Cybersecurity Summit Question and Answer Period, Part 1

The way an agency handles customer information is also how it handles personal information belonging to agency staff.

In his keynote address to a recent cybersecurity summit attended by California state and local government employees responsible for implementing security policies and securing information entrusted to state and local agencies, Larry Johnson, special agent in charge with the U.S. Secret Service, Criminal Investigative Division, provided an overview of threats to information security and general strategies agencies can implement to deal with them.

After Johnson's keynote, a panel of security experts from industry and state and local government responded to the results of interactive polls as well as questions raised by individual members of the audience concerning the challenges facing California state agencies in securing constituents' personal information while maintaining quality service. Panelists included Johnson, as well as Joanne McNabb, Chief, Office of Privacy Protection, California Department of Consumer Affairs; Thomas Gilheaney, Nortel Security Team; Doug Barbin, Verisign; Russell Jones, Deloitte and Touche; and Rick Dehlinger, Citrix. Kevin Dickey, deputy chief information officer and chief security officer for Contra Costa County, Calif., moderated the question and answer period.

Critical Security Issues
The number of devices connected to the Internet, the increasing length of time these devices are online, the growing prevalence of laptops in organizations, the geographic spread of organizations, and the increasing use of outsourcing and contracting to provide technology products and services are converging to create a new set of security challenges, Gilheaney said.

Voice over Internet Protocol (VoIP) is another emerging technology that presents significant security challenges, since VoIP can be attacked in the same way as Web sites are compromised, Gilheaney said.

Gilheaney said that security implementations tend to focus on technology and leave out the rest of the equation. Focus on people and processes as well as regulatory compliance and technology in order to be successful, he said.

McNabb agreed with Gilheaney about the spread of government's information technology operations and the importance of regulatory compliance and focusing on the people in government.

However, her focus was on protecting people from privacy invasions. Here, she said, the major challenge is the need for a real culture change among all the people in the state or local agency or company. The security staff knows what to do, she said. It is relaxed computer use by end-users that is the weakest link.

The challenge is to get agency staff to follow the process for handling citizens' data. To bring this home, bring up identity theft, she said. The way an agency handles customer information is also how it handles personal information belonging to agency staff.

Johnson pointed out that data security requires each entity handling sensitive information to do its own due diligence on the successive parties the data is passed on to. The due diligence of ChoicePoint and LexisNexis in the recent incidents involving the theft of personal information has been very good, he said; but as the info gets passed along, that due diligence gets less and less. As the passer of the info, an agency's staff needs to know who they are dealing with.

Barbin stressed the security of end-points -- such as desktops, laptops, handheld devices and users in remote offices -- as well as the use of host-based intrusion detection and prevention as more effective than host-based intrusion detection and prevention systems. Also, a database may be encrypted, but application logs are not, he said.

Dehlinger noted that government agencies are risk-averse, while hackers are defining the bleeding edge, and outdated policies will be hard-pressed to fight hackers. The four components of good cybersecurity are the technology, people, processes and social engineering as a means to carry out the attack.

Dickey said that federal and state agencies, counties and cities have different standards, and that cities and counties are left on their own to fund cybersecurity initiatives. However, Dickey did acknowledge that the tools were there for local governments to implement cybersecurity policies.