Government Technology

    Digital Communities
    Industry Members

  • Click sponsor logos for whitepapers, case studies, and best practices.
  • McAfee

At Issue: 6 Things You Can Do to Defend Against Cyberattacks



Buggy Code?

September 5, 2012 By

Gen. Keith B. Alexander, head of the United States Cyber Command, warned recently that between 2009 and 2011, cyberattacks on American infrastructure has increased seventeen-fold. Attacks on critical infrastructure such as water, electricity, communication and computer networks are escalating, and would have serious consequences if successful. That puts a heavy burden on cities and counties to protect their systems, especially with reduced budgets, few staff and fewer jurisdictions having chief information security officers.

Attacks are a problem around the globe. A just-released 2012 Norton Cybercrime Report, for example, said that 1.5 million people fall victim to cybercrime daily, at a cost of $110 billion annually. Two-thirds of adults online have been the victim of cybercrime at some time, and nearly half of them have fallen victim to malware, viruses, hacking, scams fraud and theft in the past year.

For those dreaming of a silver bullet to solve the problem, Steven Bellovin, Columbia University professor of computer science, said a few years ago that "the odds on anyone ... finding a magic solution to the computer security problems are exactly zero. Most of the problems we have are due to buggy code, and there's no single cause or solution to that. In fact, I seriously doubt if there is any true solution; buggy code is the oldest unsolved problem in computer science, and I expect it to remain that way."

So in the absence of a panacea for this infuriating, expensive and seemingly intractable problem, what can cities and counties do to protect themselves — especially if their IT departments have been slashed, with not a chief information security officer in sight?

There is no single way to avoid getting sick, and likewise no single way to avoid all cyberattacks. But there are numerous strategies to reduce one’s chances for trouble. Will Pelgrin, CEO of the Center for Internet Security, likens it to layers of an onion, and there are simple steps anyone can take to reduce the likelihood of a successful attack on computers, data and systems. Here are two very basic steps you can take. You’ve no doubt heard them before, but that’s because they are fundamental to security:

1. Use Strong Passwords and Firewalls: Passwords are inconvenient, especially strong ones, as they are hard to remember. But like the keys to the front door, passwords allow entry to systems and data. You can check the strength of your password here. Pelgrin said not to use the same password for your home computer or home system that you use at work. It would be like using the same key for your house, car, office and storage facility. If someone makes a copy of that one key, they have access to everything. If hackers get into one system, they can try that password on any other systems (social networks, mobile devices, etc.) that you use. “Keep your city or county password strong and don’t use it anywhere else,” and change passwords regularly, said Pelgrin,.

The next layer of the defensive onion is a firewall. Many people don’t know what they are for, and don’t activate them. If someone knocks at your front door, you would most likely find out who they are and what their business is before inviting them in. A firewall does that for your computer. It analyzes traffic coming from the Internet, for example, that’s going into your computer system. The firewall allows some traffic and stops others based on operating rules designed to protect your computer or system from attacks. Most firewalls offer a choice of “on” or “off.” To have this layer of protection, make sure your firewall is on.

2. Use Anti-Virus Software and Keep it Updated: Viruses are so named because they make copies of themselves, and infect computer systems by traveling from computer to computer over the Internet or wirelessly. They can erase, change or steal information — even hijack your computer and allow someone else to use it. Your protection against biological viruses are immunizations and isolation; your protection against digital viruses is anti-virus software and behavioral measures such as not opening suspicious email. Anti-virus software should always be installed and kept updated, said Pelgrin.

Pelgrin recommended the Australian government's security mitigation strategies, which include the following items:

3. Applications: Patch applications such as PDF viewer, Microsoft Office and Java within two days of threat notification.

4. Operating System: Use the latest operating system version and patch within two days for vulnerabilities.

5. Access: Restrict the number of users with administrative access privileges to those who actually need access.

6. Whitelist: Whitelist applications to help prevent malicious software and other unapproved programs from running, e.g. by using Microsoft Software Restriction Policies or AppLocker.

Risk will never be eliminated, said Pelgrin, but a jurisdiction can reduce exposure significantly with a few simple actions.The last  four items above, he said, by themselves would prevent 85 percent of all cyberattacks.


| More

Comments

Laura Fucci    |    Commented September 10, 2012

The issue is so large, it is difficult to know where to start. I don't know if we'll ever reach 100% protection, but perhaps we can take a page from the book of our friends 'down under' on how to simplify this. Check out their page at: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm. They list 35 mitigation strategies for cyber intrusions. By implementing the top four strategies, they eliminated 80% of the intrusions responded to in 2010. It is a good start.


Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Digital Cities & Counties Survey: Best Practices Quick Reference Guide
This Best Practices Quick Reference Guide is a compilation of examples from the 2013 Digital Cities and Counties Surveys showcasing the innovative ways local governments are using technological tools to respond to the needs of their communities. It is our hope that by calling attention to just a few examples from cities and counties of all sizes, we will encourage further collaboration and spark additional creativity in local government service delivery.
Wireless Reporting Takes Pain (& Wait) out of Voting
In Michigan and Minnesota counties, wireless voting via the AT&T network has brought speed, efficiency and accuracy to elections - another illustration of how mobility and machine-to-machine (M2M) technology help governments to bring superior services and communication to constituents.
Why Would a City Proclaim Their Data “Open by Default?”
The City of Palo Alto, California, a 2013 Center for Digital Government Digital City Survey winner, has officially proclaimed “open” to be the default setting for all city data. Are they courageous or crazy?
View All