(ISC)² CISSP® Official Study Guide, Eighth Edition


Deploy multifactor authentication



Date: 08.04.2023
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Deploy multifactor authentication.
Deploy multifactor authentication, such as using biometrics or token devices. When an organization uses multifactor authentication, attackers are not able to access a network if they discover just a password. Many online services, such as Google, now offer multifactor authentication as an additional measure of protection.
Use account lockout controls.
Account lockout controls help prevent online password attacks. They lock an account after the incorrect password is entered a predefined number of times. Account lockout controls typically use clipping levels that ignore some user errors but take action after reaching a threshold. For example, it’s common to allow a user to enter the incorrect password as many as five times before locking the account. For systems and services that don’t support account lockout controls, such as most File Transfer Protocol (FTP) servers, extensive logging along with an intrusion detection system can protect the server.
Account lockout controls help prevent an attacker from guessing a password in an online account. However, this does not prevent an attacker from using a password-cracking tool against a stolen database file containing hashed passwords.
Use last logon notification.
Many systems display a message including the time, date, and location (such as the computer name or IP address) of the last successful logon. If users pay attention to this message, they might notice if someone else logged onto their account. For example, if a user logged on to an account last Friday, but the last logon notification indicates someone accessed the account on Saturday, it indicates a problem. Users who suspect someone else is logging on to their accounts can change their passwords or report the issue to a system administrator. If it occurs with an organizational account, users should report it following the organization’s security incident reporting procedures.
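
The clipping-level behavior described under "Use account lockout controls" can be replayed over a logon event stream as follows. This is an added example, not code from the study guide: the event format, the 15-minute window, and the reset on a successful logon are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, account, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice FAIL
2024-03-01T09:00:05 alice FAIL
2024-03-01T09:00:09 alice OK
2024-03-01T09:01:00 bob FAIL
2024-03-01T09:01:02 bob FAIL
2024-03-01T09:01:04 bob FAIL
2024-03-01T09:01:06 bob FAIL
2024-03-01T09:01:08 bob FAIL
2024-03-01T09:01:10 bob OK
2024-03-01T09:02:00 carol FAIL
2024-03-01T10:30:00 carol FAIL
"""

CLIPPING_LEVEL = 5                 # incorrect entries before lockout (the text's example)
WINDOW = timedelta(minutes=15)     # assumption: older failures no longer count


def evaluate(log_text, clipping_level=CLIPPING_LEVEL, window=WINDOW):
    """Replay logon events; return (locked accounts, attempts refused while locked)."""
    failures = defaultdict(deque)  # account -> timestamps of recent failures
    locked, rejected = set(), []
    for line in log_text.splitlines():
        stamp, account, outcome = line.split()
        when = datetime.fromisoformat(stamp)
        if account in locked:
            # A locked account refuses every attempt, even a correct password.
            rejected.append((stamp, account, outcome))
            continue
        recent = failures[account]
        while recent and when - recent[0] > window:
            recent.popleft()       # errors below the threshold age out
        if outcome == "OK":
            recent.clear()         # assumption: a good logon resets the count
        else:
            recent.append(when)
            if len(recent) >= clipping_level:
                locked.add(account)
    return locked, rejected


if __name__ == "__main__":
    locked, rejected = evaluate(SAMPLE_LOG)
    print("locked:", sorted(locked))
    print("refused while locked:", rejected)
```

For a service that cannot lock accounts, the same threshold applied to its logs yields an alert instead of a lockout.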
