cybersecurity | Idaho Business Review

Strong cybersecurity strategy not a luxury for small business

Jim Risch

After several difficult months plagued by coronavirus, small business owners across the country are preparing for the day they can finally and permanently reopen their doors.

The pandemic has seriously impacted the health of businesses everywhere, and for most employers, getting back to business cannot come soon enough. But while businesses across the country prepare to welcome back their customers, hackers and cyber criminals are actively infiltrating and exploiting small business databases.

Cyberattacks have skyrocketed worldwide as criminals capitalize on the confusion and anxiety surrounding the coronavirus pandemic. In a recent press release, the Federal Bureau of Investigation characterized the number of online schemes to swindle both businesses and individuals out of money and personal data as “truly breathtaking.”

As the U.S. economy reopens, small business are particularly vulnerable to renewed and increasingly sophisticated cyberattacks. In fact, an estimated 43% of all cyberattacks involve small business victims. Unlike government agencies and large corporations, many small firms don’t believe they are attractive or high-profile enough to be targeted by cyber criminals, and subsequently neglect investing in the cyber protections needed to prevent unauthorized breaches. Hackers know this well and have perfected the practice of accessing, stealing and selling private and proprietary information stored in small businesses’ data systems.

The long-term consequences of falling victim to a cyberattack can be severe for small businesses seeking to regain their footing after the economic fallout of the COVID-19 pandemic. In 2019, a single data breach cost businesses an average of $200,000, and studies show that 60% of small business victims go out of business within six months of experiencing such a breach.

It has perhaps never been more important to develop and implement a strong cybersecurity strategy, and small businesses should take quick and decisive action. Recently, the Cybersecurity and Infrastructure Security Agency, or CISA, published chapters one and two of a six-part series designed to provide business leaders with recommendations and guidance for strengthening and cultivating a culture of “cyber readiness” across their organizations.

Earlier this year, I introduced the bipartisan SECURE Small Business Act to help small business owners access information on data protection best practices and enable them to band together to purchase cybersecurity products at lower prices. By prioritizing cyber strategy and investment, small business owners can foster organization-wide cultures of vigilance and risk-mitigation while instituting policies and procedures to keep data secure. Small businesses should also assess how dependent they are on information technology and the safeguards they have in place to keep their data secure.

After months of lockdown, small businesses now have a unique opportunity to shore up their cyber defenses and protect their employees, customers, and livelihoods from cyberattacks. A strong cybersecurity strategy is no longer a luxury — it is a necessity. And small businesses should adapt to the new cyber landscape as we prepare for the post-COVID era.

Sen. Jim Risch serves as chairman of the Senate Foreign Relations Committee and is a member and former chairman of the Senate Committee on Small Business and Entrepreneurship.

Idaho Secretary of State bolsters voting security with Idaho firm

photo of ada county elections office — Voting machines, such as these in Ada County, are kept under lock and key until called upon for election days. Photo by Sharon Fisher

In an attempt to improve election security, the Idaho Secretary of State’s office is using software from a Boise company, PlexTrac.

“The PlexTrac platform will allow the Idaho SOS cybersecurity team to collaborate effectively across all counties for reporting and tracking of security-related issues,” the company said in a statement.

Security is of particular concern this election season because, in addition to electing a President, members of Congress and the entire Idaho Legislature, the COVID-19 coronavirus is making it difficult to hold elections in the customary way. Idaho’s primary elections are being held by mail only, and a number of states, including Michigan, have already said they will mail absentee ballots to all voters for the fall. Idaho officials have not said how they will conduct fall voting.

Election security

Foster Cronyn, deputy secretary of state, noted that the Idaho elections systems are considered ‘critical infrastructure’ by the federal and the state government.

“As such, we take the safekeeping of these systems and the voter registration data they contain very seriously,” he said in an email message. “To bolster security, the Secretary of State’s office has implemented several tools that monitor and report on our technical and non-technical security position. PlexTrac consolidates this information into an organized, actionable report for our analysts.”

PlexTrac’s Idaho location offers an additional advantage by providing local customer service, Cronyn said, “which has been extremely valuable in setting the system up for maximum efficiency.”

Until now, the PlexTrac software has primarily been implemented in the corporate environment, Cronyn said.

“However, the company’s leadership, some of whom are ex-military, wanted to directly benefit the people of Idaho,” he said. “Providing their product to the Secretary’s office allows them that opportunity to give back.”

PlexTrac offered the software to the Secretary of State’s office at a deep discount, Cronyn said. Help America Vote Act federal grant funds also were critical.

“This service is being provided for under $10,000 annually, with no state-appropriated taxpayer funds being expended,” Cronyn said

The software is being used in this year’s primary election and all the ones following, he said.

Increasing security

The acquisition of the software is just one of several moves that the Secretary of State’s office, headed by former Speaker of the House Lawerence Denney, has made in recent years to improve security in the office.

