Security Threat Assessment 2013: Preparing Your Agency
Dr. Alan R. Shark
Executive Director, Public Technology Institute
and Associate Professor of Practice, Rutgers University School of Public Affairs & Administration
Points of Concern
Internal threats (disgruntled employees)
External threats
Mobile devices
BYOD (bring your own device)
Storage devices
Cloud-based
Lax security ecosystems
Carelessness
Ignorance
Common Myths (Employees)
1. I don't have anything anyone would ever want;
2. I have the best antivirus software installed;
3. I don't use Windows, so I'm safe;
4. My network has a great firewall, so I am safe;
5. I only visit safe sites, so I'm okay;
6. My network administrator is the one in charge of my data;
7. I have had my password for years and nothing ever happened.
Siobhan Duncan: "No worries, I keep all the necessary passcodes pasted to my monitor so I don't lose them!"
Password Strength
A six character, single case password has 308 million possible combinations. It can be cracked in just minutes!
Combining upper and lower case and using 8 characters instead of 6 = 53 trillion possible combinations.
Substituting a number for one of the letters yields 218 trillion possibilities.
Substituting a special character yields 6,095 trillion possibilities.
Quiz
How many passwords per second can an individual desktop computer try when "cracking" a password?
A. 1,000 passwords per second?
B. 100,000 passwords per second?
C. 5 million passwords per second?
D. More than a hundred million passwords per second?
Postscript on Passwords
A special high-speed GPU-based computer can test billions of passwords per second!
Security & Prevention
1. Use strong passwords of at least 8 characters, with upper and lower case letters and special characters.
2. Insist on automatic lock-out after no more than ten failed tries.
3. Consider CAPTCHA as a means to thwart high-speed automated systems.
Security & Prevention
4. Consider fingerprint readers in addition to or along with password protected systems.
5. Consider iris display readers for added authentication.
6. Require periodic mandatory training.
Policy Considerations
Frequency of password changes?
Type of secure passwords?
Encryption of files and records?
Access to files and records? (in office & remote)
Citizen privacy protection?
When workers leave?
Laptop and portable device & storage policies?
Portable device policies?
Back-up policies?
Portable device cut-off & destroy systems?
Policy Considerations (continued)
Disposal of any equipment with hard drives & storage?
Disposal of copiers?
Encrypted USB and portable storage devices?
On-going training and threat assessment?
Public Technology Institute
1420 Prince Street
Alexandria, VA
email@example.com