StateTech Magazine - Technology Solutions That Drive Government en Training Can Go a Long Way to Help Teleworkers Defeat Ransomware <p>Seventy-three percent of government employees expressed concerns about future ransomware attacks against U.S. cities, <a href="" target="_blank">according to an IBM Security survey</a> released earlier this year. In the survey, 1 in 6 respondents said their agency was affected by a ransomware attack in 2019.</p> <p>Soon after the survey’s publication, state and local government employees found themselves in a mass shift to unprecedented telework, and as state CIOs told the <a href="">Midyear Conference of the National Association of State Chief Information Officers</a>, the ransomware threat did not go away. Instead, bad actors changed the script to entice employees working remotely to click on malicious links in emails designed to read as if they were teleworking alerts or purchase orders.</p> <p>Yet, there is much state and local agencies can do to combat ransomware even when employees work remotely.</p> Tony Sivore Group Aims to Help States Streamline Software Projects <p>State governments across the country are facing many common challenges right now, with <a href=";module=Spotlight&amp;pgtype=Homepage" target="_blank">unemployment claims still at historic levels</a> and <a href="" target="_blank">legacy systems facing strain</a>. States also need to keep track of coronavirus cases and <a href="" target="_blank">analyze reams of data about the virus</a>. </p> <p>A new group recently formed to help states increase software efficiency and streamline solutions. In early May, the Beeck Center for Social Impact and Innovation at Georgetown University launched the <a href="" target="_blank">State Software Collaborative</a> to allow similar state government agencies to procure, develop and maintain common software they need to fulfill their missions. </p> <p><a href="" target="_blank">As StateScoop reports</a>, the group is the creation of Robin Carnahan and Waldo Jaquith, who both recently left 18F, the U.S. General Services Administration’s digital services division.</p> <p>“Our theory is that up to 80 percent of what states do is the same,” Carnahan tells StateScoop. “And there will be some customization for changes in policy among states, but most of it is quite similar.” </p> <p>The collaborative says that in response to the coronavirus pandemic, it has seen that<br /> “even if lawmakers move quickly to pass legislation to get money to laid-off workers, small businesses, and hospitals, those policies can’t be implemented effectively when the technology tools used to apply for, distribute, and track funds can’t be easily modified or don’t work.”</p> Phil Goldstein How Windows Virtual Desktop Supports Remote Working <p>Working from home creates challenges to the usually simple delivery of apps and data to users. <a href="" target="_blank">Windows Virtual Desktop</a> provides security at a fraction of the cost of traditional virtual desktop infrastructure. Client virtualization isn’t anything new and has been available in the cloud for several years. </p> <p>Here are a few of the features available in WVD, <a href="" target="_blank">Windows 10</a> multi-session and Office that can assist workers’ productivity and also keep data secure:</p> <h2 id="toc_0">How to Secure Windows Virtual Desktop </h2> <p>Windows 10 multi-session, which is only available as part of WVD, is the enterprise version but allows multiple users to utilize the same host. It’s the same arrangement as Windows Server Remote Desktop Services, but with a client operating system that improves performance and application compatibility. This just about removes the need to assign static desktops to specific users. Being able to use the host resources more efficiently will also reduce costs and complexity.</p> <p>In most cases, if an agency is properly licensed for WVD and <a href="" target="_blank">Office 365</a>, it already has what is required to enable conditional access and multifactor authentication. MFA has been proved to block 99.9 percent of account hacking attempts. </p> Drew Shanahan, Brandon Pierce Governing from Home: Best Practices for BYOD Agency Telework <p>State and local governments across the country have moved to <a href="" target="_blank">unprecedented full-time remote work</a> over the past few months, migrating practically overnight from highly monitored networks to less secure home internet connections. This transformational shift in the way state and local governments operate creates a host of new security and risk management challenges. </p> <p>BYOD is a major concern. When government workers use devices for both personal and professional functions, sensitive work-related documents sit next to social media, messaging, games and potentially malicious third-party applications. It’s difficult to micromanage employee security practices on personal laptops or phones, even with the right policies in place.</p> <p>As a result, state and local governments need a strategy built on the right policies and immediately implementable tools to provide secure remote access within their organizations.