Learn about election security measures, vendor management, system upgrades, and user training for secure elections. Improve physical, operational, and technical security to safeguard the election process. Take steps to protect against vulnerabilities and promote secure practices. Prioritize encryption, access management, system upgrades, and anti-virus measures. Ensure secure email practices, strong passwords, and updated hardware and software. Stay vigilant about physical security and report any suspicious activity. Play your part in election security by following best practices and utilizing available resources. Stay informed and proactive to help maintain the security and integrity of the election process.
Elections, Security, & You
Selena Tonti, Chief Information Security & Privacy Officer
King County Information Technology
June 13, 2019

In the news… Elections, Security & You
Election Process Vulnerabilities
• Physical Security
• Operational Security
• Technical Security

I.T.: Secure elections! Vote YES
• Vendor Management
• Backups
• User Training
• Logging & Monitoring
• Encryption
• Access Management
• System Upgrades & Updates (Patching)
• Anti-virus & Spam filters
• Firewalls and segmented/isolated systems

User: Secure elections! Vote YES
#1: Manage your Email… don’t let it manage you! Don’t get phished!
Red flags in the sample message:
• Sender email is Gmail
• Attachment
• Known vendor

#2: Passwords are important! …quit acting like they’re not!
• 15 characters!
• Mix it up!
• Unique
• Seriously, do not share – EVER!
• Change it if concerned about compromise
• Change it every [90] days
Only as strong as our weakest link!

#3: Dinosaurs are dead… so why are you using one for important work?
• Upgrade your hardware and software
• Improve performance
• Additional security capabilities
• Available security patching & updates

#4: Nothing is for FREE… you get what you pay for.
• Where is the hardware and software sourced from?
• Did you review the Terms of Use and Conditions?
• Reputable software generally has trial periods OR

#5: Physical Security… facilities, people, systems and processes
ASK without hesitation:
• Did you lock your computer when you walked away?
• Has something changed?
• What is that device?
• Is someone acting or doing something odd?
• Who is that person?

Election Results: Back to the Basics
• You play a role in security! You can do it!
• Systems must be cared for, not ignored
• Use available resources
• Take the time – trust but verify!
• Know your surroundings and report suspicious or odd activity

KCE Cyber Audit
Mark Hinds, IT Engineer
Margaret Brownell, IT Div Director
King County Elections
June 13, 2019

State Auditor Office – Cyber Audit
• Not too scary and very helpful
• Penetration Testing of our applications – twice
• 5 CIS Critical Security Controls – helps prioritize and set a framework for your security program
• Free
• 12–18 month process

Penetration Testing
• Performed by Emagined over 4 days on-site
• Couldn’t get to our Tabulation system!
• Didn’t get into our web systems
• Did get into printers
• Did get into some staff accounts
• Found old accounts for past or temp staff
• Did get into some older or less utilized workstations
• 2nd pen test to retest what they found after we implemented our security plan

What have we learned and done?
• 1st & easiest: securing accounts
• New password requirements
• Minimum 12 characters; encourage > 15
• Anything over 15 characters removes hackers’ ability to use legacy Windows protocols
• Phrases are great!
• Stopp3dbyWoodson$nowyEv3ning = 28
• V0t1ngf4r#very0ne = 17
• Passed 2nd pen test – no accounts compromised
• Moving to Windows-level MFA within 12 months

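The password rules on this slide and on the "Passwords are important!" slide (minimum 12 characters, 15 or more encouraged, mix it up, change on a schedule) written as a policy evaluator. This is an added example, not code from King County; the 90-day rotation value and the "three character classes" bar are assumptions, and the two passphrases it scores are the ones quoted on the slide. The LM hash limit of 14 characters is what the slide's "over 15" threshold rests on.

```python
# Added example, not from the King County deck: a password-policy evaluator
# that encodes the rules the deck gives (minimum 12 characters, 15+ recommended,
# mixed character classes, rotation on a schedule). The two passphrases quoted
# in the deck are scored in the usage section at the bottom.
import string
from datetime import date

MIN_LENGTH = 12       # deck: "Minimum 12 characters"
STRONG_LENGTH = 15    # deck: "encourage > 15"
MAX_AGE_DAYS = 90     # deck lists "every [90] days"; the exact value is an assumption here
MIN_CLASSES = 3       # "mix it up": assumption that three of the four classes is the bar
# An LM hash can only be stored for passwords of 14 characters or fewer, which is
# why the deck says that passing 15 characters shuts out legacy Windows protocols.
LM_HASH_MAX_LENGTH = 14


def character_classes(password):
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def evaluate_password(password, last_changed=None, today=None):
    """Score a password against the policy.

    Returns a dict with the measured facts plus 'accepted' (hard requirements
    met) and 'findings' (everything worth telling the user, warnings included).
    last_changed/today may be date objects or ISO strings; they feed the rotation check.
    """
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    length = len(password)
    classes = character_classes(password)
    findings = []
    accepted = True

    if length < MIN_LENGTH:
        findings.append(f"too short: {length} characters, minimum is {MIN_LENGTH}")
        accepted = False
    elif length < STRONG_LENGTH:
        findings.append(f"meets the minimum but below the recommended {STRONG_LENGTH}")
    if len(classes) < MIN_CLASSES:
        findings.append(f"only {len(classes)} character class(es); mix in at least {MIN_CLASSES}")
        accepted = False

    age_days = None
    if last_changed is not None:
        age_days = (today - last_changed).days
        if age_days > MAX_AGE_DAYS:
            findings.append(f"last changed {age_days} days ago; rotate every {MAX_AGE_DAYS}")
            accepted = False

    return {
        "length": length,
        "classes": sorted(classes),
        "lm_hash_possible": length <= LM_HASH_MAX_LENGTH,
        "age_days": age_days,
        "accepted": accepted,
        "findings": findings,
    }


if __name__ == "__main__":
    # The deck's two sample passphrases, plus a short one for contrast.
    for pw in ("Stopp3dbyWoodson$nowyEv3ning", "V0t1ngf4r#very0ne", "Election19!"):
        result = evaluate_password(pw)
        print(f"{pw!r}: length={result['length']} accepted={result['accepted']} "
              f"lm_hash_possible={result['lm_hash_possible']} findings={result['findings']}")
```

Both deck passphrases come out at 28 and 17 characters with all four classes and no LM hash exposure; an 11-character password fails on length and, being 14 or fewer characters, is one that legacy LM hashing could still represent.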
Old Accounts
• Created and implemented a policy and process for managing old AD accounts
• All temps that get accounts have a deactivation date set at set-up
• May ‘keep’ the account in a deactivated state for up to 12 months – easier & faster set-up for returning temps
• Work closely with HR for hire / exit dates
• KCE IT has one person dedicated to accounts, as our volume was too much for our central IT
• Also manages the YubiKeys and VoteWA access

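The old-account policy on this slide (deactivation date set when a temp account is created, disabled accounts kept up to 12 months for fast re-enable, HR exit dates as a second trigger) as a review routine that decides what to do with each account on a given day. This is an added example, not King County's process or tooling; the 365-day retention window, the action names and every account record below are constructed for illustration.

```python
# Added example, not from the King County deck: the deck's old-account rules
# (every temp gets a deactivation date at set-up, a disabled account may be kept
# up to 12 months so returning temps are quick to restore, HR hire/exit dates are
# a trigger too) turned into a review routine. The account records are
# constructed for illustration; they are not real King County accounts.
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_DAYS = 365  # deck: keep a deactivated account "for up to 12 months" (365-day assumption)


@dataclass
class Account:
    name: str
    is_temp: bool
    enabled: bool
    expires: Optional[date] = None      # deactivation date set when the account was created
    disabled_on: Optional[date] = None  # when it was actually disabled, if it is
    hr_exit: Optional[date] = None      # exit date from the HR feed, if any


def review_account(acct, today):
    """Return (action, reason) for one account on the given date.

    Actions: 'fix' (temp with no deactivation date, violates the set-up policy),
    'disable' (deactivation or HR exit date reached), 'delete' (disabled longer
    than the retention window) or 'keep'.
    """
    if acct.enabled:
        if acct.is_temp and acct.expires is None:
            return "fix", "temp account has no deactivation date"
        if acct.expires is not None and acct.expires <= today:
            return "disable", f"deactivation date {acct.expires} reached"
        if acct.hr_exit is not None and acct.hr_exit <= today:
            return "disable", f"HR exit date {acct.hr_exit} passed"
        return "keep", "active and within its dates"
    # Disabled accounts: keep them for fast re-enable, then remove them.
    if acct.disabled_on is not None and (today - acct.disabled_on).days > RETENTION_DAYS:
        return "delete", f"disabled since {acct.disabled_on}, past {RETENTION_DAYS}-day retention"
    return "keep", "disabled and within the retention window"


def review_all(accounts, today):
    """Map each account name to the action the policy calls for."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return {a.name: review_account(a, today)[0] for a in accounts}


# Constructed sample directory, reviewed as of the presentation date (2019-06-13).
SAMPLE_ACCOUNTS = [
    Account("tmp.alvarez", True, True, expires=date(2019, 5, 31)),
    Account("tmp.chen", True, True),
    Account("tmp.okafor", True, False, expires=date(2018, 3, 31), disabled_on=date(2018, 4, 1)),
    Account("tmp.patel", True, False, expires=date(2019, 2, 15), disabled_on=date(2019, 2, 15)),
    Account("jsmith", False, True, hr_exit=date(2019, 6, 1)),
    Account("mhinds", False, True),
]

if __name__ == "__main__":
    for name, action in review_all(SAMPLE_ACCOUNTS, "2019-06-13").items():
        print(f"{name:12s} -> {action}")
```

The 'fix' action is the one the pen test result points at: a temp account that was never given a deactivation date is exactly the kind of account that outlives its owner, so the review flags it before it becomes an old account at all.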
Printers – the hidden security risk
• Any printer on the network is open to being compromised… unless you take action
• During the pen test Emagined engineers got into our printers and printed old print jobs
• Completed:
• Printer hardening – referenced HP and NIST guidance
• Leased printers: vendor must meet our security settings
• Removed wireless so only wired network connections remain
• Will share a generic version of the hardening settings with the protocols and services we shut off. Ask us.

Patching and Anti-Virus
• Keep PCs up-to-date on patching
• Have a scheduled patching day / night – King County does Tuesday nights / Wednesday morning
• The patches have the latest security fixes for the operating system
• Search for "Windows Update" on your computer to check your update status.
• Anti-Virus – use it (Microsoft Defender, McAfee, Norton)
• Keep it updated – don't let your subscription expire
• Perform a weekly virus scan
• Check your settings to ensure your anti-virus is current

Critical Security Controls 1–5
• Inventory of Authorized / Unauthorized Devices
• Inventory of Authorized / Unauthorized Software
• Secure Configurations for Hardware and Software
• Continuous Vulnerability Assessment and Remediation
• Controlled Use of Administrative Privileges
• Scored on a maturity level of 0–4
• Each organization needs to determine its goal between 1 and 3+

User Cyber Security Training
• Online training required yearly for all KCE staff
• Short modules: 2–5 minutes each
• ~30 minutes of modules per user
• Huge awareness by staff and eagerness to “catch” something
• Virtually stopped the clicking of attachments without looking (hover over links to see the source)
• O365 has great attachment and link scanning features

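The three things this training slide and the "Manage your Email" slide ask users to notice by eye (the real sender address behind a familiar display name, where a link actually goes when you hover over it, and what kind of attachment arrived) as a small triage routine a help desk could run on a reported message. This is an added example, not King County's or O365's scanning logic; the webmail-domain list, the risky-extension list, the vendor domain and both sample messages are constructed for illustration.

```python
# Added example, not from the King County deck: three of the checks the deck's
# user-training advice asks people to make by eye (who really sent this, where
# does the link really go, what is attached) written as a small triage routine.
# Domain lists, the extension list and the sample messages are all constructed.
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Consumer webmail domains a real vendor would not be billing from (assumption).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Attachment types that can run code or carry macros (assumption, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".html", ".iso"}
# Visible link text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def base_domain(value):
    """Last two labels of a URL's host (good enough for the comparison here)."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def phishing_indicators(from_header, body_html, attachments, known_vendor_domains):
    """Return a list of plain-language indicators; an empty list means none found.

    known_vendor_domains: domains the organisation expects its vendors to mail from.
    """
    indicators = []

    # 1. Display name uses a known vendor's name, but the address is free webmail.
    display_name, address = parseaddr(from_header)
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    vendor_words = {d.split(".")[0].lower() for d in known_vendor_domains}
    if sender_domain in FREEMAIL_DOMAINS and any(w in display_name.lower() for w in vendor_words):
        indicators.append(f"'{display_name}' is writing from {sender_domain}, not a vendor domain")

    # 2. Link text shows one site while the href goes to another (what hovering reveals).
    collector = _LinkCollector()
    collector.feed(body_html)
    for text, href in collector.links:
        if URL_LIKE.fullmatch(text) and base_domain(text) != base_domain(href):
            indicators.append(f"link text '{text}' actually points to {base_domain(href)}")

    # 3. Attachment types that should not arrive unannounced.
    for name in attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            indicators.append(f"risky attachment type: {name}")

    return indicators


# Constructed samples: a lookalike 'vendor invoice' and a legitimate one.
KNOWN_VENDORS = {"acmeballots.com"}
SUSPECT_MAIL = dict(
    from_header="AcmeBallots Billing <acme.billing.dept@gmail.com>",
    body_html='<p>Invoice attached. Pay at <a href="http://acme-ballots.example.net/pay">'
              'www.acmeballots.com</a></p>',
    attachments=["invoice_4471.docm"],
)
CLEAN_MAIL = dict(
    from_header="AcmeBallots Billing <billing@acmeballots.com>",
    body_html='<p>Invoice attached. Pay at <a href="https://www.acmeballots.com/pay">our portal</a></p>',
    attachments=["invoice_4471.pdf"],
)

if __name__ == "__main__":
    for label, mail in (("suspect", SUSPECT_MAIL), ("clean", CLEAN_MAIL)):
        print(label, phishing_indicators(known_vendor_domains=KNOWN_VENDORS, **mail))
```

The constructed suspect message trips all three checks (vendor name over a Gmail address, link text naming the vendor while the href goes elsewhere, a macro-enabled attachment), which is the same set of red flags the "Manage your Email" slide annotates on its sample; the legitimate message trips none.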
Next Steps
• Work with both KCIT and OSOS to stay aligned with their security programs
• Implement consistent vulnerability scanning
• Remediation process
• Sharing what we’ve learned and / or developed
• Regular pen tests and audits to ensure we keep our focus and measure our security program progress

Q&A
Selena Tonti, KCIT, CISO – stonti@kingcounty.gov
Margaret Brownell, KCE IT – margaret.brownell@kingcounty.gov
Mark Hinds, KCE IT – mark.hinds@kingcounty.gov