The department rolled out new voter registration software earlier this year that offered improved authentication, including the ability to require multifactor authentication, or a requirement to present more than one way to sign into a system, such as both a password and a software token on a smartphone.

The process began when the department issued the request for proposal for the software in June 2018. At the same time, the department got an additional $3.2 million from HAVA when it was ascertained that some funds still remained in the federal account.

The new voter registration software also meant that county voting offices would be required to have at least one PC running Windows 10 to communicate with that application.

In addition, in January 2019, the office conducted a cybersecurity simulation attended by county clerks from all over the state to determine how they would respond to a cybersecurity incident. That year, the Secretary of State’s office also hired a dedicated cybersecurity staffer, as well as a communications staffer, initially also paid for by HAVA funds.

PlexTrac, which was recently named by Tech Tribune to its list of the 10 Best Startups in Idaho, was the first company to receive funding from StageDotO, a Seattle-based investment company that moved its headquarters to Boise last summer. The company created a $50 million investment fund specifically to invest in Idaho startups, starting with $1 million for PlexTrac, which at the time was located in Eagle.

University of Idaho promised $2.5 million for cybersecurity

photo of cybersecurity lab — The University of Idaho is partnering with Schweitzer Engineering Laboratories on a $2.5 million cybersecurity program. Photo courtesy of SEL

Schweitzer Engineering Laboratories (SEL) and the University of Idaho are partnering on a program to fund cybersecurity education that will help train future workers in the field.

SEL and U of I have entered into a rolling five-year agreement, with a commitment of $500,000 per year for those five years. The $500,000 is a mixture of gift funds and commitments for research projects — a total of $1 million in gifts and $1.5 million in research contracts.

“We decided to lay out a long-term strategic roadmap of partnering with excellent research and marry them with critical industry needs that we see,” said David Whitehead, chief executive officer at SEL, which is headquartered in Pullman, Washington, but also has a Boise office.

The University of Idaho also just got approval to offer a bachelor of science degree in cybersecurity, as well as the master’s level program it is working on with Boise State University and Idaho State University.

Cybersecurity is critical to the electric power system, as well as to other infrastructure systems such as water, wastewater, petrochemical and chemical for which SEL makes control systems, Whitehead said.

SEL has been partnering with the U of I on research topics for three decades, he said.

“The core of our products is what they refer to as protective relays, which monitor currents and voltages,” he explained. “If we detect a problem, we isolate the damaged part and send out commands to redirect power.”

photo of david whitehead — David Whitehead

For example, if the lights blink at your house when someone hits a power pole, that’s typically an SEL device detecting a fault, opening the circuit, and closing it back down again to clear the problem, Whitehead said.

Increasingly, though, there’s been a concern about the vulnerability of such systems, either to natural causes or hackers.

“There are frequently cybersecurity breaches, and we take it very seriously,” Whitehead said.

Whack-a-mole

That’s where the University of Idaho comes in. The institution has been working on cybersecurity research projects for years with the help of industry partners like SEL, using six-month and 12-month contracts, said Larry Stauffer, dean of the U of I College of Engineering. But the university wanted to think bigger.

photo of larry stauffer — Larry Stauffer

“When it comes to cybersecurity, they’re frustrated with the ‘whack-a-mole’ approach everyone gets into,” Stauffer said. “You come up with a solution, and the bad guys come up with another approach. We thought we’d put this big audacious goal out there and figure out how to make industrial control systems cybersecure so we don’t get into that situation. We know we’ll never get there, but it’s a good goal to focus on.”

But to do that, the school needed more than six- and 12-month contracts.

“We needed to have a stable relationship,” Stauffer said. “With that stable partnership, we can recruit post-docs and graduate students who may take two or three years.”

Students may shift back and forth between being funded by gifts and funded by research contracts, depending on where they are in their studies and what projects are available, he said.

Degree programs

The bachelor of science degree in cybersecurity, as well as the master’s level program, will generate trained graduates who can go on to work for companies like SEL.

“We get access to collaborate with some really smart professors,” Whitehead said.

And the students as well.

“Hopefully they’ll be working with us and come and work for us when they graduate,” he said.

There’s not currently a defined bachelor’s-level cybersecurity program, he said.

“Kids learn about computer security and operations,” he said. “When we hire them on, we work with them specifically on cybersecurity needs. This will give them a head start being that further ahead in cybersecurity.”

“We’re pretty confident we have a high-quality offering, and I have zero concern about job prospects,” Stauffer said. “They’re going into a really high-need field. You’re going to see more and more programs coming, but we’ll be one of the first.”

University cybersecurity program gets industry input

photo of cybersecurity curriculum — Industry participants suggested topics for a cybersecurity curriculum in Idaho universities. Photo by Sharon Fisher

Work is progressing on a cybersecurity education curriculum at Boise State University, where the department recently held a meeting of potential employers to determine what they would need.

