Peer to Peer Magazine

Fall 2014: Security Is Everyone's Business

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/411912


WWW.ILTANET.ORG 31

one.) But what happens if we add a few more computers to this attack, running in parallel? First, is this even possible? Answer: it sure is. Amazon AWS sells GPU services to which anyone can subscribe for as much processing power as they can afford. (By the way, organized crime and state-sponsored actors can afford it.) Now, let's just double our processing power.

By doing that, any password under 10 digits, using the above complexity rules, can be broken in an average of less than one day. Passwords containing 11 digits can be broken in an average of 46 days. Quadruple the processing power and 11-character passwords, on average, can be cracked in just 12 days. Yikes!

So what does this mean? Let's use our most optimistic example: a 10-digit password surviving 71 days. This means that if you have a password policy in which passwords are not forced to be changed (or not required to be complex), you may be exposed to that many days of a breach and unwanted access to your network once the password is broken.

Exposure (E) = days until password change (C) – days it took to crack the password (P)

E = C – P

A common time frame for password changes is 90 days. That means the best-case example is that your organization will endure 19 days of exposure to a breach.

E = 90 – 71
E = 19 days

The worst-case scenario is 90 days (90 – 0). The average is 54 days of exposure.

Have we seen this happen in real life, where unwanted actors roamed freely on a victim network? Yes, we have. The South Carolina Department of Revenue breach in 2012 was the nation's largest loss of personal information by a government entity. According to the autopsy report by the security group Mandiant, the password was first captured (not broken) by a phishing attack on August 13. On August 27 the attackers used the compromised password to gain access to the network. The final theft of property occurred on October 10. This means that the attackers had 56 days of unmitigated access to the network. At no time was the original compromised user forced to change his/her password. Over 70 GB of compressed data was extracted. How much does 70 GB of data cost? For the State of South Carolina, tens of millions of dollars and rising. For a law firm, it could easily be that amount or much more, depending on data content.

Going back to our math for a moment, and using our example from above, if passwords were forced to be changed every 45 days instead of every 90, something interesting happens. Under the most optimistic scenario, the password does not get cracked before it is discarded. In fact, more than 50 percent of the time this will be the case. The worst-case scenario is 45 days of exposure, with the average days of exposure being 23 days. Half is what we can expect, but the value gained is much more than that. We have zero time exposure for nearly half of the duration of
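The exposure model used in the article (E = C – P, with a captured password counting as P = 0 and the average taken between the cracked and captured cases), worked through as an added Python illustration that is not part of the magazine article. It reproduces the 90-day and 45-day figures above (the article rounds 54.5 and 22.5 to whole days) and adds one assumed helper, longest_rotation_for_target, which finds the longest rotation period that keeps average exposure under a chosen limit.

```python
"""Password-exposure model: E = C - P, floored at zero.

C = days until the password is forced to change (rotation period)
P = days the attacker needed to crack it (0 if captured, e.g. by phishing)

Added illustration of the article's arithmetic, not code from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExposureEstimate:
    rotation_days: int       # C
    crack_days: float        # P
    best_case: float         # E when the password must be cracked
    worst_case: float        # E when the password is captured (P = 0)
    average: float           # the article averages best and worst case
    survives_rotation: bool  # password retired before it can be cracked


def exposure_days(rotation_days: int, crack_days: float) -> float:
    """E = C - P, never negative: a password that outlives the rotation
    window is discarded before the attacker can use it."""
    if rotation_days <= 0:
        raise ValueError("rotation period must be positive")
    return max(rotation_days - crack_days, 0.0)


def estimate(rotation_days: int, crack_days: float) -> ExposureEstimate:
    best = exposure_days(rotation_days, crack_days)
    worst = exposure_days(rotation_days, 0.0)  # captured, not cracked
    return ExposureEstimate(rotation_days, crack_days, best, worst,
                            (best + worst) / 2, best == 0.0)


def longest_rotation_for_target(crack_days: float, max_average: float) -> int:
    """Assumed helper: longest rotation period (whole days) whose average
    exposure stays within max_average. Average exposure grows with C, so
    scan upward until the next day would exceed the limit."""
    if estimate(1, crack_days).average > max_average:
        return 0  # no whole-day rotation period meets the target
    c = 1
    while estimate(c + 1, crack_days).average <= max_average:
        c += 1
    return c


if __name__ == "__main__":
    for c in (90, 45):  # the article's two rotation policies
        e = estimate(c, 71)  # 71 days: the article's 10-digit example
        print(f"C={c:>3}: best {e.best_case:.0f}, worst {e.worst_case:.0f}, "
              f"average {e.average:.1f}, survives: {e.survives_rotation}")
```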
