3.5.11 has a weight of -1 points

(Identification and Authentication Family) 11/11

Obscure feedback of authentication information

Example of System Security Plan (SSP):

    System Security Plan: Obscuring Authentication Information Feedback

    1. Policy Statement:
    Our organization has implemented a policy to obscure authentication feedback, ensuring that unauthorized individuals cannot compromise our authentication mechanisms.

    2. Feedback Obscuring Method:
    To prevent sensitive information like passwords from being observed, we employ feedback obscuring methods during the authentication process. The method chosen is based on the system type and threat level.

    3. Desktop or Notebook Computers:
    For systems with larger monitors and a significant shoulder surfing threat, we use the following feedback obscuring methods:
    • Displaying asterisks or non-revealing characters during password input.
    • Minimizing the time authentication feedback is visible to limit sensitive information exposure.


    Example of Plan of Action and Milestones (POA&M):

    1. Objectives

    • Implement feedback obscuring methods across all desktop and notebook computers.
    • Regularly review and update feedback obscuring methods to adapt to emerging threats and technologies.
    • Educate users about the importance of obscured authentication feedback.

    2. Milestones and Actions

    a. Desktop and Notebook Computers Implementation

    • Action: Implement displaying asterisks or non-revealing characters during password input across all systems.
    • Responsibility: IT Department
    • Timeline: [Insert specific deadline]
    • Status: [Ongoing/Completed]

    b. Minimize Time of Visibility for Authentication Feedback

    • Action: Implement measures to minimize the time authentication feedback is visible.
    • Responsibility: IT Security Team
    • Timeline: [Insert specific deadline]
    • Status: [Ongoing/Completed]

    c. Regular Review and Update of Methods

    • Action: Conduct regular assessments of the feedback obscuring methods to ensure effectiveness.
    • Responsibility: Security Audit Team
    • Timeline: [Quarterly/Semi-Annually]
    • Status: [Ongoing/Completed]

    RELEVANT INFORMATION:

    The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it.
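The two obscuring methods described above, as an added example that is not part of the original page: a pure rendering function that shows only asterisks on desktop systems and reveals just the last typed character for a short window on small-display devices, plus a check that the rendered feedback never exposes more than that. The profile names and the 1000 ms reveal window are assumptions chosen for illustration.

```javascript
// Added example (not from the original page). Profile names and the
// millisecond values are assumptions for illustration.
const FEEDBACK_PROFILES = {
  // Desktop/notebook: large monitor, shoulder-surfing risk -> never reveal.
  desktop: { maskChar: "*", revealLastMs: 0 },
  // Mobile: small keyboard, typo risk -> show the last character briefly.
  mobile: { maskChar: "•", revealLastMs: 1000 },
};

// Returns the string the UI should render for `secret`, given how many
// milliseconds have elapsed since the last keystroke. At most the final
// character is ever shown, and only while the reveal window is open.
function obscureFeedback(secret, elapsedMs, profile) {
  const { maskChar, revealLastMs } = FEEDBACK_PROFILES[profile];
  if (secret.length === 0) return "";
  const masked = maskChar.repeat(secret.length - 1);
  const showLast = revealLastMs > 0 && elapsedMs < revealLastMs;
  return masked + (showLast ? secret[secret.length - 1] : maskChar);
}

// Control check for 3.5.11: replay every keystroke of `secret` and confirm
// the feedback never exposes more than one plaintext character while the
// window is open and is fully obscured once it closes. Returns true if the
// profile complies with the policy.
function feedbackNeverLeaks(secret, profile) {
  const { maskChar, revealLastMs } = FEEDBACK_PROFILES[profile];
  const plainChars = (s) => [...s].filter((c) => c !== maskChar).length;
  for (let i = 1; i <= secret.length; i++) {
    const typed = secret.slice(0, i);
    const duringWindow = obscureFeedback(typed, 0, profile);
    const afterWindow = obscureFeedback(typed, revealLastMs, profile);
    if (plainChars(duringWindow) > 1 || plainChars(afterWindow) !== 0) {
      return false;
    }
  }
  return true;
}
```

In a real form the `input` event would call `obscureFeedback` with `elapsedMs = 0` and schedule a re-render after `revealLastMs` so the last character is masked again without further user action.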



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.