Protecting IT systems (2)
Level 2 Diploma Unit 11 IT Security
Password security
  Password protection is the most common
  Password policies need to be defined:
    Do not write passwords down
    Change the password periodically
    Use a strong password
    Use nonsense words
  Protect against multiple attempts:
    Longer time between attempts
    Lock out after so many attempts
Password vulnerability
  Passwords are not stored as entered; they are "hashed" to a new value, which is what is stored
  Hashing mathematically changes the string to a value which cannot be decoded without knowing a key
  Passwords should be stored in hidden system files only accessible with system privileges
  Passwords can be obtained by "sniffing" wireless transmissions or by getting access to a system (e.g. via a back door)
  A WEP-protected wireless system can be cracked in under a minute
Password strength
  A user-selected eight-character password with numbers, mixed case, and symbols can be cracked on a desktop PC in 16 minutes
  A minimum secure password length is now 12 characters
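The three password slides above (policy rules, hashed storage, and the 12-character minimum) fit together in one small piece of code. The following is an added example written for this page, not code from the course material: it enforces a 12-character, four-class policy, stores only a salted PBKDF2-HMAC hash of each password, and protects against repeated guessing with a doubling delay between attempts followed by a lockout. The constants MAX_ATTEMPTS and BASE_DELAY, the user name "alice", and the sample passwords are assumptions chosen for the demonstration; the clock is injectable so the delay logic can be exercised without sleeping.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

MIN_LENGTH = 12          # minimum length from the slide
MAX_ATTEMPTS = 5         # assumed policy: lock the account after this many consecutive failures
BASE_DELAY = 1.0         # assumed policy: seconds before the next attempt is accepted; doubles per failure
PBKDF2_ROUNDS = 200_000  # work factor for the password hash


def check_policy(password: str) -> list:
    """Return the policy rules the password breaks (an empty list means it is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash; only (salt, digest) is ever stored, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordStore:
    def __init__(self, clock=time.monotonic):
        self._records = {}   # username -> (salt, digest)
        self._failures = {}  # username -> (consecutive failures, earliest time of next attempt)
        self._clock = clock  # injectable so tests can advance time without sleeping

    def add_user(self, username: str, password: str) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        self._records[username] = hash_password(password)

    def verify(self, username: str, password: str) -> str:
        """Return 'ok', 'bad-password', 'too-soon' (delay not elapsed) or 'locked'."""
        count, not_before = self._failures.get(username, (0, 0.0))
        if count >= MAX_ATTEMPTS:
            return "locked"
        now = self._clock()
        if now < not_before:
            return "too-soon"
        record = self._records.get(username)
        # Always run the hash so an unknown user takes as long to reject as a wrong password.
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        _, candidate = hash_password(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)   # success resets the failure counter
            return "ok"
        count += 1
        # Each failure doubles the wait: 1s, 2s, 4s, ... until the lockout threshold.
        self._failures[username] = (count, now + BASE_DELAY * 2 ** (count - 1))
        return "locked" if count >= MAX_ATTEMPTS else "bad-password"


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("alice", "correct-Horse-7battery")   # constructed sample password
    print(store.verify("alice", "correct-Horse-7battery"))  # ok
    print(store.verify("alice", "wrong-Password-7"))        # bad-password
    print(store.verify("alice", "correct-Horse-7battery"))  # too-soon (1 second delay not elapsed)
```

The stored record is a random 16-byte salt plus a 32-byte digest, so two users with the same password get different records and a copied password file cannot be checked against a precomputed table. The hashing is done even for unknown user names so that response time does not reveal which names exist.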
Physical access control
  Access authorisation:
    Who grants access rights?
    Who is allowed in?
    How are they identified?
    Are there different levels of control?
Exercise
  Complete the table with the items on the left.

  Items:
    IT Staff
    Staff
    Students
    General public
    Principal
    IT Help desk staff

  Area               | Permitted access
  -------------------|-----------------
  Reception          |
  Principal's office |
  Finance office     |
  IT office          |
  Server room        |
  Classrooms         |
  Computer rooms     |
Access control system
  The key requirements are:
    Central control for authorisations
    Flexible access permissions:
      Temporary upgrades
      Visitors
    Reporting:
      For audit control
      Unauthorised attempts
Control and permissions
  Add users
  Bar users
  Change users' access permissions
  Control many buildings in different locations using TCP/IP
  Set permissions individually or by department
  Restrict areas to certain groups
  Set shift patterns
Monitoring
  View real-time events as they are happening
  Monitor:
    who is where in a building
    if doors have been left propped open
    if a door has been forced
  Generate reports
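The three slides on the access control system (requirements, control and permissions, monitoring) describe one piece of software. The following is an added example written for this page, not the course's own material or any real product: a central controller that grants areas by department, allows temporary upgrades with an expiry (the visitor case), restricts users to a shift pattern, bars users, records every request so unauthorised attempts can be reported, and keeps door events alongside them. The departments, areas, user names, dates and shift times in run_demo() are constructed sample data; the area names are taken from the exercise table.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Shift:
    start: time
    end: time

    def covers(self, when: datetime) -> bool:
        return self.start <= when.time() < self.end


@dataclass
class User:
    name: str
    department: str
    barred: bool = False
    shift: Optional[Shift] = None
    # Temporary upgrades: area -> expiry time of the extra permission
    extra_areas: Dict[str, datetime] = field(default_factory=dict)


@dataclass
class Event:
    when: datetime
    kind: str            # 'granted', 'denied', 'door-propped', 'door-forced'
    area: str
    user: Optional[str]  # None for door sensor events
    reason: str = ""


class AccessController:
    """Central control: users, department permissions and a complete event record for audit."""

    def __init__(self):
        self.users: Dict[str, User] = {}
        self.department_areas: Dict[str, Set[str]] = {}
        self.events: List[Event] = []

    def add_user(self, user: User) -> None:
        self.users[user.name] = user

    def bar_user(self, name: str) -> None:
        self.users[name].barred = True

    def permit_department(self, department: str, area: str) -> None:
        self.department_areas.setdefault(department, set()).add(area)

    def grant_temporary(self, name: str, area: str, until: datetime) -> None:
        self.users[name].extra_areas[area] = until

    def request(self, name: str, area: str, when: datetime) -> bool:
        """Decide a door request and record it, whether granted or denied."""
        allowed, reason = self._decide(self.users.get(name), area, when)
        self.events.append(Event(when, "granted" if allowed else "denied", area, name, reason))
        return allowed

    def _decide(self, user: Optional[User], area: str, when: datetime) -> Tuple[bool, str]:
        if user is None:
            return False, "unknown credential"
        if user.barred:
            return False, "user barred"
        if user.shift and not user.shift.covers(when):
            return False, "outside shift"
        if area in self.department_areas.get(user.department, set()):
            return True, "department permission"
        expiry = user.extra_areas.get(area)
        if expiry is not None:
            return (True, "temporary permission") if when <= expiry else (False, "temporary permission expired")
        return False, "no permission for area"

    def door_event(self, kind: str, area: str, when: datetime) -> None:
        self.events.append(Event(when, kind, area, None))

    def unauthorised_report(self) -> List[Event]:
        return [e for e in self.events if e.kind == "denied"]

    def who_is_where(self) -> Dict[str, str]:
        """Last area each user was granted entry to, in event order."""
        location: Dict[str, str] = {}
        for e in self.events:
            if e.kind == "granted" and e.user is not None:
                location[e.user] = e.area
        return location


def run_demo() -> AccessController:
    """Constructed scenario exercising shift, department, temporary, barred and door-forced cases."""
    ctrl = AccessController()
    ctrl.permit_department("IT", "Server room")
    ctrl.permit_department("IT", "IT office")
    ctrl.permit_department("Reception", "Reception")
    ctrl.add_user(User("ann", "IT", shift=Shift(time(8), time(18))))
    ctrl.add_user(User("bob", "Reception"))
    ctrl.add_user(User("visitor-17", "Visitors"))
    day = datetime(2024, 1, 15)
    ctrl.grant_temporary("visitor-17", "IT office", until=day + timedelta(hours=12))
    ctrl.request("ann", "Server room", day + timedelta(hours=9))         # granted
    ctrl.request("ann", "Server room", day + timedelta(hours=22))        # denied: outside shift
    ctrl.request("bob", "Server room", day + timedelta(hours=9))         # denied: no permission
    ctrl.request("visitor-17", "IT office", day + timedelta(hours=10))   # granted: temporary
    ctrl.request("visitor-17", "IT office", day + timedelta(hours=14))   # denied: expired
    ctrl.bar_user("bob")
    ctrl.request("bob", "Reception", day + timedelta(hours=9))           # denied: barred
    ctrl.door_event("door-forced", "Server room", day + timedelta(hours=3))
    return ctrl


if __name__ == "__main__":
    for e in run_demo().unauthorised_report():
        print(e.when, e.user, e.area, e.reason)
```

Every decision is appended to the same event list as the door sensor events, so one record serves the real-time view, the "who is where" query and the audit report; denying by default when no rule matches is what makes the unauthorised-attempt report trustworthy.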