1. Security Threat Assessment 2013:
Preparing Your Agency
Dr. Alan R. Shark
Executive Director
Public Technology Institute
and
Associate Professor of Practice
Rutgers University School of Public
Affairs & Administration
21. Points of Concern
Internal threats (disgruntled employees)
External threats
Mobile devices
BYOD (bring your own device)
Storage devices
Cloud-based
Lax security ecosystems
Carelessness
Ignorance
26. Common Myths (Employees)
1. I don’t have anything anyone would ever want.
2. I have the best antivirus software installed.
3. I don’t use Windows, so I’m safe.
4. My network has a great firewall, so I am safe.
5. I only visit safe sites, so I’m okay.
6. My network administrator is the one in charge of my data.
7. I have had my password for years and nothing has ever happened.
30. Password Strength
A six-character, single-case password has 26^6, about 308 million,
possible combinations.
At a few million guesses per second it can be cracked in just minutes!
Mixing upper and lower case and using 8 characters instead of 6
(52 symbols) gives 52^8, about 53 trillion possible combinations.
Adding digits to the alphabet (62 symbols) gives 62^8, about 218
trillion possibilities.
Adding the 32 printable special characters as well (94 symbols) gives
94^8, about 6,095 trillion possibilities.
31. Quiz
How many passwords per second can an individual desktop
computer try when “cracking” a password?
A. 1,000 passwords per second?
B. 100,000 passwords per second?
C. 5 million passwords per second?
D. More than a hundred million passwords per second?
32. Postscript on Passwords
A GPU-based cracking rig can test billions of passwords per
second!
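As an added worked example (not part of the original deck), the following Python reproduces the four keyspace figures from the Password Strength slide and turns them into worst-case exhaustion times at each guess rate named in the quiz and the postscript. The alphabet sizes, the rate labels and the 1 billion/s figure standing in for "billions" are assumptions chosen to match the slides; the 94-symbol set is lower + upper + digits + the 32 printable ASCII special characters.

```python
import string

# Alphabet sizes behind the figures on the slides (assumed to match the deck).
# Python's string.punctuation holds the 32 printable ASCII special characters,
# so the full printable set without space is 26 + 26 + 10 + 32 = 94 symbols.
LOWER = len(string.ascii_lowercase)            # 26
MIXED = len(string.ascii_letters)              # 52
ALNUM = MIXED + len(string.digits)             # 62
PRINTABLE = ALNUM + len(string.punctuation)    # 94

# Guess rates from the quiz options and the GPU postscript (guesses per second).
RATES = {
    "1,000/s (quiz A)": 1_000,
    "100,000/s (quiz B)": 100_000,
    "5 million/s (quiz C)": 5_000_000,
    "100 million/s (quiz D)": 100_000_000,
    "1 billion/s (GPU postscript)": 1_000_000_000,
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space, guesses_per_second):
    """Worst case: every candidate is tried. The expected time is half of this."""
    return space / guesses_per_second


def human(seconds):
    """Render a duration in the largest unit that gives a value of at least 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def crack_table():
    """Rows of (label, keyspace, {rate label: seconds}) for the slide's four cases."""
    cases = [
        ("6 chars, lower case only", LOWER, 6),
        ("8 chars, upper + lower", MIXED, 8),
        ("8 chars, upper + lower + digits", ALNUM, 8),
        ("8 chars, all 94 printable", PRINTABLE, 8),
    ]
    rows = []
    for label, alphabet, length in cases:
        space = keyspace(alphabet, length)
        times = {name: seconds_to_exhaust(space, rate) for name, rate in RATES.items()}
        rows.append((label, space, times))
    return rows


if __name__ == "__main__":
    for label, space, times in crack_table():
        print(f"{label}: {space:,} candidates")
        for rate_label, secs in times.items():
            print(f"    {rate_label:>30}: {human(secs)}")
```

The table makes the slide's point precise: the 308 million six-letter passwords fall in about a minute at 5 million guesses per second and in seconds on a GPU, while the 94-symbol eight-character space still takes a single 1 billion/s rig more than two months to exhaust. It also shows why the "minutes" claim depends entirely on the guess rate the attacker can reach, which is the question the quiz is really asking.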
33. Security & Prevention
1. Require strong passwords of at least 8 characters,
with upper and lower case letters and special
characters.
2. Lock the account automatically after no more than
ten failed attempts.
3. Consider CAPTCHA as a means to thwart
high-speed automated systems.
34. Security & Prevention
4. Consider fingerprint readers in addition to
password-protected systems.
5. Consider iris scanners for added authentication.
6. Require periodic mandatory training.
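An added example, not code from the original deck, of items 1 and 2 of the Security & Prevention slides in Python: a minimum-composition check and a per-account lockout that stops checking credentials after ten consecutive failures. The class name, the 15-minute lockout window, the account name and the guess list are constructed for illustration and are not from the deck.

```python
import string
import time
from collections import defaultdict

SPECIAL = set(string.punctuation)


def meets_policy(password, min_length=8):
    """Item 1: at least min_length characters with upper case, lower case and a
    special character. Composition rules are the floor, not the whole policy."""
    return (len(password) >= min_length
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c in SPECIAL for c in password))


class LoginGuard:
    """Item 2: lock an account after max_failures consecutive failed attempts.

    Hypothetical helper. The lockout is temporary (lockout_seconds) so that
    anyone who knows a user name cannot permanently deny that user access by
    guessing wrong ten times. `clock` is injectable so the behaviour can be
    exercised without waiting for real time to pass.
    """

    def __init__(self, max_failures=10, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear it and give the account a fresh budget.
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, password, verify):
        """Return 'locked', 'ok' or 'failed'. `verify(password)` is the real
        credential check; it is never run while the account is locked, so a
        guessing tool gets no signal at all during the lockout window."""
        if self.is_locked(account):
            return "locked"
        if verify(password):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
        return "failed"


def simulate_guessing(guesses, correct, max_failures=10):
    """Feed a constructed guess list at one account and report how many guesses
    actually reached the credential check, plus the outcome of the last one."""
    now = [0.0]  # fake clock: time does not advance during the burst
    guard = LoginGuard(max_failures=max_failures, clock=lambda: now[0])
    checked = 0
    outcome = "failed"

    def verify(candidate):
        nonlocal checked
        checked += 1
        return candidate == correct

    for guess in guesses:
        outcome = guard.attempt("alice", guess, verify)
        if outcome == "ok":
            break
    return checked, outcome


if __name__ == "__main__":
    # Constructed sample: a 50-entry guess list against a policy-compliant password.
    guesses = ["password", "letmein", "Welcome1"] + [f"guess{i}" for i in range(47)]
    print("policy ok:", meets_policy("Corr3ct!Pass"))
    print("guesses checked, outcome:", simulate_guessing(guesses, "Corr3ct!Pass"))
```

Two caveats a practitioner would want: the failure counter must live server-side (a client-enforced limit is bypassed by the first automated tool), and a per-account lockout is itself a denial-of-service lever against any account whose user name is known, which is why the window above expires and why item 3's CAPTCHA or per-source throttling belongs alongside it rather than instead of it.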
35. Policy Considerations
Frequency of password changes?
Type of secure passwords?
Encryption of files and records?
Access to files and records? (in office & remote)
Citizen privacy protection?
When workers leave?
Laptop, portable device & storage policies?
Back-up policies?
Portable device cut-off & destroy systems?
36. Policy Considerations
Disposal of any equipment with hard drives & storage?
Disposal of copiers?
Encrypted USB and portable storage devices?
On-going training and threat assessment?