JEFFERSON CITY, Mo. — Ninety percent of successful cyberattacks originate from phishing. And though phishing is a technologically unsophisticated attack strategy, it remains viable and is enjoying resurgent popularity thanks to its reliance on human behavior, cybersecurity experts told attendees at the Missouri Digital Government Summit*.
The event, held Tuesday, June 13, showed how very real and quick even a simulated network hack could be, and attendees had their own staffing and end-user security challenges confirmed by high-level state officials.
IT staff is in dramatically short supply as a generation of staffers continues to retire, state and industry officials agreed, but they also identified bright spots emerging on the technology landscape that should be capitalized upon.
Perhaps most fundamentally, moderator and Missouri Chief Operating Officer Drew Erdmann told a lunchtime crowd that public employees must realize that “IT is not IT’s problem.”
“I see that as one of the biggest challenges across government," he said. "It’s actually a top management challenge, and I think one of the things we’re trying to do at the state is make sure all leaders and managers view cybersecurity as part of their management agenda."
He pointed out that Sarah H. Steelman, commissioner in the state Office of Administration, has been leading the cabinet in a discussion of how to confront cybersecurity threats.
Panelists Michael Roling, state chief information security officer; Terry Hect, director and chief security strategist at AT&T; and Sean Telles, manager of systems engineering, public sector state and local at ForeScout Technologies Inc., highlighted cybersecurity issues endemic to state and local agencies.
The advent of mobile technology has amplified the role of cybersecurity professionals in part by allowing access to large-scale networks virtually everywhere device users travel, Hect told the audience. But he said technology may also offer solutions to staffing shortages private and public sectors face.
“There aren’t enough people to do that work, period, end of story," Hect said, "so we’ve got to rely on automation and analytics and machine learning to build into the architecture to do that heavy lifting."
Telles, whose firm offers solutions designed to monitor security and control network access, said too often companies and agencies that hire “great people” are hamstrung by multiple best practices.
“Find one best way of doing something. We incorporate that across our organization, then we automate our workflow,” he advised those assembled.
Roling, one of three Team Missouri members recognized as Government Technology’s Top 25 Doers, Dreamers & Drivers of 2017, agreed that staffing is a common issue across public and private sectors, and said staffers must be instilled with a sense of mission and of the number of public-sector opportunities for advancement.
But in a common theme during the panel, and in a smaller cyber-focused session and during an exploration of phishing psychology, Roling emphasized the continued success of basic attack strategies.
The Symantec 2017 Internet Security Threat Report, released on Wednesday, April 26, bolstered the direction of his remarks with its finding that criminals increasingly rely on email and common IT tools in mounting attacks.
Organized crime and hacktivists represent significant threats, Roling told the lunch crowd, but third-party contracts are also a significant source of risk — and in the private sector, a third-party vulnerability led to the historic 2013 Target breach.
During the smaller session that followed, Roling joined Verizon officials as they demonstrated just how easy it is for hackers, hacktivists and cybercriminals to breach networks regardless of distance or type of asset — capturing a password and gaining access within minutes as an audience of IT officials looked on.
Steve McCluskey, manager solutions architect of Internet of Things (IoT) Development at Verizon Wireless, advised those assembled to restrict MAC addresses, cover their bases, check their firewalls, don’t waste time on ineffective solutions, don’t broadcast Service Set Identifiers (SSID) — and use strong passwords.
“It’s just going to raise your level. Modern-day hackers, they’re millennials,” McCluskey said — admitting that’s perhaps increasingly but not always the case.
But generally, if hackers “have to work really hard at something, they move on, and that’s what we want,” he added, emphasizing that “there’s no network that’s secure. If somebody wants in your network, they can get in your network.”
Verizon’s Security Director of Public Sector West Gary Schwartz discussed the company’s annual Data Breach Investigations Report (DBIR) released on Thursday, April 27 — which ranked the public sector midrange among five types of entities assessed for data breaches last year.
The basics still aren’t covered, he told the audience, noting one in 14 users assessed in the DBIR fell for a phishing attack — just 7 percent of users. But a larger number of that group, 25 percent, were victims of phishing a second time.
“Not once but twice,” Schwartz told the group, recommending strong passwords, limiting attachments, regular patching and dual-factor or multifactor authentication.
Lucas Waldren, help desk technician in IT for the city of Nixa, a municipality of more than 19,000 in the southwestern part of the state, said he attended the summit to research dual-factor authentication, which he indicated Nixa might potentially adopt later this year for its law enforcement and code enforcement officers in the field.
“We have faced some threats here,” Waldren told Government Technology, indicating entities had previously tried to “brute-force” the agency.
Enhanced authentication for employees’ internal-facing Microsoft Windows profiles would only improve Nixa’s cybersecurity strategy, he added, “so that anybody that is going to go into our terminal server, they’ll have to deal with the two-factor.”
On the inside, Roling told the audience during the session he led, officials need to help employees modify their own thinking to combat phishing, which he characterized as “really no different than any other classic swindle.”
“The bad guys they figure out a way to exploit the fast side of our brain. They’re trying to make us think fast, jump the gun and do things that we normally wouldn’t do. You can mitigate your risk."
"Even behavior can be changed,” Roling said, noting the state assesses its end users every four to six weeks.
Breaches and incidents aside, Roling and his fellow lunchtime panelists agreed the cybersecurity landscape is not the minefield it may sometimes appear.
Public agencies have overcome any shame or shyness they may have had at reporting breaches and seeking help from private technology companies, Hect said, noting the two sectors are regularly “together in lockstep at nearly every event.”
“Something that we might mention is the IoT — and we all wish it was called the Internet of Secure Things,” Missouri Acting CIO Rich Kliethermes said, seeking industry thoughts during a lunchtime question-and-answer session after the panel.
Hect noted he usually refers to IoT as “Internet of Abandoned Things” — a reference to the state of IoT security — and said agencies and companies need to drive developers to center on common standards.
Telles questioned whether every IoT device really needs to contribute to Internet traffic and pointed out that, as they did during the initial rise of the Internet, leaders are implementing first and securing second.
The state’s Deputy CIO Steven Siegler asked Hect for tips on hiring and retraining staff.
Hect said he sees “an open mind and the ability to chase problems” as essentials, along with “the will to do it and the understanding of some technologies,” but that staffers can absolutely be retrained as technologies evolve.
Telles said when he interviewed candidates, he typically asked only three questions designed to reveal their work ethics and ambitions. Fostering those ambitions, he said, is how “we’re going to get some of the best talent and hold on to it.”
Roling said he looks to hire “people who have that fire, have that spark.”
Asked how they get buy-in from end-users — the so-called first lines of defense, the CISO said organizational culture begins at the top but agreed end users are the “first-line and the last-line in many situations.”
Telles noted he has said “for 23 years, culture kills IT,” and agreed “executive sponsorship” from the top of an agency or organization is essential.
Hect urged audience members to make tools and changes “as absolutely easy as you can” for employees to use to keep endpoints secure.
Asked for their overall takeaways, the three panelists agreed agencies should work to learn from any past mistakes or incidents, and retrain employees as one way to solve staffing issues.
*The Center for Digital Government is part of e.Republic, Government Technology's parent company.