As we all know by now, the Heartbleed Bug was a significant vulnerability in the OpenSSL cryptographic software, utilized by the SSL/TLS encryption that protects many internet sites. The policyIQ team and Amazon Web Services, our hosting partner, reacted immediately to the discovery of the vulnerability by upgrading all impacted servers to the corrected OpenSSL software. We also replaced all SSL certificates, as the key information could have been compromised.
The primary recommendation coming from this incident for users was to change your passwords immediately to any sensitive sites. Banking, email, social media – if you haven’t changed your passwords to these services since the Heartbleed bug was discovered, consider doing so now. We recommend that all policyIQ users change their passwords, as well.
Take Steps to Stay Secure
Heartbleed has been corrected, but this should serve as a wake-up call to every internet user. For our policyIQ clients, we would suggest that you revisit the security options that you utilize on your policyIQ site, and consider making any necessary changes to further secure your site:
- Require Frequent Password Changes – We all groan when we have to change a password, but frequent password changes are a necessary security measure in this age. Consider requiring password changes every 30 or 60 days for your users.
You can mitigate the frustration of password changes by making sure that you allow users to reset their passwords using their user name or email address from the log-in screen. (Temporary passwords are sent to the email address in policyIQ for that user.)How? Site Administrators can make this change under Tools & Settings > Password Policy
- Require Complex Passwords – If your password is your dog’s name, you need to change it. If you use any combination of 123456, password or ABC123 – you need to change your password. And if you are responsible for setting the password policy, consider requiring a more complex password to include letters, numbers and special characters.How? Site Administrators can make this change under Tools & Settings > Password Policy
- Lock User Accounts after a Number of Login Attempts – Did you know that you can have a user account locked if they attempt to log into policyIQ incorrectly too many times? How many tries they get is up to your Site Administrators, but setting a limit reduces the risk of any automated services attempting to gain access with “brute force” log-in attempts. (We suggest a number like 5 or 10, although some corporate policies may require a maximum of 3.)How? Site Administrators can make this change under Tools & Settings > Password Policy
- Remind Users to Log Out or Lock Computers – How many times have you seen a colleague (or maybe even yourself) walk away to get a cup of coffee, and leaving the computer running, logged into all of his or her daily applications? We don’t like to think about the risk of someone using our computer while we’re away, but encouraging all employees to either log out of all applications or lock their computer when they walk away is a great way to reduce risk.How? Send an email annually – or include this in your annual sign-off process in policyIQ! (And if you catch a colleague with his computer unlocked while he’s at lunch, give him Justin Bieber desktop wallpaper. He’ll never do that again.)
- Utilize IP Restrictions – Your organization can restrict policyIQ use to specific IP addresses or IP ranges. This can be done only for specific users – such as an open “guest” account that may be accessible only from within the company network; or can be done on a site-wide basis, requiring that all users log into the network (perhaps via VPN if off-site) before they can access policyIQ. This isn’t practical for all uses of policyIQ, as travelling for audits means needing to access policyIQ from a variety of locations. However, if your users are stationary, you might consider tightening access.How? Contact our support team for more information on how we can add IP addresses or ranges (at no additional cost).
If you have questions about your data security, please do not hesitate to contact us. If your company is concerned about your overall data security program, please reach out to us and we’ll connect you with the RGP Information Management and Data Security practice for more information.