Indiana Office of Technology

CISO Blog


Tad Stahl, the Chief Information Security Officer (CISO), will share thoughts on a regular basis on information security issues facing the State of Indiana workforce. The web software does not permit you to comment in typical blog fashion. Please send your questions and comments to IOTCISO@iot.in.gov. Your comments and questions, along with the CISO’s response, will be manually appended to the blog. Only questions and comments from state government email addresses will be addressed.

Password Security

I’ve heard about the weaknesses of system access, specifically the use of passwords, since I began my career in IT.  That was longer ago than I care to admit.  Since then I’ve seen a lot of changes in technology (storage is cheap, wireless is fast) and in myself (lost a bunch of hair, added pounds and wrinkles).  Yet the issues around passwords have stayed pretty much the same.  You’d have thought by now, when we can store HD movies on a device carried on a key chain, where we can do just about anything from a smart phone, we’d have something better.   DVDs replaced VHS tapes, mp3 players made obsolete cassette players and password use should now be a chapter in the technology history books.  But no!  Instead, passwords seem to have all the staying power of taxes.  Key cards, fingerprint readers, retinal scanners, and other technologies have shown value and future promise.  However, none seems a viable candidate to mothball the use of passwords over the coming years.

So we’re stuck with passwords for a while longer.  There are worse things.  Properly used, passwords do a pretty good job.  The problem is managing all of them.  Between job duties and personal life, you could easily have 20 different passwords to deal with.  One thing for sure, if you do a little bit of looking you’ll find no shortage of guidance. And you’ll find no shortage of hypocrites.  By that I mean people that don’t follow their own password guidance because it’s too much hassle.  You will find recommendations to keep them all in your head while others say it’s okay to write them down.  Some will say to use a password managing application; others argue that to do so is to put all your eggs in one basket.   Here’s my crack at guidance and I’ll try to keep it simple.  It’s the approach I take.

Should I have a different password for each account?  Yes and No.  I’d prefer you not use the password you use for your job here at the State for any other account.  I’d apply that same guidance to any account you have dealing with confidential information (e.g. – work, banks, investments, etc.).  That way if a password is compromised the damage from the compromise will be limited.  If you have accounts for trivial matters where there is no confidential data, simplify your life and reuse the same password (e.g. – recipes, crafts, hobby forums, etc.).  If it gets compromised there is little damage to be done.

Do I really need to change my password frequently?  Just like the answer above, let the importance of the information you’re protecting drive the frequency of password changes.  We require a change every 90 days.  On anything important I wouldn’t go more than 6 months without a change.  If it is not important, ride that password as long as you can.

Should the passwords be long and complicated?  The longer they are, the more secure they typically are.  Diversity is also important.  Use upper and lower case, numbers, and special characters.  You want to stay away from standard dictionary words, addresses, words spelled backwards, or personal information (birthday, anniversary, etc.).  You can substitute or misspell creatively and still have something easy to remember that is very secure (e.g. Indy@n@P@cker$, Sm!L3:=P:=), $pelInBCh@np).

We have seen plenty of schemes designed to capture login credentials.  On a weekly basis you’ll read about a company that was hacked and IDs and passwords were posted online (recently LinkedIn and Yahoo).  The threat is real but one you can reasonably address with a little creativity and discipline.
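The rules above (length, character diversity, no dictionary words forwards or backwards, no personal details, and no sharing a confidential account's password with any other account) can be checked mechanically. The following is an added example, not code from the blog or from IOT: a small Python checker that applies those rules to a candidate password and then looks for reuse across a list of accounts split into the "confidential" and "trivial" tiers the post describes. The word list, the personal details, the account list and the numeric thresholds (12 characters, 3 character classes) are constructed assumptions; the blog only says "longer" and "diverse" without fixing numbers.

```python
import re

# Constructed stand-ins for a real dictionary file and for one user's
# personal details; both are assumptions of this example, not data from the blog.
DICTIONARY = {"password", "indiana", "pacers", "welcome", "summer", "letmein", "recipe"}
PERSONAL_INFO = {"birthday": "1975", "anniversary": "0614", "street": "maple"}

# The blog says "longer" and "diverse" without fixing numbers; these
# thresholds are assumed values that a real policy would set explicitly.
MIN_LENGTH = 12
MIN_CLASSES = 3


def character_classes(password):
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def contains_dictionary_word(password, words=DICTIONARY):
    """Return the first dictionary word embedded forwards or spelled backwards."""
    lowered = password.lower()
    for word in sorted(words):
        if len(word) >= 4 and (word in lowered or word[::-1] in lowered):
            return word
    return None


def contains_personal_info(password, info=PERSONAL_INFO):
    """Return the label of any personal detail embedded in the password."""
    lowered = password.lower()
    for label, value in info.items():
        if value.lower() in lowered:
            return label
    return None


def check_password(password):
    """Apply the blog's rules; an empty list means the password passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if character_classes(password) < MIN_CLASSES:
        problems.append("low_diversity")
    word = contains_dictionary_word(password)
    if word:
        problems.append("dictionary_word:" + word)
    detail = contains_personal_info(password)
    if detail:
        problems.append("personal_info:" + detail)
    return problems


def find_reuse(accounts):
    """accounts maps an account name to (tier, password), where tier is
    'confidential' or 'trivial'. Report each confidential account whose
    password also appears on any other account; trivial accounts may share
    a password among themselves, as the blog allows."""
    by_password = {}
    for name, (tier, password) in accounts.items():
        by_password.setdefault(password, []).append((name, tier))
    findings = []
    for users in by_password.values():
        if len(users) < 2:
            continue
        for name, tier in users:
            if tier == "confidential":
                others = sorted(n for n, _ in users if n != name)
                findings.append((name, others))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed accounts following the blog's work/bank vs. hobby split.
    ACCOUNTS = {
        "work network": ("confidential", "Indy@n@P@cker$"),
        "bank": ("confidential", "Sm!L3:=P:=)"),
        "recipes": ("trivial", "Summer1975"),
        "crafts": ("trivial", "Summer1975"),
        "hobby forum": ("trivial", "Indy@n@P@cker$"),
    }
    for name, (tier, pw) in ACCOUNTS.items():
        print(name, tier, check_password(pw) or "ok")
    print("reuse:", find_reuse(ACCOUNTS))
```

The reuse check deliberately reports only the confidential side of a shared password: the two hobby sites sharing "Summer1975" is the simplification the post allows, while the work password turning up on a hobby forum is exactly the cross-site exposure it warns about.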

An Old Rule Changes

It took me a while to get to a point in my career where I used a computer.  I didn’t need one to assist my meteoric rise to management in a corn detasseling unit during college.  Nor was it needed as I failed miserably selling insurance (failed in the style department as well with my plaid and pastel colored sport coats). When I got my first job with a corporate computer it was a new experience.  My high school graduating class had 63 students and I grew up in places where you didn’t lock your doors at night.  Suddenly, I was subjected to a background check complete with fingerprints and required to sign a computer use agreement.  The agreement was filled with ominous sounding language.  As I read the things I would do and the things I would not, I was leery and concerned.  This wasn’t the small town stuff I was accustomed to.  I had no intentions of doing wrong but I worried about an accidental mistake that would cost me the much needed job. 
That was a long time ago.  As time passed and I gained experience I realized my concerns were naive.  Over time, I actually gained an appreciation for the guidance provided in the user agreement.  Today, the language no longer seems ominous; it seems like common sense.  Many of the rules I agreed to abide by back then remain in user agreements today.  Among them:

• Never share my account ID or password. 
• Never use someone else’s account. 
• Change your password every 30 days.  (Changed to 90 days with some apps today.)
• Never write down your password.

It is this last bullet that is the point of my blog.  I have come to conclude that it’s more secure for me to write my passwords down than to rely on my memory.  This was not an easy conclusion to reach.  Since that first user agreement keeping passwords locked in my noggin was an unquestioned requirement.  Though I’ve determined it’s time to change I don’t want you to think I’m going completely crazy with it.  There are no sticky notes on my monitor.
My change in thinking comes from my own circumstances and experience.  Today I have passwords for:

1. Work, network access
2. Work, laptop access
3. Work, Internet filter reporting
4. Work and personal, cell phone
5. Home, several on-line retailers – Amazon, e-Bay, etc.
6. Home, Internet mail
7. Home, on-line payment/credit cards
8. Home, banking
9. Home, personal interests and hobbies – several

Actually, that’s just a partial list.  The point is, like everyone else, there’s a lot more to keep track of today than in the past.

Having more to keep track of is not a good thing for me.  If I recall correctly, at one time, I had a pretty good memory.  Now I struggle to remember what I ate for breakfast if it didn’t stain my shirt.  In fairness, even with the memory of times past it would be difficult to keep so many different passwords straight.  Today, I have no chance.  So keeping my passwords straight without writing them down, as had been drilled into my head, meant two things: I frequently used the same password for multiple accounts, and I rarely changed them.

Unfortunately, with the prevalence of malware today, I’ve determined that approach puts my personal information at greater risk than necessary.  I try to protect my information but the malware developers are very good.  They produce evasive software and their social engineering tactics get better all the time.  I really don’t use the Internet a whole lot beyond tracking news and sports but my wife, kids, in-laws, nieces, nephews and others that use our computers visit all kinds of sites.  In spite of anti-virus software and other protective measures it’s reasonable to conclude I’ve had malware on a computer at some point in time.   If so, there is a chance they may have captured the password I use to access my favorite Fondue recipe site.  It’s not that I care if they use that password to learn preparation techniques for delicious morsels dipped in oil, chocolate and cheese.  But it could be a problem if they were enterprising enough to try that password along with my email address on some other sites. 

So, I’m now using a different password for each account.  To keep them straight I’m writing them down.  Actually, I don’t write them out precisely.  I have a little system that camouflages them (leave out something here, add something there, shuffle the order a bit).  I keep the list in my wallet right by my credit card.  If I lose my wallet, right after I cancel my credit card, I will change my passwords (not because I’m afraid they’ll be compromised but because I likely won’t remember them all).  I plan to change my passwords at least as often as I reset my clocks, hopefully more often.

Change is hard but I think my information is at less risk as a result.  I did say less, not eliminated.  I sleep just a bit better knowing that if one password is compromised it would affect only that account.

Changing Problem, Same Solution

Most workers in state government and other places of business show up daily to put in an honest day’s work.  I think we can all identify someone we’ve run across in our career that did not.  Back in the good old days when we didn’t have technology at our desk you might find time abused by stretching lunches a little long, more or longer smoke breaks, non-business telephone calls or maybe excessive time around the water cooler.  As technology advanced more opportunities for time wasting became available.  Playing computer games and surfing the net offered new and tempting diversions from work. 

With each new wave of time abuse come cries from management for assistance.  IT is usually called upon to help.  Time tracking systems have been put in place, computer activities can be limited or blocked, activity logs can be researched to find or confirm problems, etc. 

Where am I going with all this?  Well, I had to smile the other day when a manager asked me, “what are we going to do to monitor individuals using their personal cell phones while on the job?”  I smiled because I have a new smart phone and its capabilities are amazing.  The device is really beyond me and it would be better used in the hands of my kids.  It has a big, clear screen and a powerful processor.  When I pick up the 4G signal they are turning up in downtown Indy, the speed is amazing.  Phone usage and texting can already be too great a temptation for some workforce members.  The increasing capabilities of personal phones could result in additional headaches when web surfing is as fast as from a desktop, when movies can be downloaded in minutes, etc.  As I told that manager, I can’t think of a thing we can do technically, at least in our environment, to stop it.

There is a solution.  It’s really the only one that has worked all along.  That is to set expectations for workers to be productive.  Along with these expectations management must be effective.  Ultimately the responsibility of the manager is to ensure his or her employees are working and productive.  It is the role of management to address the lack of productivity due to employees using personal devices, surfing the Internet or basic non-productivity.  With new temptations and distractions available from personal devices good management, perhaps without any assistance from technical solutions, will ensure workforce productivity.

Something smells Phishy

There are a couple of universities where students and faculty have gotten creative to battle a major information security threat.  They rented or made fish costumes and wore them around campus to raise student awareness about the dangers of “phishing” messages.  Though I have no intentions of wearing a fish costume around the Government Center I do applaud their effort. 

Even without the costume, I’m confident state employees are doing a better job of recognizing spam and phishing messages than they have in the past.  But now is no time to rest.  We must remain vigilant.  True, a lot of phishing messages are easy to spot.  But don’t let your guard down for a second.  Those in the Phishing business have upped their game.  Their products are now more personalized, free of spelling and grammar mistakes, more realistic, and very creative.  Their objective is to download malware to your PC or to trick you into giving them your personal information and they are successful at both. 

This is prime Phishing season.  Be alert for the phony IRS messages that are common this time of year.  Also watch for April Fools' Day jokes and stunts.  Another popular tactic is to prey upon interest in significant events such as those occurring in the Middle East or the natural disasters that have impacted Australia and New Zealand.  If there is a lure available, they’ll use it.

On Policy, iPads and Other Tablets Specifically

One of the challenges for CISOs is to take complicated information security issues, boil them down, and set effective rules for proceeding.  When establishing policy, I’ve learned that there are few issues where defining secure from insecure is as easy as distinguishing black from white.  Instead, you typically find yourself neck deep in various shades of gray trying to balance needed security with requests for functionality, freedom, and convenience. We then draw a line where we deem appropriate and call one side black, the other white. 

Before finalizing the policy, we socialize our position to agency business and IT leaders as well as the workforce.  Frequently, this process yields disagreement on the placement of our line.  When this happens we explain the factors considered and the rationale behind our decision.  There’s not usually an exchange of hugs but most of the time this process satisfies our critics.  On occasion, if merited, we’ll change the location of the line.

With that in mind, I expect there may be some disagreement with the policy we’ve established for tablet usage.  For the moment “tablet” really means iPad.  Before sharing our policy let me say that I am “wowed” by tablet technology.  I’m impressed enough to guess that in 3 to 5 years the dominant computing platform will look a lot more like the iPad than the laptops and desktops of today.  It is incredibly slick. 

With that said, our policy prohibits the use of iPads for state business except for MS Exchange synchronization.  In other words, you can use it the same way you would your smart phone.  Whether purchased by an agency or individually owned, tablets are not to connect to the State network or store State information (outside of email/calendar info).  Given the factors in play this was one of the easier lines to draw, about as black and white as it gets.  Consider that tablets are not supported by IOT (demand does not justify the significant expense), so there are no standardized virus protection, encryption, or security patching mechanisms.  Without these in place we simply cannot allow them to connect to our network or store State information.  And without those capabilities, there’s not much business reason to have one.  But I don’t think you’ll have to wait too long before you’ll see this policy change.

Summer Update

Things have been a little hectic and I apologize for not having the chance to touch base for a few months.  It’s good to be busy.  As I look around State government it is obvious that a lot of you are in the same boat.  When time is at a premium we often look for innovative ways to cover more ground.  As you do so, I ask that you not take shortcuts when it comes to information security.  Make sure to abide by the IRUA and other security policies within the Information Security Framework.  There are some clever, albeit ill intentioned, spammers plying their trade.  Don’t allow yourself to be baited by their phishing emails.  Finally, remember to take the proper precautions whenever you encounter confidential citizen information.

Security Questions from the Team

I asked my team members to submit questions to me that they thought might be of interest or value to others.  For the most part, the questions they submitted were pretty good.  A couple used the opportunity to show that perhaps stand-up comedy was their true calling.  And, I confess that in some cases, I couldn’t tell whether they were serious or not.  You be the judge.

Why do employees have access to the Internet?
The Internet is a useful tool for many workforce members.  Appropriate use of the Internet can enhance the job we do for the citizens.  Though there is a standard set of prohibited sites (done by categories), we often see agencies restrict Internet access further based on their business environment.  The majority of state workers use the Internet conscientiously.  Occasionally there are discipline issues.  Most commonly these are for using the Internet inappropriately (too much non-business surfing, unsuitable or offensive content).

What does CISO stand for?
Chief Information Security Officer

What do I need to do to my home computer to safely log in to my desktop at work?
The state needs every device connecting to its network to be secure.  You should have up to date virus protection and your PC should be current with application and operating system security patches.  Then, you need to subscribe to one of IOT’s two remote connectivity solutions (VPN or Citrix).  No other means of connecting, without an exception requiring both IOT and agency approval, is permitted.

What are you allowed to monitor as far as computer usage and what constitutes my right to privacy?
The State can monitor any activity conducted with state provided resources (workstations, Internet activities, email, etc.).  Workforce members have no right to privacy and should be very clear in that understanding.

How did you get such a great team to work for you?
My team is a humble, modest bunch but each day I’m glad to have them.  They work hard and have accomplished many good things on behalf of state citizens. 

Stand Tall, Don’t Install

October is Cyber Security Awareness month!

As I was prepping some security awareness materials I came across an article that had some common sense advice worth reinforcing.  That advice:  Don’t install software that won’t be used.  IOT ensures this happens on work PCs by providing a standard configuration and limiting our ability to install software.  Home PCs can be a very different story.  The PCs we buy are often loaded with many “free” software programs.  We also purchase or download more software along the way.
Each software program installed requires ongoing care and feeding.  If we fail to stay abreast of weaknesses, neglect to install security updates, or configure the software insecurely we end up with a system more vulnerable than we want or realize.  In the end we’re better off bypassing opportunities to install software we won’t use and uninstalling those we don’t.  Doing so results in a more secure system and chances are good that your system performance will improve.

Dolphins and Sharks

Over spring break I had a bonding experience via a shared kayak with my 12 year-old son.  Paddling in the Gulf of Mexico we saw a pair of dolphins gliding through the water near us.  We charted a course to get a better view.  Actually, I set the course while my son fought it with every evasive maneuver he could imagine and muster.  I chuckled and chided believing I understood the reasons for his response.  Even though dolphins are typically not aggressive they are large and we were in their domain.  So I had no intention of getting too close.  In spite of his fighting to the contrary, we did gain a great view of them swimming by.  As we continued on our journey dolphins became a common sight.  I believed that my youngster’s initial fear had subsided and that he had found a comfort level with the kayak, the sea, and the dolphins.  I was very wrong!  Spotting a lone dolphin thrashing walls of water right and left with his tail, presumably showing off for a female, I headed that way with gusto.  As we approached, I noticed my son’s back stiffen.  He sat up straight.  Then, once again, he implemented his full force back paddle maneuver.  I was puzzled by the resistance until, still a good distance from the thrashing tail, he shrieked “It’s a shaaaaaaaaaark!”  Now I knew full well it wasn’t a shark.  But the deafening decibels and conviction of his cry made me pause to take a second look to be sure (as it did every other boater and beachcomber on the Gulf coast).   I tried to contain myself but attempting to stifle laughter only served to increase the severity of the resulting cramps.

I laughed a little too hard.  I can relate to the uncertainty that ran through my son’s head that day.  Information security forces you to consider worst case scenarios and I’m seeing some fins of my own.  For example, I wonder just how much more risk the Internet can pose and remain viable.  Our state workforce already knows far more than they’d like to about worms, viruses, Trojans, and other forms of malware.  But we are now seeing infections come from legitimate websites.  Malware, historically targeting a single weakness, is now able to probe a PC and exploit weaknesses found from a lengthy list of possibilities.  In short, lately it seems the bad guys are advancing faster than the good guys.  It forces us to reconsider the risks involved and the alternatives available in the form of additional technical and administrative controls.  Unfortunately, technical solutions can be expensive and the policy options I’m considering would surely involve additional constraints.  I’ve had this feeling before and know better than to panic.  But I can feel my back stiffening, I’m considering back paddling to change the course, and I’m fighting off the urge to yell “It’s a shaaaaaaaaaark!”  I had this coming.

Race into Security

I spent the weekend out at the hallowed grounds of the Indianapolis Motor Speedway (IMS).  What a great place!  As a result, working up ideas for this month’s blog was tougher than normal.  Thoughts of this year’s running of the Greatest Spectacle in Racing proved tough competition for malware, complex passwords, and the other security issues that generally race the hearts of my loyal readership.

It occurred to me that driving improvements in information security is not that different from a race team at the Speedway trying to win the 500.  For any team to succeed you need great sponsors.  We are fortunate to have Gerry Weaver, CIO, the Governor’s Office, and agency leadership supporting our efforts.  Without them, we don’t even get to the track, let alone qualify.  Of course you have to have a pit crew.  The IOT Security team works hard to keep our information security car on track.  Sure, Gharst and Bradley sometimes leave a wheel loose just to watch me struggle but all in all it’s a solid crew.  Then there’s IOT technical support.  Brian Arrowood and his team work to secure servers, desktops and network equipment much like engineers fine-tune a race car to get more speed.  This group has brought us a long way in a short time.  We’re good enough now that we no longer find improvements in 10 mph chunks.  Instead it’s a .5 mph here, .5 mph there, incrementally improving our way toward our goal of achieving the pole speed.  For spotters we have agency IT leaders and security staff helping us navigate and identifying trouble.  We don’t get through Turn 1 without them.  Finally, we have the state workforce behind us.  Occasionally we get some grumbling about a policy or security measure but for the most part our workers are supportive and conscientious. 

Just like a race team, it takes all parts working together to be successful.  If any component breaks down it can mean failure.  It’s a long race and we’re far from victory but we are moving up nicely. 

How bad is it at home?

As I stated in my response to one of the questions below, we battle malware here at the state every day.  On our side are some pretty good tools, excellent technical support, and improved user awareness.  Even so, fighting off malware threats can still be a struggle.  Someone asked me the other day just how bad I thought the malware problem was in the home environment.  I’m afraid if I gave my honest assessment I’d make Chicken Little seem like the calm, cool, voice of reason.  Suffice to say I think it is bad.

To compete with malware you need a hardened operating system that is appropriately patched, current and capable malware protection, and alert and aware users.  I think it is safe to say the majority of homes are missing at least one of these things.  For example, I shudder to think of the percentage of home PCs that don’t apply security patches for the operating system and other key software.  I fear another significant percentage go without adequate anti-virus protection.

Finally, let’s consider the typical home user environment.  For state workers we filter email and the Internet and clearly identify acceptable use guidelines.  It’s just a hunch but let me head out on a limb and guess that the limitations we put on use here (you may not like them but they greatly enhance security) are not applied at home.  In addition, if it’s anything like my house, you have an impulsive youth or two driving the mouse.  I try to teach my kids about SPAM, Phishing, and the dangers of certain web sites.  But if I can’t get through to them about keeping their rooms clean, just how much are they absorbing when I discuss the pitfalls of the Internet?  I know for a fact I could warn my daughter of a virus capable of destroying our hard drive, causing the monitor to burst into flames, and shooting electrical shocks through her body via the keyboard.  But you wrap that baby up in a picture of the Jonas Brothers and you might as well call the fire department.

The point is the home environment is rarely offered the same layers of defense as are found at the office.  So in this case, I don’t like the odds for the home team.

Two Good Questions

Well, my plea worked.  I received 4 questions and I am grateful for all of them.  However, 2 really weren’t security related and were forwarded to the appropriate expert for answers.  The other 2, as well as my answers, are below.

OK, Tad, I will bite on your offer.  Working in IDHS, I read many notices every day of new Storm botnet morphing Valentine’s malware and other botnets, Conficker computer worm and other worms, viruses, etc., yet I seldom see anything about them from IOT.  Does that mean that we do not have issues with them?  If so, why and why do many companies and other government agencies have huge issues?

Best regards,
Concerned in IDHS

Dear Concerned,

You ask a terrific question and I’m not just saying that because it is the blog’s first.  We battle malware every day.  About the time I think we’re getting a leg up on the problem we’ll experience a setback.   IOT’s support teams do a terrific job of providing layered protection (anti-virus protection, patches, firewalls, email filters, Internet filters, etc.).  Due to their efforts the virus problems we experience are usually limited in number and scope.  We take proactive measures to keep the network and state users as safe as possible from such exposures.  We do this by utilizing sources of information which provide us insight into upcoming and ongoing exploits and take measures to head off exploitation attempts.  Ultimately, however, the key to our success rests with our users.  If our users recognize email scams and navigate only to trusted websites, our risk is greatly reduced.  An alert and conscientious workforce serves as our most effective line of defense.

Every organization, including ours, is susceptible to a “huge” issue.  It only takes a breakdown in one layer of protection to give malware the foot in the door it needs to wreak havoc.

Tad

Security is important.  Like the air we breathe, it surrounds us, and sustains us; like air, once impaired, the impact is enormous.  To comply with state requirements and ensure that any operator of a state vehicle has a current, valid license, we maintain a copy of all current drivers’ licenses of state employees, on site, and send a copy to Indianapolis.
 
I was recently informed that I should not scan and send a copy of a DL via state email, as it could pose a threat of identity theft.  So, in the future, I will not scan and email a DL, but rather send a paper copy in a sealed envelope, via an employee-courier, to Indianapolis.  It just seems like a more cumbersome process.

Sincerely,
Conscientious Emailer

Dear Conscientious,

Thank you for a very good and important question.  I could fill pages answering it as there are many related tangents worthy of discussion.  I’ll try to keep it brief and limit it to a couple thoughts.  First, you are correct, security is important.  As such, appropriate security often requires processes that are more cumbersome than those that are insecure.  As state employees, it is our responsibility to do all we can to protect the identities of our citizens even if it demands more time and effort to do so.  This includes our fellow employees. 

The best way to protect personal information is not to gather it.  If you don’t have someone’s social security number (SSN) or other personal information you can’t lose it.  Obviously, in our line of work, we are frequently legally bound to collect it.  However, agencies should consider every possible alternative available to collecting and storing personal information.  A major problem with personal information is the way it grows.  One instance turns into 2 copies, then 3, then 5, and so on.  And with each instance, the likelihood of compromise grows dramatically.

Let’s talk about email.  The problem with emailing personal information is the frequency of error and loss of control. It is fairly common to see messages addressed incorrectly.  If that happens, unauthorized individuals may have access to personal information they should not.  Once you hit the send key, you’ve lost control of the information you sent.  The recipient, either purposefully or in error, may forward or distribute the email inappropriately.  It can also easily be read in transit by someone sniffing traffic at any point along the network on which the email travels.  By default, email is not encrypted and is therefore easy to read.

Finally, mailing personal information, either in paper or digital form, is not recommended.  Mail is often lost and passes through many hands to get to its destination.  Redaction and encryption offer additional safeguards, but secure electronic delivery options are readily and affordably available.

Tad
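The two failure modes in the reply above, a message carrying personal information (an SSN in the text, or a scanned licence as an attachment) and a message addressed to the wrong recipient, are the kind of thing an outbound mail check can catch before the send key does its damage. The following is an added example, not code from the blog or any IOT system: a small Python classifier run over three constructed messages. The internal mail domain, the attachment types treated as scans, the keyword list and the sample messages are all assumptions of the example; it matches the standard nnn-nn-nnnn SSN form but does not encode any real driver's licence number format.

```python
import os
import re

# Constructed values for this example: the organisation's mail domain and
# the attachment types that usually mean a scanned document.
INTERNAL_DOMAIN = "example.gov"
IMAGE_TYPES = {".jpg", ".jpeg", ".png", ".tif", ".tiff", ".pdf"}

# Standard nnn-nn-nnnn Social Security number form, excluding area numbers
# that are never issued (000, 666, 900-999) and all-zero groups.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Words that suggest an attached image is a scanned identity document.
ID_WORDS = re.compile(
    r"\b(dl|driver'?s? licen[cs]e|licen[cs]e|ssn|passport|id card)\b", re.IGNORECASE)


def mask_ssn(ssn):
    """Keep only the last four digits so a log entry does not itself leak the SSN."""
    return "***-**-" + ssn[-4:]


def find_pii(text):
    """Return masked SSNs found in free text."""
    return [mask_ssn(m.group(0)) for m in SSN_PATTERN.finditer(text)]


def scanned_id_attachments(msg):
    """Flag image or PDF attachments when the message or file name talks about an ID document."""
    attachments = msg.get("attachments", [])
    context = " ".join([msg["subject"], msg["body"]] + attachments)
    if not ID_WORDS.search(context):
        return []
    return [a for a in attachments if os.path.splitext(a)[1].lower() in IMAGE_TYPES]


def external_recipients(msg):
    """Recipients outside the organisation's own mail domain."""
    return [r for r in msg["to"] if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def classify_message(msg):
    """Return (decision, findings).  Personal information anywhere in the
    message means 'block'; an external recipient with nothing sensitive is a
    'warn', since mis-addressing is the other failure the reply describes."""
    findings = ["ssn:" + s for s in find_pii(msg["subject"] + "\n" + msg["body"])]
    findings += ["scanned_id:" + a for a in scanned_id_attachments(msg)]
    if findings:
        return "block", findings
    external = external_recipients(msg)
    if external:
        return "warn", ["external_recipient:" + r for r in external]
    return "allow", []


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"to": ["fleet@example.gov"],
     "subject": "Driver license copy for J. Doe",
     "body": "Scanned DL attached; SSN 123-45-6789 is in the file.",
     "attachments": ["doe_dl.jpg"]},
    {"to": ["fleet@example.gov"],
     "subject": "Monthly mileage",
     "body": "Totals attached.",
     "attachments": ["mileage.xlsx"]},
    {"to": ["fleet@example.gov", "someone@example.com"],
     "subject": "Vehicle checkout times",
     "body": "Pool cars are available 8 to 5.",
     "attachments": []},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", classify_message(msg))
```

The findings are masked on purpose: a check like this usually writes to a log that more people can read than the original message, so the log must not become one more copy of the SSN, which is exactly the "one instance turns into 2 copies, then 3" growth the reply warns about.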

It’s Response Time

Now I will confess that when I started this blog I knew that I would not be competing with ESPN or the Indianapolis Star for hits.  Information security is not a leisure time reading subject for most folks and I’m not going to lure many through my imagination and writing skills.  So my expectations were low. 

With this edition, we are celebrating my 10th entry.  I’ve never bothered to look up the statistics on hits to the page, but I do know that a few people read the blog.  For example, I know my team does (they know there will be a pop quiz in the staff meeting).  I’ve also given the URL to my wife and kids (they love to talk about it over supper).  And sometimes, on those rare, rewarding occasions, someone unexpectedly will, out of the blue, let me know that they read the blog.  Forget the fact that they don’t say it was interesting or thought provoking or of benefit in some way.  That’s not important.  We’re building momentum here one small step at a time.

Now it’s time for the next step.  I hate to impose on my loyal readership, but I’m going to ask a favor.  I have an email address at the top of the blog page that is practically begging for your comments, questions, or concerns.  To date, I’ve not had a single one.  Your assistance can make this blog more interesting and beneficial.  My only requirement is that we keep it on the topic of information security.   I will then post your question or comment (protecting your anonymity) along with my reply.  

Happy Holidays

What a great but busy time of the year.  The holidays add to already booked work and personal schedules.  Usually it’s all good but I have to admit that there are few things more stressful for me than trying to buy my wife a gift.  I really should skip the anxiety because it doesn’t really matter.  Even my best effort gets returned.  However, I gauge my success in terms of how long it takes her to reach that conclusion.  A bad year is when she doesn’t even finish taking the wrapping paper off (known here forward as the year of the vacuum and the year of the Chia pet).  A good year is when she will at least try it on before asking for the receipt.

On the other hand, I’m the easiest person in the world when it comes to gifts.  Here are some suggestions for those looking to do something a little special for their friend in security:

  1. A cure for malware.  This problem bites us all the time.  I’m tired of writing about it and you’re tired of reading my writing.  I just hope you’re tired of reading my writing because it’s about malware.
  2. The end of SPAM.  What a wonderful world it would be. 
  3. State of Indiana system owners protecting their systems with personal vengeance.  It makes me smile to think of them in a blood-stained butcher’s apron, cleaver in hand, and remnants of security threats lying in fine pieces on the floor.
  4. Secure operating systems and software.  It seems there’s always some vulnerability nowadays that has to be patched immediately.
  5. A 1963, Riverside red, split window Chevrolet Corvette coupe.  It wouldn’t help our security but I’d still like it.

Thanks to all state employees for helping us improve information security this year.  There’s much more to do and I look forward to working with you next year.  Happy Holidays!

Take care of your personal information at home

Halloween has passed but if you want to read something frightening, type “sinowal” into your favorite search engine’s news search.  You will see a number of articles and read plenty about a piece of malware that has been collecting bank account information for more than 3 years.  More than 500,000 accounts are known to be compromised and most security experts believe this is just the tip of the iceberg.  And this is only one example of many that threaten your family’s personal information residing on a home PC.

At work most PCs are protected with the following:

• Firewalls protecting the network from outsiders
• Antivirus software installed and set up to update automatically to the latest version
• Security patches applied as soon as possible
• Email and Internet filtering
• IDs and passwords limiting access to your computer
• Limited rights on a computer
• Security awareness information keeping the state workforce aware of threats

Even with these defenses in place, we struggle mightily to keep malware like “sinowal” at bay.  Imagine the increased risk in your home.  Not only are some of these protections listed above unavailable but you may also have users more susceptible to email and Internet threats. 

We always appreciate your diligence in securing citizen information at work.  But for your own protection make sure your home computer is appropriately fortified, that your family is aware of potential dangers, and that bank accounts, social security numbers, and credit card numbers are stored and used securely.

October is Cyber Security Awareness Month

It seems appropriate that the scariest month of the year is also cyber security awareness month.  Treating the little ghouls and goblins raiding the candy basket is much more fun than denying the menacing tricksters that would like to raid our network.  Cyber security awareness month gives us a chance to reinforce the message that “security is everyone’s job.”  You can help by making sure you do your part to ward off five end user threats we worry about.

  1. Malware downloads:  As good as you’ve gotten at recognizing SPAM, and most of you by now are experts, a few weak links remain.  Some SPAM messages are just too tempting for a few to turn away from.  So they click on an email link or open an email attachment and become infected with malware.  Don’t be fooled or foolish, just delete them!
  2. Missing security updates:  A PC or laptop frequently turned off or not connected to a network may miss a virus protection or security patch update.  This leaves the machine vulnerable to threats.  Take a moment to manually update your virus protection software and hit the Windows Update icon to ensure the latest security patches are loaded.
  3. Creating copies of personal information:  You can’t lose personal information if you don’t have it.  So when you run a query or create a new spreadsheet or database, do so without including constituents’ social security numbers.  If you have a database or spreadsheet containing personal information, see if you can’t get the job done without it.  That way, if your information is lost, there is no threat of identity theft or financial harm to taxpayers.
  4. Sharing IDs and passwords:  We’ve seen great improvement in this area.  There are secure ways of sharing information without sharing passwords.  Call the Help Desk if you need assistance.  You can’t afford to take a shortcut because anything happening under your ID is your responsibility.  Your ID and password should not be shared. 
  5. Web Surfing:  The primary security concern is visiting sites where malicious software may be downloaded.  You should stick to surfing only well-known, reputable sites.  Unfortunately, we also are asked to produce Internet activity reports when someone is thought to be wasting time or visiting inappropriate sites.  It’s not worth the risk.

What should we do with someone that downloads malware by clicking on a SPAM message?

I asked around and here’s a few ideas:

  1. Require them to wear a “Hooked by SPAM” t-shirt to work for a week (fish hook piercing through the lip as a fashion accessory under consideration).
  2. Have them face a “paintball firing squad” at noon on Friday between the North and South buildings.  Blindfold optional, public welcome.
  3. Force them to sit through a half day “SPAM Recognition and Avoidance” training session, taught by me, with lunch catered by one of the local hospitals.  The second half of the day they will be forced to watch NFL preseason football games.

While the proposed punishments above are written in jest, infections from malware (virus, worm, Trojan horse, rootkit, etc.) are no laughing matter.  It is enough of a problem that we must seriously consider implementing security measures we’d rather not have to (e.g., limiting Internet access, prohibiting use of personal web-based email accounts).  Disciplinary action may also be deemed appropriate for some errors in judgment.

It is clear that SPAM senders understand human psychology and play on it effectively.  This makes your job tougher, but good decisions regarding SPAM are essential.  A bad decision can result in significant damage.  Our guidance on SPAM remains the same.  Be very cautious with emails from unknown sources or with an unexpected subject.  Delete when in doubt and never click on a link in an email unless you are completely positive.  Also be sure to store information, especially personal information, on network drives (not local drives). 

Note:  Remember to watch for sensational or intriguing hooks.  SPAMMERs probably could have caught a few fish this past weekend with emails regarding Gustav or New Orleans’ levees.  In the coming weeks subjects such as Obama, McCain, Biden, and Palin might serve as bait.

Password Changes

Over the coming months the state will be strengthening its password management scheme to enhance our overall security position.  All state users will be required to use complex passwords (many are already there).  A complex password, by our definition, is comprised of at least eight (8) characters and contains three of the following four categories:

• Upper case letters
• Lower case letters
• Numbers
• Special characters (&, ^, %)

I know there will be a slight learning curve, but you can handle it (and don’t even think about writing it down on a sticky note and putting it on your monitor).  We’ve set up a web page to help you prepare: http://www.in.gov/iot/2328.htm#Password. Here you will find tips and tricks as well as the importance of complex passwords for state security.   I also recommend you extend this practice to the passwords you use away from work.
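As an added example, not code from the post or from IOT’s own systems, here is a small Python checker for the complexity rule as defined above (at least eight characters, three of the four categories). It assumes “special characters” means ASCII punctuation and that anything outside the four categories, such as a space, counts toward length only.

```python
import string

# Policy as stated in the post: minimum length and number of categories.
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3


def categories_present(password: str) -> set[str]:
    """Return the set of category names found in the password."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        elif ch in string.punctuation:  # assumption: ASCII punctuation only
            found.add("special")
        # any other character (space, etc.) counts toward length only
    return found


def check_complexity(password: str) -> tuple[bool, list[str]]:
    """Return (meets_policy, reasons); reasons is empty when the policy is met."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    cats = categories_present(password)
    if len(cats) < REQUIRED_CATEGORIES:
        reasons.append(f"only {len(cats)} of 4 character categories")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed samples, not real passwords.
    for sample in ["Summer2008!", "summer08", "Sum08!", "P@ssw0rd"]:
        ok, why = check_complexity(sample)
        print(f"{sample!r}: {'OK' if ok else 'rejected: ' + '; '.join(why)}")
```

Note that a complexity rule is a floor, not a strength measure: a predictable string such as "P@ssw0rd" satisfies all four categories and still passes, so the tips on the page about choosing passwords still apply.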

CISO Thoughts

My thoughts and best wishes go out to those suffering from the flooding in southern and central Indiana. Words cannot begin to describe the range of emotions inspired by the video footage and photos. It was just unbelievable.

In the midst of the tragedy there were things that make you proud to be a Hoosier. First and foremost was the character demonstrated by those affected. I didn’t see many playing victims. Fear and shock quickly gave way to a determined attitude to clean-up and rebuild in spite of the long, grueling effort it will entail. And then there were the countless heroic stories of emergency personnel and good neighbors. When most of the news is dominated by stories of bad deeds it was nice to see the good deeds of people recognized.

We’ll talk about information security next time. Maybe disaster recovery would be an appropriate and timely topic.

Threatening SPAM

The state has begun receiving SPAM containing threats of physical harm. Though it is a little shocking to receive the first one, in the end it is just another mass mailing playing on fear. In this case physical danger is the target rather than a bad credit rating, closed bank account, etc. Unfortunately, I expect SPAMMERs to continue with this theme, escalate the threats, and make them seem more personal and realistic. IOT will work to block them with their filters but you can expect some to get through. When they do, give them no more attention than you would any other SPAM. Please report SPAM using the instructions found here.

Is Big Brother Watching Your Computer Activities?

The answer to the question above is “no.” IOT does not have a special force hunting for inappropriate user behavior. However, you should always keep in mind that State Ethics Rules prohibit the use of state assets for personal use except where allowed under agency De Minimis use policies. You should also know that anything you store or create on state time or with state-provided technology is not considered private. Agencies can and do request access to employee information for a variety of reasons including extended absences and suspected inappropriate use. When agencies make such requests, IOT is usually able to assist.

I don’t believe the state has any more of a problem with improper behavior than do other organizations of similar size. But I would like to see the time IOT spends assisting agencies in this regard applied to more productive tasks. My guidance is to value your job and the respect of your co-workers by avoiding the temptation to misuse state resources. Re-read and abide by the Information Resources Use Agreement (IRUA). And if you question the appropriateness of an activity, talk it over with your manager rather than risking a wrong decision.

Handling Phishing Scams

I’m often asked why I don’t put out statewide warning emails on every “Phishing” scam making its way to the state government email system. Trust me, you really don’t want to hear from me that much. 99% of all email coming to the State is SPAM and a chunk of those are phishing messages. You would hear from me so often that you would soon treat my messages as SPAM.

It wouldn’t work anyway. My warnings would almost always come too late. The only effective defense is for you to recognize these messages as you receive them. Fortunately, you’ve become good at it. Sometimes it can be tough to recognize a phishing message. They seem to get more creative and authentic in appearance with each new scam. And we can expect scam artists to continue honing their craft. Regrettably they continue to work (information on phishing message characteristics).

I do look to get information to you when there is a new or a severe risk you might encounter. But our best defense is having you aware of threats and closely examining every message for validity.