3 Infosec Challenges States Face
MS-ISAC Founder Will Pelgrin Identifies the Latest Threats
Pelgrin should know. He spent more than a decade as the top IT security officer for New York State and has been chief executive officer of the Center for Internet Security since last summer.
In the second part of an interview with GovInfoSecurity.com's Eric Chabrow (transcript below), Pelgrin says he has identified nine challenges, but focused on three he feels are the most crucial:
- Mobile devices, which require security officials to think differently about how to safeguard data than they did in the late 1990s. "If I continued on the path that I had then ... I would have been absolutely on the wrong page in 2011."
- Insider threats, which tend to involve more carelessness than maliciousness. "Individuals may do something accidentally, not intentionally; however, the consequence would be the same if it were intentional."
- Old infrastructure, which in the current fiscal climate is perceived as being more cost effective than refreshing the technology. "I'm a fiscal conservative by nature, but when it is unsupported ... you're vulnerable. Unsupported means just that: they will no longer provide updates or patches to the system, and we're running way too many of those throughout government."
Pelgrin discusses the expanded mission of the Center for Internet Security, a not-for-profit that provides IT security benchmarks, in part one of the interview (see Will Pelgrin: The CISO-Plus).
Simultaneous with his appointment as CEO, the center acquired the U.S. Cyber Challenge (view video Searching for the Good Hacker), which develops programs to encourage young people to consider IT security careers, and the Multistate Information Sharing and Analysis Center, a 50-state consortium he founded that collects information on cyberthreats to government and critical infrastructure IT and shares that data among the states and local governments.
While New York's director of cybersecurity and critical infrastructure coordination, Pelgrin headed the New York State Public/Private Sector Cybersecurity Workgroup, a group of officials representing federal, state and local governments, academia and business, that ensured cyber readiness in the state. He also served as a member on the Commission on Cybersecurity for the 44th Presidency, which recommended cybersecurity policy in 2008 to the incoming president.
The Mobile Threat
ERIC CHABROW: What are the IT security challenges facing state and local governments?
WILL PELGRIN: I will give you just a couple, but I have a top nine list just to let you know. But let me just highlight I think a couple that are absolutely at the top of the list, and let me start with mobile devices. These are not in rank order.
I am a big proponent of new technologies to make our lives easier, more efficient, more effective both from a cost perspective and a deliverable perspective as well, a productivity perspective. However, with those devices come certain challenges, meaning where, and this goes to my concept of how do I measure success.
When I started this back in '97, when I started looking at security from the government perspective, if I continued on the path that I had then as to how I was protecting the state relative to information, I would have been absolutely on the wrong page in 2011. And as we all know the perimeter is no longer there. My concept back then was protect the perimeter because all the data was on one side and I needed to build the walls to make sure that nobody could get in and take things that were not appropriate.
As the mobile devices started to be deployed and we're talking smart phones as well as thumb drives, we're talking about everything that allows us to do what we do now on a 7x24 basis, means that my protection is you. It means that the protection is the data and the data is now resident constantly with you.
The concern that I have - I have thumb drives, I have multiple mobile devices - is that we make sure that the culture is changed to ensure that we have protected them to the best ability that we have, meaning that they are encrypted, that they have passwords and that they have timeouts on those.
When I give talks, I tell people, if you have a great password but you don't have a timeout, meaning that your system will lock down on you after 10, 15, 20, 30, whatever number of minutes, take your password off because it's not good; it doesn't do anything if your system is always live. Mobile devices: we've seen a lot of different incidents that come through those devices. The culture will change, that is: how do we protect them and how do we not take our mobile devices and stick them into every machine out there and then bring them back into our network with the sad consequence of potentially corrupting your network?
The Accidental Inside Job
The next is insiders. I'll say insiders, from an intentional perspective but I think, more importantly, even from an accidental perspective. The majority of state and local government individuals may do something accidentally and not intentionally. However, the consequence would be the same as if it was intentional. Phishing attacks have become so well drafted, from a grammar perspective, that even the best professionals in cybersecurity would fall prey to some of those phishing attacks just because of the nature and how they are occurring.
So education and awareness are absolutely essential, but in addition to that we need to do a better job of educating from the highest level, meaning the executive, straight through to the user level of who has what information? What information do they have? When do they have that information? And, where can they have that information? Meaning, we have to classify our information and then build appropriate protections and controls associated with that. Symantec estimates that over 600 million e-mail messages are sent containing unencrypted, confidential data. This should not be occurring at this point in time. You know if there is something that is confidential, you should never send that in clear text and yet it is happening way too often.
The last one is, and you know again I'm hesitating only because there are a number that are facing the governments, but let me use old infrastructure because I think that deals with the fiscal climate.
When we look at old infrastructure, we think we are being cost effective by holding on to some of that for a greater period of time because the fiscal climate is imposing certain restrictions, so that we can't refresh that technology as often as we would like. And, I'm fine with that stretching; I'm a fiscal conservative by nature. But when it is unsupported, old infrastructure, you are vulnerable. Unsupported means just that, that they will no longer provide updates or patches to that system, and we are running too many of those throughout, I won't even limit it to government.
Understanding what environment, and some of it is because we don't know what our environment looks like. Understanding that, having a really critical inventory of that, making decisions about where that infrastructure is in your environment and making sure that it can have minimally the basic protections that are necessary to give you at least a fighting chance to prevent an infection.
Taking Inventory of the Situation
CHABROW: Is there a way to estimate what percentage is old infrastructure?
PELGRIN: No, I really can't. Part of the issue is understanding what that inventory is, but I can tell you we all, private or public sector, have some pieces of that that should be looked at from the perspective, "Okay, where is it in our lifecycle?" And, that lifecycle needs to be not only from a functionality perspective, which I think is less important to me, but more from a security perspective of when that lifecycle really needs to kick in.
It will always be more costly to respond to and recover from an event than it would be to prevent and detect that event up front. Spending a little money up front to ensure that your infrastructure is at least at the basic level where it can be patched and it can have updates is essential because the cost later on is sometimes very hard to measure; there are both fiscal and beyond-fiscal costs to breaches.
CHABROW: Are there situations in many organizations, whether in the government or not, where they don't know what their IT inventory is?
PELGRIN: Some entities have a very good handle on what their inventory is within their overall environment. Others may be so distributed that a complete picture of what that may look like is more difficult. I can tell you even when you know what your infrastructure looks like, I think that we have to go beyond and understand what is enabled within those systems.
What you may think is not even present within your system may have been there as part of an overall configuration and, sadly, may have been enabled. We had one situation that I can recall where we were deciding at the multi-state level as to whether or not to issue an advisory because the system that was vulnerable was one that really wasn't prevalent within government. We were debating it and we decided to look within my office alone. We had a tool that allowed us to inventory things on the fly as well as what was running on our system. There was, unbeknownst to us, an embedded system that was enabled that should never have been enabled. Hence we put out an advisory to all and stated in that advisory that you may not even know that this is even enabled within your system, so you need to look to make sure that occurs.
While I think that we're getting better at it, I think that we all can do a better job, because that infrastructure seems to change frequently, to ensure that we understand the consequence of adding a new router, or of adding a new system or application, and of not notifying those that are in the security arena, because it is as critical as notifying those that are in the IT arena.
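The two inventory problems Pelgrin describes, platforms past vendor support and services that were enabled without anyone knowing, can be checked mechanically once an inventory exists. The following is an added example, not code from the interview or from MS-ISAC; the hosts, support dates and approved-service list are constructed.

```python
"""Audit a constructed asset inventory for unsupported platforms and for
enabled services outside an approved baseline (example code, made-up data)."""
from datetime import date

# Constructed sample inventory; not real hosts.
INVENTORY = [
    {"host": "web-01", "platform": "os-a", "version": "3.1",
     "services": ["https", "ssh"]},
    {"host": "db-01", "platform": "os-a", "version": "2.0",
     "services": ["sql", "ssh", "remote-admin"]},
    {"host": "kiosk-07", "platform": "os-b", "version": "1.4",
     "services": ["http", "telnet"]},
    {"host": "printer-03", "platform": "fw-c", "version": "?",
     "services": ["http"]},
]

# Constructed vendor support table: (platform, version) -> last patch date.
END_OF_SUPPORT = {
    ("os-a", "3.1"): date(2014, 12, 31),
    ("os-a", "2.0"): date(2010, 6, 30),
    ("os-b", "1.4"): date(2009, 1, 1),
}

# Services the security team has signed off on; anything else is
# "enabled but should never have been enabled".
APPROVED_SERVICES = {"https", "http", "ssh", "sql"}


def audit(inventory, eos_table, approved, today):
    """Return findings: hosts past support, hosts whose support status is
    unknown (the 'we don't know our environment' case), and per-host
    services outside the approved set."""
    findings = {"unsupported": [], "unknown_support": [],
                "unapproved_services": {}}
    for asset in inventory:
        key = (asset["platform"], asset["version"])
        if key not in eos_table:
            findings["unknown_support"].append(asset["host"])
        elif eos_table[key] < today:
            findings["unsupported"].append(asset["host"])
        extra = sorted(set(asset["services"]) - approved)
        if extra:
            findings["unapproved_services"][asset["host"]] = extra
    return findings


if __name__ == "__main__":
    print(audit(INVENTORY, END_OF_SUPPORT, APPROVED_SERVICES, date(2011, 9, 1)))
```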