During a recent security assessment, RedZone asked the customer a standard question about password management:
“Are your passwords being changed on this outsourced web server?”
With Heartbleed, WordPress, and SSL vulnerabilities, an assessor must ask this question. The customer was insistent that the passwords were being changed frequently. That same day the customer received notification from the FBI that their site had been hacked and was being used as a spam relay. Large quantities of data were being lifted from their site. Why? Because they had not recently changed their passwords. They had made the process of guessing the password easy. The attacker literally had to do nothing except guess a password.
Recently Jonathan Cogley, CEO of Thycotic Software, and I sat down to discuss his unique corporate culture, and in the process I uncovered not only his unique strategy for company building but also a unique perspective on enterprise password management.
I love sharing unconventional thinking about topics that we normally think we have under control.
Jonathan is this type of thinker. He said to me that a CIO and CISO must ask, “Do I have control of my human and non-human accounts on my network?”
When the topic of employee and administrator password management comes up, do you assume all is well, or have you asked the question in this way to your staff? It will evoke a different response based on how you ask the question, and it will surface a different level of risk as well.
The CIO role is a hugely creative position that can have immense power for good if used correctly.
However, there has to be a better way to handle stress in life than building and managing to-do lists, having a better work ethic, being more efficient, developing more willpower, working harder, and so on.
I found an expert on this topic, Jean Gomes, Chairman of The Energy Project, and we discussed the work he and his organization are doing with leaders to transform old patterns of approaching work into healthier and better methods.