Preventing fraud through enterprise password management
In the past few years, the world has seen various incidents in which students fraudulently modified their school grades, progress reports and attendance records. Recently, there was the incident at the Dutch Barlaeus Gymnasium, where pupils managed to obtain the principal’s password and then modified their grades and attendance data for the entire year.
In 2011, a similar incident occurred in which students modified their grades and even got paid for doing so. In that case, students were able to read the passwords off the projector (beamer) screen after teachers typed them into the wrong field, making them visible to the whole class.
Another incident was featured on the television program Telefacts (a Belgian news show) on October 21, 2014, in a report on the modification of grades and attendance data.
Not a recent problem
The modification of grades and attendance data is not something of the last few years, nor is it solely an issue for students and their schools. Using schools as an example that applies to other enterprises as well: even before computers, there were reported cases of student attendance records going missing and of teachers’ grade books disappearing.
Now imagine the information at stake is something less “trivial,” with a deeper, more profound impact on a business’s operational environment. The recent Sony breach or the Anthem insurance breach in the US comes to mind. With the advent of computers and LANs, this type of data has become less accessible to scoundrels, but at the same time less visible, so modifications can easily be made behind the backs of users or administrators.
An example of this can be found in the following story. Recently, a professional acquaintance of mine told me that when he attended secondary school about 15 years ago, he discovered he was able to access the network folder that contained the students’ grades. He duly reported this to his teacher, but was ignored, as the teacher considered it unimportant. A few weeks later, the student decided to go ahead and change all his grades to straight As. The teacher wanted to report this as fraud, but it never went that far because of the student’s earlier report of the vulnerability.
Password policy
A few simple steps can go a long way toward making fraud much more difficult for individuals to commit. The first step is a strong password policy. For example, make sure passwords meet the strictest security requirements: require a minimum number of characters (say, seven), set a maximum password validity of between 30 and 90 days, and require a mix of special characters, capitals, small letters and digits.
A major pitfall here is that users find it hard to know whether they have actually met the organization’s password requirements. Firms should therefore employ solutions that enforce password complexity and that show straightaway, as the user enters a new password, whether it meets the requirements, so that both the user and the IT and security managers can see it.
Organizational leaders must also remember that end-users tend to have trouble remembering complex passwords. It is therefore important to keep users from jotting down passwords on sticky notes or writing them in their agendas or on their mobile devices. This problem can be mitigated by implementing single log-on with password synchronization, which synchronizes passwords across the various applications. Users (employees, students, teachers and so on) then need only log in once to get immediate access to all their applications, and only have to remember a single, complex password.
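To make the policy concrete, here is an added Python example (not code from the original article or from any product it describes) that checks a newly entered password against the requirements stated above and flags accounts whose password is past its maximum validity. The choice of 90 days as the limit, the account names and the change dates are constructed assumptions.

```python
from datetime import date, timedelta
from typing import List, Sequence, Tuple

# Policy values from the article: at least seven characters, all four
# character classes, and a maximum validity of 30 to 90 days.
MIN_LENGTH = 7
MAX_VALIDITY_DAYS = 90  # assumption: the upper end of the 30-90 day range


def check_complexity(password: str) -> List[str]:
    """Return human-readable reasons the password fails the policy.

    Meant to run as the user types the new password, so the feedback is
    immediate. An empty list means the password is accepted.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters required")
    if not any(c.isupper() for c in password):
        problems.append("missing a capital letter")
    if not any(c.islower() for c in password):
        problems.append("missing a small letter")
    if not any(c.isdigit() for c in password):
        problems.append("missing a digit")
    # Anything that is neither a letter/digit nor whitespace counts as special,
    # so non-ASCII punctuation is accepted as well.
    if not any((not c.isalnum()) and (not c.isspace()) for c in password):
        problems.append("missing a special character")
    return problems


def is_expired(last_changed: date, today: date,
               max_days: int = MAX_VALIDITY_DAYS) -> bool:
    """True when the password is older than the policy allows and must be renewed."""
    return today - last_changed > timedelta(days=max_days)


def renewal_due(accounts: Sequence[Tuple[str, date]], today: date) -> List[str]:
    """Given (username, last_changed) pairs, return the users whose password
    has passed its maximum validity.

    Only the change date is stored for auditing; the password itself is never
    kept, since complexity is checked once, at entry time.
    """
    return [user for user, changed in accounts if is_expired(changed, today)]


# Constructed sample data, not taken from any real system.
SAMPLE_ACCOUNTS = [
    ("principal", date(2014, 6, 1)),
    ("teacher_a", date(2014, 9, 15)),
    ("teacher_b", date(2014, 7, 30)),
]

if __name__ == "__main__":
    for candidate in ("password", "Gr4de!Book"):
        print(candidate, "->", check_complexity(candidate) or "accepted")
    print("renewal due:", renewal_due(SAMPLE_ACCOUNTS, date(2014, 10, 21)))
```

Because `check_complexity` returns every unmet requirement rather than a bare yes/no, the same function can drive the immediate on-screen feedback the article asks for and a back-office report, while the expiry check works purely from change dates.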
Strong authentication or two-factor authentication
Organizations that use a strong password policy together with single log-on and password synchronization will have taken their first step toward a less fraud-sensitive environment. To further reinforce access control, organizations can take an additional step and require users to log into their accounts using simple tools such as an access badge or a token. This approach is known as strong authentication. Two-factor authentication takes security and access protection another step further: users log in with a combination of something they have (e.g. an access badge or token) and something they know (a PIN code or password).
At the very least, these approaches would have kept my colleague from being able to access restricted data and from changing his own grades.