Sunday 13 August 2017

Updating

Another basic information security practice is updating things e.g.:
  • Patch promptly (update software)
  • Lock-n-load (physical security)
  • Counter cons (social engineering)
  • Nuke nasties (update antivirus)
  • Read rules (security policies)
Those short alliterative phrases are memory-joggers to catch people's imagination and remind them about the things they ought to be doing regularly.

Conspicuously missing from the list is changing passwords: once upon a time, it was generally accepted practice to force people to change their passwords every few weeks or months. I have never quite understood the rationale for this. It takes effort to think up and commit to memory yet another strong password, and there are security costs when people forget their passwords, so what's the benefit? I suppose it might frustrate someone who has been surreptitiously watching a colleague enter their password every day, trying to figure out what they are typing ... but really? Arguably it would reduce the success rate of repeated brute-force password guesses - that ought to be triggering alarms anyway. I just don't get it and nor, now, does NIST:
"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
That comes from NIST Special Publication 800-63B - Digital Identity Guidelines: Authentication and Lifecycle Management, published in June and recently picked up by the security press.
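The quoted guidance, as an added illustration that is not code from the original post: a verifier-side decision that replaces the scheduled expiry with a check for evidence of compromise, shown side by side with the legacy rule. The account record, the 90-day legacy interval and the sample accounts are assumptions made for the example; the minimum length of 8 characters comes from SP 800-63B itself.

```python
"""Password-change decision: legacy periodic expiry vs NIST SP 800-63B.

Assumed data model (not from the post): each account carries the time of
its last password change and a compromise-evidence flag that the verifier
sets when, for example, the secret was found in a breach or an incident
showed the credential was exposed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Account:
    user: str
    last_changed: datetime
    compromised: bool = False  # evidence of compromise recorded by the verifier


LEGACY_MAX_AGE = timedelta(days=90)  # the "rotate every few months" rule


def legacy_change_required(acct: Account, now: datetime) -> bool:
    """Old-style rule: force a change on a fixed schedule or on compromise."""
    return acct.compromised or (now - acct.last_changed) > LEGACY_MAX_AGE


def nist_change_required(acct: Account, now: datetime) -> bool:
    """SP 800-63B 5.1.1.2: no arbitrary periodic change; a change SHALL be
    forced only when there is evidence of compromise. Age plays no part."""
    return acct.compromised


def nist_accepts_secret(secret: str) -> bool:
    """No composition rules (character classes, repeated characters) are
    imposed; user-chosen memorized secrets need at least 8 characters."""
    return len(secret) >= 8


def compare_policies(accounts, now):
    """Return {user: (legacy_decision, nist_decision)} for reporting."""
    return {a.user: (legacy_change_required(a, now), nist_change_required(a, now))
            for a in accounts}


# Constructed sample accounts (not real users)
NOW = datetime(2017, 8, 13, tzinfo=timezone.utc)
SAMPLE = [
    Account("alice", NOW - timedelta(days=400)),               # old, no evidence of compromise
    Account("bob", NOW - timedelta(days=5), compromised=True),  # fresh secret, but exposed
    Account("carol", NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for user, (legacy, nist) in compare_policies(SAMPLE, NOW).items():
        print(f"{user:6} legacy={legacy} nist={nist}")
```

Under the legacy rule alice is forced to rotate a secret nobody has shown to be compromised, while under the NIST rule only bob, whose secret was exposed, is forced to change.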

The list of things to include in the Information Security 101 awareness/training module is becoming clearer by the day.
