Additional Security: Not Controlled by the User, Proactive LGO Security Implementations
By Timothy Neuman

Can protecting the critical and sensitive information accessible within a local government’s (LGO) Information Technology (IT) infrastructure be accomplished without the direct knowledge or significant involvement of the user? The LGO’s IT and internal audit departments must acknowledge and work with elected officials and other users in an environment that is often risk-tolerant and technologically untrained. This culture does not allow a flexible or quick response to computer network changes. For the LGO’s computer networks to have the efficient and effective controls necessary to protect them in the changing cybersecurity threat environment, the LGO’s IT department must adopt flexible policies and procedures, resulting in the biggest protective impact, within a culture they cannot control.  



THREAT

Cyber attackers are noticing that personally identifiable information, network resources, and platforms are managed by LGO IT departments that are often understaffed. Attackers leverage publicly available information and capitalize on segmented cybersecurity protections. The media has reported the impact of these attacks, which have included the disclosure of sensitive information and denial of critical resources to the public.¹


CALL TO ACTION

As LGOs begin to digitize more and more sensitive citizen data, IT departments must counter the risk by implementing more proactive measures. In the past, IT departments tried to gain support for such measures by increasing training for officials, users, and external vendors. These efforts have met with limited success due to lack of interest, the necessary expenditure of limited resources, and the pervading perception that only the IT department is responsible for cybersecurity. So, how should IT and internal audit departments maximize the limited resources available for cybersecurity training, given a mandate to identify and protect the governmental network? By adopting a shift in the security focus.


A NEW FOCUS

In the past, experts blamed the success of significant attacks on the laxity and carelessness of the network users. However, high-profile successful attacks on devices with no user terminals are on the rise. Future network attacks can only be thwarted by cybersecurity safeguards that do not require user efforts or knowledge. This new approach can still utilize older stable tools — like single sign-on, automatic access locks, and strict network addressing — but these tools must be implemented in a new way.


SINGLE SIGN-ON TECHNOLOGY

Cybersecurity attackers need only two pieces of information to be successful: a network access name and its associated password. Network administrators admit that high-end computers make brute force password attacks significantly easier; therefore, no password can be completely safe. While we cannot completely give up on regularly scheduled training on improving the users’ password behavior, its efficacy is diluted by the necessity for frequent password resets and users’ tendencies to write down their passwords. A February 5, 2019 article in Forbes reported on the results of a Google and Harris Poll,² which “… found there to be quite a gap between security perception and reality.” Forbes reported that 65 percent of the users sampled reuse their passwords, and 50 percent write their passwords down on paper. While the sampling was taken from the private sector, I am confident those statistics also apply to LGO users. The risks represented by these statistics are multiplied when LGO IT departments continue to allow and enable user accounts with simplistic user names and passwords.

But, what about the usernames? Has the LGO developed a road map to the highest-privileged accounts? We need to add defenses for usernames, especially the higher privileged accounts. The benefits of using a single sign-on strategy include fewer demands on the IT Help Desk and the need for only one, more secure, password.

Network single sign-on technology can be leveraged to include the username. After the first log-in screen, the common user will not directly view — nor want to interact with — the assigned network user name; the network administrators automate and control this security measure. Such a measure requires the attacker to break multiple accounts, blindly, before meaningful privileges can be identified and exploited.


ACCESS LOCKS

Government IT departments physically secure their server locations, usually behind a locked door that closes automatically and that only a few approved users may open, or with an entrance protected by human security guards during business hours. The purpose of the locks and guards is not to provide fast security, but to slow down the access process sufficiently to make a physical attack risky for the attacker. Why are we so careful with our usually off-the-shelf hardware, yet so careless with our digital information, which is much more valuable?

When networked computers stopped using Cathode Ray Tube (CRT) technology, because of the possibility of screen burnout, we disabled and/or cancelled the security measures within the screensaver program. Our goal was speed and permanent open access to all resources, at all times.

We need to re-enable the automated operating system computer security application, i.e., the window screensaver. While it would be impossible (and pointless) to establish a universally standard delay, the increase in the quantity of time users spend on computers has rendered the possibility of screen information burnout. Network administrators could also control the screensaver content, from inspirational words to system warnings to training content, and/or establish controls to lock the computer with a “secure logon” feature and add time limits or maximum number of wrong passwords. While this will not eliminate cyber-attacks, it will require the attacker to stay engaged for a longer period of time. The longer the attacker is engaged, the greater his (or her) odds of being caught or identified.


NETWORK ADDRESS

Making every computer utilize a private (unrouteable) static IP address restricts each one to a specific “right of way”. While dynamic assignment might save time — and with a large network may be the only and necessary action — most LGOs are small enough that static addressing is easily managed. Blocking all other addresses prevents outside or ‘unknown’ users from gaining automated access.
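
An added example, not part of the original article: one way an IT or audit team could check that every address seen on the network matches an approved static assignment. The inventory, the observed rows, the host names and the audit function are all constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges, checked explicitly: ipaddress's is_private is broader
# (it also accepts loopback, link-local and documentation ranges).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory of approved static assignments: IP -> (host, MAC).
INVENTORY = {
    "10.20.1.10": ("clerk-pc-01", "00:11:22:aa:bb:10"),
    "10.20.1.11": ("finance-pc-02", "00:11:22:aa:bb:11"),
    "10.20.1.20": ("records-srv", "00:11:22:aa:bb:20"),
}

# Constructed observations, as might be exported from a switch ARP table.
OBSERVED = [
    ("10.20.1.10", "00:11:22:AA:BB:10"),   # matches the inventory
    ("10.20.1.11", "00:11:22:aa:bb:99"),   # approved IP, different hardware
    ("10.20.1.77", "00:11:22:aa:bb:77"),   # private, but never assigned
    ("203.0.113.5", "00:11:22:aa:bb:05"),  # outside the RFC 1918 ranges
    ("not-an-ip", "00:11:22:aa:bb:00"),    # malformed export row
]

def audit(observed, inventory):
    """Return (ip, mac, finding) for each observation that does not match
    an approved static assignment."""
    findings = []
    for ip_text, mac in observed:
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            findings.append((ip_text, mac, "malformed address"))
            continue
        if not any(ip in net for net in RFC1918):
            findings.append((ip_text, mac, "not an RFC 1918 private address"))
        elif str(ip) not in inventory:
            findings.append((ip_text, mac, "private but unassigned address"))
        elif inventory[str(ip)][1].lower() != mac.strip().lower():
            host = inventory[str(ip)][0]
            findings.append((ip_text, mac, f"MAC mismatch for {host}"))
    return findings

if __name__ == "__main__":
    for ip_text, mac, finding in audit(OBSERVED, INVENTORY):
        print(f"{ip_text:<14} {mac}  {finding}")
```

Run on a schedule against a fresh export, an empty result means every observed address is an approved assignment; any row returned is a candidate for blocking or follow-up.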

Take this concept to the network routing tables: establish alarms (roadblocks or checkpoints, if you will) for change requests instead of blindly letting anything update every network node. This would require cyber-attackers to spend more time, exert more effort, and take greater chances than they’re willing to risk and would encourage them to move to another target.


SUMMARY

Cybersecurity and network attacks are significantly affecting LGO IT networks. The threat comes from more powerful computers with less intelligent actors. The use of single sign-on for network usernames, an automated and useful screensaver implementation, and address hardening for every network resource can significantly strengthen security policies without additional actions or efforts required from the users.


NOTES

1 McGalliard, T. (2018, March 30). How LGOs Can Prevent Cyberattacks. The New York Times. Retrieved April 12, 2019, from https://www.nytimes.com/2018/03/30/opinion/local-government-cyberattack.html

2 Winder, D. (2019, February 5). Google Reveals A Big Problem With Passwords On Safer Internet Day. Forbes. Retrieved April 17, 2019, from https://www.forbes.com/sites/daveywinder/2019/02/05/google-reveals-a-big-problem-with-passwords-on-safer-internet-day/#59eca4235e0b


ABOUT THE AUTHOR

Timothy Neuman is a Certified Information Systems Auditor (CISA) and Certified Internal Auditor with over 20 years of Information Systems auditing and consulting experience. He holds a Master of Information Systems and Master of Arts in Teaching. As a Senior Governmental Auditor, and University Adjunct, he utilizes the latest information system tools to evaluate, analyze, and instruct the citizens in the Savannah, Georgia area.