Tad Stahl, the Chief Information Security Officer (CISO), will share thoughts on a regular basis on information security issues facing the State of Indiana workforce. The web software does not permit you to comment in typical blog fashion. Please send your questions and comments to
IOTCISO@iot.in.gov. Your comments and questions, along with the CISO’s response, will be manually appended to the blog. Only questions and comments from state government email addresses will be addressed.
Stand Tall, Don’t Install
October is Cyber Security Awareness month!
As I was prepping some security awareness materials I came across an article that had some common sense advice worth reinforcing. That advice: Don’t install software that won’t be used. IOT ensures this happens on work PCs by providing a standard configuration and limiting our ability to install software. Home PCs can be a very different story. The PCs we buy are often loaded with many “free” software programs. We also purchase or download more software along the way.
Each software program installed requires ongoing care and feeding. If we fail to stay abreast of weaknesses, neglect to install security updates, or configure the software insecurely we end up with a system more vulnerable than we want or realize. In the end we’re better off bypassing opportunities to install software we won’t use and uninstalling those we don’t. Doing so results in a more secure system and chances are good that your system performance will improve.
Dolphins and Sharks
Over spring break I had a bonding experience via a shared kayak with my 12-year-old son. Paddling in the Gulf of Mexico we saw a pair of dolphins gliding through the water near us. We charted a course to get a better view. Actually, I set the course while my son fought it with every evasive maneuver he could imagine and muster. I chuckled and chided, believing I understood the reasons for his response. Even though dolphins are typically not aggressive, they are large and we were in their domain, so I had no intention of getting too close. In spite of his fighting to the contrary, we did gain a great view of them swimming by. As we continued on our journey, dolphins became a common sight. I believed that my youngster’s initial fear had subsided and that he had found a comfort level with the kayak, the sea, and the dolphins. I was very wrong! Spotting a lone dolphin thrashing walls of water right and left with his tail, presumably showing off for a female, I headed that way with gusto. As we approached, I noticed my son’s back stiffen. He sat up straight. Then, once again, he implemented his full-force back-paddle maneuver. I was puzzled by the resistance until, still a good distance from the thrashing tail, he shrieked “It’s a shaaaaaaaaaark!” Now I knew full well it wasn’t a shark. But the deafening decibels and conviction of his cry made me pause to take a second look to be sure (as it did every other boater and beachcomber on the Gulf coast). I tried to contain myself, but attempting to stifle laughter only served to increase the severity of the resulting cramps.
I laughed a little too hard. I can relate to the uncertainty that ran through my son’s head that day. Information security forces you to consider worst-case scenarios, and I’m seeing some fins of my own. For example, I wonder just how much more risk the Internet can pose and remain viable. Our state workforce already knows far more than they’d like to about worms, viruses, Trojans, and other forms of malware. But we are now seeing infections come from legitimate websites. Malware, which historically targeted a single weakness, is now able to probe a PC and exploit whichever weaknesses it finds from a lengthy list of possibilities. In short, it seems lately like the bad guys are advancing faster than the good guys. It forces us to reconsider the risks involved and the alternatives available in the form of additional technical and administrative controls. Unfortunately, technical solutions can be expensive, and the policy options I’m considering would surely involve additional constraints. I’ve had this feeling before and know better than to panic. But I can feel my back stiffening, I’m considering back-paddling to change the course, and I’m fighting off the urge to yell “It’s a shaaaaaaaaaark!” I had this coming.
Race into Security
I spent the weekend out at the hallowed grounds of the Indianapolis Motor Speedway (IMS). What a great place! As a result, working up ideas for this month’s blog was tougher than normal. Thoughts of this year’s running of the Greatest Spectacle in Racing proved tough competition for malware, complex passwords, and the other security issues that generally race the hearts of my loyal readership.
It occurred to me that driving improvements in information security is not that different from a race team at the Speedway trying to win the 500. For any team to succeed you need great sponsors. We are fortunate to have Gerry Weaver, CIO, the Governor’s Office, and agency leadership supporting our efforts. Without them, we don’t even get to the track, let alone qualify. Of course you have to have a pit crew. The IOT Security team works hard to keep our information security car on track. Sure, Gharst and Bradley sometimes leave a wheel loose just to watch me struggle but all in all it’s a solid crew. Then there’s IOT technical support. Brian Arrowood and his team work to secure servers, desktops and network equipment much like engineers fine-tune a race car to get more speed. This group has brought us a long way in a short time. We’re good enough now that we no longer find improvements in 10 mph chunks. Instead it’s a .5 mph here, .5 mph there, incrementally improving our way toward our goal of achieving the pole speed. For spotters we have agency IT leaders and security staff helping us navigate and identifying trouble. We don’t get through Turn 1 without them. Finally, we have the state workforce behind us. Occasionally we get some grumbling about a policy or security measure but for the most part our workers are supportive and conscientious.
Just like a race team, it takes all parts working together to be successful. If any component breaks down it can mean failure. It’s a long race and we’re far from victory but we are moving up nicely.
How bad is it at home?
As I stated in my response to one of the questions below, we battle malware here at the state every day. On our side are some pretty good tools, excellent technical support, and improved user awareness. Even so, fighting off malware threats can still be a struggle. Someone asked me the other day just how bad I thought the malware problem was in the home environment. I’m afraid if I gave my honest assessment I’d make Chicken Little seem like the calm, cool, voice of reason. Suffice to say I think it is bad.
To compete with malware you need a hardened operating system that is appropriately patched, current and capable malware protection, and alert and aware users. I think it is safe to say we would find the majority of homes are missing at least one of these things. For example, I shudder to think of the percentage of home PCs that don’t apply security patches for the operating system and other key software. I fear another significant percentage go without adequate anti-virus protection.
Finally, let’s consider the typical home user environment. For state workers we filter email and the Internet and clearly identify acceptable use guidelines. It’s just a hunch, but let me head out on a limb and guess that the limitations we put on use here (you may not like them, but they greatly enhance security) are not applied at home. In addition, if it’s anything like my house, you have an impulsive youth or two driving the mouse. I try to teach my kids about SPAM, phishing, and the dangers of certain web sites. But if I can’t get through to them about keeping their rooms clean, just how much are they absorbing when I discuss the pitfalls of the Internet? I know for a fact I could warn my daughter of a virus capable of destroying our hard drive, causing the monitor to burst into flames, and shooting electrical shocks through her body via the keyboard. But you wrap that baby up in a picture of the Jonas Brothers and you might as well call the fire department.
The point is the home environment is rarely offered the same layers of defense as are found at the office. So in this case, I don’t like the odds for the home team.
Two Good Questions
Well, my plea worked. I received 4 questions and I am grateful for all of them. However, 2 really weren’t security related and were forwarded to the appropriate expert for answers. The other 2, as well as my answers, are below.
OK, Tad, I will bite on your offer. Working in IDHS, I read many notices every day of new Storm botnet morphing Valentine’s malware and other botnets, Conficker computer worm and other worms, viruses, etc., yet I seldom see anything about them from IOT. Does that mean that we do not have issues with them? If so, why and why do many companies and other government agencies have huge issues?
Best regards,
Concerned in IDHS
Dear Concerned,
You ask a terrific question and I’m not just saying that because it is the blog’s first. We battle malware every day. About the time I think we’re getting a leg up on the problem, we’ll experience a setback. IOT’s support teams do a terrific job of providing layered protection (anti-virus protection, patches, firewalls, email filters, Internet filters, etc.). Due to their efforts, the virus problems we experience are usually limited in number and scope. We take proactive measures to keep the network and state users as safe as possible from such exposures. We do this by utilizing sources of information which provide us insight into upcoming and ongoing exploits, and we take measures to head off exploitation attempts. Ultimately, however, the key to our success rests with our users. If our users recognize email scams and navigate only to trusted websites, our risk is greatly reduced. An alert and conscientious workforce serves as our most effective line of defense.
Every organization, including ours, is susceptible to a “huge” issue. It only takes a breakdown in one layer of protection to give malware the foot in the door it needs to wreak havoc.
Tad
Security is important. Like the air we breathe, it surrounds us, and sustains us; like air, once impaired, the impact is enormous. To comply with state requirements and ensure that any operator of a state vehicle has a current, valid license, we maintain a copy of all current drivers’ licenses of state employees, on site, and send a copy to Indianapolis.
I was recently informed that I should not scan and send a copy of a DL via state email, as it could pose a threat of identity theft. So, in the future, I will not scan and email a DL, but rather send a paper copy in a sealed envelope, via an employee-courier, to Indianapolis. It just seems like a more cumbersome process.
Sincerely,
Conscientious Emailer
Dear Conscientious,
Thank you for a very good and important question. I could fill pages answering it as there are many related tangents worthy of discussion. I’ll try to keep it brief and limit it to a couple thoughts. First, you are correct, security is important. As such, appropriate security often requires processes that are more cumbersome than those that are insecure. As state employees, it is our responsibility to do all we can to protect the identities of our citizens even if it demands more time and effort to do so. This includes our fellow employees.
The best way to protect personal information is not to gather it. If you don’t have someone’s social security number (SSN) or other personal information you can’t lose it. Obviously, in our line of work, we are frequently legally bound to collect it. However, agencies should consider every possible alternative available to collecting and storing personal information. A major problem with personal information is the way it grows. One instance turns into 2 copies, then 3, then 5, and so on. And with each instance, the likelihood of compromise grows dramatically.
Let’s talk about email. The problem with emailing personal information is the frequency of error and loss of control. It is fairly common to see messages addressed incorrectly. If that happens, unauthorized individuals may have access to personal information they should not. Once you hit the send key, you’ve lost control of the information you sent. The recipient, either purposefully or in error, may forward or distribute the email inappropriately. It can also easily be read in transit by someone sniffing traffic at any point along the network on which the email travels. By default, email is not encrypted and is therefore easy to read.
Finally, mailing personal information, either in paper or digital form, is not recommended. Mail is often lost and passes through many hands to get to its destination. Redaction and encryption offer additional safeguards, but secure electronic delivery options are readily and affordably available.
Tad
It’s Response Time
Now I will confess that when I started this blog I knew that I would not be competing with ESPN or the Indianapolis Star for hits. Information security is not a leisure time reading subject for most folks and I’m not going to lure many through my imagination and writing skills. So my expectations were low.
With this edition, we are celebrating my 10th entry. I’ve never bothered to look up the statistics on hits to the page, but I do know that a few people read the blog. For example, I know my team does (they know there will be a pop quiz in the staff meeting). I’ve also given the URL to my wife and kids (they love to talk about it over supper). And sometimes, on those rare, rewarding occasions, someone unexpectedly will, out of the blue, let me know that they read the blog. Forget the fact that they don’t say it was interesting or thought provoking or of benefit in some way. That’s not important. We’re building momentum here one small step at a time.
Now it’s time for the next step. I hate to impose on my loyal readership, but I’m going to ask a favor. I have an email address at the top of the blog page that is practically begging for your comments, questions, or concerns. To date, I’ve not had a single one. Your assistance can make this blog more interesting and beneficial. My only requirement is that we keep it on the topic of information security. I will then post your question or comment (protecting your anonymity) along with my reply.
Happy Holidays
What a great but busy time of the year. The holidays add to already booked work and personal schedules. Usually it’s all good but I have to admit that there are few things more stressful for me than trying to buy my wife a gift. I really should skip the anxiety because it doesn’t really matter. Even my best effort gets returned. However, I gauge my success in terms of how long it takes her to reach that conclusion. A bad year is when she doesn’t even finish taking the wrapping paper off (known here forward as the year of the vacuum and the year of the Chia pet). A good year is when she will at least try it on before asking for the receipt.
On the other hand, I’m the easiest person in the world when it comes to gifts. Here are some suggestions for those looking to do something a little special for their friend in security:
Thanks to all state employees for helping us improve information security this year. There’s much more to do and I look forward to working with you next year. Happy Holidays!
Take care of your personal information at home
Halloween has passed but if you want to read something frightening, type “sinowal” into your favorite search engine’s news search. You will see a number of articles and read plenty about a piece of malware that has been collecting bank account information for more than 3 years. More than 500,000 accounts are known to be compromised and most security experts believe this is just the tip of the iceberg. And this is only one example of many that threaten your family’s personal information residing on a home PC.
At work most PCs are protected with the following:
• Firewalls protecting the network from outsiders
• Anti-virus software installed and set up to update automatically to the latest version
• Security patches applied as soon as possible
• Email and Internet filtering
• IDs and passwords limiting access to your computer
• Limited rights on a computer
• Security awareness information keeping the state workforce aware of threats
Even with these defenses in place, we struggle mightily to keep malware like “sinowal” at bay. Imagine the increased risk in your home. Not only are some of these protections listed above unavailable but you may also have users more susceptible to email and Internet threats.
We always appreciate your diligence in securing citizen information at work. But for your own protection make sure your home computer is appropriately fortified, that your family is aware of potential dangers, and that bank accounts, social security numbers, and credit card numbers are stored and used securely.
October is Cyber Security Awareness Month
It seems appropriate that the scariest month of the year is also cyber security awareness month. Treating the little ghouls and goblins raiding the candy basket is much more fun than denying the menacing tricksters that would like to raid our network. Cyber security awareness month gives us a chance to reinforce the message that “security is everyone’s job.” You can help by making sure you do your part to ward off five end user threats we worry about.
What should we do with someone that downloads malware by clicking on a SPAM message?
I asked around and here are a few ideas:
While the proposed punishments above are written in jest, infections from malware (virus, worm, Trojan horse, rootkit, etc.) are no laughing matter. It is enough of a problem that we must seriously consider implementing security measures we’d rather not have to (e.g., limiting Internet access, prohibiting use of personal web-based email accounts). Disciplinary action may also be deemed appropriate for some errors in judgment.
It is clear that SPAM senders understand human psychology and play on it effectively. This makes your job tougher, but good decisions regarding SPAM are essential. A bad decision can result in significant damage. Our guidance on SPAM remains the same. Be very cautious with emails from unknown sources or with an unexpected subject. Delete when in doubt and never click on a link in an email unless you are completely positive. Also be sure to store information, especially personal information, on network drives (not local drives).
Note: Remember to watch for sensational or intriguing hooks. SPAMMERs probably could have caught a few fish this past weekend with emails regarding Gustav or New Orleans’ levees. In the coming weeks subjects such as Obama, McCain, Biden, and Palin might serve as bait.
Password Changes
Over the coming months the state will be strengthening its password management scheme to enhance our overall security position. All state users will be required to use complex passwords (many are already there). A complex password, by our definition, is comprised of at least eight (8) characters and contains three of the following four categories:
• Upper case letters
• Lower case letters
• Numbers
• Special characters (e.g. &, ^, %)
I know there will be a slight learning curve, but you can handle it (and don’t even think about writing it down on a sticky note and putting it on your monitor). We’ve set up a web page to help you prepare at http://www.in.gov/iot/2328.htm#Password. Here you will find tips and tricks as well as the importance of complex passwords for state security. I also recommend you extend this practice to the passwords you use away from work.
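The complexity definition above (at least eight characters, three of the four character categories) is concrete enough to check mechanically. The following is an added example, not code from IOT or the state’s password system; it assumes that “special characters” means any printable punctuation character, with the page’s &, ^, % as examples, and it reports which rules a candidate misses so the reason for a rejection is visible.

```python
import string
from typing import List, Set, Tuple

MIN_LENGTH = 8            # "at least eight (8) characters"
REQUIRED_CATEGORIES = 3   # "three of the following four categories"

# The four categories named in the state's definition. Treating every
# printable punctuation character as "special" is this example's assumption;
# the page only lists &, ^ and % as examples.
CATEGORIES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def categories_present(password: str) -> Set[str]:
    """Return the names of the character categories that occur in password."""
    return {name for name, chars in CATEGORIES.items()
            if any(c in chars for c in password)}


def check_complexity(password: str) -> Tuple[bool, List[str]]:
    """Evaluate a candidate against the policy.

    Returns (passes, reasons). reasons lists every rule the candidate fails,
    so a user sees what to fix rather than a bare 'rejected'.
    """
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    present = categories_present(password)
    if len(present) < REQUIRED_CATEGORIES:
        missing = sorted(set(CATEGORIES) - present)
        reasons.append(
            f"only {len(present)} of 4 character categories used; "
            f"add at least {REQUIRED_CATEGORIES - len(present)} more from {missing}"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample candidates for illustration, not real credentials.
    for candidate in ["hoosier", "hoosier1", "Hoosier1", "H00sier!", "racing500"]:
        ok, why = check_complexity(candidate)
        print(f"{candidate!r}: {'pass' if ok else 'fail'} {'; '.join(why)}")
```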
CISO Thoughts
My thoughts and best wishes go out to those suffering from the flooding in southern and central Indiana. Words cannot begin to describe the range of emotions inspired by the video footage and photos. It was just unbelievable.
In the midst of the tragedy there were things that make you proud to be a Hoosier. First and foremost was the character demonstrated by those affected. I didn’t see many playing victims. Fear and shock quickly gave way to a determined attitude to clean-up and rebuild in spite of the long, grueling effort it will entail. And then there were the countless heroic stories of emergency personnel and good neighbors. When most of the news is dominated by stories of bad deeds it was nice to see the good deeds of people recognized.
We’ll talk about information security next time. Maybe disaster recovery would be an appropriate and timely topic.
Threatening SPAM
The state has begun receiving SPAM containing threats of physical harm. Though it is a little shocking to receive the first one, in the end it is just another mass mailing playing on fear. In this case physical danger is the hook rather than a bad credit rating, closed bank account, etc. Unfortunately, I expect SPAMMERs to continue with this theme, escalate the threats, and make them seem more personal and realistic. IOT will work to block them with its filters, but you can expect some to get through. When they do, give them no more attention than you would any other SPAM. Please report SPAM using the instructions found here.
Is Big Brother Watching Your Computer Activities?
The answer to the question above is “no.” IOT does not have a special force hunting for inappropriate user behavior. However, you should always keep in mind that State Ethics Rules prohibit the use of state assets for personal use except where allowed under agency De Minimis use policies. You should also know that anything you store or create on state time or with state-provided technology is not considered private. Agencies can and do request access to employee information for a variety of reasons, including extended absences and suspected inappropriate use. When agencies make such requests, IOT is usually able to assist.
I don’t believe the state has any more of a problem with improper behavior than do other organizations of similar size. But I would like to see the time IOT spends assisting agencies in this regard applied to more productive tasks. My guidance is to value your job and the respect of your co-workers by avoiding the temptation to misuse state resources. Re-read and abide by the Information Resources Use Agreement (IRUA). And if you question the appropriateness of an activity, talk it over with your manager rather than risking a wrong decision.
Handling Phishing Scams
I’m often asked why I don’t put out statewide warning emails on every “Phishing” scam making its way to the state government email system. Trust me, you really don’t want to hear from me that much. 99% of all email coming to the State is SPAM and a chunk of those are phishing messages. You would hear from me so often that you would soon treat my messages as SPAM.
It wouldn’t work anyway. My warnings would almost always come too late. The only effective defense is for you to recognize these messages as you receive them. Fortunately, you’ve become good at it. Sometimes it can be tough to recognize a phishing message. They seem to get more creative and authentic in appearance with each new scam. And we can expect scam artists to continue honing their craft. Regrettably they continue to work (information on phishing message characteristics).
I do look to get information to you when there is a new or a severe risk you might encounter. But our best defense is having you aware of threats and closely examining every message for validity.