</p> <p>To start, establish a clear BYOD and remote access policy by defining employee, manager and IT administration responsibilities. IT teams should also begin with an assessment of security tools as well as the technology infrastructure to ensure the most secure and appropriate technologies are used. Selecting technologies that have security built in versus added on can lower risk while protecting data. When developing your organization’s policy, industry guidance such as <a href="" target="_blank">the National Institute of Standards and Technology’s framewor</a>k for telework can help. </p> <p>Communication is also key. Keep employees informed about best practices, including new updates to operating systems and approved applications, such as web browsers, email clients, instant messaging clients and security software. </p> <p>Educate workers on ways to keep their devices safe, like controlling device access by setting a unique PIN and automatically locking a device after an idle period. Networking capabilities, such as Bluetooth and near-field communication, should also be disabled except when needed.</p> Christopher Montgomery Virtual Tour Technology: How State and Local Governments Use It <p>Throughout the spring, as state and local governments shut down or closed museums, parks and other public gathering places to help slow the spread of the coronavirus, millions of people were unable to physically visit their favorite attractions.</p> <p>However, they were not entirely shut out. Thanks to virtual tour technology, state and local governments have been able to give residents access to such sites and buildings. The technology, which can provide users with a 3D virtual tour or a 360-degree tour experience, can help keep residents connect to their local haunts and lay the foundation for future visits, which can drive revenue for state and local governments.</p> <p>Such technology may be less pressing now, as states start to reopen their economies and sites that have been shut down. However, if governments re-enact lockdowns in response to a second wave of the virus, or if residents do not want to go in person to sites because of health concerns, virtual tour technology will be a go-to option for many agencies.</p> <p>“The virtual tour is a fantastic opportunity for people to research, watch that dream,” Melissa Norris, travel adviser for AAA Club Alliance <a href="" target="_blank">tells</a>. “It might be somewhere they’ve never been before, it might be somewhere they want to go. That’s the best way to check out a destination and listen to the professional guide talking about all the awesome things that you can see and do and put that on your bucket list.”</p> <p>State and local governments have been using virtual tour technology to give users access to everything from state parks to state-funded museums and official state and local buildings. </p> Phil Goldstein 4 Steps for Installing Microsoft Remote Desktop Services <p><a href="" target="_blank">Microsoft</a>’s <a href="" target="_blank">Remote Desktop Services</a> is a widely used desktop virtualization product. RDS provides users with <a href="" target="_blank">a Windows client desktop</a> that is shared among other users on <a href="" target="_blank">Windows Server</a> and allows administrators to provide a Windows desktop experience for many users at once, using one or more servers and a Remote Desktop Protocol client.</p> <p>As such, RDS is a valuable and widely available tool for operations continuity, empowering government workers with the capabilities to function both in the office <a href="">and away from it</a>.</p> <p>With two servers, administrators can set up an entire RDS implementation in only four steps.</p> <h2 id="toc_0">1. Install RDS Base Roles</h2> <p>A typical RDS implementation has five roles: RD Connection Broker, RD Web Access, RD Session Host, RD Licensing and RD Gateway. </p> <p>Think of the RD Connection Broker, RDP Web Access and the RD Session Host roles as base roles, which need to be installed on the primary RDS server.</p> <p>Within the Add Roles and Features wizard, select Remote Desktop Services installation using the Quick Start option on Windows Server. The RDS wizard will then serve as a guide to installing all of these roles at once.</p> <h2 id="toc_1">2. Install the Licensing Server</h2> <p>From within the Server Manager application, add a server to manage what will become a licensing server. Navigate to Remote Desktop Services and click on the green plus sign for RD Licensing. From there, add the other server under the Add RD Licensing Servers screen.</p> <p>Once Windows installs the licensing server, a green plus sign should be visible above RD Licensing in the RDS Deployment Overview section.</p> Adam Bertram Election Day Is Less Than 6 Months Away. Now Is the Time to Instrument Infrastructure <p>Elections have two critical components. The first is visibility and transparency to the participants. The second takes place behind the scenes and <a href="" target="_blank">may not be apparent to the participants</a>. </p> <p>Voters see how computers have become more important to the election process, whether for collecting individual votes, tallying totals, transmitting results or displaying outcomes. What they have not seen is how these processes take place. </p> <p>It’s impossible to address all network security monitoring components of the election process in a few hundred words, but the overarching role of the network is worthy of an assessment. </p> Richard Bejtlich VDI Serves Up a Uniform Experience for Teleworkers <p>In March, as the coronavirus crisis spread, IT departments at state and local agencies everywhere <a href="" target="_blank">suddenly had their work cut out for them</a>. Charles Ash, deputy director and CIO of the Division of Information Technology at the <a href="" target="_blank">Ohio Department of Transportation</a>, recalled the marching orders for his team involved rapidly equipping ODOT’s office-dependent employees with the tools they needed to do their work remotely.