Posted on May 1, 2015
VA reaching breaking point as malware attacks rise
Responses: 2
Unfortunately they consider access by Veterans to be "Intrusion Attempts (Blocked)" and contact attempts by Veterans to be "Suspicious/Malicious Emails (Blocked)"
Sgt Aaron Kennedy, MS
SPC Jan Allbright, M.Sc., R.S. That actually just makes me twinge. As a former intel guy / Facility Manager (Physical Security Lead), that's just creating problems.
I'd lean towards "Authenticators" (8/10 digit code generator) on a Cell phone or mini dongle which is paired with a "simple" password. Sure they can break a password, but without the Authenticator, they can't get in.
SPC Jan Allbright, M.Sc., R.S.
Sgt Aaron Kennedy, MS
Yup - one-use passwords - challenge & response
SGT Tracey "Tra" Cooper-Harris
Sgt Aaron Kennedy, MS - That password requirement is the same for most federal employees. I can't speak of the DoD, or military.
Use of acronyms and special characters as letters is the way to go.
SPC Mark Kreutsberg
I work at the VA in InfoSec (and am a disabled vet so my own data is at risk as well) and while not giving away our security footprint I can say that we follow Federal Guidelines in all aspects. Just like any other agency especially ones dealing with National Security, we are constantly under attack, so those numbers are not veterans trying to contact the VA.
As for using one time passwords and dongles. That's all well and good if you're working in a Secret or TS environment. Here are a couple thoughts on this point.
1. Private Healthcare facilities do not use this type of security and everybody (especially the media) is fine with it.
2. Even if things were managed better financially, the "worth" of the data being protected does not outweigh the cost of that technology.
3. I have enough problems with employees losing their CAC cards or forgetting passwords. Can you imagine the wait times if we had to institute 1 time passwords or dongles?????
If the VA would better serve their customer, they probably wouldn't get attacked so much.
Just a thought...
SPC Mark Kreutsberg
95% of those attacks are coming from overseas. The attacks are not coming from veterans.