From mobile devices to software: The top threats to local governments’ information security (with related video)

Editors’s note: Here are the views of Jerry Irvine, an expert on IT security in government. GPN posed a variety of questions to Irvine, including the following.

GPN: What is the biggest computer-based security risk facing America’s cities and local governments today?

Jerry Irvine: Mobile Devices are the biggest computer-based information security risk to government agencies today. Being able to remotely access your servers has so many benefits for agencies, but these benefits come with increased risks, like being hacked due to a lost tablet. Also, basic legacy security applications, like antivirus and malware protection, do not even exist for the majority of mobile devices that are currently in use, and common security practices such as acceptable use policies and password protection are ignored by the average users.

GPN: How can a local government respond to the growing demand for bring your own device (BYOD) policies?

JI: To minimize the potential for loss, agencies need to develop BYOD policies defining requirements access to their internal computer systems such as e-mail. The policy should include the ability for the organization to install a Mobile Device Management solution, or MDM, that will allow the city to monitor location and usage of the device, as well as to delete or wipe the device in case of loss, theft or termination of employment. Some MDM solutions also provide malicious application detection and removal, as well as encryption within the device to reduce the potential for data to be stolen. While MDM solutions for the most part are still in their infancy, they can provide a basic level of security and control and should be implemented.

GPN: What are the biggest software risks?

JI: E-mail and text are the biggest software risk. Scammers, spammers, phishers, and smishers are constantly baiting us with realistically designed requests for personally identifiable information in order to steal our identity, intellectual property or assets. Viruses and malicious applications are sent by both e-mail and texts more than any other means of transmission, infecting our systems and compromising our data.

Protection from e-mail and text-based threats, as with all security risks, begins with end-user training. Users must learn not to click on, open or allow unprotected preview pane access to e-mails and texts.  Simply viewing an e-mail can infect a device, capture data, and or transmit information to unauthorized users. Additionally, organizations need to implement network-based antivirus, anti-spam and antimalware devices.

These devices can be configured to scan 100 percent of all email going in and out of the network. Some solutions today can also be configured to scan organization-based texts. Finally, enterprise-level antivirus (also known as end point security) solutions need to be implemented, maintained and monitored. Only through a layered approach can these risks be minimized at all.     

GPN: What are some other risks that may not be considered?

JI: Legacy management control devices — Many cities and local government facilities maintain their own water and power plants. These facilities, just like manufacturing companies, require programmable logic controllers and Supervisor Control and Data Acquisition Devices to manage, support and control the workings of the utility facilities. These low-end computer devices were designed to enable internal access and control to allow for ease of management as well as reporting on the machinery within the facilities.

Over the years, the devices have remained extremely low tech, due in some part to keeping costs down, but also to keep system overhead and requirements to a minimal. As a result, these devices have little malware protection and few security features that might protect them from malicious use. In the past, this lack of protection was not a real issue because the devices were segmented from external network or public access.

That is not always the case today. Many cities and local government organizations have connected these devices to internal networks that have Internet access as well as access to other critical internal systems and applications. This connectivity provides malicious users with access directly to these unsecured devices, increasing the risk of denial of service, damage to equipment, power and water outages, etc.  Additionally, because these devices have minimal security features, they may be compromised to gain access to other internal mission critical solutions.

To mitigate the risk, networks containing these devices should be segmented and secured from access from other internal networks and systems as well as from the Internet. If remote access is required, secure Virtual Private Network (VPN) access should be configured and limited only to authorized personnel.

GPN: Thank you, Jerry Irvine.

Jerry Irvine is CIO of Prescient Solutions. The company is a Chicago-based IT outsourcer that provides CIO-level advisory support and on-site IT services to small, mid-sized and global organizations and government entities. The company has been in business for more than 15 years. Jerry Irvine is also a member of the National Cyber Security Task Partnership. The Washington-based organization is a public-private partnership that was established to develop shared strategies and programs to secure and enhance America’s information infrastructure.

In the video, CIO Jerry Irvine talks about Prescient Shared Services, a cloud-based IT services model. Irvine also talks about Prescient being selected as a finalist in the 2013 American Technology Awards competition.