Cyberthreats are increasing in number and severity, but an ounce of prevention goes a long way toward protecting systems and information.
This report is based on the activities of the Digital Communities program, a network of public- and private-sector IT professionals who are working to improve local governments’ delivery of public service through the use of digital technology. The program — a partnership between Government Technology and e.Republic’s Center for Digital Government — consists of task forces that meet online and in person to exchange information on important issues facing local government IT professionals.
More than 1,000 government and industry members participate in Digital Communities task forces focused on digital infrastructure, law enforcement and big city/county leadership. The Digital Communities program also conducts the annual Digital Cities and Digital Counties surveys, which track technology trends and identify and promote best practices in local government.
Digital Communities quarterly reports appear in Government Technology magazine in March, June, September and December.
Anyone responsible for the security of city or county information systems has reason for concern. Not only are hackers accelerating their attacks, but nations — including the United States, according to a recent New York Times article — also are joining in with new, well bankrolled attacks so sophisticated that it can take years to spot them. It is almost routine now to read of attacks that expose Social Security numbers, passwords, credit card information, medical records and more.
Even banks, supposedly the gold standard for IT security, have been hacked, and in one exploit — called Operation High Roller — a coordinated cyberattack against 60 different banks netted hackers some $78 million. Chiming in to the growing discord are “hacktivist” groups determined to make political or social points by attacking their opponents. What was once seen as a somewhat benign activity of young nerds has become much more serious.
Photo: Hackers and security researchers once mixed amiably at the annual DefCon hacker conference, but things are becoming more serious.
“The first 20 years in the war between hackers and security defenders was pretty laid back for both sides,” said Kevin Poulsen in a 2009 Wired magazine article. “The hackers were tricky, sometimes even ingenious, but rarely organized. A wealthy anti-virus industry rose on the simple countermeasure of checking computer files for signatures of known attacks. Hackers and security researchers mixed amiably at DefCon [a hacker conference] every year, seamlessly switching sides without anyone really caring. From now on, it’s serious,” he warned. “In the future, there won’t be many amateurs.”
Poulsen — who served prison time for hacking and is now news editor for Wired.com — knows what he’s talking about. Attacks have become more sophisticated and numerous, creating real economic damage as Americans spend more time and money online. Consumer Reports said that in 2010, malware cost Americans $2.3 billion, and globally the annual price tag of consumer cybercrime is $110 billion, according to the 2012 Norton Cybercrime Report.
The threats have accelerated, and costs have spiked just as cities and counties struggle to emerge from the recession in which budgets were cut, IT staff slashed and new hiring virtually stopped. Chief information security officers are in short supply and only some larger jurisdictions can afford them, leaving information systems vulnerable.
But it’s not just smaller jurisdictions that are having trouble. When Eastern European hackers broke a weak password and grabbed 800,000 records from the Utah Department of Health, the state’s highly regarded CIO took the fall. Utah Gov. Gary Herbert said hackers mounted 1 million attacks per day on the state’s IT systems prior to the breach.
And according to a 2011 report from the U.S. Government Accountability Office, “Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing 650 percent over the past five years.”
Is there an end in sight? Will someone create a solution that will solve the problem and give everyone some much-needed relief? Not according to security experts. Some, including Internet pioneer Vint Cerf, have suggested that security might improve with better authentication although that may compromise privacy, while others see only a continual escalation of attack and defense.
In 2009, for example, Columbia University computer science Professor Steven Bellovin said, “The odds on anyone ... finding a magic solution to the computer security problems are exactly zero. Most of the problems we have are due to buggy code, and there’s no single cause or solution to that.”
In a recent interview with Government Technology, Bellovin — who is now the Federal Trade Commission’s chief technologist, but spoke for himself and not the FTC — said his viewpoint remains the same: The complexity of millions of lines of computer code is too difficult a problem to have a single solution. “I think we need to build systems with different architectures, ones that are designed under the realization that there will be security failures,” Bellovin said. “Authentication won’t do it. In most breaches, the bad guys go around the strong authentication, not through it. My own working philosophy is that programs will have security bugs — then what?”
By these accounts, it appears we are condemned to an eternity of infuriating, expensive and seemingly intractable cybersecurity attacks. Fortunately, however, there are things that can be done to improve security and prevent most — if not all — attacks. It’s similar to health, said several experts. No one can guarantee perfect health, but specific steps can be taken now to prevent the majority of illnesses and improve health while science works to eliminate disease. And that’s the practical approach to security advocated by many experts interviewed for this special section.
