numbers, special characters, and both capital and lowercase letters. For example, the I like To play basketball password could be changed to "Il2pBb; this makes the password much more difficult to crack.
Warning: Once you have developed a strong password, do not assume that you should use it for every system or program you log into. If an attacker does successfully guess your password, he would have access to all of your accounts. We recommend that you develop unique passwords for each of your accounts.
Remember that cyber security is everyone's responsibility. Just as one leak can sink a boat, one data leak, one security breach, or one malicious worm can sink an organization. By protecting yourself and the systems entrusted to you, you are protecting your co-workers as well as your entire organization's network and data and, ultimately, the citizens who are depending on you for service.
Complex passwords will soon be required for all users on the state network. This will increase the state's security position and bring it in line with industry best practices. Complex passwords will be harder for you to remember, but they also make it tougher on hackers to crack. This information is designed to help you transition to the use of complex passwords.
The State of Indiana defines complex passwords as:
- A password that contains at least eight characters (on mainframe accounts the maximum length is also 8 characters).
- A password that contains characters from 3 of the following categories:
- English uppercase characters (A - Z)
- English lowercase characters (a - z)
- Base 10 digits (0 - 9)
- Non-alphanumeric ($, #, or %)
Formulating and Remembering Complex Passwords
Make every effort to memorize your password instead of writing it down. Writing it makes it easier to steal and could allow someone else to use your ID to access systems. The last thing you want is someone from the night crew using your PC to surf porn or using your email account to pull a prank on the agency director.
It will be challenging to remember your complex password in the first few days after it changes, but keep in mind that IOT is extending the password change interval from 30 days to 90 days for Active Directory, PeopleSoft and the mainframe. This will allow you to use the same password for these systems and change them at the same time.
To help our customers through the implementation of the new password requirements, IOT drafted the following password management tips:
- Create a valid and secure "pass phrase" to memorize a complex password.
For example, "Peyton Manning, Marvin Harrison equals a touchdown.?
- Use lines from a poem or song:
Back home again, in Indiana
Password: Bha!n In1
- Think of activities and/or foods:
Food: Stew (so good)
- Join two words or use a combination of two words together.
Example: dog and cat
Example: fish bait
Click here for a list of password usage and creation dos and don'ts.
If You MUST Write It Down
Only as a last resort should you write down a password. If you must write it down, never store it with your User ID, under your keyboard, on your computer screen or in your desk drawer. To ensure your password is safe, use some sort of simple coding rather than recording it exactly. For example:
- Password: Bha!n In1
- Take the first two characters moving them to the end: a!nIn1Bh
- Take the last two characters and move them to the beginning: n1Bha!nI
Password Management Links
Laptops are popular productivity tools for both business and personal use. The portability of laptops makes them extremely convenient. However, we must also be aware of the security risks from the loss or theft of laptops and take proper precautions. The potential loss is twofold; the loss of the laptop itself and any personal, private or sensitive information that it may contain.
While you can take steps to secure the data on your laptop by installing a firewall, updating your antivirus software, using strong passwords and encrypting your information (all state provided laptops should be encrypted), it is also very important to physically protect your laptop. Laptops can easily be stolen from the locked trunk of a car, at an airport security checkpoint, at an Internet café or even from a hotel room. Keep these tips in mind when you travel with your laptop:
- Secure your laptop when unattended. Consider a laptop a security cable. There are several types available that can connect to something immovable or to a heavy piece of furniture when it is unattended. Other alternatives include devices that sound an alarm when there is unexpected motion or when the computer is moved outside a specified range around you.
- Don't store your password with your laptop. You should secure your laptop (and all other computing devices) with a strong password. Preferably you will be able to remember this password without writing it down. If you must jot it down, scramble the letters in some way and don't keep the password in the laptop case or on a piece of paper stuck to the laptop.
- Don't leave your laptop in your car. Don't leave your laptop on the seat or even locked in the trunk. Locked cars are often the target of thieves. Don't store your laptop in checked luggage. Never store your laptop in checked luggage. Always carry it with you.
- Keep track of your laptop when you go through airport screening. Hold onto your laptop until the person in front of you has gone through the metal detector. Watch for your laptop to emerge from the screening equipment.
- Record identifying information and mark your equipment. Record the make, model and serial number of the equipment and keep it in a separate location. Consider methods of labeling the laptop case labeled with your agency's contact information.
- Backup your files. Make a backup of your files regularly, especially before every trip. In the event that your laptop is lost or stolen, you will still have a copy of your data.
If your laptop is stolen, there are a number of steps you can take:
- Report it immediately to the local authorities.
- Report it immediately to your agency's security liaison and the state's CISO.
- Contact IOT so that they can contact the laptop manufacturer (so if the thief sends it in for repair, the state will be notified) and begin the procurement process for a replacement.
In February 2016, IOT and partners provided an security update to all agencies and separately-elected offices. The presentations can be viewed below.