Peer to Peer Magazine

Fall 2014: Security Is Everyone's Business

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/411912


the password, versus a best-case scenario of 19 days. Let's quantify this.

Best-case scenario for one to 19 days of exposure:

Top speed of the Internet connection: 10 MB/second (it might be more in your organization, but let's keep the math simple)
19 days x 24 hours x 60 minutes x 60 seconds = 1,641,600 seconds
1,641,600 seconds x 10 MB/second = 16,416,000 MB, or 16,031 GB, or about 15.7 TB of data

In simple terms, by keeping password expiration at 90 days, an organization risks losing 15.7 TB of data in the best-case scenario. By implementing a 45-day password expiration, the password expires before even the best-case crack completes, so the best-case scenario is zero days of exposure and therefore zero data loss. And the cost? Nothing.

Let's make it easy and place a dollar amount of $1 per GB of lost data. The real number would most likely be a lot higher, but it doesn't matter. Again, this is the best-case scenario; the worst case in both examples would be a great deal more.

Best-case scenario for a 90-day policy: 16,031 GB = $16,031 cost
Best-case scenario for a 45-day policy: 0 GB = $0 cost
$0 < $16,031

Therefore, it is more cost-effective to have a password policy that forces a change every 45 days rather than every 90 days. The argument to alter how often passwords should be changed was won with business talk, not IT talk.

ONE BATTLE IN THE WAR

The longevity of passwords is just one layer in our password defenses, and it does not account for passwords obtained by phishing or other trickery rather than by brute force. The example above is also just one scenario under a certain set of conditions, but these conditions are real and the possibilities exist today. In fact, with modern multicore processors and on-demand cloud computing available cheaply, this example could actually be very generous in its calculations: potentially, much stronger passwords can be cracked in less time.
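The exposure-window arithmetic above, generalized into a small model (an added example, not code from the article or its author): it reproduces the 90-day and 45-day figures, covers the phished-password case the article flags (crack time zero, so the whole expiry window is exposed), and shows how the crack time itself shrinks as the guess rate rises. The 71-day crack time is inferred from the article's 19 days of exposure under a 90-day policy, and the guess rates fed to the brute-force calculation are assumptions, not figures from the article.

```python
"""Exposure-window model behind the 90-day vs. 45-day comparison.

Added example; not from the article. The 10 MB/s line rate and $1/GB
figures are the article's. The 71-day crack time is inferred from its
"19 days of exposure under a 90-day policy"; guess rates are assumptions.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 24 * 60 * 60
MB_PER_GB = 1024


@dataclass(frozen=True)
class Policy:
    name: str
    expiry_days: int


def exposure_days(expiry_days: float, crack_days: float) -> float:
    """Days a compromised password stays valid after it is obtained.

    If the password expires before the crack completes there is no window.
    A phished password has crack_days == 0: the whole lifetime is exposed.
    """
    return max(0.0, expiry_days - crack_days)


def data_loss_gb(exposure: float, rate_mb_per_s: float) -> float:
    """Most an attacker can move over the window at a flat line rate."""
    return exposure * SECONDS_PER_DAY * rate_mb_per_s / MB_PER_GB


def policy_cost(policy: Policy, crack_days: float,
                rate_mb_per_s: float = 10.0, dollars_per_gb: float = 1.0) -> dict:
    """Reproduce the article's arithmetic for one expiration policy."""
    window = exposure_days(policy.expiry_days, crack_days)
    gb = data_loss_gb(window, rate_mb_per_s)
    return {"policy": policy.name, "exposure_days": window,
            "gb": gb, "cost_usd": gb * dollars_per_gb}


def brute_force_days(charset_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Days to exhaust a keyspace at a given guess rate (attacker's upper bound).

    Shows how the crack-time input moves with cheaper compute; the rates
    passed in are assumptions, not measurements from the article.
    """
    return charset_size ** length / guesses_per_second / SECONDS_PER_DAY


def compare(policies, crack_days, **kw):
    """Cost table for several policies against one crack time."""
    return [policy_cost(p, crack_days, **kw) for p in policies]


if __name__ == "__main__":
    CRACK_DAYS = 71  # inferred: 90-day expiry minus 19 days of exposure
    policies = [Policy("90-day", 90), Policy("45-day", 45)]
    for row in compare(policies, CRACK_DAYS):
        print(f"{row['policy']}: {row['exposure_days']:.0f} days exposed, "
              f"{row['gb']:,.0f} GB, ${row['cost_usd']:,.0f}")
    # Phished password: crack time 0, so every day until expiry is exposed.
    for row in compare(policies, 0):
        print(f"phished, {row['policy']}: ${row['cost_usd']:,.0f}")
    # Assumed guess rates (illustrative only): 1e9/s and 1e11/s.
    for rate in (1e9, 1e11):
        print(f"8-char mixed-case+digits at {rate:.0e} guesses/s: "
              f"{brute_force_days(62, 8, rate):.2f} days to exhaust")
```

The phished case is the one to keep in mind when reading the article's conclusion: with crack time zero, a shorter expiry still bounds the window, but the 45-day policy no longer yields zero exposure.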
The purpose of the password-expiration example above was to point out the real business value of shortening password expiration. In warfare you prepare plans and set up defenses for what your enemy can do, not what he actually will do. The vast and seemingly unlimited resources of today's persistent threats change how we have to look at everyday security. Continual training, protection and enforcement of stronger passwords are still much needed. But, as shown here, those actions could all be undermined with little notice and with little to moderate effort. Until the day when passwords are no longer needed to secure a network, shorter password lifetimes, together with a ban on reusing old passwords after expiration, are a solid and cost-effective means of helping to protect any organization.

CASE STUDIES

Lost Info Costs Over $250 Million
by Phil Weldon

On Wednesday, May 3, 2006, a civil servant working for the Department of Veterans Affairs went home as he did every night, carrying his work laptop and day-to-day things. Later, in what law enforcement would describe as an ordinary breaking and entering, his work laptop and a very small external hard drive were stolen from his home. Two full weeks after the theft, officials announced to the public that the stolen data might include sensitive personally identifiable information (SPII) on 26.5 million veterans and their families. It was eventually determined that, among other things, the SPII included information on 1.1 million active duty troops, 430,000 members of the National Guard and 645,000 members of the reserves. The information included, but was not limited to, Social Security numbers, numerical disability ratings and dates of birth. After the disclosure and the press fallout, Congress determined the damages could amount to over $250 million. This lack of any perceivable data security was the proverbial ticking time bomb. Common, easy-to-use, everyday software could have prevented all of this.

In this case, an ounce of prevention (encryption software on the laptop and the external drive) would have prevented the pound of cure ($250 million).
