Our highest priority is ensuring your data is private and secure. Did you know your FastTrack360 system has its own isolated database separate from all other customers, and that we conduct independent penetration testing on all new releases?
We are making further enhancements to the way you access your business data to ensure improved security, including introducing Multi-Factor Authentication (MFA) and CAPTCHA to the login process. We have also provided recommendations on a password policy and user access for you and your team to ensure your data is as safe as it can be.
Multi-Factor Authentication (MFA)
What is it?
Multi-factor Authentication, or MFA, is an enhanced authentication process of confirming a user is who they claim to be by assessing two or more pieces of evidence (factors).
These pieces of evidence, or authentication factors, are:
Knowledge - Something the user knows
Possession - Something the user has
Inherence (Biometrics) - Something the user, and only the user, is
Introducing a second step to the login process increases the likelihood that only authorised users are able to gain access to your system. FastTrack360 is introducing possession-based authentication (something the user has) through a user's mobile phone, in addition to the existing knowledge-based authentication (i.e. usernames, passwords, security questions and answers).
This feature will be commercially available from the 11.36.3 release available in June 2019.
Learn more with our quick overview video here (~1min) or click here to visit an online help page about MFA.
Why is it important?
User credentials (logins and passwords) can be compromised through poor security practices. For example, sharing passwords between people, or re-using a password across systems when one of those systems has been compromised, are both considered poor security practices. By offering an additional layer of security, a second factor, it is much harder for malicious actors to access your FastTrack360 system and the business critical and personally sensitive information within.
The Australian Taxation Office (ATO) also requires cloud-based Digital Service Providers (DSPs), such as FastTrack, to have multi-factor credential systems in place where users have access to taxation or superannuation related information.
How does it work?
Multi-factor Authentication (MFA) is an enhanced authentication process of confirming a user is who they claim to be by assessing two or more pieces of evidence (factors).
MFA can be configured as SMS or Time-based One-Time Password (TOTP). Our default configuration is SMS, which is a simpler experience for end users and easier to set up. End users will then be prompted for their SMS code whenever logging into FastTrack360. Please note that SMS use requires an active account with MarketPlace partner SMS Central, appropriate configuration for system users to receive SMS, and sufficient credit to send an SMS.
TOTP can be configured by contacting our Support team and requires end users to configure a compatible device, for example using the Google Authenticator app, on a smartphone or internet browser. End users will then be prompted for their TOTP code whenever logging into FastTrack360.
Where is it mandated?
The Australian Taxation Office (ATO) mandates that all Australian agency users with access to taxation or superannuation information of other people (e.g. candidates) have MFA enabled. This will be a default setting in FastTrack360. This may expand as further jurisdictions update their compliance requirements.
What additional security steps do we recommend?
To minimise the chance of unauthorised access to your FastTrack360 system, we recommend that MFA is enabled for all users.
How does it impact Users?
Users may be prompted for a second factor of authentication when logging into FastTrack360. This will require users to have their mobile phone available when logging into FastTrack360.
CAPTCHA
What is it?
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is an automated test to ensure a user is not a robot.
This feature will be commercially available from the 11.36.2 (NZ Payday) release.
Learn more with our quick overview video here (~1min)
Why is it important?
Malicious actors can automate attacks against systems, making compromises more efficient. CAPTCHA is commonly used on externally facing areas of software, such as a login screen, that are vulnerable to automated attacks, in order to limit exposure to automated attackers.
How does it work?
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is an automated test to ensure a user is not a robot.
Google's reCAPTCHA has been added to FastTrack360 to mitigate automated attacks against your data. It will be visible on the login, unauthenticated password reset, questionnaire and candidate registration pages.
CAPTCHA on the login page can be set to only appear after a set number of consecutive failed login attempts per IP address. Where users have a shared IP address they may be prompted to verify they aren't a robot due to consecutive failed attempts by other users on the same IP address. We have defaulted CAPTCHA to appear after 2 consecutive failed attempts to mitigate automated locking attacks. You are able to adjust this value in Maintenance > Password Policy > Password Policy > No of Login Attempts Before CAPTCHA.
Please note that Google's reCAPTCHA will present a challenge based on a threat-based security model - end users may be presented with a simple checkbox to assert they are not a robot or could be given a more detailed challenge that could take several minutes to solve. This is based on a multitude of factors, such as how frequently you are encountering the CAPTCHA and Google's assessment of risk.
What additional security steps do we recommend?
To minimise the chance of unauthorised access to your FastTrack360 system, we recommend configuring CAPTCHA to appear after 2 consecutive failed login attempts to mitigate automated locking attacks.
CAPTCHA can be adjusted at Maintenance > Password Policy > Password Policy > No of Login Attempts Before CAPTCHA.
How does it impact End Users?
Users may be asked to confirm they are not a robot when interacting with FastTrack360. FastTrack360 uses Google's reCAPTCHA which may ask users a series of questions to confirm they are not an automated bot trying to maliciously access the system.
Password Policy
What is it?
Within FastTrack360 you can configure your own password security policies to suit your specific business requirements. This is found within the product Maintenance area on the Password Policy page.
Why is it important?
Ensuring these settings are enabled and set to appropriate values helps secure your data in FastTrack360.
What do we recommend?
Our recommendations are based on security best practices provided by our own research, independent security consultants and government departments (Australian and overseas).
How does it work?
We’re serious about security and implementing industry best practice security standards to limit system access and protect business critical and personally sensitive information. FastTrack360 offers a great deal of flexibility in meeting your individual business requirements, however, with security we recommend you consider the following advice around configuration.
Maintenance > Password Policy > Password Policy > Min No of Characters and Force Password Alphanum
We recommend a minimum of 8 characters for all user passwords. Enforcing a mix of alphanumeric characters can make passwords harder to guess, but may encourage poor password practices like re-using a password. There is a global trend towards 'pass phrases', rather than passwords, where users are encouraged to combine at least three random words together, ideally with special characters or numbers within. As an example, 'towerpebble2cellarhappy' is harder for a machine to guess than 's4d87df@#' - according to How Secure Is My Password, the former would take a machine 494 quadrillion years to guess whereas the latter would be solved in 16 hours. Encourage your users to think up a unique 'pass phrase' including at least three random words.
Australia - 13 character password length is the minimum recommended by the Australian Cyber Security Centre's Information Security Manual Security Control 0421 as of September 2018 where users only have a single factor of authentication.
United Kingdom - The National Cyber Security Centre (NCSC) recommends, as of November 2018, "you should specify a minimum password length, to prevent very short passwords from being used... Adopting the 'three random words' technique can help users to use suitably complex passphrases that they can actually remember."
United States - 8 character password length is the minimum recommended by the National Institute of Standards and Technology (NIST), as of June 2017, where a user selects their own password.
Maintenance > Password Policy > Password Policy > Enforce Password Reset
We recommend enforcing password resets when new user accounts have been created, or an Agency user has reset another user's password - this means the user that logs in is forced to set their own unique password.
Maintenance > Password Policy > MFA Security Roles (Version 11.36.3 on)
We recommend enforcing Multi-Factor Authentication (MFA) across all user accounts. MFA is mandated for all Australian agency users with access to superannuation and taxation related information by the Australian Taxation Office's Requirements for Digital Service Providers (https://softwaredevelopers.ato.gov.au/RequirementsforDSPs). MFA usage is also encouraged by the Australian Cyber Security Centre, the United Kingdom's National Cyber Security Centre and the United States' National Institute of Standards and Technology.
Maintenance > Password Policy > Multi Factor Authentication (MFA) Global Settings > Remember this device (Version 11.36.3 on)
The Australian Taxation Office's Requirements for Digital Service Providers restricts remembering a device to a time period of no greater than 24 hours.
Maintenance > Password Policy > Password Policy > No of Login Attempt Before Locking
We recommend no greater than 5 failed login attempts before locking a user account. A maximum of 5 failed attempts before locking is recommended by the Australian Cyber Security Centre's Information Security Manual Security Control 1403 as of September 2018. We also recommend having CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) appear after 2 failed attempts to mitigate automated locking attacks.
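The two thresholds described in the CAPTCHA section and the lockout recommendation above interact: CAPTCHA is counted per source IP address, lockout per account. The following added example (an assumed toy model, not FastTrack360's own code) shows why a CAPTCHA gate at 2 failures blunts an automated locking attack against a 5-failure lockout, and why users behind a shared IP address can be challenged through no fault of their own. Usernames, passwords and IP addresses are constructed demo values.

```python
from collections import defaultdict

CAPTCHA_AFTER = 2  # No of Login Attempts Before CAPTCHA (per source IP)
LOCK_AFTER = 5     # No of Login Attempt Before Locking (per account)


class LoginGate:
    """Assumed design: once an IP has tripped the CAPTCHA gate, an attempt that
    does not carry a solved CAPTCHA is rejected before the password is checked,
    so it neither reveals anything nor counts toward locking the account."""

    def __init__(self, credentials: dict):
        # Demo only: a real system stores salted password hashes, not plaintext.
        self.credentials = credentials
        self.ip_failures = defaultdict(int)       # consecutive failures per IP
        self.account_failures = defaultdict(int)  # consecutive failures per account
        self.locked = set()

    def captcha_required(self, ip: str) -> bool:
        return self.ip_failures[ip] >= CAPTCHA_AFTER

    def attempt(self, ip: str, user: str, password: str,
                captcha_solved: bool = False) -> str:
        if user in self.locked:
            return "locked"
        # Gate first: an automated client that cannot solve the CAPTCHA never
        # reaches the credential check, so it cannot drive the lockout counter.
        if self.captcha_required(ip) and not captcha_solved:
            return "captcha_required"
        if self.credentials.get(user) == password:
            self.ip_failures[ip] = 0
            self.account_failures[user] = 0
            return "ok"
        self.ip_failures[ip] += 1
        self.account_failures[user] += 1
        if self.account_failures[user] >= LOCK_AFTER:
            self.locked.add(user)
            return "locked"
        return "bad_credentials"


def lockout_attack_survives(solves_captcha: bool) -> bool:
    """Ten bad passwords for 'alice' from one IP; True if alice is still usable."""
    gate = LoginGate({"alice": "correct-horse-battery"})
    for _ in range(10):
        gate.attempt("203.0.113.7", "alice", "wrong", captcha_solved=solves_captcha)
    return gate.attempt("203.0.113.7", "alice", "correct-horse-battery",
                        captcha_solved=True) == "ok"
```

An automated attacker that cannot solve the CAPTCHA is stopped after two failures and never locks the account; a human who keeps solving it still hits the 5-failure lockout, which is the intended order of the two controls.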
Maintenance > Password Policy > Password Policy > Activate Session Timeout and Session Timeout Duration
We recommend no greater than 15 minutes of inactivity before closing a session, where your business doesn’t have a higher layer of security preventing inactivity, for example a Windows session time out. We also recommend users log out of FastTrack360 whenever they will no longer be using it. 15 minutes is the maximum amount of time of inactivity before locking recommended by the Australian Cyber Security Centre's Information Security Manual Security Control 0428 as of September 2018.
Maintenance > Password Policy > Password Policy > Days Before Password Expiry
Australia - The Australian Cyber Security Centre's Information Security Manual Security Control 0423, as of September 2018, recommends having passwords change within 90 days of use.
United Kingdom - The National Cyber Security Centre (NCSC) recommends, as of November 2018, not enforcing regular password expiry.
United States - The National Institute of Standards and Technology (NIST), as of June 2017, recommends not enforcing periodic password expiry unless there is evidence of a compromise.
How does it impact End Users?
This depends on how you configure your FastTrack360 Password Policy. The United Kingdom's National Cyber Security Centre (NCSC) has good advice for end users.
User Access Policy
What is it?
FastTrack360 allows restricting users' access to certain functionality and data through Roles and Data Groups. Wherever possible, user access should be limited to just the access and data visibility the user requires to complete their job.
Why is it important?
Ensuring only the right people have access to business critical functions and business critical and personally sensitive information mitigates risk and makes it easier to audit any incidents if they do arise.
How does it work?
FastTrack360 allows restricting users' access to certain functionality and data through Roles and Data Groups. This can be reviewed at Maintenance > Security and Maintenance > Users.
What additional security steps do we recommend?
We recommend:
Agency User access is limited to just the functionality (Roles) and data visibility (Data Groups) the person requires to complete their job
Regular audits are performed to ensure all FastTrack360 user permissions (Roles and Data Groups) reflect the user's current role and responsibilities
How does it impact End Users?
This depends on your User Access Policy and how you configure your FastTrack360 user access.