BreachExchange mailing list archives

Govs Urge Action to Thwart Cyberattacks, Computer Hacking


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 27 Sep 2013 19:00:59 -0600

http://www.pewstates.org/projects/stateline/headlines/govs-urge-action-to-thwart-cyberattacks-computer-hacking-85899507787

Prominent on the website of South Carolina Gov. Nikki R. Haley is a banner
and button that says: “S.C. Dept. of Revenue Cyberattack: Cyberattack Info.”

South Carolina learned firsthand the havoc a hacker can have on state-owned
computer systems when last October approximately 3.8 million Social
Security numbers, 387,000 credit and debit card numbers and 657,000
business tax filings were exposed in a security breach at the state
Department of Revenue.

This is the type of cyberattack governors are gearing up to prevent. “Every
day, states are exposed to phishing scams, malware, denial-of-service
attacks, and other common tactics employed by cyberattackers,” according to
a call-to-action paper released Thursday by the National Governors
Association.

Michigan Gov. Rick Snyder, a Republican, was in Washington to launch the
NGA bipartisan effort, led also by Maryland Gov. Martin O’Malley, a
Democrat.

“As governors, we are directly responsible for ensuring the security of a
wide array of state-owned assets and personally identifiable information
such as tax records, driver’s licenses and birth records,” Snyder said in
a statement. “We also play a critical role in ensuring that private-sector
assets within our states are secure,” the former president of Gateway
computers said.

As Stateline has reported, Michigan has been a leader on this front,
enlisting the help of everyone from the major utility companies to the
state police to launch a multi-pronged pre-emptive strike. Cyberattacks on
the state of Michigan’s computer systems have increased to about 500,000 a
day, The Detroit News reported.

In its six-page paper, NGA urges governors to look at what their peers are
doing. The report highlights:

- Michigan requires security awareness training for all state employees,
and launched with universities and the private sector a state-of-the-art
Michigan Cyber Range research center.
- Maryland leverages the cybersecurity capabilities of the Warfare Squadron
to support its cybersecurity assessments, including having state agencies
participate in Internet training exercises that simulate cyberattacks.
- Minnesota’s chief information security officer works closely with the
governor, a Technology Advisory Committee, and other agency leaders.
- California Cybersecurity Task Force is a new state-led collaboration
between state and private-sector IT officials.
- Delaware state employees conduct cybersecurity presentations for
elementary school students and host video and poster contests to reinforce
the importance of Internet safety practices.

A 2012 survey of state chief information security officers found that only
24 percent were “very confident” that their state assets are protected
against external threats, while only 32 percent said their staff have the
required cybersecurity competency.

Those findings were part of a 2012 report about cybersecurity from Deloitte
and the National Association of State Chief Information Officers that also
estimated that government agencies had lost more than 94 million citizen
records since 2009. The average cost per lost or breached record is $194.

While NGA’s paper doesn’t specifically mention the South Carolina case, it
notes, “Several recent attacks reveal that states which fail to put in
place a strong governance structure are at a distinct disadvantage.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