Here are some examples of the different types of exploits launched against individuals and jurisdictions over the past few years.
Example: In California, hackers inserted scanners into gasoline pumps, so that when a customer inserted a credit or ATM card and punched in a PIN, those bits were copied and later retrieved by the hacker. Then that information was used to empty bank accounts, run up fraudulent charges, etc.
Example: Hackers broke into Sarah Palin’s email account while she was running for vice president and posted her personal emails online.
Example: Bradley Manning, a soldier, is charged with providing hundreds of thousands of diplomatic cables, intelligence reports and other classified information to WikiLeaks.
Example: Hackers got into a University of Houston College of Optometry database and deleted the records of 7,000 patients.
Example: When a Russian court sentenced members of the band Pussy Riot to jail, hackers defaced the court’s website inserting a video and anti-Putin statements.
Example: Utah’s Health Exchange website was defaced last August.
After being hacked, you may need to:
1. Change all passwords.
2. Find out how the hack was made and fix the vulnerability.
3. Go through huge numbers of records to see if any were tampered with, changed, deleted, etc.
4. Check for “back doors” left by hackers so they can get back into your systems.
5. Notify citizens, patients, staff, etc., that their information may be compromised.
6. Pay large fines if certain information was revealed (credit card information, Social Security numbers, bank account information, medical records) and you had inadequate security in place.
7. Pay for credit monitoring services for anyone whose information is at risk.
8. Defend against lawsuits from people whose information was exposed and who became victims of identity theft.
9. Restore what you can from a backup, after checking the backup for contamination.
10. Reformat and reinstall software and rebuild your systems from scratch.
11. Find another job.
Example: Someone broke into the Santa Clara, Calif., University website and changed the grades of 60 students.
Example: In a demonstration of particular interest to government, a power generator was damaged over the Internet.
Example: Earlier this year, Gen. Keith Alexander, head of the National Security Agency and the U.S. Cyber Command, warned that within two years, computer hackers could have the ability to shut down the country’s electrical grid. He said that between 2009 and 2011, cyberattacks on American infrastructure increased 17-fold. Attacks on critical infrastructure such as water, electricity, communication and computer networks also are escalating.
Example: In 2008, rebooting a single computer shut down a nuclear plant in Georgia, and the U.S. Department of State warned that such facilities are vulnerable to attack.
Example: In 2008, a San Francisco city employee learned that his job was going to be terminated and locked everyone out of the city’s local area network, denying access to personnel records, police reports, etc.
Example: Both dc.gov and nyc.gov were brought down by distributed denial-of-service attacks that overwhelmed those websites with traffic.
Example: Offshore gambling sites were told to pay $50,000 each or they would be hacked and brought down.
Example: Hackers distribute a virus that enables infected computers to be taken over and used to launch a denial-of-service attack on other websites. Some even rent out the network of hacked computers to others who want to launch such an attack.
An ounce of prevention, as the saying goes, is worth a pound of cure. And while nothing can guarantee a perfect defense against attacks, there are some concepts that can help greatly. Will Pelgrin, CEO of the Center for Internet Security, likens cybersecurity to layers of an onion, and said there are simple steps that anyone can take to reduce the likelihood of a successful attack on computers, data and systems.
For example, he said, if a jurisdiction were to follow these four strategies, 85 percent of all cyberattacks could be avoided:
1. Patch applications such as PDF viewers, Microsoft Office and Java within two days of threat notification.
2. Use the latest operating system version and patch within two days for vulnerabilities.
3. Limit the number of users with administrative access privileges to those who really need access.
4. Whitelist applications to help prevent malicious software and other unapproved programs from running (e.g., by using Microsoft Software Restriction Policies or AppLocker).
Pelgrin said security measures must be as automatic as putting on seat belts. Drivers don’t necessarily wear seat belts because they think they may be in an accident, nor do they buckle up because they fear a traffic ticket. They do it because it’s become a routine part of driving. Securing computers and systems should become just as routine.
So what are some other onion layers? A helpful analogy is to think of how you secure your home. You lock the doors and windows at night, set an alarm if you’re gone, put valuables in a safe, tell your children not to invite people over when you’re not there and buy homeowner’s insurance. If you live in a high-crime neighborhood, you might have a dog and bar the windows and doors.
