SOX password compliance: Not taking it seriously can be costly
(Last updated on October 7, 2020)
Many people may have been surprised by the massive Sony Pictures hack in late 2014, but security experts saw it coming a long time ago. In 2005, Sony received an audit report finding it non-compliant with the Sarbanes-Oxley Act (SOX). The auditor uncovered several security weaknesses that were likely to result in a breach, including insufficient access controls and failure to meet common password best practices. How did Sony’s then executive director of information security, Jason Spaltro, respond to the news? He said “It’s a valid business decision to accept the risk. I will not invest $10 million to avoid a possible $1 million loss.” It has been more than a year since the Sony Pictures hack. The estimated financial loss is $35 million and counting. Was it really worth the risk?
The main intention of SOX is to establish verifiable security controls that protect confidential data against disclosure, and to track personnel activity so that data tampering that may be fraud related can be detected. Simply put, SOX requires all publicly traded companies to show evidence that financial applications and the systems and services supporting them are adequately secured. While SOX does not lay down specific password policy requirements, auditors and security experts expect organizations to follow password management best practices. Some of the common password best practices include:
- Use passphrases. No matter how complex a password is, if it is shorter than 9 characters a brute-force attack can enumerate every possible value in a short time, because the keyspace is simply too small. A password like w@gZ23!! only takes about three days to crack (the exact figure depends on the hash algorithm protecting the password and the attacker's hardware; a fast unsalted hash on a GPU rig is the worst case). Enabling passphrases and increasing the length beyond 20 characters makes exhaustive attacks so time consuming and expensive that they become infeasible. Specops Password Policy supports passphrases, which lets users set passwords longer than 20 characters to increase security.
- Avoid common words. The simplest way to crack a password is a dictionary attack: a password-cracking tool hashes each entry of a word list, or each generated character combination, and compares it against the stored password hash until it finds a match, so any password built from common words or predictable variations of them falls quickly. Specops Password Policy enhances security by blocking user names, display names, incremental passwords (Password1 followed by Password2), dictionary words and password hash lists from major leaks. With Specops Breached Password Protection, a hosted service comprising more than 2 billion leaked passwords, you can block all known compromised passwords with ease.
- Use more than just a password to authenticate users. Multi-factor authentication requires users to supply at least two pieces of evidence (e.g. something they know, such as the password, and something they have, such as a one-time passcode generated by a mobile application) each time they log into an account or regain access to a locked account. This greatly reduces the impact of a compromised password, since the password alone is no longer enough to gain access.
- Remove human error from the password reset process. A classic social engineering technique is calling the service desk for a password reset while pretending to be someone else, in order to gain access to an organization’s sensitive data. Specops uReset gives employees direct control over their own accounts. The automated process removes human interaction and lowers the opportunity for user impersonation. It also builds user verification into the Helpdesk interface, so Helpdesk staff can verify a caller’s identity before proceeding with a reset.
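The first two practices above (length over complexity, and blocking user identifiers, dictionary words, incremental rotations and leaked passwords) are easy to reason about in code. The following is an added example written for this article, not Specops' own code or an implementation of any Specops product: it estimates the worst-case brute-force time for a candidate password from its length and character classes, then applies the blocking rules to it. The breached-hash list, the word list, the 1e10 guesses/second rate, and the 12/20-character thresholds are all constructed assumptions for the demonstration; a real deployment would use a full leak corpus (compared by hash, as here) and a full dictionary.

```python
import hashlib
import re

# Constructed sample data for this example (not real leak data): SHA-1 digests of a
# few weak passwords, standing in for a breached-password hash list. Comparing
# hashes rather than plaintext lets a leak list be handled without exposing passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "Summer2020!", "w@gZ23!!")
}

# Constructed mini word list standing in for a real dictionary.
DICTIONARY = {"password", "welcome", "summer", "company", "admin", "letmein"}

MIN_LENGTH = 12          # assumed policy minimum for ordinary passwords
PASSPHRASE_LENGTH = 20   # assumed threshold above which a password counts as a passphrase


def charset_size(pw: str) -> int:
    """Size of the smallest set of standard character classes that covers the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def brute_force_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the keyspace of passwords with this length and
    character classes. 1e10 guesses/s is an assumed rate for a GPU rig against a
    fast unsalted hash; slow hashes (bcrypt, scrypt) are orders of magnitude lower."""
    return charset_size(pw) ** len(pw) / guesses_per_second


def normalize(pw: str) -> str:
    """Lower-case and undo common leetspeak so 'P@ssw0rd' still matches 'password'."""
    return pw.lower().translate(str.maketrans("@$01!3", "asolie"))


def stem(pw: str) -> str:
    """Strip trailing digits/symbols: 'Summer2020!' -> 'summer'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def is_incremental(pw: str, previous: str) -> bool:
    """True when pw is just a previous password with its trailing number bumped."""
    return pw != previous and stem(pw) != "" and stem(pw) == stem(previous)


def check_password(pw: str, username: str, display_name: str, previous=()) -> list:
    """Return the list of policy violations for a proposed password (empty = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    folded = normalize(pw)

    # Block fragments of the user's own identifiers (username, each part of the display name).
    for label, ident in (("username", username), ("display name", display_name)):
        for part in re.split(r"[\s.\-_]+", ident.lower()):
            if len(part) >= 3 and part in folded:
                problems.append(f"contains {label} fragment '{part}'")

    # Dictionary words are only a problem for short passwords; a passphrase is
    # several dictionary words by design and gets its strength from length.
    if len(pw) < PASSPHRASE_LENGTH:
        for word in sorted(DICTIONARY):
            if word in folded:
                problems.append(f"contains dictionary word '{word}'")

    # Reject Password1 -> Password2 style rotations against the user's history.
    if any(is_incremental(pw, old) for old in previous):
        problems.append("incremental variant of a previous password")

    # Breached-list check on the hash, applied regardless of length or complexity.
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached password list")

    return problems


if __name__ == "__main__":
    for pw in ("w@gZ23!!", "Summer2021!", "correct horse battery staple"):
        days = brute_force_seconds(pw) / 86400
        found = check_password(pw, "jsmith", "John Smith", previous=["Summer2020!"])
        print(f"{pw!r}: ~{days:.3g} days to exhaust keyspace; violations: {found}")
```

Running the script shows the point of the first two practices side by side: the 8-character w@gZ23!! has a keyspace of 95^8 that a fast-hash attacker exhausts in days and is also in the (constructed) leak list, Summer2021! fails on length, dictionary word and as an increment of Summer2020!, while the 28-character passphrase passes every rule and its keyspace is far beyond exhaustive search even at the assumed rate.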
Oftentimes, careless behavior and failure to comply with the simplest rules of security are the top contributors to a data breach. Following these password best practices can go a long way in facilitating SOX compliance and strengthening access control.