AUSTIN, TEXAS — Texas is beefing up its cyberdefenses with a new contract with a major telecommunications firm offering centralized help to federated agencies, the state's top technology official said during the second day of the annual Texas Digital Government Summit.
But he and a private industry security expert warned hundreds of attendees that the cybersecurity threat to the public sector is growing and becoming more sophisticated.
In December, AT&T announced that the Texas Department of Information Resources (DIR) had hired them to provide state agencies with managed security services — security monitoring, device management, incident response and risk and compliance assessments.
State data center customers may already get some of these services, which are bundled with those they already receive. But Texas CIO Todd Kimbriel, one of Government Technology’s Top 25 Doers, Dreamers & Drivers of 2018, urged agency CIOs to consider taking advantage of the new AT&T offerings, available on a “pay-as-you-go basis.”
“The view that everybody pretty much adopts nowadays is, it’s not whether or not you’ll have a penetration but how are you going to respond to it? You really have to focus on what’s your containment strategy, what’s your forensic strategy, what’s your eradication strategy, to make sure that if you do get infected, you have all of those abilities and strengths and maturities to actually respond and eradicate quickly, to contain whatever that problem might be,” Kimbriel said.
The new pact with AT&T will also enable agencies to comply with House Bill 8, the Texas Cybersecurity Act, approved during the last legislative session. HB8 requires state agencies to do a cybersecurity assessment every two years, the CIO said — essentially a “maturity assessment of your organization, your cyber capabilities.”
But DIR, which typically funds around 15 of these assessments through administrative fees, received additional general revenue from the Legislature — and will now fund as many as 40 assessments per year through the new managed security services contract.
State-level cybersecurity can be constrained by manpower and budget, the CIO said, and its essential nature means every dollar must be spent wisely.
“The one thing that I would say is that we are absolutely focused on injecting a risk mitigation evaluation strategy, so that every dollar that we invest is really targeting the high probability, high impact risk that we have. Not only for ourselves, but for you guys as well,” Kimbriel said.
The agency’s perspective on cybersecurity has changed 180 degrees since he joined DIR in 2008, Kimbriel said — away from a siloed, need-to-know “cloak of darkness” outlook toward transparency and being “stronger by sharing.”
But he emphasized the danger from bad actors is constant and on the rise — a viewpoint that Etay Maor, executive security advisor at IBM Security, shared and made clear in a vivid dissection of common online threats and strategies to avoid them or mitigate their effects.
Public agencies and private businesses focus on defense, but that’s difficult unless they know “how the other side is attacking,” said Maor, who warned listeners to beware of so-called Wi-Fi pineapples — a device invented to serve penetration testers, but easily capable of being used to steal sensitive passwords and execute man-in-the-middle attacks that capture online communications.
Hackers have evolved their strategies quickly to outmaneuver public- and private-sector cybersecurity officials, he said. He said he's seen instances where victims of phishing attacks clicked on links that sent them to landing pages, which then passed them on to a login page that captures their information. But cybersecurity technicians who are wise enough to find the login page directly will instead get a “404 error” message.
“They understand how we operate, and they put in these little traps to make our job a lot harder. They reverse-engineer our procedures and our tools to make their procedures more efficient,” Maor said.
Even so-called velocity checks — solutions capable of spotting fake, automated logins to sensitive, secure sites because they occur too quickly to be hand-typed — have been thwarted, the advisor said. In this case, he said hackers can rewrite their code in hours to insert a random, tiny delay between keystrokes — whereas a corresponding fix from banks and institutions on the other side can take weeks.
Humans, with our multiple online platform presence, weak passwords and lack of cyber savvy remain the key issue, Maor said, urging those present to change or update their passwords. Just be sure to harden and train the right way, he counseled, offering the World War II survivorship bias example of statistician Abraham Wald, who suggested the military armor areas on returning bombers that were untouched by enemy fire — because that’s exactly where fallen bombers would have been fatally struck.
“At the end of the day, if their employees don’t know that they shouldn’t connect to an unsecure Wi-Fi like the pineapple, then that doesn’t matter, I’m already inside (your organization). You’d much rather have a red team give you a huge headache today than an interview on NBC where you have to explain how you get hacked,” Maor said.