It’s critically important for local governments and school districts to safeguard their information systems. In 2022, estimated losses from cyberattacks were over $775 million, while losses nationwide totaled $10.3 billion. The State Comptroller’s office works with local communities to reduce their vulnerabilities through training and auditing of their cybersecurity measures. Richard Saunders, an information systems auditor in our division of local government and school accountability, is one of the good guys working to test and secure critical local networks and systems. We asked Richard about what he loves about his work and why it matters.

🔵 Why pursue a job in IT auditing?

I’ve been interested in computing and technology my whole life. Public service has always been incredibly important to my family – my mom was a public school teacher and my dad had a long career in the Air Force. I use my knowledge of information security to help protect New York taxpayers and it aligns with my own values and desire for a better work-life balance.

🔵 How do you help local governments proactively protect themselves against cyberattacks?

Schools and local governments are rich targets for bad actors out there that are looking to make a quick buck. Many schools and local governments do not have the funding or the expertise to develop a robust set of security programs. We examine their operations, show them the gaps in their security programs, and help them find practical, cost-effective solutions. One thing that we talk about a lot is doing preparedness drills. It’s an easy, affordable step that people can take right now. It also helps you get back on your feet faster if there is an incident.

🔵 What advice do you have for young professionals?

Cybersecurity is a growing field and the need for trained professionals is high. At the State Comptroller’s office, you can really have an impact. Our work keeps the lights on, the water flowing and protects taxpayer money. We’re not out there trying to sell a product, we’re trying to make life better for people.

Join Richard in making a difference for local communities! The State Comptroller’s office is hiring information systems auditors for regions across the state. Whether you’re graduating from college or looking to change jobs, you can build a career with purpose with our team. Visit osc.ny.gov/jobs to learn more and apply.
Office of the NYS Comptroller Thomas P. DiNapoli’s Post
More Relevant Posts
-
I'm writing a password generator, in that many of my passwords haven't been changed in ages. So let's talk a moment about security. You may as well assume that an attacker knows my system, or has guessed it. Maybe there are ten possible systems, or 100, and the attacker tries them all. My system therefore is only secure if disclosing its details would not compromise it.

Okay, here it is. I have a list of 1000 words. Got it by downloading the Scrabble word list and cherrypicking ones that I liked. Assume that my word list is public. Passwords are seven words long. Each word starts with a capital letter, and "35%" is appended to the end to satisfy 'strong password' requirements. Now I have lg(1000)*7=70 bits of entropy. That is, 1000^7 possible passwords with no preference within that set. That's why it would be okay for an attacker to know my word list, and the system for password construction.

For every word, I have to choose at random from the list. Really at random, and that's harder than it sounds. I do it with dice. Yeah, the old polyhedral d20 to the rescue. Three tosses of a d10 and I have a 1000x choice that you cannot crack. This does not scale. But whatever - I don't need millions of passwords.

All the attacks that get me to type a password into a compromised site are still valid. But none of the attacks based on cracking a downloaded database are. Oops, that assumes the site at the other end does things right. Essentially, they need to store the hash value of my password and not the password itself. Any site storing raw passwords needs to be taken out back.

How did I arrive at 'seven words long'? Well, that's questionable. With a 1000-word dictionary, that's 70 bits of entropy. If an attacker can analyze a certain number of trials per second, and is willing to wait perhaps 1 year for a result, then how many bits of entropy do I need? Every time I add a word to the password length, I multiply the cracking time by 1000.

Hey, why am I using words at all? Simple number sequences would produce entropy just fine, and are easy to type. That's a possibility. Replace every word from my list with 3 decimal digits and you have the equivalent security. I think that's harder to work with. Easier to mistype, for instance.

The scheme's not original, in that I couldn't patent it. I heard this approach somewhere, somewhen. And it's fairly obvious once you start thinking about how to defend against crackers. But here it is.
-
The significance of good #cyberhygiene cannot be overstated, particularly in mitigating or stopping a #cyberattack from causing significant #businessrisks. We offer our expertise in developing an Information Security Program for your organisation, aimed at fostering organisational resilience and information security maturity. This program can serve to reduce the occurrence of #breaches and downtime. By partnering with us to implement this program, your organisation can benefit from a tailored approach to addressing the complexities of safeguarding information assets. Our team of experts can provide you with the necessary guidance and support to ensure that your organisation's information security framework aligns with industry best practices. https://lnkd.in/grYQjHyx
-
Recent M.S. Graduate in Information Technology at Pace University | IT Support | Linux | Active Directory | Jira | Windows Server
Sharing this blog I saw earlier from Katlyn G. for those interested in learning about Discretionary Access Control. "Guide to Discretionary Access Control (DAC) with Examples" | Built In https://lnkd.in/ex7pk9Vw #dac #security #systemsecurity #learning #tech #securitypolicy #techcommunity
Guide to Discretionary Access Control (DAC) With Examples
builtin.com
-
Cyber Security Professional | GSEC | GFACT | GIAC Advisory Board Member | ISC2 CC | Cyber Advisor | Azure Administrator | CCNA in Progress | Specialist in Tech Marketing | Public Speaker | Content Creator
2 out of 3 passwords could be cracked before you finish reading this sentence. Even a seemingly complex P@$$w0rd is not enough to keep you safe. Here is what to do instead: 👇👇👇

You might not believe this. But a complex password like “P@$$w0rd” can be cracked instantly — in 0.0000001 seconds. A simple four-word passphrase like “boundary coal communication defeat” on the other hand, would take up to 63.41 million trillion trillion trillion centuries.

Before I explain why the second one is more secure, let’s discuss the math of password cracking. “P@$$w0rd” is 8 characters long. Let’s say each character could have 102 possible values (UPPERCASE, lowercase, 0123456789 + special characters). That's 11,716,593,810,022,656 possible combinations to try! Impossible? Well, actually no. Today, a high-end PC can check 1,400,000,000,000 unique password combinations per second. Meaning an attacker would take 2 hours and 19 minutes to break this password. Computers have come a long way!

But why wait this long if there's a faster method? One that takes less than a second! We can download a compromised password database to check if P@$$w0rd is on it. With 1.4 trillion guesses per second, it only takes 50 milliseconds to test all 82 billion entries of the RockYou database. And what do you know... Over 34,168 accounts used P@$$w0rd to protect their account.

“boundary coal communication defeat” on the other hand is 100% unique. Cracking this four-word passphrase with brute force would require 63.41 million trillion trillion trillion centuries, even with the fastest computers.

Want to create a super-secure 4-word password? All you need are 4-5 dice and a wordlist. Match the word to the numbers you rolled. Combine words without spaces, LikeThis. Use-dashes-between-each-word. Or empty spaces work too! :)

I recommend using physical dice with one of the EFF’s wordlists at https://lnkd.in/ec8hcGvK You can also use the Diceware Password Generator on this website: https://lnkd.in/eNEDSmty

In my next post, I'll explain how to use your new 4-word passphrase with a password manager. Follow me if you want to read it, or if you are generally interested in relatable #cybersecurity content in your newsfeed. Is your password secure? Let me know in the comments. 👇👇👇

Additional references: https://lnkd.in/eYqMBnzE https://lnkd.in/eJxhvikR https://lnkd.in/gQzEgVfJ
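Both the seven-word scheme in the password generator post above and the four-word EFF Diceware approach in the post just above are instances of one procedure: pick words uniformly with dice, multiply the per-word entropy by the word count, and compare the resulting keyspace with a guessing rate. The following Python is an added illustration of that general procedure, not code from either poster or from the EFF. It generalizes the posts in one way: when the dice outcomes do not map exactly onto the list (the posts' 10^3 = 1000 and 6^5 = 7776 cases do), it re-rolls out-of-range outcomes instead of taking a modulus, which is what keeps every word equally likely. `SAMPLE_WORDS` is a constructed 20-word stand-in for a real list, `fair_die` is a CSPRNG stand-in for the physical dice the posts recommend, and the function names are this example's own.

```python
import math
import secrets
from typing import Callable, List

# Constructed word list standing in for the 1000-word Scrabble pick in the
# first post or an EFF list; only its length enters the entropy figures.
SAMPLE_WORDS: List[str] = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber",
]


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from list_size words.

    The first post's lg(1000) * 7 and the EFF long list's ~12.9 bits per word
    are both instances of this formula."""
    return n_words * math.log2(list_size)


def brute_force_seconds(keyspace: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given guessing rate."""
    return keyspace / guesses_per_second


def rolls_needed(list_size: int, sides: int) -> int:
    """Fewest rolls of a `sides`-sided die whose outcomes can index every word.

    Integer arithmetic, so exact powers (10**3 = 1000, 6**5 = 7776) are not
    thrown off by floating-point logarithms."""
    rolls, span = 0, 1
    while span < list_size:
        span *= sides
        rolls += 1
    return rolls


def fair_die(sides: int) -> int:
    """Software stand-in for a physical die: a uniform face in 1..sides from
    the OS CSPRNG. Swap in a function that reads real dice if you prefer."""
    return secrets.randbelow(sides) + 1


def roll_index(list_size: int, sides: int,
               roll: Callable[[int], int] = fair_die) -> int:
    """Turn dice rolls into a uniform index in [0, list_size).

    The rolls are read as base-`sides` digits. When sides**rolls exceeds the
    list (a 20-word list with a d6 needs 2 rolls = 36 outcomes), any outcome
    past the end of the list is discarded and the whole word is re-rolled.
    Reducing modulo list_size instead would favour low-index words; rejection
    sampling avoids that bias."""
    n = rolls_needed(list_size, sides)
    while True:
        idx = 0
        for _ in range(n):
            face = roll(sides)  # 1..sides, like reading a physical die
            idx = idx * sides + (face - 1)
        if idx < list_size:
            return idx


def generate_passphrase(
    words: List[str] = SAMPLE_WORDS,
    n_words: int = 7,
    sides: int = 10,
    roll: Callable[[int], int] = fair_die,
    sep: str = "",
    capitalize: bool = True,
    suffix: str = "35%",
) -> str:
    """Build a passphrase as the first post describes: n_words dice-chosen
    words, each capitalised, joined without spaces, with a fixed suffix to
    satisfy character-class rules. The suffix adds no entropy. sep="-" or " "
    with suffix="" gives the second post's styles."""
    chosen = [words[roll_index(len(words), sides, roll)] for _ in range(n_words)]
    if capitalize:
        chosen = [w.capitalize() for w in chosen]
    return sep.join(chosen) + suffix


if __name__ == "__main__":
    print("7 words from a 1000-word list:", round(entropy_bits(1000, 7), 1), "bits")
    print("4 words from the 7776-word EFF list:", round(entropy_bits(7776, 4), 1), "bits")
    # The second post's figure: 8 characters from 102 symbols at 1.4e12 guesses/s.
    secs = brute_force_seconds(102 ** 8, 1.4e12)
    print("102^8 keyspace at 1.4e12 guesses/s:", round(secs / 3600, 2), "hours")
    print("Example passphrase:", generate_passphrase(n_words=4, sep="-", suffix=""))
```

Running the block prints the posts' own numbers (about 69.8 bits for seven words from 1000, about 51.7 bits for four EFF words, and roughly 2.32 hours for the 102^8 keyspace at 1.4 trillion guesses per second) and a fresh passphrase; passing a different `roll` function lets you feed in the faces of physical dice instead of the CSPRNG.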
-
Some versions of a popular open-source operating system got exploited, and it was *accidentally discovered* after noticing some odd behaviors, among which were millisecond delays in logins! The scale, buildup, and complexity of this exploit is just mind blowing and there are lots of lessons learned that auditors need to be aware of:

- Don’t overlook minor discrepancies, the devil is in the details.
- Incorporate insider threat in risk analysis.
- Maintain a strong mindset and professional skepticism; if you believe something is wrong, chase after it.
- Be quick to act, especially in reporting vulnerabilities; the sooner the better.

More about the exploit here: https://lnkd.in/dSUNMAdH

Now think about this: if your desktop wallpaper does not immediately change to the one set by admins once connected to a secured private network, should you be bothered? How are you going to handle this in your next IT audit?
-
Hello LinkedIn Friends and Associates! I'm venting but I am stuck in Password H311. My company has us change about every two months but we must select a very lengthy password, cannot use a password vault and somehow the system determines if your password is close to a word or not. The frustration is not remembering the password. It is guessing what the system considers a word or sentence with all the random letters and symbols in it. F@LL1NGB@CKW@RD5 is too close to a word or phrase. I would choose random but I can't even cut and paste the password within the system to save it in a file somewhere. I know I'll eventually put it on a Post-it note somewhere to remember it. It must be at least 12 characters, no words or phrases, a random assortment of letters and at least three numbers and three symbols.

I completely understand zero trust. But having policies to not write the password down, not save it anywhere and use no mnemonics to remember it is starting to make the zero trust ensure users don't follow the rules because of ability, not because of lack of wanting to comply. How do IT organizations faced with security develop this in a way that is easy for users to comply?
-
Garbage in, garbage out. Here we explore why data quality is fundamental to access recertification success. #cybersecurity #dataquality #informationsecurity
3 Reasons Data Quality Determines Your Access Recertification Success
i-confidential.com
-
Not Ready To Call Us Just Yet? No problem! We still want to send you a copy of our recently published report, '21 Questions To Ask Before Hiring An IT Team.' Are you sure your financial service business isn't vulnerable to costly issues like lost data, viruses, hacker attacks, and other critical problems? Do you know your IT professional's policies, procedures, and service standards? This report provides crucial questions to ask your current IT provider. Simply fill out the form at https://lnkd.in/eGZdFYN9, and we'll send you a copy today! #ITReport #DataSecurity
-
Certified Cybersecurity Expert & Privacy Advocate | Public Speaker & Media Analyst | Author, Educator & Podcaster | Opinions are my own, but happily shared.
A sweeping report analyzing #government software #security reveals that almost 60% contain vulnerabilities unpatched for over a year. Here are my top 3 takeaways:

1. More than half of critical vulnerabilities are due to dependence on third-party code
2. Unsurprisingly, large legacy apps contain most unpatched flaws
3. The US gov has introduced a new self-attestation agreement to push #accountability onto software providers

#CISA #Veracode #breach #prevention #standards #cdnpoli
Veracode Research Reveals Government Applications at Heightened Risk of Cyber Attack: 59% Have Flaws Left Unfixed for More than a Year | Veracode
veracode.com
Chief of Applied Technology Unit (Cybersecurity & AI) | at Office of the NYS Comptroller, Thomas P. DiNapoli
3mo: Outstanding! Great to see your leadership and expertise spotlighted, Rich 🙌