In Utah, Fending Off More Than 20 Million Malicious Transmissions Is Just a ‘Light Day’


For the state’s chief information security officer, protecting IT systems and sensitive information is “a game of risk management.”

Every day the state of Utah faces a bombardment of cyberattacks.

One way to measure them is by looking at “network packets,” a term that refers to small amounts of data sent over the Internet. The illicit packets blocked from the state’s computer systems on a light day might be just over 20 million. Utah’s chief information security officer, Tim Hastings, who has held that post for about two years, looks at the numbers each morning. On the worst day he’s seen, the number of packets totaled more than 4.5 billion.

“Some days are really, really heavy and some days you don’t see much at all,” he said. “But when I say ‘I don’t see much at all,’ that’s 23 million.” Automated tools stop most of the packets. But when the state experiences large or sophisticated attacks, staff members may have to step in to make sure hackers don’t find ways around those tools.

It can be hard to know how many people or groups are responsible for menacing the state’s computer systems, or where they are. One person, acting on their own, could send millions of packets from computers they’ve taken control of in countries all over the world.

“Probably if you put numbers behind it, as far as people trying to attack, or machines trying to attack, you’d at least have thousands per day,” Hastings said in a recent interview.

The motives behind the electronic assaults vary. Some people might be looking to steal data; others might have ideological reasons for wanting to embarrass a public official or crash an agency website. “We’ve got folks that constantly scan and probe anything they can to identify a vulnerability or a weakness that can be exploited,” Hastings said.

Utah is using a combination of technology and training to defend itself against the daily barrage of malicious packets, as well as other types of attacks designed to spoof employees into giving up information. The state’s work on cybersecurity offers a window into some of the challenges governments confront as they square off with increasingly resourceful online criminals.

A Critical Concern

The stakes involved in protecting a network against a big breach can be high.

Montana discovered in May 2014 that hackers had gained access to a server with health and human services records, which contained information for about 1.3 million people, including Social Security numbers. The prior year, a Washington state court system website was breached, compromising Social Security numbers for up to 160,000 people. And Utah had its own problems in 2012 when hackers downloaded personal information for as many as 780,000 people off a Medicaid server.

At a National Association of Chief Information Officers conference in April, Montana’s chief information officer, Ron Baldwin, described the 2014 attack as “humbling.” The work required just to notify people that their records had been accessed was a heavy lift. At one point the state was mailing out about 200,000 letters per day as part of that process.

A NASCIO report published in 2014, in conjunction with Deloitte & Touche LLP, found that while about 60 percent of state officials were “very” or “extremely” confident that their state was prepared to fend off external cyber threats, only about 24 percent of chief information security officers felt the same way.

Stuart Davis is Ohio’s chief information officer and the president of the association. He said in a statement issued earlier this year: “Cybersecurity is a critical concern and priority for state CIOs.”

No Silver Bullets

Cyberattacks, and the cybersecurity measures states use, are constantly evolving.

“I think the security world is moving away from silver bullet-type defense strategies,” Hastings said. “That mentality was there 10, 15 years ago.” These days, he sees cybersecurity as “a game of risk management.” This means building up layers of protection around the most sensitive data and people in an organization to lower the chances of a successful attack.

Asked to provide an example of sensitive information, Hastings pointed to human resources records. “You’ve got every employee and their salary, and their Social Security number and their home address,” he said. “In some cases you have health data as well.”

“You can paint a very detailed picture of what that person looks like and steal their identity if you get HR records,” he added.

To protect these records, Hastings said an organization might use monitoring tools that issue alerts whenever they are accessed from an IP address outside of its network. An IP address is the string of numbers that identifies a specific computer on the Internet. A further precaution would be to allow no outside IP address access to the records at all, not even for staff.

Hastings said that he would even go so far as to consider what’s called “multifactor authentication” for highly sensitive records. This means a person would need more than one credential to access a system. For instance, along with their password they might also have to use a fob-like key device, in order to unlock the information that’s being protected.

The Weakest Link

But even shielding data and networks with the best electronic armour might not be enough. Hastings explains: “People are always your weakest link in the security world.”

“Tools will execute on what you give them,” he added. “But people are still susceptible to a bleeding heart, or wanting to be helpful.”

Utah has worked for several years to strengthen the human element in its security regime with annual training to educate people about cyber threats. Hastings also takes some additional measures. “We have our own, what we call, security drills,” he said.

The drills involve Hastings sending his own phony phishing emails. Phishing is a well-known tactic cybercriminals use to try to steal information or money.

The classic version of this scam consists of misspelled promises of cash in exchange for help transferring offshore wealth into your country. The only catch is that the person making the request needs your bank account number. But, like any other part of the technology sector, phishing has advanced, and has moved well beyond its ham-handed early years.

Governments and other organizations now need to be on the lookout for “spear phishing,” malicious emails that appear to come from trusted sources. These often contain proper grammar and formatting, perhaps a corporate logo, and even a legit-looking email address.

For example, an email might seem like it’s from a company that a government agency does business with. Or maybe the sender appears to be from inside the organization, like someone from the human resources or IT department.

With spear phishing emails, government employees might get duped into entering usernames or passwords that can lead to breaches. “If it looks official, they might say, OK, I’ll click on that and update my information,” Hastings said. Less than 5 percent of respondents tend to fall for the schemes in his drills. The point of the exercises, he stressed, is not to make anyone look foolish; they’re meant to help people learn and to tighten security.

“I want to track the number of people that fall for it so that I can give a statistic,” he said. “Then I always follow it up with, ‘hey, guys, I sent this out, and here’s the 18 ways you could have spotted this was not real.’” He added: “It’s another resource of more interactive training.”

Going forward, Hastings suspects cyber criminals will use increasingly sophisticated techniques to target government employees. “Anything with social engineering,” he said. “Phishing, spear phishing, even calling people on the phone, sending them phishing texts.”

Not All Attacks Aim to Make a Profit

But governments deal not only with attackers that are trying to make off with information and money, but also those that are trying to make a point. “Hacktivists,” as they’re sometimes called, can also be a threat.

A common technique for hacktivists is what’s called a denial of service attack. This type of attack is what happened the day when the 4.5 billion packets of information inundated Utah’s computers, according to Hastings. The point of the fusillade wasn’t to breach data; it was to overwhelm the targeted computer systems, so that the services they provide became unavailable for legitimate users.

When law enforcement officers in the city of Saratoga Springs, south of Salt Lake City, shot a 22-year-old black man named Darrien Hunt last year, it set off a string of hacktivist-related incidents. “They continue to attack that local police department and the state,” Hastings said.

Why Not Fight Back?

When it comes to cybersecurity, Utah is more-or-less always playing defense. The state’s Department of Technology Services does have the option to work with law enforcement agencies, or the Defense Department, which can conduct counterattacks. But, according to Hastings, offensive moves are rare and the state does not carry them out.

“I could very easily launch a denial-of-service attack back at them so that they couldn’t execute their attack, but what I don’t know is that a kid sitting in a basement in Europe somewhere, or is that a part of the Mafia or the mob, or is it a part of a nation state,” he said.

Depending on the attacker, Hastings noted, by hitting back he could put himself or the state at risk. “That’s a very dangerous route to go,” he said.

So for Utah, cybersecurity remains a largely defensive enterprise. One that is focused, for the time being at least, on reducing the chances of a successful attack or data breach to an acceptable level. “There’s always going to be a risk that a breach will get through,” Hastings acknowledged. “But I want to make sure that we’ve got a documented and calculated strategy for making sure that is at a low risk level. And that’s where we are now.”

Editor's Note: The headline on this story has been clarified to be more precise.
