Public Sector Cybersecurity Weekly Briefing 04-13-2018

Pennsylvania Rolls Out Risk-based Authentication to Agencies
To access cloud-based email or Office 365, commonwealth employees working remotely may be required to provide additional information in the form of a PIN sent via text or email.  The decision to require multifactor authentication is based on various factors including the sensitivity of the data or application, the geographical location of the request, the nature of the device being used and the number of times that user has sought access in a given time period.


Ground Zero in Russia’s Hack of U.S. Election Infrastructure
“This could be the Iranians next time, could be the North Koreans next time,” says Lankford. “This is something that’s been exposed as a weakness in our system that we need to be able to fix that, not knowing who could try to test it out next time,” he tells Whitaker. The sweep of the Russian operation in 2016 caught the Obama administration off guard. Michael Daniel, President Obama’s cyber czar, envisioned a troubling scenario: hacked voter rolls causing chaos on Election Day.  “Lines begin to form. Election officials can’t figure out what’s going on,” says Daniel. “You would only have to do it in a few places. And it would almost feed on itself.”


Arizona Hires Cybersecurity Firm to Manage Risk Across State Government
Arizona announced Monday that it will use a single cybersecurity firm to monitor and manage the risks to computer systems in all 133 state agencies. The company, RiskSense, is based in neighboring New Mexico and was chosen over other potential vendors in part because of its software that rates a network’s vulnerability to cyberattacks with a proprietary scoring metric modeled on personal-credit ratings.


Colorado has Spent More Than $1 Million Bailing Out From Ransomware Attack
The recovery has been slow and costly. It took about two weeks for systems administrators to contain the ransomware infection, and another two weeks after that until CDOT’s operations were brought back online, Simmons said. Rebuilding CDOT’s computer systems also required more than just experts from the IT office. The state also leaned on cybersecurity consultants and federal agencies to repair the damage.


DHS Is Falling Short on Securing Its Classified Intelligence Systems
The tools that continuously monitor those systems for cyber threats aren’t interoperable with each other, the auditor found. The department also has not established qualitative or quantitative measures for whether that continuous monitoring is effective or ineffective, the report said. The U.S. Secret Service, a Homeland Security division, also hasn’t ensured its employees and contractors are completing required annual security training.





Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.