“The purpose is to work with industry to identify content topics,” said Sin Ming Loo, professor of electrical and computer engineering in the Department of Engineering at Boise State University, in an email message. “This way, we develop the most useful and applicable content for students.”

‘Teaching zookeeping with stuffed animals’

The meeting was held on Dec. 13 in the Interactive Learning Center on the Boise State campus. Participating companies included Optiv, HP, Ada County Highway District, Idaho Power, Idaho National Laboratory, Bastion Solutions, Idaho State University, the Department of Homeland Security, Ada County, Tech Help, Albertsons and Blue Cross of Idaho.

Attendees took part in a “sticky note” exercise where they wrote items on sticky notes that they felt should be included in the program, and then discussed and categorized the items. For example, one attendee opined that cybersecurity training could only go so far, because cybersecurity people had to have an aptitude for it, and that couldn’t be trained.

Attendees also recommended that the program include a variety of hardware on which to train students.

“You can’t teach zookeeping with stuffed animals,” said one attendee.

They also recommended that students in the program actually conduct a form of cybersecurity exercise known as a “penetration test,” rather than simply reading about how to do it.

It is also important for the curriculum to include cloud computing, which is not covered by some existing cybersecurity training programs, attendees said.

Curriculum at multiple levels

The curriculum stars with a four-class “cybersecurity for all” certificate. The program is intended to train people in cybersecurity without requiring them to get a computer science or education degree first.

“Calculus can’t be a prerequisite to anything,” JoAnn Lighty, dean of Boise State’s College of Engineering, told the group.

Later programs include a workforce training certificate program for professionals, with the possibility of also teaching high school students; four cyber- and physical security certificates for undergraduate students in science, math and engineering majors; a cybersecurity minor; a master’s degree in cybersecurity and a doctoral program in computing or engineering with a cybersecurity emphasis.

The first two certificate programs would be taught online-only to make them more flexible for students. The workforce training certificate program received a grant of more than $800,000 in November from the Idaho Workforce Development Council, which is intended to provide funding for the 36-month startup period, during which 200 students are expected to participate. The program is expected to launch for the fall term, with classes scheduled to come online starting in August, Loo said.

“Our current formal consortium partnerships include Boise School District’s Dennis Technical Education Center IT and Cybersecurity programs,” Loo said in an email message.

Graduates can continue with a career technical education program at the College of Western Idaho or pursue a degree at Boise State, he said.

The curriculum is also expected to include people skills such as how best to work with staff to deal with potential cybersecurity issues. For example, instead of criticizing people for falling for a phishing scheme, staff could be rewarded for reporting potential security flaws.

In fact, Loo suggested using the seminal Dale Carnegie book “How to Win Friends and Influence People,” to teach cybersecurity students in the program to look people in the eye rather than stare at the floor.

During his State of the State address on Jan. 6, Gov. Brad Little proposed spending $1 million on cybersecurity education among Boise State, Idaho State University and University of Idaho.

“This increased level of collaboration across Idaho’s higher education institutions will offer Idahoans a path to earn a degree in a high-demand profession by partnering with Idaho employers, including the Idaho National Laboratory,” he said.

Cybersecurity 2020: Phishing, ransomware and ‘things’

photo of cybersecurity trial — Government employees took part in training earlier this year to learn how to deal with a cybersecurity attack. Photo by Sharon Fisher

Editor’s note: This is the fourth in a four-part series on business preparedness for the 2020s.

When it comes to cybersecurity, everything old is new again: Hackers are still using fake email addresses to deliver 2014-era malware. Why? Because it works.

“The new trends, unfortunately, aren’t terribly new,” said Clark Harshbarger, special agent for the Federal Bureau of Investigation in Boise.

Businesses shouldn’t assume that they’re only a target if they have intellectual property, said Paul Furtado, senior director analyst for midsize enterprise security at Gartner Inc. “There’s no IP to making a washer,” he said. “But if you don’t have good cybersecurity, and I can extract customer or employee data, that’s information I can sell on the dark web pretty quickly.”

A full set of personal data — name, address, Social Security number, bank account information and email address — can go for $30 to $100, Furtado said.

Government a target

In particular, governments are a target, increasingly for “ransomware,” where a hacker garbles data and demands payment to ungarble it. Cities and other jurisdictions, including some in Idaho, have been hit, as well as businesses.

“A good portion of businesses have paid because it’s easier to restore the system and purge vulnerabilities than to start afresh,” Harshbarger said.

photo of jeff weak — Jeff Weak. Photo by Sharon Fisher

“Ransomware is probably the No. 1 issue in government right now,” said Jeff Weak, chief administrator for the Idaho Office of Information Technology Services.

Attacks are giving government agencies practice in dealing with cybersecurity incidents, said Lance Wyatt, chief information security officer.

“Now we have a template and know what the attack vectors look like and how to declare a state of emergency to help mitigate it,” he said.

