Dr. Alan Shark


description

Slides presented by Dr. Alan Shark, Executive Director and CEO of Public Technology Institute

Transcript of Dr. Alan Shark

Page 1: Dr. Alan Shark

Dr. Alan R. Shark

Executive Director

Public Technology Institute

and

Associate Professor of Practice

Rutgers University School of Public Affairs & Administration

Security Threat Assessment 2013: Preparing Your Agency

Page 2: Dr. Alan Shark

It used to be that paper was the problem...

Page 3: Dr. Alan Shark

But now it has been replaced with this...

Page 4: Dr. Alan Shark

Cyber Issues...

Cyber crime

Cyber hacking

Identity theft

Data theft

Financial theft

Data manipulation

Page 5: Dr. Alan Shark

What do these organizations have in common?

Page 6: Dr. Alan Shark
Page 7: Dr. Alan Shark
Page 8: Dr. Alan Shark
Page 9: Dr. Alan Shark
Page 10: Dr. Alan Shark
Page 11: Dr. Alan Shark

What About Our Employees?

We can no longer simply rely on the CIO or chief security officer.

Internal threats...

Page 12: Dr. Alan Shark

Points of Entry – Portable Devices

Page 13: Dr. Alan Shark

Points of Entry – Wireless Devices

Page 14: Dr. Alan Shark

Points of Entry – Storage Devices

Page 15: Dr. Alan Shark

Along Came the Cloud(s)...

Page 16: Dr. Alan Shark

Points of Entry – Storage Devices

Page 17: Dr. Alan Shark

Personal Connectivity...

Page 18: Dr. Alan Shark
Page 19: Dr. Alan Shark

Cautions to the Wind!

Page 20: Dr. Alan Shark
Page 21: Dr. Alan Shark

Points of Concern...

Internal threats (disgruntled employees)

External threats

Mobile devices

BYOD (bring your own device)

Storage devices

Cloud-based

Lax security ecosystems

Carelessness

Ignorance

Page 22: Dr. Alan Shark
Page 23: Dr. Alan Shark
Page 24: Dr. Alan Shark
Page 25: Dr. Alan Shark
Page 26: Dr. Alan Shark

Common Myths (Employees)

1. I don’t have anything anyone would ever want;

2. I have the best antivirus software installed;

3. I don’t use Windows so I’m safe;

4. My network has a great firewall so I am safe;

5. I only visit safe sites, so I’m okay;

6. My network administrator is the one in charge of my data;

7. I have had my password for years and nothing ever happened.

Page 27: Dr. Alan Shark
Page 28: Dr. Alan Shark

Passwords Weak to Strong

Page 29: Dr. Alan Shark

“No worries, I keep all the necessary passcodes pasted to my monitor so I don’t lose them!”

Siobhan Duncan

Page 30: Dr. Alan Shark

Password Strength

A six character, single case password has 308 million possible combinations.

It can be cracked in just minutes!

Combining upper and lower case and using 8 characters instead of 6 = 53 trillion possible combinations.

Substituting a number for one of the letters yields 218 trillion possibilities.

Substituting a special character yields 6,095 trillion possibilities.

Page 31: Dr. Alan Shark

Quiz

How long would it take for an individual desktop computer to “crack” a password?

A. 1,000 passwords per second?

B. 100,000 passwords per second?

C. 5 million passwords per second?

D. More than a hundred million passwords per second?

Page 32: Dr. Alan Shark

Postscript on Passwords

Using a special high speed computer that is GPU-based, it can scan billions of passwords per second!
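As an added example (not part of Dr. Shark's slides), the Python below recomputes the four combination counts from the Password Strength slide and shows the worst-case time to exhaust each keyspace at the guess rates from the quiz and the GPU postscript. The alphabet sizes (26, 52, 62, 94) and the "10 billion per second" GPU figure are assumptions chosen to reproduce the slide's totals.

```python
# Alphabet sizes assumed to reproduce the slide's totals (assumption, not
# stated on the slide): 26 lower-case letters, 52 mixed case, 62 with digits,
# 94 with the printable ASCII punctuation set.
CHARSETS = {
    "single case, 6 chars": (26, 6),
    "mixed case, 8 chars": (52, 8),
    "mixed case + digit, 8 chars": (62, 8),
    "mixed case + digit + special, 8 chars": (94, 8),
}

# Guess rates from quiz options A-D plus the GPU postscript; "billions per
# second" is taken as 10 billion (constructed value).
RATES = {
    "A: 1,000/s": 1e3,
    "B: 100,000/s": 1e5,
    "C: 5 million/s": 5e6,
    "D: 100 million/s": 1e8,
    "GPU: ~10 billion/s": 1e10,
}

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst case: every candidate tried once at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate

def human_time(seconds: float) -> str:
    """Express a duration in the largest unit that gives a value >= 1."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"

def slide_keyspaces() -> dict:
    """The four totals quoted on the slide, recomputed from alphabet and length."""
    return {label: keyspace(n, k) for label, (n, k) in CHARSETS.items()}

def crack_table(alphabet_size: int, length: int) -> dict:
    """Worst-case exhaustion time for one password class at each quiz rate."""
    return {r: human_time(seconds_to_exhaust(alphabet_size, length, v))
            for r, v in RATES.items()}

if __name__ == "__main__":
    print(slide_keyspaces())
    print(crack_table(26, 6))  # the six-character case the slide calls "minutes"
```

At quiz rate C the six-character single-case keyspace falls in about a minute, matching the slide; the same arithmetic shows why length and alphabet size, not substitution tricks alone, drive the totals.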

Page 33: Dr. Alan Shark

Security & Prevention

1. Use strong passwords of at least 8 characters, with upper and lower case letters and special characters.

2. Insist on an automatic lock-out after no more than ten failed attempts.

3. Consider CAPTCHA as a means to thwart high-speed automated systems.

Page 34: Dr. Alan Shark

Security & Prevention

4. Consider fingerprint readers in addition to or along with password protected systems.

5. Consider iris readers for added authentication.

6. Require periodic mandatory training.

Page 35: Dr. Alan Shark

Policy Considerations

Frequency of password changes?

Type of secure passwords?

Encryption of files and records?

Access to files and records? (in office & remote)

Citizen privacy protection?

When workers leave?

Laptop and portable device & storage policies?

Portable device policies?

Back-up policies?

Portable device cut-off & destroy systems?

Page 36: Dr. Alan Shark

Policy Considerations

Back-up policies?

Portable device cut-off & destroy systems?

Disposal of any equipment with hard drives & storage?

Disposal of copiers?

Encrypted USB and portable storage devices?

On-going training and threat assessment?

Page 37: Dr. Alan Shark

Public Technology Institute
1420 Prince Street
Alexandria, VA 22314

www.pti.org
