Government Technology

Special Report: Cybersecurity Handbook for Cities and Counties

December 10, 2012

Pelgrin said security measures must be as automatic as putting on seat belts. Drivers don’t necessarily wear seat belts because they think they may be in an accident, nor do they buckle up because they fear a traffic ticket. They do it because it’s become a routine part of driving. Securing computers and systems should become just as routine.

So what are some other onion layers? A helpful analogy is to think of how you secure your home. You lock the doors and windows at night, set an alarm if you’re gone, put valuables in a safe, tell your children not to invite people over when you’re not there and buy homeowner’s insurance. If you live in a high-crime neighborhood, you might have a dog and bar the windows and doors.

With the Internet, however, there are no safe neighborhoods — your “house” is accessible from anywhere in the world. And since cities and counties provide access to the public for information and transactions, you must be prepared to sort the traffic and attempt to keep out the bad guys even with high traffic volume.

Use Strong Passwords

The first element of strong security is a strong password — as boring as that may sound. You have a key to the front door of your house; computers and computer systems use passwords. Weak passwords are like simple door locks that can be sprung with a paper clip. Short, simple words — for example, your dog’s name “Scotty” — make weak passwords. Cybercrooks can break these in a few seconds. For starters, a good password is at least eight characters long. Using upper- and lowercase letters also increases the time required to crack it. Adding a number or two strengthens your defenses even more, and adding a punctuation mark or other symbol gets you into “strong password” territory that could take years for a hacker to crack. Use tools like Microsoft’s password strength checker to make sure you’re on the right track.


Multi-State Information Sharing and Analysis Center cybersecurity guides for nontechnical managers. 

SANS 20 Critical Security Controls

SANS advice on protecting mobile devices: PINs, passwords, pattern locks, encryption, backups, remote wiping, and what to do if your device is lost or stolen.

White House Guide to bring your own device (how to safely integrate personal mobile devices into your network).

McGraw-Hill basic security training, concepts, definitions, two-minute drill and a self-test.

A four-page nontechnical acceptable use template developed by MS-ISAC and LeRoy, N.Y.

This webpage contains many different types of security policy templates from the SANS Institute.

NIST Computer Security Incident Handling Guide

NIST Risk Assessments Guide

The Open Web Application Security Project live CD: testing tools for website security

Metasploit penetration testing tools

Trustwave perimeter scanning for vulnerability and PCI compliance

Strong passwords are complex — but how do you remember them? Writing them on a sticky note attached to the screen or under the keyboard means anybody with physical access to your computer can get into your data. But experts have come up with a few tricks to jog your memory. Start with a phrase, for example, that commemorates a family activity: “We camped at Humbug Mountain in 2010.” Your password could be the first letters of that phrase: “WcaHMi2010.” Microsoft’s checker rates this password as “medium” strength.

To strengthen it, trade some letters or numbers for symbols. For example, trade the “a” for an ampersand (&), the “i” for a colon (:) and swap the two zeros for letter Os. That gives you: “Wc&HM:2O1O”. Microsoft’s checker says that’s a “strong” password, and it’s much easier to remember than a randomly generated strong password. So you’ve beefed up your front door and installed a deadbolt.
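The effect of length and character classes on the three passwords above can be worked through in a few lines. This is an added example, not code from the article and not Microsoft's checker: the weak/medium/strong thresholds and the guess rate of 10 billion per second are assumptions chosen for illustration.

```python
import math
import string

# Character classes the article names; alphabet size is the length of each.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Assumption: an offline attacker testing 10 billion guesses per second.
GUESSES_PER_SECOND = 1e10


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]


def keyspace(password):
    """Candidates an exhaustive search must cover: alphabet ** length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def keyspace_bits(password):
    """The same search space expressed in bits."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password):
    """Upper bound only: real words and common swaps are guessed sooner."""
    return keyspace(password) / GUESSES_PER_SECOND


def rate(password):
    """Assumed thresholds built from the article's advice (hypothetical)."""
    used = classes_used(password)
    if len(password) < 8 or len(used) < 2:
        return "weak"
    return "strong" if len(used) == len(CLASSES) else "medium"


if __name__ == "__main__":
    # The three passwords discussed in the article.
    for pw in ("Scotty", "WcaHMi2010", "Wc&HM:2O1O"):
        years = seconds_to_exhaust(pw) / (365 * 24 * 3600)
        print(f"{pw:12} {rate(pw):7} {keyspace_bits(pw):5.1f} bits "
              f"{seconds_to_exhaust(pw):.3g} s ({years:.3g} years)")
```

Under these assumptions "Scotty" falls in about two seconds, while the two ten-character passwords take years to exhaust, which matches the ordering the article describes.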

Change Passwords Often

Pelgrin said using the same password for your home computer and work systems is like using the same key for your house, car, office and storage facility. If someone makes a copy of that one key, they have access to everything. Typically, if hackers crack one password, they will try that password on any other systems (e.g., social networks and mobile devices) that you use. “Keep your city or county login password strong and don’t use it anywhere else,” Pelgrin said. And, even though it’s inconvenient, passwords should be changed regularly.

Use a Password Manager

If you have too many passwords to remember, try using a password manager, which stores multiple passwords in an “online safe” where users only need one password for access. “They let you randomly generate strong passwords for all your accounts and store them securely,” said Joanne McNabb, chief of California’s Privacy Protection Office, in a newspaper article. McNabb said there are a number of free password managers including: KeePass (for Windows, OS X, Linux, Android and iOS), Password Safe (Windows) and Keychain (Mac).

Biometrics Can Help

In some cases, biometric devices that require a fingerprint, retina scan or facial recognition can provide secure access without a password. For instance, staff members at the Sacramento, Calif., City Clerk’s Office are piloting fingerprint readers for their mobile devices.

Use Mobile Device Passwords

Americans lose $7 million in mobile devices every day. Yet Pelgrin said he’s astounded at how many people don’t use a sign-on password for their smartphones. Simply setting a four-digit passcode will keep a thief out of smartphone users’ personal information, bank accounts, contact lists, etc., and after a certain number of wrong attempts at cracking the password, the phone will freeze everything or erase all data.

Firewalls: “Who are you and what do you want?”

Using strong passwords isn’t the only security measure to take, but it’s a good start. The next layer of the “onion defense” is a firewall. If someone knocks on your front door, you would certainly find out who they are and what they want before inviting them in. A firewall does that for a computer. It analyzes traffic headed into the computer system, for example from the Internet, and allows some of that traffic to enter while stopping the rest, based on operating rules designed to protect the system from attacks. Most firewalls offer a choice of “on” or “off.” To have this layer of protection, make sure your firewall is on. If the firewall stops a connection you want, then add an exception in the firewall settings.