Fake email, or “phishing,” is on the rise, as is the more targeted “spear phishing,” Weak said. Because an agency’s information is available to the public, a hacker can look up the org chart for the agency for names to add verisimilitude to the message, he said.

“Our counter to that is we do a lot of web filtering and user education,” Weak said.

For example, he teaches staff to look at headers and hover over names to make sure they resolve to the correct domain and sender. “Anything that looks out of the ordinary, with urgency, give it a suspicious look and look at it a lot more carefully,” he said.

Phishing attacks are also using artificial intelligence (AI), Furtado said. For example, when people post on social media where they’re going on vacation, AI can find out where they stayed and whom they visited, and create a phishing campaign based on that data, he said.

The state also has to deal with “cryptojackers,” people who infiltrate systems to use resources for mining cryptocurrency, Weak said.

“We block most extensions that could be executed to leverage that type of behavior,” he said, adding that they also check log files. “If there’s something that looks out of whack, we know we might have a problem.”

Internet of Things

Another cybersecurity trend is the Internet of Things (IoT), smart devices that can be used as an attack vector.

“Vendors are all in a rush to be the first to market,” Furtado said. “The drive to be the first to market usually will trump that security piece.”

For example, one smart light bulb manufacturer stored user names and password unencrypted, so hackers could retrieve that information from burned-out bulbs, he said.

Any vulnerable IoT device can open up access to the corporate network.

“All those devices are great, and give you a competitive edge, but they have to be secured,” Weak said. “Everything connected to the internet has to be secured and is exploitable.”

So for 2020, what should you do?

“The single biggest thing companies can do to protect themselves is enable two-factor authentication,” said Harshbarger of the process of using a second authentication method such as a text, email or a phone call in addition to a password. “It’s less convenient, but you’re almost 100% less susceptible to email-based attacks because you can validate that you are the owner of the account.”

Boise State gets grant for cybersecurity certificate

photo of transmission lines — The cybersecurity of physical devices, such as the electrical grid, is increasingly a concern. File photo.

Boise State University has received more than $800,000 from the Idaho Workforce Development Council to help jump-start its cybersecurity certificate.

The university first started talking about the 12-credit certificate – a two-semester online program that does not require a computer science or engineering degree – about a year ago. The standard tuition rate is $350 per credit.

Idaho doesn’t have any other schools that offer a similar program, said Sin Ming Loo, a professor in the Department of Electrical and Computer Engineering in Boise State’s College of Engineering. It includes both hands-on training and theory, he said.

“Unlike a four-year degree program, this is truly training to get the skillset for the job,” he said.

Graduates of the program would receive a CompTIA Security+ certificate, “a basic certification that will get them a lot of jobs,” Loo said.

The grant is for the 36-month startup period for the certificate, and amounts to $833,958. Over the course of the funding period, 200 students are projected to participate, Boise State said in a statement.

Starting out, Boise State expects to see about 35 students per seven-week course, said Peter Risse, associate dean of extended studies.

Partnering with Boise State on the certificate program is the Idaho National Laboratory, the Idaho Air National Guard and Simplot. Because the program is online, students can do class work at any time, and it is suitable for students in rural Idaho as well, Loo said.

“Boise State’s approach to online is highly interactive,” Risse said. “It’s asynchronous, so it’s available anytime. That’s critical for our military audience and companies that run around the clock where they have shift work.”

Students can interact by emailing the teacher, asking questions on the class forum or setting up a videoconferencing call during the teacher’s “virtual office hours,” he said.

Program graduates can continue on to Boise State’s Bachelor of Applied Science and Engineering Plus pathways, with the credits earned for the certificate applied toward the degree, Risse said.

Idaho National Laboratory opens new computing, cybersecurity buildings

photo of c3 — The lobby of the Collaborative Computing Center had its ribbon cutting on Oct. 14. Photo by Sharon Fisher

IDAHO FALLS – Idaho National Laboratory (INL) formally opened two new buildings that are intended to give students and researchers across the state access to supercomputing and cybersecurity resources.

Officialas celebrated the Collaborative Computing Center (C3) and Cybercore Integration Center (CIC) at a ribbon cutting held on Oct. 14.

Idaho has a better idea of the resource it has with INL and is making better use of it, said David Hill, former deputy director, who is now on the Idaho State Board of Education.

Attendees included a large contingent of Idaho legislators, who were in the neighborhood as part of the 2019 Idaho Legislative Tour, sponsored by the Greater Idaho Falls Chamber of Commerce. About 50 legislators – more than a third – are reportedly participating in the tour.

The Legislature approved funding for the buildings, which don’t use any state funds but require appropriation authority, on March 28, 2017, said Mark Peters, INL director.

Collaboration, not competition

Peters emphasized the collaborative nature of the project, which will provide educational facilities for all of the Idaho state schools to train their students in cybersecurity, computer science and computational science. The biggest impact is not the buildings themselves, but the partnership with universities that will keep students from having to leave the state to study and get jobs in these fields, he said.