With the Internet, however, there are no safe neighborhoods — your “house” is accessible from anywhere in the world. And since cities and counties provide access to the public for information and transactions, you must be prepared to sort the traffic and attempt to keep out the bad guys even with high traffic volume.
The first element of strong security is a strong password — as boring as that may sound. You have a key to the front door of your house; computers and computer systems use passwords. Weak passwords are like simple door locks that can be sprung with a paper clip. Short, simple words — for example, your dog’s name “Scotty” — make weak passwords. Cybercrooks can break these in a few seconds. For starters, a good password is at least eight characters long. Using upper- and lowercase letters also increases the time required to crack it. Adding a number or two strengthens your defenses even more, and adding a punctuation mark or other symbol gets you into “strong password” territory that could take years for a hacker to crack. Use tools like Microsoft’s password strength checker to make sure you’re on the right track.
RESOURCES FOR CITIES AND COUNTIES: Tools, Templates and Guides
Multi-State Information Sharing and Analysis Center cybersecurity guides for nontechnical managers.
SANS advice on protecting mobile devices: PINs, passwords, pattern locks, encryption, backups, remote wiping, and what to do if your device is lost or stolen.
White House Guide to bring your own device (how to safely integrate personal mobile devices into your network).
McGraw-Hill basic security training, concepts, definitions, two-minute drill and a self-test.
A four-page nontechnical acceptable use template developed by MS-ISAC and LeRoy, N.Y.
This webpage contains many different types of security policy templates from the SANS Institute.
NIST Computer Security Incident Handling Guide
The Open Web Application Security Project live CD: testing tools for website security
Metasploit penetration testing tools
Trustwave perimeter scanning for vulnerability and PCI compliance
Strong passwords are complex — but how do you remember them? Writing them on a sticky note attached to the screen or under the keyboard means anybody with physical access to your computer can get into your data. But experts have come up with a few tricks to jog your memory. Start with a phrase, for example, that commemorates a family activity: “We camped at Humbug Mountain in 2010.” Your password could be the first letters of that phrase: “WcaHMi2010.” Microsoft’s checker rates this password as “medium” strength.
To strengthen it, trade some letters or numbers for symbols. For example, trade the “a” for an ampersand (&), the “i” for a colon (:) and swap the two zeros for letter Os. That gives you: “Wc&HM:2O1O”. Microsoft’s checker says that’s a “strong” password, and it’s much easier to remember than a randomly generated strong password. So you’ve beefed up your front door and installed a deadbolt.
Pelgrin said using the same password for your home computer and work systems is like using the same key for your house, car, office and storage facility. If someone makes a copy of that one key, they have access to everything. Typically, if hackers crack one password, they will try that password on any other systems (e.g., social networks and mobile devices) that you use. “Keep your city or county login password strong and don’t use it anywhere else,” Pelgrin said. And, even though it’s inconvenient, passwords should be changed regularly.
If you have too many passwords to remember, try using a password manager, which stores multiple passwords in an “online safe” where users only need one password for access. “They let you randomly generate strong passwords for all your accounts and store them securely,” said Joanne McNabb, chief of California’s Privacy Protection Office, in a newspaper article. McNabb said there are a number of free password managers including: KeePass (for Windows, OS X, Linux, Android and iOS), Password Safe (Windows) and Keychain (Mac).
In some cases, biometric devices that require a fingerprint, retina scan or facial recognition can provide secure access without a password. For instance, staff members at the Sacramento, Calif., City Clerk’s Office are piloting fingerprint readers for their mobile devices.
Americans lose $7 million in mobile devices every day. Yet Pelgrin said he’s astounded at how many people don’t use a sign-on password for their smartphones. Simply setting a four-digit passcode will keep a thief out of smartphone users’ personal information, bank accounts, contact lists, etc., and after a certain number of wrong attempts at cracking the password, the phone will freeze everything or erase all data.
Using strong passwords isn’t the only security measure to take, but it’s a good start. The next layer of the “onion defense” is a firewall. If someone knocks on your front door, you would certainly find out who they are and what they want before inviting them in. A firewall does that for a computer. It analyzes traffic coming from the Internet, for example, that’s going into the computer system and allows some traffic to enter and stops other traffic based on operating rules designed to protect the system from attacks. Most firewalls offer a choice of “on” or “off.” To have this layer of protection, make sure your firewall is on. If the firewall stops a connection you want, then add an exception in the firewall settings.
