Dr. Alan Shark

Post on 20-Jun-2015


Slides presented by Dr. Alan Shark, Executive Director and CEO of Public Technology Institute

Transcript of Dr. Alan Shark

Dr. Alan R. Shark

Executive Director

Public Technology Institute

and

Associate Professor of Practice

Rutgers University School of Public Affairs & Administration

Security Threat Assessment 2013: Preparing Your Agency

It used to be that paper was the problem...

But now it has been replaced with this...

Cyber Issues...

Cyber crime

Cyber hacking

Identity theft

Data theft

Financial theft

Data manipulation

What do these organizations have in common?

What About Our Employees?

We can no longer simply rely on the CIO or chief security officer?

Internal threats...

Points of Entry – Portable Devices

Points of Entry – Wireless Devices

Points of Entry – Storage Devices

Along Came the Cloud(s)...

Points of Entry – Storage Devices

Personal Connectivity...

Cautions to the Wind!

Points of Concern...

Internal threats (disgruntled employees)

External threats

Mobile devices

BYOD (bring your own device)

Storage devices

Cloud-based

Lax security ecosystems

Carelessness

Ignorance

Common Myths (Employees)

1. I don't have anything anyone would ever want;

2. I have the best antivirus software installed;

3. I don't use Windows so I'm safe;

4. My network has a great firewall so I am safe;

5. I only visit safe sites, so I'm okay;

6. My network administrator is the one in charge of my data.

7. I have had my password for years and nothing ever happened.

Passwords Weak to Strong

“No worries, I keep all the necessary passcodes pasted to my monitor so I don't lose them!”

Siobhan Duncan

Password Strength

A six character, single case password has 308 million possible combinations.

It can be cracked in just minutes!

Combining upper and lower case and using 8 characters instead of 6 = 53 trillion possible combinations.

Substituting a number for one of the letters yields 218 trillion possibilities.

Substituting a special character yields 6,095 trillion possibilities.

Quiz

How long would it take for an individual desktop computer to “crack” a password?

A. 1,000 passwords per second?

B. 100,000 passwords per second?

C. 5 million passwords per second?

D. More than a hundred million passwords per second?

Postscript on Passwords

Using a special high speed computer that is GPU-based, it can scan billions of passwords per second!
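The slide's combination counts follow from one rule: the number of passwords of a fixed length is the alphabet size raised to that length. The figures 308 million, 53 trillion, 218 trillion and 6,095 trillion are reproduced exactly by treating each step as enlarging the alphabet to 26, 52, 62 and 94 symbols (94 being printable ASCII without the space). The script below is an added example, not part of the slides: it computes those keyspaces and converts each into the worst-case time to try every password at the guess rates from the quiz, plus an assumed 10 billion per second for the GPU postscript. The alphabet sizes and rates are this example's assumptions chosen to match the slide numbers.

```python
"""Password keyspace and exhaustive-search time for the slide's four policies.

Added example (not from the slides). The character-class sizes and guess
rates are assumptions picked to reproduce the slide figures.
"""
from typing import Dict

# Character-class sizes (assumed; 32 specials = printable ASCII punctuation, no space).
LOWER = 26
UPPER = 26
DIGITS = 10
SPECIAL = 32

# Guess rates from the quiz slide, plus an assumed figure for "billions per second".
GUESS_RATES: Dict[str, float] = {
    "A: 1,000/s": 1e3,
    "B: 100,000/s": 1e5,
    "C: 5 million/s": 5e6,
    "D: 100 million/s": 1e8,
    "GPU rig: 10 billion/s (assumed)": 1e10,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in the space."""
    return space / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def slide_policies() -> Dict[str, int]:
    """The four password policies from the slide, in the slide's order."""
    return {
        "6 chars, single case": keyspace(LOWER, 6),
        "8 chars, upper+lower": keyspace(LOWER + UPPER, 8),
        "8 chars, upper+lower+digit": keyspace(LOWER + UPPER + DIGITS, 8),
        "8 chars, upper+lower+digit+special": keyspace(LOWER + UPPER + DIGITS + SPECIAL, 8),
    }


if __name__ == "__main__":
    for label, space in slide_policies().items():
        print(f"{label}: {space:,} combinations")
        for rate_label, rate in GUESS_RATES.items():
            print(f"    {rate_label:<32} {human_duration(seconds_to_exhaust(space, rate))}")
```

The numbers are an upper bound on the attacker's work: exhaustive search assumes every password is equally likely, and real passwords are not, which is why the slide's later advice on lock-outs and training matters as much as length and character mix.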

Security & Prevention

1. Use strong passwords of at least 8 characters, with upper and lower case letters and special characters.

2. Insist on an automatic lock-out after no more than ten failed tries.

3. Consider CAPTCHA as a means to thwart high-speed automated systems.

4. Consider fingerprint readers in addition to or along with password protected systems.

5. Consider iris display readers for added authentication.

6. Require periodic mandatory training.
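Item 2 above is a rate-limiting control: it makes the quiz's guess rates irrelevant for online attacks, because the account stops answering after a handful of failures. The tracker below is an added example, not part of the slides, showing the minimal state such a rule needs: a failure counter per account, a lock expiry timestamp, and a reset on success. The threshold of ten comes from the slide; the 15-minute lock duration and the sample attempt sequence are this example's assumptions. Password verification itself is left to the caller.

```python
"""Account lock-out after a bounded number of failed login attempts.

Added example (not from the slides). Threshold follows the slide's "no more
than ten tries"; lock duration and sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


@dataclass
class LockoutPolicy:
    max_attempts: int = 10          # slide's upper bound on tries
    lock_seconds: float = 15 * 60   # assumed lock duration
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """True while a lock is active; an expired lock is cleared here."""
        st = self._state(user)
        if st.locked_until and now >= st.locked_until:
            st.locked_until = 0.0
            st.failures = 0
        return st.locked_until > now

    def record(self, user: str, success: bool, now: float) -> str:
        """Record one attempt and return 'locked', 'ok' or 'fail'.

        Attempts against a locked account are rejected without being
        counted, so they neither extend nor shorten the lock.
        """
        if self.is_locked(user, now):
            return "locked"
        st = self._state(user)
        if success:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lock_seconds
            return "locked"
        return "fail"


def run_sample() -> List[str]:
    """Constructed sequence: ten failures, a correct password while locked,
    then a correct password after the lock expires."""
    policy = LockoutPolicy(max_attempts=10, lock_seconds=900)
    results = []
    t = 1_000_000.0
    for i in range(10):
        results.append(policy.record("alice", success=False, now=t + i))
    results.append(policy.record("alice", success=True, now=t + 10))        # still locked
    results.append(policy.record("alice", success=True, now=t + 10 + 900))  # lock expired
    return results


if __name__ == "__main__":
    print(run_sample())
```

A bounded lock duration is deliberate: a permanent lock turns the control into a way to deny service to legitimate users, while a timed lock still caps guesses per account at roughly `max_attempts` per `lock_seconds`. The slide's CAPTCHA suggestion addresses the same automated guessing from a different angle.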

Policy Considerations

Frequency of password changes?

Type of secure passwords?

Encryption of files and records?

Access to files and records? (in office & remote)

Citizen privacy protection?

When workers leave?

Laptop and portable device & storage policies?

Portable device policies?

Back-up policies?

Portable device cut-off & destroy systems?

Disposal of any equipment with hard drives & storage?

Disposal of copiers?

Encrypted USB and portable storage devices?

On-going training and threat assessment?

Public Technology Institute
1420 Prince Street
Alexandria, VA 22314

www.pti.org

ashark@pti.org