Passwords should be the “last line of defense”. So before you start looking into 30-day/45-day/90-day policy, complexity, re-use and whatnot, you need to do an inventory of what you are trying to protect, what the potential risks are, how a loss of this resource will affect the business, and how feasible, costly (time, effort, money) and complex securing this asset is. I.e. what are the risks/threats: what can you live without, what will ruin your business, etc. Do you have a disaster recovery plan in place, with procedures printed out (assume your network is down), with “mint condition” hardware that can be put to use if the day-to-day computer systems are down for critical users?
Ransomware should come to you through one of several avenues - for example:
- Through email with attachment or link to attachment on another site
- Through phone by tricking the user to visit an off-site link
- Through “free USB keys” the user just found somewhere. For example, if it is a big company with lax security, someone who dresses up like a big-name supplier (say Dell) and carries a bowl of weaponized USB keys can probably just place the bowl in the reception after sweet-talking the people working there, and people who walk past it on their way to work will most assuredly take one USB key with them and plug it into the computer when they get to their desk.
- Through waterhole attacks: if you work in a special industry, like aerospace, oil, gas, etc., there will be “the go-to site” for your industry that you always visit (like how many in the game industry probably visit GamaSutra), where the web site is either hacked or has a weaponized ad waiting for the correct “target profile”.
- Through BYOD such as Mobile Phones connected to the users laptops for charging/file copying/media either because of actual files or “BADUSB” style attacks
- General web surfing
What you want to do is minimize the threat/risk surface (think disabling add-ons or at least “site-limiting” them, other browser settings, ad blockers, faking browser user-agent strings, etc.).
If there is an internal network, do all the users need write access everywhere? Are the users local administrators on their computers? Are the applications they run “isolated”, do you run EMET on each computer? Is there an outbound “proxy/web filtering solution” for all network traffic? Is the company using a registered public IP-block under the company name?
When it comes to passwords one thing that I’ve noticed is that if you force periodic password change on users, for example 12 times a year, and you require 1 Uppercase, and numbers in your password policy, do not be surprised if the passwords next year will be:
January2017, February2017, etc… or something similar.
But before you do anything: ensure you have an off-site RESTORE option. Notice I use RESTORE and not BACKUP. Everyone can take a backup, but backups are worth very little if you can't restore them in a timely manner with guaranteed integrity.
(If you're doing VMs, look into using Veeam, for example; they should support Hyper-V and have supported VMware for a long time. I think the basic version of their product is free*.)
Always work under the assumption that:
- You will be attacked
- The attack will be successful
- You will have downtime
That means your objective will be:
- Detecting when you are attacked
- Preventing the attack from propagating, or stopping it
- Getting back up - and secure
Depending on what business you are in, detection should be possible (basic organized crime, script kids) or will be very difficult/near impossible (state sponsored - discounting GCHQ/NSA who are tapping your network elsewhere already).
So: Very little there about passwords. Good luck :)
- 2-factor authentication should be a “must have” when it comes to remote access.
- If you let users who are out of the office connect through, for example, an open hotel Wi-Fi, consider having their computers always on VPN when offsite (I see you mention this)
- Admin passwords should have a stricter security policy than normal user passwords with auditing
- Consider using password vaults and teach the users how to use them. The vault file itself shouldn't be stored on their computers but on an “ISOLATED” USB stick. That way they can remember fewer passwords and yet use more of them.
- Account names shouldn't be obvious, “ADMIN-EXCHANGE” for example
- Admin Credentials shouldn’t be cached “in memory”/process (Pass-the-hash style attacks)
I guess these days there are two approaches to password complexity:
A lot of suggestions are to make it a phrase (the famous XKCD BatteryHorseStaple thing…), whereas others want it to be 2££@$/&AHfsdFPI^/AOPJKDF^aSG;Y%I_, for example, and good luck typing that when all you see is *********.
Most people when pressed will probably use “Passw0rd” or “P455w0RD123” or similar versions, and they match 3 password requirements already: Upper/Lowercase + Number.
- Passwords that are used on public sites must all be different, or be in different categories with different password requirements depending on the risk connected to the site.
Seeing as you’ve only got 15 users, and depending on their computer skills, it is probably easier for you to handle their passwords than allowing them to set their own - unless you frequently email the users about “safe computer habits” so they slowly learn it themselves.
Have fun :)
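The post's point about “January2017” and “Passw0rd” is that a naive complexity rule (upper, lower, digit) is satisfied by exactly the passwords users fall back on. The following is an added example, not code from the original post, showing a password-policy check a small shop could run on its own rules: it strips trailing digits/symbols and undoes common leet substitutions before comparing against a constructed blocklist of predictable bases (months, seasons, “password” variants), and otherwise accepts either a long passphrase or a shorter password with several character classes. The blocklist contents and the length thresholds are assumptions chosen for the illustration.

```python
import re
import calendar

# Constructed blocklist: bases the post predicts users will fall back on (assumption).
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin", "company"}
MONTHS = {m.lower() for m in calendar.month_name if m}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
# Common "leet" substitutions, undone so Passw0rd and P455w0RD both compare as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
PASSPHRASE_MIN = 16   # assumption: long passphrases need no character-class rules
COMPLEX_MIN = 12      # assumption: shorter passwords need 3 of 4 character classes


def naive_complexity_ok(pw: str) -> bool:
    """The kind of rule the post criticises: 8+ chars with an upper, a lower and a digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def base_word(pw: str) -> str:
    """Strip leading/trailing digits and symbols, lower-case, and undo leet substitutions."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    return core.lower().translate(LEET)


def predictable_reason(pw: str):
    """Return why the password is a predictable pattern, or None if it is not."""
    base = base_word(pw)
    if base in COMMON_BASES:
        return f"base word '{base}' is on the blocklist"
    if base in MONTHS or base in SEASONS:
        return f"'{base}' plus digits is the rotation pattern users fall back on"
    return None


def check_password(pw: str):
    """Return (accepted, reason). Predictable patterns are rejected regardless of length."""
    reason = predictable_reason(pw)
    if reason:
        return False, reason
    if len(pw) >= PASSPHRASE_MIN:
        return True, "long passphrase"
    classes = sum(bool(re.search(p, pw)) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))
    if len(pw) >= COMPLEX_MIN and classes >= 3:
        return True, "meets length and class requirements"
    return False, f"too short ({len(pw)} chars) or too few character classes ({classes})"


def audit(passwords):
    """List passwords the naive rule would accept but this check rejects."""
    return [pw for pw in passwords if naive_complexity_ok(pw) and not check_password(pw)[0]]


if __name__ == "__main__":
    # Constructed sample set in the spirit of the post's examples.
    samples = ["January2017", "Passw0rd", "P455w0RD123", "Winter!2024",
               "correct horse battery staple", "Tr0ub4dor&3"]
    for pw in samples:
        print(f"{pw!r:35} naive={naive_complexity_ok(pw)!s:5} ours={check_password(pw)}")
    print("slipped past the naive rule:", audit(samples))
```

Run as a script, it prints each sample against both rules; the point of `audit()` is that every one of the predictable forms passes the naive rule, which is why the post says to expect them a year after a rotation policy is introduced.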
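The post insists on a RESTORE option rather than a backup, with guaranteed integrity. As an added example (not the post's or any vendor's code), here is a small restore drill in Python: it records a hash manifest of the live tree, takes a tar backup, restores it to a separate directory, and checks every restored file against the manifest, so a silently corrupted or missing file is reported rather than discovered on the day you need it. The sample tree, file names and contents are constructed for the illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> sha256 for every file under root; this is the record to keep off-site."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(src: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tf:
        for entry in sorted(src.iterdir()):
            tf.add(entry, arcname=entry.name)  # tf.add recurses into directories


def restore_backup(archive: Path, dest: Path) -> None:
    with tarfile.open(archive, "r:gz") as tf:
        try:
            tf.extractall(dest, filter="data")  # Python 3.12+: refuse paths escaping dest
        except TypeError:
            tf.extractall(dest)                 # older Pythons have no filter argument


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Compare the restored tree to the manifest; any drift means the restore is not trusted."""
    actual = manifest(restored_root)
    mismatches = sorted(p for p, digest in expected.items() if actual.get(p) != digest)
    extra = sorted(set(actual) - set(expected))
    return {"files": len(expected), "mismatches": mismatches, "extra": extra,
            "verified": not mismatches and not extra}


def make_sample_tree(root: Path) -> None:
    # Constructed sample data standing in for the live file share.
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "notes.txt").write_text("quarterly figures\n")
    (root / "config.ini").write_text("[db]\nhost=localhost\n")


def run_drill() -> dict:
    """Back up, restore, verify; then corrupt one restored file to show the check catches it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        src, archive, restored = tmp / "live", tmp / "backup.tgz", tmp / "restored"
        make_sample_tree(src)
        expected = manifest(src)
        take_backup(src, archive)
        restore_backup(archive, restored)
        clean = verify_restore(expected, restored)
        (restored / "docs" / "notes.txt").write_text("quarterly figures (corrupted)\n")
        tampered = verify_restore(expected, restored)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = run_drill()
    print("fresh restore:", result["clean"])
    print("after corruption:", result["tampered"])
```

The drill is cheap enough to schedule, and the manifest is the part worth storing with the off-site copy: a backup whose hashes you cannot check after restoring is the “backup, not restore” situation the post warns about.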