Viruses are so named because they copy themselves and infect computer systems, traveling from computer to computer over the Internet or wirelessly. They can erase, change or steal information, and even hijack a computer and allow someone else to use it.
Your protection against biological viruses is immunizations, isolation, use of hand sanitizers and so on. Your protection against digital viruses is anti-virus software, along with common-sense measures like not clicking on suspicious emails or email attachments. Anti-virus software should always be installed and kept updated, Pelgrin said. There are a number of subscription-based anti-virus offerings, and Windows now comes loaded with its own free virus protection software called Security Essentials.
In a house, you may put valuables like jewelry, laptops, guns and cash in a safe. It provides an additional layer of protection for things people would be likeliest to steal. Likewise, cities and counties have data that would be most attractive to thieves, and that needs an additional layer of security. Encryption takes data that may be in plain text and substitutes symbols, etc., for that text. Many databases come with encryption, and some very secure encryption is even available for free.
As with a household safe, not everything will be encrypted, there’s not enough room, or it’s too expensive, or it makes daily work too slow. So how does one decide what needs extra protection?
Ilene Klein, chief information security officer of Phoenix, has some suggestions. For instance, she said there’s no justification for encrypting public data. “On the other end of the spectrum,” Klein said, “there is data that if released could cause harm. For example, police officers’ home addresses. That data has to be protected. There is data that has to be protected for legal or industry requirements.” This includes health information, which is protected under the Health Insurance Portability and Accountability Act, and for agencies accepting credit cards, Payment Card Industry security standards must be followed. In addition, criminal justice information and homeland security data often demand special protections too.
“In between [public and sensitive data] you have information that is for internal use only, like employee data, some of that is public information,” Klein said. “For example, my salary is public information. But public information is interspersed with confidential information. My Social Security number is part of that employee record, but that’s confidential, so that field needs to be protected. If somebody requests my employee record, the public part can be released, but my Social Security number has to be redacted. And hopefully, my home address would be redacted as well.
“Another type of information that falls into that middle category is some procurement information. It is not public yet, because a deal is pending, but after the deal is done, the information becomes public. Make sure you have policies behind everything, make sure all your employees know those policies and know how to handle information appropriately.”
Klein said public information can be password protected and posted on the public Internet. The middle layer is password protected, stored on a server, not a laptop. Sensitive information, she said, should be encrypted, stored on a file server, and password protected with access limited to only those people who need it.
Sometimes, executives demand access to encrypted material because they are executives, not necessarily because they use that data. The more people with access, the less secure the data.
Seattle’s Hamilton said the proliferation of mobile devices has made it harder to control data entering or leaving city systems. “We don’t have control over anything resembling a perimeter,” he said. “It would be ludicrous to assume we could address security on every end point; there are just too many flavors of them, so that horse has left the barn. To address the growing risk … it’s important to focus on those assets that are really important in the context of city and county government.”
Hamilton reeled off some of Seattle’s most valuable assets. “We manage transportation, all the signal timing, signage, cameras, that’s a big IP network,” he explained. “We manage communications that tie together different law enforcement organizations. We deliver energy, water, we remove sewage, and those are all control systems.
“Then we have our big pots of gold,” he said. “We have our [human resources] database with everybody’s bank routing number, we have a little bit of cardholder data, business license data, so it’s very important for us to quit thinking about ‘how am I going to control every one of those end points?’ I’m going to do risk-based application of controls, and I’m going to build little mini-moats around the really important stuff.”
OK, you have strong passwords, have your firewalls turned on, have installed and updated your anti-virus software, and are patching software and operating systems and following security best practices. Now — to continue the home-security analogy — you need to establish some agreements with the family. In city or county governments, those agreements are called policy or acceptable use agreements. Most of these, like security 101, are just common sense.
A family might have policies like: The last one to leave the house turns off the lights, checks the doors and windows to make sure they’re locked and sets the alarm. Parents might tell the kids that their friends can’t visit unless a parent is present, and if someone is at the door not to open it unless they know who it is. Sometimes people will object to policy or acceptable use agreements, as they are often not the easiest way to do things. Hackers will certainly object to them as it makes their jobs more difficult, which is the whole idea.
Acceptable use policies might be that staff can’t use their personal computers to connect to the internal city or county network from home unless they use a virtual private network, which encrypts the information going back and forth. Or a government policy might say that staff members can use their mobile phones to access email and calendaring that are available on the Internet but may not connect by personal mobile device to the internal network. Or that personal thumb drives may not be connected to internal computers as they may contain a virus picked up elsewhere.