The presidents of both the University of Idaho and Idaho State University concurred, with Idaho State’s Kevin Satterlee saying that ISU wasn’t competing with other Idaho universities, but collaborating. Off-site computer users, such as students and faculty at Idaho’s universities and colleges, have remote access to the high-performance computing systems in the C3 through the Idaho Regional Optical Network (IRON), INL said in a press release.

Home for new supercomputer

photo of eric whiting — Eric Whiting. Photo by Sharon Fisher

By December, C3 is scheduled to receive its new supercomputer, named Sawtooth, to add to its existing supercomputers, Falcon and Lemhi. Sawtooth, which will cost around $19 million and come from Hewlett Packard Enterprise, will be installed in the new building, a process expected to take two to three months, said Eric Whiting, Divison Director, Advanced Scientific Computing. Following that, both Falcon, from the former Silicon Graphics, and Lemhi, from Dell Technologies, will be moved, which will take about two weeks each, he said.

For an idea of Sawtooth’s power, it can multiply 1,000 15-digit numbers a trillion times per second, Whiting said. The computer will have 121 terabytes of memory.

A new building was required to house Sawtooth because the existing computing building doesn’t have enough power, Whiting said. It uses 1.5 megawatts (MW) of power on its own, while the existing building has only 500,000 MW. C3 has 4 MW, with the capacity to be expanded to 8.5 MW – in time for the INL’s next supercomputer, which is expected around 2023, he said.

Funding and construction

Like the nearby Center for Advanced Energy Studies (CAES), which opened in 2009, CIC and C3 are owned by the state and leased to INL. The education board will own the buildings and sublease them to Battelle Energy Alliance, the INL contractor, for $6.12 million a year. The 15-year lease is designed to make the annual payments on the expected $75 million to $80 million bond for the $85 million project.

The project came in ahead of schedule and under budget, said V.L. “Bud” Tracey, chairman of the Idaho State Building Authority, though he didn’t provide specifics.

Both buildings are two stories, with 66,000 square feet at the C3 and 79,000 square feet at Cybercore. About 85% of the Cybercore building is high security, with some offices available for workers who haven’t yet received security clearances.

ESI Construction of Meridian and J.E. Dunn Construction of Kansas City were the construction manager/general contractor. Flad Architects of Madison, Wisconsin, was the architect. The buildings broke ground on April 11, 2018 after the Idaho State Board of Education approved the $1 million land purchase and executed the Battelle lease on March 8, 2018.

Local governments learn about cybersecurity protection

More than 350 people, ranging from the governor to students, recently attended a free cybersecurity training that emphasized the shared efforts of the public and private sectors.

The Fifth Annual Idaho Cybersecurity Interdependencies Summit, held on April 29, was sponsored by the Idaho Office of Emergency Management, in partnership with the Pacific Northwest Economic Region’s Center for Regional Disaster Resilience. Many, though not all, of the participants represented various state and local governments, though a number of businesses attended as well.

Local governments – such as a recent incident in the Sugar-Salem School District – are increasingly the target of cyber attacks such as ransomware, where an organization’s data becomes encrypted and the organization is told it has to pay money to get access to the data again. This risk isn’t going away, and will continue to grow due to the profit incentive, said Doug Depeppe, board president of the Cyber Resilience Institute.

Losing access or control over critical systems can have a direct impact on employees and their communities, said Mike Hamilton, president and founder of CI Security.

Part of the day-long event included a mock court case, intended to demonstrate to participants how difficult it was to prove employee involvement in a hack, although studies have indicated that hacks are much more likely to be perpetrated by insiders than by shadowy outside hackers.

Participants included attorneys from several of Idaho’s leading law firms, as well as Clark Harshbarger of the Federal Bureau of Investigation to lend verisimilitude to the proceedings.

Attendees received a list of takeaways after the exercise. These included developing a written cyberincident response plan, as well as cybersecurity policies and procedures, then training employees on them; knowing how to forensically secure evidence and data of a hack; and acquiring cyberliability insurance, either through an organization or by self-insuring, and knowing the notification obligations to the insurer to invoke coverage.

photo of wayne austad — Wayne Austad. Photo by Sharon Fisher.

Attendees also heard from Wayne Austad, director of the CYBERCORE Integration Center at Idaho National Laboratory, which focuses on critical infrastructure control systems, as opposed to cybersecurity systems intended to protect information, such as banking or personal health records.

“Catastrophic physical damage is possible through cyber means,” Austad warned.

In the future, organizations and vendors will likely begin using artificial intelligence to begin filling in the gaps in security, Austad said. Nonetheless, “the machine learning people will not save you,” he said.

Representatives from Microsoft and Hewlett-Packard also described the role of vendors in cybersecurity. When state and local governments experience a data breach, their third call is often to Microsoft – after the Office of Emergency Management and the FBI – because organizations typically have Microsoft’s Active Directory product, which contains information about users and their ability to gain access to the organization’s computing resources, said Dean Iacovelli, of Microsoft’s cloud computing protection group.