</p> <p>“The good news for us was, we’d already been heading in that direction because so many of our customers had been requesting mobility applications” that would allow them to access agency systems no matter where they happened to be, Ash says. </p> <p>“We have a mantra around here: ‘Any app, any device, from anywhere there’s an internet connection,’” Ash says. They weren’t exactly ready to transition their entire workforce out of ODOT’s offices and into people’s homes. “But we did have what we needed to do it, and in the end it only took us about three days.”</p> <p>Key to the department’s success was <a href="" target="_blank">virtual desktop infrastructure</a>, or VDI.</p> <p>According to <a href="" target="_blank">Andrew Hewitt</a>, an infrastructure and operations analyst with Forrester, VDI solutions using on-premises servers have been popular among early adopters of the technology with highly skilled and well-staffed IT teams. “Traditionally, it’s worked very well for organizations like that. They’ve seen it as an effective way to manage their PC fleets, and as a secure solution for remote working because it prevents the need for data storage on endpoint devices,” he says.</p> <p>This trend has shifted in the past few years, Hewitt says, as cloud-based VDI solutions have come on the market, making the technology more accessible to a wide range of organizations, including state and local governments, which have increasingly adopted the technology. </p> <p>“With cloud-based VDI, the major advantages are around scalability and cost savings,” mainly because it allows IT teams to shift focus from server management. “You save on staffing, and you save on time. You get additional flexibility, and you don’t need as many resources for implementation as you do when you go with one that’s on-premises,” Hewitt says.</p> Chris Hayhurst 5 Steps to Proactively Address Unauthorized IT Among Workers <p>The term “<a href="" target="_blank">shadow IT</a>” has been around for several years — and for years, it has challenged IT departments. The practice of using applications and systems without the explicit approval of IT staff, or sometimes even without their knowledge, poses real risks for a government agency, particularly now that more employees are working from home. </p> <p>Shadow IT is widespread in government. Several years ago, Skyhigh Networks <a href="" target="_blank">found that the average agency was using 742 cloud services</a> — about 10 to 20 times more than the IT department was managing. With the pervasive nature of cloud-based services and the popularity of hybrid cloud environments, the Cloud Security Alliance believes the situation is likely much worse today. </p> <p>The Everest Group <a href="" target="_blank">reported last year</a> that dismantling shadow IT accounted for 50 percent or more of IT spending in large enterprises.</p> <h2 id="toc_0">Shadow IT Can Lead Down a Slippery Slope</h2> <p>Shadow IT grows due to lack of awareness, both on the part of the user and the IT department. A wide variety of tools are brought into the agency under the radar, without explicit IT approval or knowledge. </p> <p>A user needs something to get the job done and, without thinking, signs up for a web-based application: Need online messaging? Why not the same WhatsApp you employ for your personal life? Want to do a VoIP or videoconference call? If you’re a pro at using Zoom at home, use it at the agency as well. Need to transmit large files? It’s easy to sign up for a Dropbox account, <a href="">particularly when you’re trying to get the job done remotely</a>. But in each of these scenarios, no thought is given to control, management or security. Self-reliance is often a virtue, but not when it puts the agency at risk. </p> <p>The IT department may be blind to the issue, with no clue how many unauthorized apps are being used, particularly when those applications are connecting from a home office. It’s not just a question of the apps’ security — frequent reuse of login credentials, weak passwords and phishing attacks leave user accounts on unauthorized services ripe for exploitation; by extension, the agency itself is at risk. </p> Tanya Candia How States Can Secure Public Health Telehealth Deployments <p>At a time when public health departments have been stretched thin by the coronavirus pandemic, telehealth solutions have helped ease the strain by connecting doctors remotely to patients. That has been especially useful during a time when everyone has been advised to maintain social distancing to help reduce the spread of the virus.</p> <p>The Health Resources and Services Administration at the U.S. Department of Health and Human Service <a href="" target="_blank">defines telehealth</a> as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications. </p> <p>In March, the HHS Office of Civil Rights <a href="" target="_blank">relaxed its rules on telehealth to increase its usage</a>. The office said it would use discretion when enforcing HIPAA compliance for telehealth communications tools.</p> <p>HHS said it would “not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.</p> <p>“A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the pandemic “can use any non-public facing remote communication product that is available to communicate with patients.” </p> <p>Still, it is critically important for public health departments and the healthcare providers they work with to provide as much security for telehealth solutions as possible. Such security technologies, including multifactor authentication, help ensure that patient data remains confidential and that patients have confidence in using such tools to get care. </p> Phil Goldstein