Hackers and Government Systems

(The following are notes from an NCSL session about keeping government systems secure from hackers. It was presented to IT staff and cybersecurity personnel by a security expert, so the information is presented from the angle of “you guys are responsible for securing your government systems, here’s what to consider.”)

Moderator: Joel Redding, Legislative Research Commission Kentucky

Speaker: Jerry Gamblin, Information Services Division, House of Representatives, Missouri

“If you spend more on printer ink than on IT security, you will be hacked. What’s more, you deserve to be hacked.” – Richard Clarke, White House CyberSecurity Advisor

 

www.jerrygamblin.com

 

Legislators say:

  • Too busy for security
  • I have nothing to hide
  • Hate to be embarrassed

Hackers:

  • They have plenty of time
  • “I have nothing to hide” is a challenge to them
  • Love to embarrass people

Close to 500 US House staffers recently had their email passwords hacked

Security Awareness

  • Use social media correctly; Facebook and Twitter must be configured correctly
  • Long password policy: over 10 characters
  • Hackers have machines that can try to break a password with 2,000,000 guesses a second
  • Password “reuse”: use different passwords on all your accounts (social media, bank, official)
  • $31 billion in lost cell phones a year
  • SSN theft moves into the personal realm; staffers have SSNs when they help with casework
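
To connect the “over 10 characters” policy with the 2,000,000 guesses a second figure, here is an added example (not from the session or the speaker) that computes how long it takes to exhaust every password of a given length at that rate. The alphabet sizes are constructed assumptions.

```python
# Added example: worst-case brute-force time at the guess rate quoted in the notes.
GUESSES_PER_SECOND = 2_000_000          # figure from the session notes
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed alphabet sizes (assumptions, not from the notes).
ALPHABETS = {"lowercase": 26, "letters+digits": 62, "printable ASCII": 95}


def seconds_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Time to try every password of exactly `length` characters."""
    return alphabet_size ** length / rate


def min_length_for(years, alphabet_size, rate=GUESSES_PER_SECOND):
    """Shortest length whose full keyspace outlasts `years` of guessing."""
    budget = years * SECONDS_PER_YEAR * rate   # guesses the attacker can make
    length = 1
    while alphabet_size ** length < budget:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report(lengths=(6, 8, 10, 11, 12)):
    """One row per (alphabet, length) with the time to exhaust the keyspace."""
    return [(name, n, humanize(seconds_to_exhaust(n, size)))
            for name, size in ALPHABETS.items() for n in lengths]


if __name__ == "__main__":
    for name, n, t in report():
        print(f"{name:16} length {n:2}: {t}")
    print("lowercase length needed to outlast 10 years:", min_length_for(10, 26))
```

These are upper bounds for randomly chosen passwords; dictionary words and reused passwords fall far sooner than the full keyspace figure suggests.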

Improve security infrastructure

  • 97% of hacks are NOT through Windows
  • The entry points are PDF, Java, and Flash
  • Update Adobe

Update firewall

  • “Next Generation Firewalls” updates

Remote Access

  • If secure remote access is not set up, users will use Dropbox and other non-secure programs
  • You have to use and allow for remote access

Website auditing

  • Have someone try and hack your website
  • These are called “white hat” hackers for hire
  • Most big computer companies provide this service (Dell, HP, Apple, etc.); lots of options

Responsibility

  • Whose responsibility is it to safeguard government systems? It does not matter: once a breach happens, the damage is done, regardless of who gets the blame

Time

  • Having a secure system is a long term goal
  • Invest money over the long haul
  • Brand new system not worth having if it’s not secure

You must have “buy-in” from leadership to be able to move forward on funding the most secure system possible. It is expensive, but necessary; explain it to them so they know WHY they need to pay for it.

“security is a team”

No silver bullet