Microsoft itself spends $1 billion a year, with 3,500 employees, on cybersecurity, Iacovelli said. “Hackers need to be lucky once, and you need to be lucky forever,” he said. “This is an inherent resources problem.”

Similarly, Lindsey Hearst, print security advisor for HP, spoke about printer security, particularly the problem of hackers breaking into a poorly protected printer and using it as a vector to attack the network. In addition, printers can present a compliance problem, she said, noting that health care companies are typically only 50% compliant with the Health Insurance Portability and Accountability Act requirements associated with printers.

For example, organizations don’t always properly set their port settings and passwords from the defaults, which can create vulnerabilities, Hearst said. In addition, organizations need to update the firmware of their printers regularly to ensure that vulnerabilities are protected, she said. And when buying new printers, organizations should be sure to buy printers that have the capability of learning how to deal with future vulnerabilities as well as current ones, she said.

Beware of fear-based cybersecurity sales tactics

photo of shawn scott — “Beware of anyone using fear to sell you a product,” Shawn Scott, CEO of Badger Infosec, told attendees at a Trailhead seminar. Photo by Sharon Fisher.

Buying intrusion detection software and third-party antivirus software aren’t necessarily the way to go to improve your company’s cybersecurity.

That’s according to Shawn Scott, CEO of Badger Infosec, who spoke recently on cybersecurity at Trailhead, the coworking space in downtown Boise.

“Beware of anyone using fear to sell you a product,” Scott said.

Purchasing an intrusion detection system also means paying for an employee to tune it, as well as to monitor it, Scott said. Without that additional investment, the software itself isn’t particularly useful, he said.

Similarly, Scott recommended that companies use built-in tools, such as Microsoft Windows Defender, rather than third-party tools because they are free. In general, he recommended that organizations make use of tools they already have, such as the built-in encryption bundled with many systems, and ensure that system hardware and software are updated regularly.

Another advantage of encryption — aside from protecting the data itself — is that if data is stolen but encrypted, it doesn’t count as a breach, Scott noted.

Scott also recommended that companies classify data, because not all data requires the same level of protection. For example, certain data is required to be protected in regulated industries, like personally identifiable information such as Social Security numbers. Other industries, such as health care, have requirements for protecting data such as health information, while financial institutions are required to protect financial information.

Companies should define special classes of data, have a policy for how to mark it, and define ways for it to be shared and transferred, Scott said. Setting up more stringent protections on just the most important data requires less work, and having special protections on sensitive data also makes it easier to prosecute hackers should it be stolen, he said.

Scott does recommend “password vaults” such as LastPass, rather than expecting users to create — and remember – long, complex passwords. In addition, he recommended that organizations implement multi-factor authentication, which uses an additional device such as a cellphone or a hardware token as well as a password, to increase security.

More important than any hardware or software, though, is user training, Scott said. Users are the primary vector for adversary attacks because, unlike hardware and software, they can’t be patched, only trained. He recommended regular, in-person training.

“Click-through, computer-based training and recorded videos once a year don’t cut it,” he said.

It’s also important for organizations to create and publicize policies around appropriate computer use, because it is unreasonable to expect users to follow rules they don’t know, Scott said. Companies also can’t expect users to know what’s common sense. Examples of such policies would include not using home computers on the corporate network, and using secure file transfer when exchanging data, he said.

Companies also need to perform regular backups, preferably more than one, in multiple locations, Scott said. His recommendation was 3-2-1: three copies of all data, two of them on-site but using different types of media and one not on a network, plus one copy offsite, he said.

Scott also recommended companies use configuration management to ensure employees are all using only approved hardware and software, there are no unauthorized devices on the network, and devices are regularly patched and updated to protect against bugs and other security flaws. Patches are important because most attacks are through known vulnerabilities, he said. In addition, network and device privileges should be limited to keep unauthorized people from making changes to their configuration.

Attacks on small businesses nationwide have been increasing over the past decade, with 67 percent of small- to medium-sized businesses reporting an attack, and 58 percent reporting a breach in the past year, Scott said. In particular, businesses such as accounting firms that hold private data for multiple companies have been targeted.

Secretary of State enhances voting cybersecurity

photo of cybersecurity simulation — Voting staff from all over the state took part in a cybersecurity simulation hosted by the Secretary of State’s office. Photo by Sharon Fisher.

In an effort to improve voting security, the Secretary of State’s office recently conducted a cybersecurity simulation with Idaho voting officials statewide and is hiring a cybersecurity staffer.

The training was paid for through a $3.2 million windfall the department unexpectedly received last summer, out of the final distribution of funding from the 2004 Help America Vote Act (HAVA). In addition, in Jan. 2017, elections were designated by the federal government as “critical infrastructure,” including the physical facilities housing voting and tabulation as well as the technology used to manage elections, which makes other funding available, said Phil McGrane, Ada County clerk.