It’s convenient to sit at a coffee shop using an unsecured Wi-Fi connection. It’s convenient to put work files on a memory stick and transport them between home and work. But hackers take advantage of carelessness and convenience, so policies are basically agreements that will help avoid vulnerabilities.
You can notice changes in your children that might indicate they are coming down with a cold or the flu. Something unusual: a higher than normal temperature, for example, or coughing. With computer systems, said Pelgrin, there are likewise symptoms of infection by malware. Slower-than-usual operation, an unexplained lack of disk space, applications that don’t work right, crashes, or correct passwords that don’t work. Each of these is an indication that the computer may be infected with some kind of bug. Time to make a trip to the doctor; time to scan your system or take the computer in for repair.
Photo: Will Pelgrin, CEO, Center for Internet Security
A home alarm system and surveillance cameras are useful if something is missing or a mysterious problem arises. Camera footage can be reviewed. If no one is home, an intrusion is noted and authorities are notified. Without an intrusion detection system or computer logs, bad things might be happening without anyone noticing. Someone, for example, trying a password unsuccessfully hundreds of times would be an indication of an attack. Was an attempt to crack into the system successful? If so, which files were compromised? What were they after? How much damage was done? How did they get in? Did they leave a back door so they can return? To answer those and other questions, logs must be kept and audited.
That can be troublesome, said Klein. Security logs use a lot of storage space, and they are time-consuming to audit. But some way or another, they must be maintained and monitored. “Reputable cloud providers have more resources so that’s one advantage of going to a cloud provider,” she said. “But if your information is breached, you are still responsible. You can outsource the work, but not the accountability.”
On the Internet, there are no gated communities; no safe little neighborhoods tucked away off the beaten track. Seattle’s Hamilton said his city has been the recipient of targeted attacks. “And frankly,” he said, “we see a lot of countries with very dubious law enforcement controls, knocking on our door all the time.” But local governments can join together in a sort of “Neighborhood Watch” to keep an eye out for unusual activity.
King County, Wash., for example, is doing just that, Hamilton said. “We have set up something called PRISEMS — the Public Regional Information Security Event Management System. In today’s world you have all these preventive measures in place, but the bad guys are going to get in, there’s no stopping them. Especially if you have a nation state coming after you, they’re going to do it.”
The cities of Seattle, Bellevue, Lynwood, Kirkland and Redmond, along with Kitsap County, Thurston County, Seattle Children’s Hospital, Snohomish Public Utility District and six maritime ports now send their security logs to one location for analysis, Hamilton said. “So we watch the attack surface of the region. We’re all connected; we have trust relationships between all of us because we do manage transportation, communications, law enforcement. … The bad guys are out there looking for the weak door, and we’ve been able to prove that.”
The Multi-State Information Sharing and Analysis Center is another good security resource for local government. Links to it and other useful resources can be found in the resources chapter of this special section.
As computers, servers, storage media and other system components reach the end of their useful life, they may be donated, recycled, etc. But there’s a security component to even such mundane actions. According to the Center for Internet Security, “Deleting files does not erase the information. It only makes the space containing the files available to store additional data. The information can often be retrieved by using forensics or other recovery tools. As new computers are purchased, older computers may be sold or surplused. You should assume that sensitive information may have been stored or viewed on all computers at some point in time. Before discarding your computer or portable storage devices, you need to be sure that that data has been erased or ‘wiped.’”
Defense-grade wiping software is available for free on the Internet. CDs and DVDs need to be shredded, and hard drives and other storage media returned under warranty should be destroyed.
If the house burns down, or someone trashes it, there’s insurance to rebuild or repair. If someone hacks into your information system and cleans you out, or messes things up, there’s a backup … isn’t there? Irreplaceable data on an individual computer can be backed up on an external drive, or one of the new “mini cloud” offerings like iCloud for Apple devices, or Dropbox for a variety of applications, subject to a jurisdiction’s security policies.
Some anti-virus software has an optional online backup service for protected computers. Some agencies have cloud email, calendaring and other applications so that mobile devices can get access without coming into the protected city or county system, and that also serves as a backup for those materials.
Bigger systems often have backups that are continually synchronized from somewhere offsite. In any case, if the system is hacked, the burning question is: Have you backed up your data?