We are going to start gathering the IP addresses of our agency partners. We prefer to gather these addresses directly from the IT department of our partners, as this is the most efficient way to go about it. Not all of our partners have an IT department, however. So in some cases we will gather these IP addresses on our own, which requires a visit to the actual physical location of the agency partner.
We require the IP addresses to prevent our security measures from “over compensating” when the staff of agency partners repeatedly mistype their passwords or user names. We had an encounter while doing a partner training, in which our security measures temporarily blocked the IP address, preventing anyone in the training from logging onto URC. The IP block was in response to several agency staff in the training repeatedly mistyping their password or username. Our security AI misinterpreted this as a brute force attack, and took precautionary measures.
It is delicate balance when configuring white hat security AI to protect against brute force attacks (black hat AI attempts at guessing usernames and passwords), but to simultaneously allow for some human error. To prevent this overcompensation from happening again we will be configuring our security AI to recognize (whitelist) our agency partner IP addresses. Partner IP addresses will not be publicly disclosed.
This topic could rightly be placed in either the policy or technology forum, but we decided the technology forum is the best place for a continued discussion around any questions that arise in response to the new policy. Any questions or suggestions concerning this policy are welcome.