The cybersecurity staffer, as well as a dedicated communications staffer, are also paid for out of those funds, though the department hopes to secure state funding to maintain the positions, said Chad Houck, deputy secretary of state.

Coincidentally, when the department learned of the money, Houck was attending a cybersecurity conference at Harvard University, where a similar simulation exercise played a key part. “When we found we had the funds to pull off one of these events, we set out on making it a reality,” in partnership with Boise State University’s computer science department, he said.

Phil McGrane, Ada County clerk, said he sent all ten of his staffers to the cybersecurity training. Photo by Sharon Fisher.

While visitors were not allowed to observe the exercise, attendees — who were randomly assigned to different roles — said it was valuable. “It was great for everyone to work in different roles to see how challenging this can be,” said McGrane, who said he sent all 10 of his staff.

Ada County did a cybersecurity “penetration test” after the 2016 Democratic National Committee hack, which helped lead to the county’s implementation of “food truck” mobile voting, he said.

“We were thrown a lot of problems that could potentially happen, leading up to Election Day and on Election Day,” said Julie Hancock, elections administrator for Bannock County. “Our job was to communicate, solve problems, and use the resources that are available to us. I didn’t realize we had so many resources.”

Julie Hancock said Bannock County doesn’t even have phone lines where it plugs in its voting machines. Photo by Sharon Fisher.

Bannock County has improved security in its system by using voting machines that can’t be hacked and that are hard-wired into the internet and located on walls that don’t have internet or telephone cabling in them, Hancock said.

So far, no attempts to compromise the voter registration database or the Secretary of State’s office have succeeded, Houck said. “There were several instances where we stopped attempts,” he said.

In addition, a May hack of the Idaho Legislature website might have been collateral damage of an attack actually targeting the Secretary of State’s website, as it happened just a couple of days before the primary, he said. “Log files showed the same group had gone after our site,” but the Secretary’s office had different mitigation strategies in place and different patches, he said.

The cybersecurity position is a full-time senior-level management position with the title cybersecurity policy analyst, which the department has been putting in its state budget request for a couple of years. It is budgeted at $97,900. Gov. Brad Little recommended the position in his budget, but the Legislature has not yet voted on it. The communications coordinator analyst, which was not recommended by the governor, is budgeted in the $75,000 to $80,000 range.

Currently, funding for the staffers for two years is coming out of federal HAVA money. “We put them on a year-to-year basis as we have funding available and authorization on the federal side,” Houck said. However, funding the positions on an ongoing basis out of the state budget would provide more stability, he said.

The two positions are correlated, Houck said. “The biggest threat surface is that of public opinion for our office,” such as public confidence in the system and the voting process overall, he said. “One of the ways to build that is with clear, consistent and open communication. That’s hard to do when you don’t have someone tasked with that role.”

Boise State to offer less-technical cybersecurity certificate

Boise State University is developing a cyber- and physical security certificate that isn’t predicated on people being computer scientists or engineers.

While the details aren’t finalized, the CPS2ALL certificate, intended for full-time and part-time degree-seeking students, can be earned online, on campus or both. It will consist of a series of 2-week, 4-week or 8-week courses and training modules that will let students earn badges in topics such as networking basics, threat modeling and understanding firewalls.

Boise State representatives discussed the program during a cybersecurity event on Nov. 30, where representatives from organizations such as Cisco and the Federal Bureau of Investigation spoke.

Several audience members commented that many cybersecurity professionals and programs are missing “soft skills,” ranging from communication and business awareness to understanding the various compliance requirements of industries such as financial services and health care. Presenters acknowledged that the interdisciplinary part of cybersecurity instruction needs to be built up. For example, the social sciences are a valuable source of information on human factors such as the user interface and how humans respond to falsified information, said presenter Wayne Austad, technical director for the Cyber Core Integration Center at Idaho National Laboratory.

Similarly, “phishing” emails – where a hacker sends an email message purporting to be a trusted sender but which then asks for passwords or installs malware – is still the biggest single cybersecurity vulnerability, said Clark Harshbarger, special agent for the Federal Bureau of Investigation in Boise.

“Most often, it’s an intervention of humans, not a technical innovation” that results in a successful attack, he said. “Relationships are as important, or more important, than the technical solutions.”

Boise State already offers cybersecurity training programs, but they are all heavily technical. For example, the university has just started offering a cybersecurity certificate intended for computer science students. It includes classes such as power systems analysis, digital hardware design and algebraic cryptology. So far, the program has 30 students, all taking its introductory class, said Sin Ming Loo, a professor in the department of electrical and computer engineering, who is spearheading the project.

In addition, the university is revising its cybersecurity minor, last offered in 2014, but which is also technical.

