In my previous blog on cybersecurity, I provided a high-level perspective on the cybersecurity environment for justice organizations today. I noted that the environment is worrisome — it is a virtual certainty that cyberattackers, at this very moment, are looking for a way to infiltrate your organization’s networks and systems.
But I promised a progression (crawl, walk, run) that you can employ immediately to quickly begin thwarting cyberattackers and protecting your networks and systems, as well as the critical data and applications that run on them. This strategy is based on industry best practices and thought leadership to which MCP has actively contributed.[1]
While cybersecurity can be a huge, costly, and complex risk, basic and fundamental measures will make your organization a more “inconvenient target” and provide rudimentary building blocks for recovery. Here is a quick rundown of the basics:
Let me drill into one of these measures: strong, complex passwords. Updating your organization’s current policy to enforce the use of strong passwords or passphrases is imperative. When doing so, it is vital to consider four critical aspects of password/passphrase creation: length, uniqueness, complexity, and the ability to easily memorize them.
The common wisdom is that this will be a painful, productivity-killing exercise for your workforce. However, that does not have to be the case.
Here are the fundamentals regarding password strength:
But passwords have to be created, maintained, and remembered by human beings. We know that many people, if not most, use only a few passwords across all networks, systems, and applications that they access. They do this because long, complex passwords are difficult to remember. Of course, this is a bad idea. An equally bad idea is writing down complex passwords because they often are left where others can see them—almost unbelievably, people often write passwords on sticky notes and then affix them to their computer monitors for ease of reference, but also theft.
To aid retention in a highly secure manner, we strongly recommend that organizations move away from passwords and toward passphrases. The latter are very easily remembered and yet extremely difficult to crack.
Here’s an example. Let’s say that a user has an affinity for flowers. The user simply could use the common word “petunias,” but a much better option would be the passphrase, “Redrosesrule.” Now let’s use the password-strength-checker tool available from Thycotic, a provider of privileged access management software, to illustrate the difference between them. According to the tool, “petunias” would be cracked in 21 seconds by a computer system using reverse-engineering software; in contrast, it would take 1,000 years to crack “Redrosesrule.” But if we were to add a couple of capital letters and a numeral, to create “3RedRosesRule,” it would take 634,000 years to crack this passphrase. Clearly, leveraging all of the character types identified above is the best approach to password/passphrase creation.
Here’s another example. One passphrase that I use contains 12 characters that reflect all four aspects of password/passphrase creation identified above. According to the Thycotic tool, it would take 373 trillion years to crack this code—adding a 13th special character extends the timeline to an astounding 29 quadrillion years!
While cyberattacks and their aftermath can become a big, complex, costly problem for public safety and justice agencies, protecting your organization and its assets doesn’t need to be. You can start with the basics. Each of the tactics listed above takes some organization, discipline, and persistence — but they can be accomplished.
At MCP, we understand that your organization may lack the ready resources required for these fundamental changes. You may not have access to the technical professionals and industry-leading tools that make these initial steps easier and more cost effective.
MCP maintains these tools and expertise. We couple this with our appreciation of what it takes to meet your mission, an appreciation for how difficult even basic organizational change can be, and an understanding of how to help an organization successfully manage change.
A huge problem for organizations today in the fight against cyberattacks is that the attackers and their tactics are evolving continuously, seemingly by the minute. Because attack vectors mutate constantly, the legacy antivirus and whitelisting approaches cannot possibly keep up. Complicating matters is that numerous malware types have emerged that are completely undetectable by legacy antivirus programs and whitelisting tactics.
The ever-evolving threat landscape requires more and more sophisticated strategies, tactics, and tools. Consequently, MCP recently added an endpoint protection solution to its NetPulse Secure™ cybersecurity monitoring suite. Unlike traditional signature-based antivirus offerings, this solution uses artificial intelligence and machine-learning models to detect malicious software that cannot be detected and/or cannot be mitigated by legacy antivirus signatures. The solution is backed by MCP’s security operations center (SOC), which continuously monitors for threats 24 x 7, and alerts clients of suspicious activities.
This is just one of the resources we will discuss in our next blog. In it, we will identify intermediate and advanced tactics that will help you further improve your organization’s cybersecurity posture with more advanced tools and proactive strategies.
* * * * *
In the meantime, I hope that you will reach out—MCP has numerous subject-matter experts and solutions that will enable you to improve your organization’s cybersecurity posture. We’re eager to be of assistance —because your mission matters.
Joe Wheeler is vice president – justice and courts for Mission Critical Partners, and a member of the IJIS Institute board of directors. He can be emailed at JoeWheeler@MissionCriticalPartners.com.
[1] See the upcoming Joint Technology Committee Resource Bulletin, Cybersecurity for the Courts.