Cenartech Security Case, Part 3b

Policy management is one of the most crucial components of a user management and provisioning system and one of the most daunting administration tasks faced by organizations deploying these systems (Abridean, 2004). Policy changes that should be made are to the standard procedure on handling employee terminations. They should also specify how long the terminated employee's disabled account should reside in Active Directory before it is deleted. Most companies keep the account for 90 days since some users are contractors and will return to the company when they are needed for special projects. They should also implement an account lock out policy since the engineering employee was able to try many attempts on the account before it was locked out. The usual lockout policy is three attempts then the user has to go through their IT department to get the account unlocked. A password policy should be implemented as well. Usually at least 8 characters with a combination of lower case, upper case, one number, and one special character is the normal policy for companies. If they wanted to be more secure they should utilize Common Access Cards to log in to machines since it uses two-factor authentication, something you know and something you have.

In the beginning of the of the case Brian had had seen repeated failed log-in attempts

on a couple of different accounts, but with four or fewer repeats, an insufficient number to

cause a lockout (Whitman, 2011). Even though this was not enough to cause a lockout he should have investigated further into the lockouts by reviewing the logs more thoroughly. By being more proactive he may have found out a lot sooner that the lockouts were not logged by the machines where the accounts resided. This would have let him know that someone was trying to access the network by utilizing different user accounts and what location the attack was originating from. He should have paid more attention when the user said she hadn't forgotten her password, which should have raised his awareness that something was going on. If he had been more proactive he may have found the engineering employee sooner and prevented any loss of data or Personally Identifiable Information.

Some challenges Brian may have experienced by being more proactive when the user's accounts had lockouts may have been in finding the pertinent data in the event logs and how to figure out the users accounts were being hacked. He had experience in security which would have assisted him with the task of finding the events; however, reviewing the logs with only a few lockouts in the beginning may not have been clearly defined. They could have been easily construed as a normal user account lockout. The determining factor would be whether or not he could differentiate between the lockouts being normal or from someone trying to infiltrate the network and this would be determined by looking at the data logs and listening and talking to the affected users.

Some procedures I would have done to help the company succeed would be to implement the provisioning of user accounts. If a user is terminated human resources should let the IT department know so their account can be deactivated promptly. This would include access

...