NASCIO Midyear 2019: Utah Prioritized Inventory Visibility After Critical Medicaid Data Breach
In 2012, Utah suffered a tremendous data breach. Hackers stole Medicaid files, gaining access to the sensitive data of roughly 280,000 state residents. The state CIO was fired in the fallout, and officials scrambled to remediate the damage.
"It took us a while to work through the process and understand what happened," said Utah CIO Mike Hussey, who assumed his current job in late 2015. Hussey spoke on a panel at the midyear conference of the National Association of State Chief Information Officers outside Washington, D.C., on Monday.
As it turned out, a significant challenge for Utah was that the state lacked a comprehensive inventory of its hardware and software assets and what was required to protect them. The state now has accomplished this goal, along with several other critical management objectives, with the assistance of Forescout Technologies, a network security company based in San Jose, Calif.
While painful, the journey to remediate the management shortfalls that allowed the data breach "proved to be a valuable experience," Hussey said. The state eventually established short-term and long-term responses. In the short term, officials identified the cause of the incident and remediated the problem, notified the public and addressed the root cause of the breach. In the long term, the state gave its networks additional scrutiny and changed its business processes for the future.
"We had lost a lot of trust," Hussey said, noting that the state had a long list of things to address and "a lot of boxes to check." Not a single one of those boxes had been checked by the time Hussey became CIO in 2015, however.
Five Critical Management Controls Addressed Utah’s Challenges
At the time of the Medicaid breach, Utah CISO Phil Bates worked for the state Department of Public Safety. He had a front-row seat for the response effort. During the NASCIO panel discussion, he described the conditions that led to the data breach.
At the beginning of 2012, Utah would receive about 20,000 network scans a day, potentially by people wanting to break into its systems. When the National Security Agency began considering the establishment of a facility in Utah, scans of state networks jumped to 100,000 a day, Bates recalled. "There was more scanning than ever before, and those people doing that scanning were finding a lot of vulnerabilities that we were never aware of."
Utah authorities discovered that a development system was left on and accessible. It had not been patched in several years, and it proved to be an irresistible target for hackers. Utah learned the hard way to inventory its hardware and software systems.
"We didn't have a clue as to what was out there," Bates said. "It took us three to four years to get a handle on it."
Today, Utah has implemented five basic management controls, which proved to be the hardest controls to apply, Bates said:
- Hardware inventory
- Software inventory
- Continuous vulnerability management
- Controlled use of administrative privileges
- Secure configurations
Inventory alone defeated the state in the Medicaid breach, but "now that I know what I have out there, I can determine what we are running that could be exploited," Bates said.
That's important because today, Utah sees on average 1 billion scans a day against its networks. Only about 100 million of those scans go through, suggesting the state blocks a significant amount of reconnaissance and surveillance traffic.
Forescout Proved a Capable Partner in Utah’s Recovery
Utah took control of its networks with the help of Forescout, Bates said. "We went out to find solutions, and we found a very good partner in Forescout, which helped us to get a handle on those top five critical controls," he said.
Forescout implemented cyber controls on the state's inventory, provided visibility for BYOD devices and established a means for accurate endpoint counts to bill state agencies. The state IT department charges other agencies for supporting their hardware on the state network and for providing security for online assets.
"Instead of chasing problems, we get ahead of problems before they happen," Bates said. It once required two or three hours to identify a machine under attack. Now, it takes about 20 seconds, plus another 10 seconds to shut it down, Bates said.
Chris Dullea, manager of systems engineering at Forescout, told NASCIO that many of the company's clients are seeking hardware and software asset management. He described a typical query as "what's on our network, and how do we protect it?" Meanwhile, there has been a big push at the state level for compliance.
Hussey said Utah is discovering things it didn't realize it could do, such as implementing accurate charge rates for its customer state agencies for network or security services. In addition, Forescout empowers Utah to detect which systems haven't been patched and to take them offline until updated.
"We are starting to discover there are a lot of things on our network that we didn't know about," Hussey said.