Information Security News mailing list archives

Re: NETWARCOM Conducts Network Security Training Day


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 3 Mar 2009 03:06:11 -0600 (CST)

Forwarded from: Richard Forno <rforno (at) infowarrior.org>

"Everyone has to complete their annual information assurance 
training," he said. "Unauthorized e-mail accounts can open up the 
system to hackers--so avoid them. You need to keep your system 
password secure and not write it down where it can be easily seen and 
you should not tell others what it is."

Of course this is the DOD, who has a record of making password 
requirements so cumbersome that users with the best of intentions are 
forced to write them down at times, at least based on some of the 
networks I've been on over the years and the security policies governing 
them.  I suspect many of their requirements for 'good' password 
security actually contribute to greater password insecurity by folks 
circumventing that policy in the interests of performing their regular 
jobs.

Seth Gang, NETWARCOM's identity protection and management manager, 
talked about the importance of securing CACs, which allows personnel 
to have a cryptographic log-on to the network.

"You must have physical possession of your CACs at all times," said 
Gang. "It doesn't matter what you are doing; if you go to the grocery 
store, or you are in your home, it must always be in your possession."

Not owning a CAC card or being part of the DOD infosec funhouse, does 
this "always in your possession" policy somehow suggest a vulnerability 
with the CAC card system that's not widely known?  One would think the 
loss of a CAC card, either intentionally or deliberate, would not 
present a single debilitating point of failure in the DOD infosec 
architecture.  I have CAC-like cards/devices for other organizations and 
never was told it had to be in my possession 100% of the time.  Curious.

-rf

