TACKLING TECH
No matter what defenses they adopt, states cannot guarantee perfect safety and so must be ready for if and when an attacker gets through. That means keeping backups secured offline, where they cannot be contaminated should ransomware infect the state network, said Michigan Deputy Chief Security Officer Jayson Cavendish during the event.
Of course, preventative measures are still essential, and states need to know what kind of attacks to expect. Ransomware perpetrators often find purchase in victims’ systems by going after known vulnerabilities that have been patchable for a year or more — not zero-day exploits, said Chris Jensen, federal business development and capture manager at cybersecurity firm Tenable. The oldness of the vulnerabilities means fixes are available, but also that these particular weaknesses may not be high on organizations’ radars.
The sort of weaknesses ransomware hackers go after might not “even register, necessarily, on a [Common Vulnerability Scoring System] CVSS score” as a critical vulnerability, Jensen said.
There may be quite a few such vulnerabilities lingering in states’ systems, making it important to identify which ones are most at risk of being exploited. Threat intelligence tools and services can help pinpoint those which malicious actors currently appear to be focusing on, helping states prioritize their patching efforts, Jensen said.
USER EXPERIENCE
It’s also just as important for states to attend to risky user behaviors that could introduce weaknesses. Delaware Chief Security Officer Solomon Adote said that organizations working to adopt better cyber hygiene and implement the kind of identity access and management controls and monitoring that can hinder hackers need to consider how these new methods impact workers’ experiences.
For example, personnel who feel that the multifactor authentication (MFA) measures cause too much friction are likely to create workarounds, such as by storing work files on personal devices to avoid having to go through login procedures, Adote said.
“You want multifactor authentications to be a very user-friendly solution and let them accept the connection on your smartphone or smartwatch,” Adote said.
Smooth authentication measures, promptly retiring accounts when employees leave and carefully monitoring account behavior to detect suspicious activity all can help reduce risks, he said.
Adote’s office also has found success with other efforts like sending out bite-sized, two-minute cybersecurity training videos to employees on a monthly basis, to supplement their mandatory annual training.
LOCAL TRUST
And states cannot afford to focus just on their own operations if they truly want to keep residents safe. Reaching out to help local governments is also essential, but only effective if states can win these agencies’ trust, said Rob Main, chief risk officer for North Carolina.
For North Carolina, that’s meant ensuring a strong local voice in whole-of-state cybersecurity efforts. North Carolina’s Joint Cybersecurity Task Force includes among its four key member groups a team of local government IT security professionals. This collaboration is key to opening doors when the state goes to respond to incidents at the local level, Main said.
That team — the North Carolina Local Government Information Systems Association IT Cyber Strike Team (NCLGISA IT Strike Team) — “is probably the one thing that allows us to most effectively support local governments,” Main said.
