How to Keep Hackers Out of Your Capitol

(The following are notes from an NCSL session about keeping government systems secure from hackers. It was presented by a security expert to IT staff and cybersecurity personnel, so the information is framed as “you are responsible for securing your government systems; here is what to consider.”)

Moderator: Joel Redding, Legislative Research Commission Kentucky

Speaker: Jerry Gamblin, Information Services Division, House of Representatives, Missouri

“If you spend more on printer ink than on IT security, you will be hacked. What’s more, you deserve to be hacked.” – Richard Clarke, White House CyberSecurity Advisor

www.jerrygamblin.com

Legislators say:

  • Too busy for security
  • Nothing to hide
  • Hate to be embarrassed

Hackers

  • Have plenty of time
  • “I have nothing to hide” is a challenge
  • Love to embarrass people

* Close to 500 US House staffers’ email passwords hacked

* South Carolina with a recent breach and exposure of over 4,000,000 SSN’s and personal information

Security Awareness

  • Social media used correctly; Facebook and Twitter must be configured correctly; all staff must learn the privacy settings; state systems can be exposed through these websites;
  • Long password policy: over 10 characters; use multiple words with spaces, e.g. “I love NSCL 2013” rather than “I<3NSCL2013”;
  • Hackers have machines that can try 2,000,000 guesses a second, built from just three key words or phrases connected to the user;
  • Password “reuse”: use a different password on every account (social media, bank, official);
  • $31 billion in lost cell phones a year; hackers get access to your information if they can get into your phone; huge risk exposure; people are less aware of the need to protect their phones;
  • SSN theft moves into a personal realm; staffers hold SSNs when they help constituents with “casework,” walking them through problems with state agencies;
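As an added illustration of the password guidance above (this is not part of the session notes), the Python script below checks a candidate password against the stated policy (over 10 characters, multiple words separated by spaces) and estimates worst-case brute-force time at the quoted 2,000,000 guesses per second. The character-class weighting is an assumption for the demo; the two sample passwords are the ones from the notes.

```python
import string

GUESSES_PER_SECOND = 2_000_000  # rate quoted in the session notes
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Assumed attacker model: the keyspace is every character class
    present in the password, raised to the password length."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable symbols
    if " " in password:
        size += 1
    return size


def brute_force_seconds(password: str) -> float:
    """Worst-case seconds to exhaust the keyspace at GUESSES_PER_SECOND.
    Caveat (the notes' own point): a targeted guess built from a few
    known phrases about the user finishes far sooner than this."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def meets_policy(password: str) -> tuple[bool, list[str]]:
    """Apply the session's password policy; returns (ok, list of problems)."""
    problems = []
    if len(password) <= 10:
        problems.append("must be longer than 10 characters")
    if len(password.split()) < 2:
        problems.append("must contain multiple words separated by spaces")
    return (not problems, problems)


def report(password: str) -> dict:
    """Summarise policy result and brute-force estimate for one password."""
    ok, problems = meets_policy(password)
    years = brute_force_seconds(password) / SECONDS_PER_YEAR
    return {"password": password, "policy_ok": ok,
            "problems": problems, "brute_force_years": years}


if __name__ == "__main__":
    for candidate in ("I<3NSCL2013", "I love NSCL 2013"):  # from the notes
        print(report(candidate))
```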

Improve security infrastructure

  • 97% of hacks are NOT through Windows itself;
  • The entry points are PDF, Java and Flash;
  • Keep Adobe products updated

Update firewall

  • Move to “Next Generation Firewalls” and keep them updated
  • Firewalls from as recently as two years ago are prehistoric compared with what is available now;

 Remote Access

  • Some legislatures do not allow remote access; mistake!
  • Offer it, and offer it securely
  • Otherwise, guess what? Users want remote access and will set it up themselves with Dropbox and other non-secure programs
  • You have to allow for remote access and provide it properly

 Website auditing

  • Have someone try to hack your website
  • These are called “white hat” hackers
  • “White hat” hackers are for hire
  • Most big computer companies provide this service (Dell, HP, Apple, etc.); there are lots of options

Responsibility

  • Whose responsibility is it to safeguard government systems? It does not matter – once a breach happens, the damage is done regardless of who gets the blame

Time

  • Having a secure system is a long-term goal
  • Invest money over the long haul
  • A brand new system is not worth having if it is not secure

* Must have “buy-in” from leadership to move forward on funding the most secure system possible; it is expensive, but necessary; explain it to them so they know WHY they need to pay for it;

* “security is a team”

* No silver bullet
