Several ministries and departments’ cyber security audits have shown recurring, serious errors and non-conformities, mostly with regard to internal network internet access, a weak password management policy, and credential sharing.
A “Cyber Security Advisory: User-Level Common Oversights” has been released by the National Telecommunication and Information Security Board (NTISB). It states that a cyber security audit of various ministries and departments has uncovered recurring critical oversights and non-conformities, namely the following:
internet connectivity for internal networks.
The policy for managing passwords is ineffective.
sharing of credentials.
Mechanisms for device control are seen.
Consultations
The following corrective actions are highlighted to protect against becoming victims of cyber incidents:
The internet should not be connected to any internal network-based IT systems or user terminals, including the official communication system.
Enforce a password policy across all systems. Ten times the character length (at least one uppercase and one special character) should be the minimum requirement.
Passwords should not be typed or copied on workstations or stored in browsers. Ensure that all appointments follow the clear desk/clean screen policy.
It is completely forbidden to share login details (user name and password).
For official systems, separate USBs should be used (after whitelisting).
Implement a strict device control policy, especially for USBs.
Official emails should never be forwarded to personal email addresses.
