In late 2012, Virginia experienced roughly 200 malware infections per quarter. By early 2013, the number of attacks executed on the state’s machines had climbed to 250, then spiked to an alarming 350 attacks by the second quarter of that year.
State IT leaders took swift action to stem the onslaught of malware. Today, the number of successful malware attacks hovers at about 50 per quarter. Virginia Chief Information Security Officer Michael Watson describes the fix as almost shockingly simple: Reduce the number of users with local administrative rights by 60,000 and push out approximately 35,000 Java patches. With these two changes, Watson says, “we were able to identify a pretty sound way of reducing the attacks.”
The IT department arrived at the solution after running detected viruses through virtual sandboxes. Malware initially made its way onto desktops due to vulnerable Java software, but was much easier to execute when machines had local administrative rights.
“With admin rights, applications can run in the background without a user knowing it,” Watson says. “They may click through initially and realize it’s a fake, but something in the background may do a callback and download additional malware.”
As governments struggle to combat ever-evolving threats, insufficient security budgets are a grave concern. According to the 2014 Deloitte-NASCIO Cybersecurity Study, 76 percent of IT officials cite inadequate funding as the top barrier to security program effectiveness, topping the increasing sophistication of threats and a lack of available cybersecurity professionals.
Accordingly, states are focusing on initiatives like Virginia’s to address their most pressing threats and maximize the impact of their security investments. Officials in the Old Dominion estimate that their efforts saved around $450,000 in downtime and remediation costs in just the first six months.
“You have to make sure you’re focusing your resources on the right things at the right time,” says Virginia CIO Samuel Nixon Jr. “It’s all about focusing the right amount of effort on those things that have the potential to create the most harm.”
Organizations can’t address their biggest cybersecurity threats unless they first know where they exist. To that end, Iowa uses Tripwire IP360 to continuously scan its system for everything from faulty Windows patches to machines that are protected only by default passwords. As a result, the state has cut its vulnerabilities in half in the past year, says CISO Jeff Franklin.
“This has been one of the best multiagency initiatives that we have,” Franklin says of the Tripwire rollout, which was partially funded by a U.S. Department of Homeland Security grant. “When we have specific threats like Heartbleed and Bash, we’re able to look for those specific vulnerabilities in our system and then take action against those threats.”
Previously, Iowa agencies each combed systems on their own and achieved inconsistent results based on their varying tools and expertise.
In addition to providing financial assistance in the form of grants, federal agencies and other organizations can further support state and local government cybersecurity initiatives by lending technical expertise.
California has called in the National Guard’s cybersecurity network defense team to assist with risk assessment for its IT operations — for free at first, and now at a reduced rate. In the past year, the Guard has conducted health checks and vulnerability scans for a few dozen California agencies and universities.
“We are starting to see some really positive results,” says Michele Robinson, the state’s CISO. For example, the Guard helped agencies identify a number of vulnerabilities that could be patched, unnecessary services that could be disabled and open ports that could be closed to mitigate risk.
Massachusetts CISO Kevin Burns says his state has worked with both the U.S. Department of Homeland Security and the Multi-State Information Sharing and Analysis Center to check for cybersecurity vulnerabilities.
“The quality of these technicians is amazing,” Burns says of the MS-ISAC group. “It’s a plethora of services that are free.”
The Homeland Security help also came free of charge as part of the national Cyber Hygiene Campaign. That type of independent review would ordinarily cost Massachusetts anywhere from tens of thousands of dollars to six figures, according to Burns. “The more eyes and ears you can put on these things, eventually people turn up pieces of information that are important to remediate.”
As cybersecurity threats evolve, employees must be trained to avoid falling victim to new forms of attack. After seeing an uptick in spear phishing emails (which target users’ personal information or connections to get them to click on a pernicious link), Massachusetts responded by educating users.
“That doesn’t cost anything,” says CIO Bill Oates.
The state is also launching a pilot program to test software aimed at identifying and filtering spear phishing messages.
In Virginia, officials noticed a large spike in fake anti-virus pop-up warnings several years ago, many of which were coming from Russia. Officials simply blocked .ru domains by default, allowing users to request access if they needed it for business reasons (only a handful of users did). As a result, the IT team was able to block 60 percent of the pop-up alert scams.
More recently, Virginia prevented hackers from logging in with stolen passwords by blocking employees who were out of the country from logging on to email, except through mobile clients and virtual private network connections.
“Sometimes you’ve got to get a little bit creative and know when to push and when to pull back,” says Virginia’s Watson. “Every situation is unique, and the threat landscape changes every time you turn around. If there’s only going to be a minimal impact on our users and there’s even a minimal benefit to security, we might as well do it.”