State Auditor Report Directs Agencies to Clean Up

On July 16, 2019, the auditor of the State of California released a report taking to task at least 21 state agencies for not meeting adequate cybersecurity standards. The auditor claims that these lapses in security controls could potentially open up state residents to identity theft and harm the state’s finances.

It should be noted that these 21 state entities, among others audited, fall outside the authority of the governor’s office and, as a result, aren’t subject to the authority of the office the way other state agencies are. This means because these ‘Non-Reporting’ Entities (NREs) constitute an exception to the usual oversight structure, they’re free to choose the standards by which they apply their cybersecurity, and are not beholden to use the SAM-5300 compliance standard as directed by the governor’s office. That’s where the problems begin, one of which is in the form of deficiencies.

One of the more common deficiencies found among these entities is the lax attitude with which password security is employed. In many cases, the NREs fail to meet basic security hygiene standards, such as regular password changes and changing the default password of network equipment already in production.

Also of note is that while most of the NREs did employ a well-known security standard, such as SAM-5300 or NIST 800-53, they either didn’t use the standard properly or overlooked important parts of it when applying cyber security policy. For any organization, this type of audit result would be bad, but one could argue for state entities this is worse as it’s well-known they handle a large amount of personal information on a daily basis. This results in hackers having a field day launching ransomware attacks targeting intrinsic vulnerabilities.

Cybercriminals are savvy. The 24-page full report issued by the state’s auditor has, unfortunately, provided them with potential targets. Ironically, the report sounding the alarm about the high risk of cyber attacks at state agencies may have set into motion new attacks.

In the world of cyber security we talk about “the breach of the day,” and we’re seeing a large increase in ransomware attacks on cities and states of all sizes, like Atlanta and Baltimore. (See Prepare Now or Pay (Much More) Article.) This trend means municipalities must create a proactive plan immediately, if they haven’t already. Recent statistics show the amount of money hackers are demanding when holding entities for ransom is now upwards of six figures.

Many of the NREs have already implemented plans by choosing a standard they base their IT Security Policy on, such as NIST or SAM. However, a compliance standard is no replacement for policy written by, and for, your own organization. In order to meet the standards set out by these frameworks, you must have a well-written and clearly defined IT Security Policy that is both accessible and understandable to your employees and not just to your IT staff.

Granted, correcting security deficiencies takes time and resources, but there are actions that NREs and agencies alike can take now to get on the path to compliance with a more secure environment.

First and foremost, apply a framework ensuring that your organization’s policy is both comprehensive and coherent. As stated earlier, many of these California NREs have already chosen a popular standard to follow. Most are either using NIST 800-53 (created by the federal government), SAM 5300 (created by the State of California to augment NIST), or some combination of the two. These standards are both free to access, and would be a great place to start in deciding how you want to shape your company’s IT and Cyber Security Policy.

After choosing the standard, an assessment should be conducted to find out which parts of the standard should apply to your agency or organization. This step is crucial because when you’re conducting an honest assessment you’ll determine what controls are in place, noting controls that aren’t. You can then build a roadmap to ensure these gaps are closed in a timely manner. While this assessment is underway don’t wait to strengthen your defenses. In the interim you can establish or enhance the following:

• Awareness – It’s time to change the culture of your agency or organization by making everyone more aware, not simply performing compliance training. Training is teaching a body of knowledge to someone, while awareness is changing the culture. The latter is what’s required to help ensure the bad guys don’t gain access to your IT environment. It’s worth the time it takes to create the required level of awareness by discussing the threats and applying an action plan that addresses the confidentiality, integrity, and availability of your data.
• Password Management – This is your first line of defense, so use this simple tool to help protect the sensitivity of your data and the data entrusted to you by third parties. Passwords must be strong, consisting of numbers, letters, and symbols while staying away from commonly used phrases and sequences such as ‘54321’ and ‘aabbccdd’ or ‘password.’ Passwords should NEVER be shared with anyone unless they’re an authorized member of your technical support staff working on your computer. Even then, your password should only be shared through a secure channel such as a direct voice-to-voice phone call, a text message, or even a sticky note. Most importantly, if you have to share your password, the password should be changed as soon as the needed maintenance task is completed. Finally, your systems should force a password change at fixed intervals to ensure that passwords never become stale. You lock your car and your house with a unique key to keep them secure. You’re essentially applying the same principle to your IT environment by locking it to protect sensitive data.
• Patch Management– Software that hasn’t been updated (patched) is a vulnerability waiting to be exploited by a hacker. Your IT department or vendor must take care of this basic task to help ensure the computers in your environment are at the proper protection level. It can be a simple system such as Microsoft WSUS, or a more complex system that allows you to control encryption, such as McAfee EndPoint. You also need to create a system in which your remote users ‘check in’ often with your network so they can also be updated and managed. Applying patch management is a ‘must do’ in order to make sure that recent vulnerabilities aren’t exploited by malicious actors seeking to gain access to your network.
• Physical Asset Security – It’s important to think about the physical asset when considering Cyber Security. Ensuring the assets your employees use to reach your IT infrastructure are physically and logically secure is a major part of preventing improper access to your network. This goes beyond simply applying passwords to your machines. It should also include encrypting the asset’s hard drive, setting a lockout time for inactive use, applying physical privacy screens so that no one looks over your employee’s shoulder to see confidential information and, above all, making sure assets are not left out for anyone to take. It might seem mundane, but reminding employees to keep an eye on their laptops when traveling and to lock up their laptops or take them home at the end of the day, will go a long way in keeping your data secure.

After all, cybercriminals can’t get into your IT environment without a way to get in first. Don’t make it easy for them.