Government Technology - April 2008 - (Page 29)

User training is a vital component for improving IT security, particularly as threats become more sophisticated and deceptive. But more than half of GT survey respondents hadn’t participated in security training within the past two years.

“If you’re a front-line person, my concern would be, are you aware of potential attacks? Are you aware that doing something like visiting a social networking Web site might be a risk?”
Dan Lohrmann, chief information security officer, Michigan

“It doesn’t bode well that after years of buying and installing systems and processes to improve security, close to half of the respondents didn’t have a clue as to what was going on in their own enterprises,” the CIO magazine article stated. The magazine attributed some of the problem to a concentration on technology — firewalls, intrusion detection, etc. — instead of risk analysis and intelligence gathering.

Will Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), said results from the Government Technology survey indicate a wide disparity in security sophistication among respondents. Organizations such as the CSCIC office are working to improve knowledge of security issues among government workers by issuing regular alerts on security threats, holding training exercises and other activities.

“One thing we have tried to do here in New York is provide situational awareness. There’s so much noise out there, there’s so much happening, that the average user may not know every single time there was a virus — but we distribute our advisories as widely as possible,” Pelgrin said.
“Our advisories go to all the ISOs in the state, they go to all the CIOs in the state, and they go to a good portion of the agency commissioners — as well as the private sector and other states across the country.”

Pelgrin also makes growing use of graphics and visualization tools to make security threats more understandable to a general audience. For instance, his office is producing a graph showing the security vulnerabilities of various computer operating systems. It’s also tracking cyber-security events geographically and mapping them to Google Earth to produce 3-D representations of the volume, sources and targets of cyber-attacks.

“The intent is more than just eye candy,” he said. “The reason I’ve been so active in putting a graphical face to this is so we can show what we’re doing. Then CISOs and ISOs have data to go back to their commissioners and budget people and say, ‘This is what we’re handling on a day-to-day basis.’”

On a broader level, Pelgrin’s office coordinates the Multi-State Information Sharing and Analysis Center, a voluntary organization that gathers information about security threats and shares it among state and local governments nationwide. All 50 states currently participate in the center’s activities.

Inside Out?

Government Technology readers departed sharply from conventional security wisdom in their perception of the source of cyber-attacks. Respondents overwhelmingly (72 percent) identified external hackers as their biggest security threat. Just 20 percent of respondents said internal staff posed the biggest threat, and 8 percent chose internal contractors.

Those responses come at a time when growing attention is focused on internal security breaches. A 2007 NASCIO issue brief urged state CIOs to take action against insider security threats, contending that internal threats can be just as serious as external attacks, if not more so.

Our survey numbers contrasted dramatically with those of CIO magazine’s global security survey. Nearly 70 percent of CIO survey respondents ranked employees and former employees as their biggest security worry, versus 41 percent for hackers.

Lohrmann, who estimates the number of internal and external threats as about even, said some of the discrepancy may be due to the blurring line between internal and external attacks. He pointed to increasingly common attacks that entice users to click on an e-mailed link and enter personal information. Known as “phishing,” the technique often asks users to enter their passwords and other critical data on bogus online banking and auction sites.

“You have a link sent to you, so that’s an external attack,” said Lohrmann. “But if you’ve

How Do You Compare?

A comparison of the GT reader poll results to those of CIO magazine’s 2007 global information security survey — which polled 7,200 respondents in various industries worldwide — shows both similarities and differences. This chart shows the results of both surveys in key areas.

Response | GT survey | CIO global security survey
--- | --- | ---
Have a CISO or similar position | 59% | 60%
Have a security policy | 80% | 57%
Internal attack is greatest threat | 20% | 69%
External attack is greatest threat | 72% | 41%
Don’t know number of security incidents | 37% | 40%