
Secure Elections: Your Role in Ensuring Safety and Integrity

Learn about election security measures, vendor management, system upgrades, and user training for secure elections. Improve physical, operational, and technical security to safeguard the election process. Take steps to protect against vulnerabilities and promote secure practices. Prioritize encryption, access management, system upgrades, and anti-virus measures. Ensure secure email practices, strong passwords, and updated hardware and software. Stay vigilant about physical security and report any suspicious activity. Play your part in election security by following best practices and utilizing available resources. Stay informed and proactive to help maintain the security and integrity of the election process.

acromer

Presentation Transcript


  1. Elections, Security, & You. Selena Tonti, Chief Information Security & Privacy Officer, King County Information Technology. June 13, 2019

  2. Secure Elections need Your…

  3. In the news… Elections, Security & You

  4. Election Process Vulnerabilities: Physical Security, Operational Security, Technical Security

  5. I.T.- Secure elections!
     • Vendor Management
     • Backups
     • User Training
     • Logging & Monitoring
     • Encryption
     • Access Management
     • System Upgrades & Updates (Patching)
     • Anti-virus & Spam filters
     • Firewalls and segmented/isolated systems
     Vote YES

  6. User: Secure elections! Vote YES

  7. #1- Manage your Email …don’t let it manage you! Don’t get phished! • [enter details Sender email is Gmail Attachment Known vendor

  8. #2- Passwords are important! …quit acting like they’re not!
     • 15 characters!
     • Mix it up!
     • Unique
     Seriously, do not share– EVER!
     • If concerned of compromise
     • Every [90] days
     Only as strong as our weakest link!

  9. #3- Dinosaurs are dead …so why are you using them for important work?
     • Upgrade your hardware and software
     • Improve Performance
     • Additional Security Capabilities
     • Available security patching & updates

  10. #4- Nothing is for FREE …you get what you pay for.
      • Where is the hardware and software sourced from?
      • Did you review the Terms of Use and Conditions?
      • Reputable software generally has trial periods
      OR

  11. #5- Physical Security … facilities, people, systems and processes
      • ASK without hesitation:
      • Lock your computer when you walked away?
      • Has something changed?
      • What is that device?
      • Is someone acting or doing something odd?
      • Who is that person?

  12. Election Results: Back to the Basics
      • You play a role in security! You can do it!
      • Systems must be cared for, not ignored
      • Use available resources
      • Take the time– trust but verify!
      • Know your surroundings and report suspicious or odd activity

  13. KCE Cyber Audit. Mark Hinds, IT Engineer; Margaret Brownell, IT Div Director. King County Elections. June 13, 2019

  14. State Auditor Office – Cyber Audit
      • Not too scary and very helpful
      • Penetration Testing of our applications
      • Twice
      • 5 CIS Critical Security Controls
      • Helps prioritize and set framework for your security program
      • Free
      • 12 – 18 month process

  15. Penetration Testing
      • Performed by Emagined over 4 days on-site
      • Couldn’t get to our Tabulation system!
      • Didn’t get into our web systems
      • Did get into Printers
      • Did get into some staff accounts
      • Found old accounts for past or temp staff
      • Did get into some older or less utilized workstations
      • 2nd Pen Test to retest what they found after we implemented our security plan

  16. What have we learned and done?
      • 1st & easiest: Securing accounts
      • New password requirements
      • Minimum 12 characters; encourage > 15
      • Anything over 15 characters removes hackers' ability using legacy Windows protocols
      • Phrases are great!
      • Stopp3dbyWoodson$nowyEv3ning = 28
      • V0t1ngf4r#very0ne = 17
      • Passed 2nd Pen Test
      • No accounts compromised
      • Moving to Windows level MFA within 12 months

  17. Old Accounts
      • Created and implemented a policy and process for managing old AD accounts
      • All temps that get accounts have deactivation date when set-up
      • May ‘keep’ the account in deactivated state for up to 12 months
      • Easier & faster set-up for returning temps
      • Work closely with HR for hire / exit dates
      • KCE IT has one person dedicated to accounts as our volume was too much for our central IT
      • Also manages the Yubikeys and VoteWA access

  18. Printers – the hidden security risk
      • Any printer on the network is open to be compromised... unless you take action
      • During Pen Test Emagined engineers got into our printers and printed old print jobs
      • Completed:
      • Printer hardening – Referenced HP and NIST
      • Leased printers have vendor meet security settings
      • Removed wireless so only wired network connection
      • Will share a generic version of hardening settings with what protocols and services we shut off. Ask us

  19. Patching and Anti-Virus
      • Keep PCs up-to-date on patching
      • Have a scheduled patching day / night
      • King County does Tuesday nights / Wednesday morning
      • The patches have the latest security fixes for the operating system
      • Search for "Windows Update" on your computer to check your update status.
      • Anti-Virus – use it
      • Microsoft Defender, McAfee, Norton
      • Keep it updated - don't let your subscription expire
      • Perform weekly Virus scan
      • Check your settings to ensure your Anti-Virus is current

  20. Critical Security Controls 1 - 5
      • Inventory of Authorized/Unauthorized Devices
      • Inventory of Authorized/Unauthorized Software
      • Secure Configurations for Hardware and Software
      • Continuous Vulnerability Assessment and Remediation
      • Controlled Use of Administrative Privileges
      • Scored on a maturity level of 0 – 4
      • Each organization needs to determine their goal between 1 – 3+

  21. User Cyber Security Training
      • Online training required yearly by all KCE staff
      • Short modules: 2 – 5 minutes each
      • ~ 30 minutes of modules per user
      • Huge awareness by staff and eagerness to “catch” something
      • Virtually stopped the clicking of attachments without looking (Hover over links to see source)
      • O365 has great Attachment and link scanning features

  22. Next Steps
      • Work with both KCIT and OSOS to stay aligned with their Security Programs
      • Implement consistent vulnerability scanning
      • Remediation process
      • Sharing what we’ve learned and / or developed
      • Regular Pen Tests and audits to ensure we keep our focus and measure our security program progress

  23. Q&A: Selena Tonti, KCIT, CISO, stonti@kingcounty.gov; Margaret Brownell, KCE IT, margaret.brownell@kingcounty.gov; Mark Hinds, KCE IT, mark.hinds@kingcounty.gov
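
The old-account policy from slide 17 (a deactivation date set when a temp account is created, deactivated accounts kept for up to 12 months), as an added example that is not part of the original presentation: a Python audit over a constructed account export. The CSV column names, account names and dates are assumptions made for illustration, not King County data or an Active Directory schema.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real AD schema.
SAMPLE_EXPORT = """\
account,staff_type,enabled,deactivate_on,disabled_on
temp.alvarez,temp,true,2019-11-15,
temp.baker,temp,true,,
temp.chen,temp,true,2019-03-01,
temp.diaz,temp,false,2018-11-10,2018-11-10
temp.evans,temp,false,2017-11-10,2017-11-12
perm.fong,permanent,true,,
"""

RETENTION_MONTHS = 12  # slide 17: deactivated accounts kept up to 12 months


def add_months(d, months):
    """Return d shifted by whole months, clamping the day to 28 to stay valid."""
    y, m = divmod(d.month - 1 + months, 12)
    return date(d.year + y, m + 1, min(d.day, 28))


def parse_day(text):
    return date.fromisoformat(text) if text else None


def audit_accounts(export_text, today):
    """Return {account: finding} for rows that break the old-account policy."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        enabled = row["enabled"].lower() == "true"
        deactivate_on = parse_day(row["deactivate_on"])
        disabled_on = parse_day(row["disabled_on"])
        if row["staff_type"] == "temp" and deactivate_on is None:
            findings[row["account"]] = "temp account has no deactivation date"
        elif enabled and deactivate_on and deactivate_on <= today:
            findings[row["account"]] = "past deactivation date but still enabled"
        elif not enabled and disabled_on is None:
            findings[row["account"]] = "disabled with no recorded date"
        elif not enabled and add_months(disabled_on, RETENTION_MONTHS) < today:
            findings[row["account"]] = "disabled longer than 12 months, remove"
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_EXPORT, date(2019, 6, 13)).items():
        print(f"{account}: {finding}")
```
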