An advantage of a certificate program, as opposed to a major or a minor, is that it’s much quicker to get a certificate program approved, Loo said.

As the world becomes more automated, there is increasing attention being paid to the security of this automation, which includes the physical security of the devices themselves as well as cybersecurity. Especially in older devices, as well as in manufacturing and industrial devices, control protocols may not have the level of security monitoring that computer and networking protocols have, Austad said.

Consequently, because sensors are becoming more prevalent, they are more often being used as a vector for attack. “If I can access your hardware, I own it,” Harshbarger said. “Did you hear that a high-roller database in a casino got broken into through a thermostat in a fish tank?” he said. “Isn’t that cool?”

The physical aspect consists of sensors that monitor physical components and actuators to manipulate them – the cyber-physical aspect links the cyber and physical worlds and uses embedded intelligence, while the cybersecurity aspect is purely through wired or wireless communication and doesn’t directly interact with physical devices, Loo said.

As part of the work to develop the less-technical certificate program, Boise State is also developing a hacking lab that will give students hands-on experience, particularly with physical devices such as the Internet of Things and industrial machinery. It could include virtual machines that can be reset after hacking sessions, wireless access points, actuators and sensors, programmable logic controllers, portable and smart devices and appliances, and industry control devices such as robots. In addition, the lab will include a virtual private network that will be available as a hacking target 24 hours a day, seven days a week.

Cybercriminals targeting accounting and tax professionals

photo of hands on keyboard — Increasingly, hackers looking for financial data are bypassing companies for their accounting and tax professionals. File photo.

Early 20^th-century bank robber Willie Sutton apocryphally said he robbed banks because that’s where the money was. Using that same logic, cybercriminals are bypassing individual companies, instead hacking accounting and tax professionals.

photo of mike lindstrom — Mike Lindstrom

“It is a big concern for us,” said Mike Lindstrom, partner with Eide Bailly LLP, a Boise-based accounting firm, and chair of the federal and state tax committee for the Idaho Society of CPAs.

Exactly what tax professionals do to protect themselves isn’t always easy to determine. “Talking about security is sensitive because no one wants to disclose details that could help the bad guys,” said Lisa Patterson, senior communications manager for the corporate office of H&R Block.

That said, organizations on both the state and federal level are working to raise awareness of the issue. For example, the week of Dec. 3-7 is National Tax Security Awareness Week.

“Tax professionals continue to be a target of cyber criminals because of the information they have,” said Renee Eymann, public information officer for the Idaho State Tax Commission, which, like many similar state organizations, partners with the federal Internal Revenue Service (IRS) to raise awareness of the issue. “Our agency is part of the Security Summit, a partnership between the IRS, state tax agencies and the tax community, including tax preparation firms, software developers, payroll and tax financial product processors, tax professional organizations and financial institutions.”

For each day of National Tax Security Awareness Week, the summit will focus on a single issue that poses a threat to individuals, businesses and tax professionals and provide tips for better protecting sensitive data from cybercriminals, Eymann said. In addition to being posted to the National Tax Security Awareness Week website, the IRS will send out information on Twitter from the account @IRStaxsecurity.

The Idaho State Tax Commission doesn’t track how many accounting and tax professionals have been hacked, Eymann said, but according to the 2018 Cost of a Data Breach Study, conducted annually by the Ponemon Institute, the financial services industry is the business sector with the highest frequency of data breaches. And financial services is second only to health care as the industry with the highest cost of data breaches, at $206 per capita.

Moreover, cybersecurity incidents can have higher repercussions in financial services compared with some other industries, according to the report. “Companies in certain industries are more vulnerable to churn when customers can easily take their business to another competitor,” the report noted. “Customers also have high expectations for the protection of their data in highly regulated industries, such as health care and financial services. When these organizations have a data breach, customers’ trust will decline and they will try to find a substitute.”

In addition to National Tax Security Awareness Week, the Security Summit also promotes events such as Tax Security 101, held over 10 weeks this summer, to alert accounting and tax professionals to cybersecurity issues such as using passwords, encrypting data, and detecting “phishing” attempts to break into a system by pretending to be a legitimate email message.

The Federal Trade Commission also requires all professional tax preparers to create and enact security plans to protect client data.

Ironically, the IRS itself has been the victim of several cybersecurity incidents. A May audit by the Treasury Inspector General for Tax Administration found that the IRS hasn’t accurately cataloged all the components of its highest value hardware and software systems, doesn’t have a clear count of who has privileged access to those systems, and likely isn’t patching software vulnerabilities on its highest value assets within the 30-day timeframe required for federal agencies.

Earlier this month, the IRS failed to add more than 11,000 compromised Social Security numbers to a list it uses to help protect taxpayers from identity theft. Consequently, 79 of those Social Security numbers were reportedly used to file phony tax returns in an effort to receive refunds during the 2016 and 2017 tax years.

Select Region or Brand

Upcoming Event

CONNECT

DIGITAL EDITIONS