State Auditor Shad White issued the following statement.
Several state agencies, boards, commissions, and universities are failing to adhere to state cyber security laws, leaving Mississippians’ personal data vulnerable to hackers. According to survey results published in a report from the Office of State Auditor Shad White, many state entities are operating as if state and federal cyber security laws did not apply to them.
As required by state law, the Auditor’s office sent a cyber security survey to 125 state agencies, boards, commissions, and universities. Only 71 state entities responded to the survey, and several respondents did not complete it. This leaves the status of cyber security in more than 50 state entities completely unknown.
Among the government offices that replied to the survey, the report shows at least 11 do not have adequate written procedures to prevent or recover from a cyber attack. Another 22 respondents have not executed a third-party risk assessment. Having a third party test the vulnerability of an agency’s server is a requirement under state law. Further, 38% of all respondents indicate sensitive information like health information, tax data, and student information is not being encrypted to protect it from hackers.
In short, the survey found over half of all respondents are less than 75% compliant with state cyber security laws.
“This survey represents some excellent but alarming work by the data services division in the auditor’s office,” said Auditor Shad White. “October is cyber security awareness month, and we should start this month by acknowledging the very real weaknesses in our state government system. I personally have seen screenshots of other states’ private data on the dark web, and we do not need Mississippians’ personal information leaking out in the same way. The time to act to prevent hacking is now.”
Kingfish note: Apparently our state Solons missed out on what happened to Atlanta and Baltimore last year. Mr. White said:
Agencies are supposed to have someone test their system—try to hack it, in other words—to find weaknesses. And state law requires that all government institutions have a third party perform a security assessment at least once every three years. By not having these essential assessments, almost a third of the respondents have acknowledged they are vulnerable to hacking and out of compliance with state law.
Finally, 38% of the agencies said they are not encrypting sensitive information. Encrypting information when stored or transmitted is critical to prevent unauthorized access. By failing to encrypt, these agencies have potentially left health data, tax data, and other personally identifiable information at high risk of hacking.
Ouch.
Now as for something that has nothing whatsoever to do with this post, here is a funny tidbit. It is no secret that the State Auditor is investigating MBN. Well, one of the things investigated is the Director's alleged propensity to use state vehicles for family trips to out of state destinations in sunny locales. Well, the Director pulled up to MBN one day, while the auditors were there, in his big-ass state-issued truck pulling a personal trailer loaded with personal items. Oops.
25 comments:
Responding to your headline - no, the state has yet to mandate an enterprise framework or benchmark for securing the state's data and IT infrastructure. In many cases, state employees have remote access to some of the state's most sensitive information making data exfiltration and system contamination relatively easy. And, there have been a few ransomware and data theft incidents in the state, but they go largely unreported, and/or misunderstood.
The Governor could show some real leadership and issue an executive order which creates a state data center/mart, mandates adoption of a statewide standard, and gives ITS the authority to conduct penetration testing and assessment of BC and DR capabilities. Following a nasty ransomware incident, another Southern state is adopting an enterprise cloud for all of its data and many of its business processes - better speed and recoverability, less expense, easier scalability, and far better security controls than thousands of out-of-date servers scattered across the state.
hey commenter #1 (e.g. state ITS employee) - get back to work and off the internet.
10:09
I guess now we know for certain that the Executive Director (or a kiss-ass) of ITS reads Jackson Jambalaya.
Years ago, a company out of Texas hacked into UMMC's mainframe and used part of it to conduct their business. When the hospital discovered it, they deleted everything, only to find 6 months later that the company had returned and was again poaching off of UMMC's mainframe. Since then, the hospital allegedly has installed one of the best, most secure hospital computer systems available on the market. UMMC also "lost" a laptop several years ago that was full of confidential data, resulting in substantial penalties for the hospital.
Any government entity that uses laptops and allows employees to take them home or on trips is taking a huge risk.
I suspect state officials/employees will continue to ignore the law unless they receive consequences for doing so.
In response to 10:09AM
During my tenure at DOR we had annual compliance with Federal IRS data compliance rules. None of these were conducted by ITS, as they were contracted out to a company whose name escapes me. Every 2 years (IIRC) we had a pentester come out to the WorldCom building and do analysis of the network. I don't believe ITS is equipped with the personnel to perform proper pentesting itself, let alone entice someone with the skillset with what ITS pays (even though it pays more than most government agencies). This is not to say that it couldn't be done, but as far as DOR goes it wouldn't be quite as easy as walking in with a USB stick.
The best cybersecurity on the planet can't stop the weakest link. Which is that most state employees only have the minimum requirement of a GED.
Real consequences are a racist move. They didn’t know.
@10:34, I don't work for ITS or the state; I'm a partner at a cybersecurity firm that the state probably couldn't afford or wouldn't listen to anyway. The state of Mississippi would be a very interesting project, but it would be close to impossible to break down all of the fiefdoms and get everybody to agree on a common security framework (thus the EO).
I'd love to sell the state a cloud government solution like we did in another state, with all essential government functions hosted in a secure environment. No downtime, better data analytics, increased speed, efficiency and scale, and killer security controlled at a central SOC. It isn't cheap, but it works and solves many of the problems people gripe about when dealing with government.
"UMMC also "lost" a laptop several years ago that was full of confidential data, resulting in substantial penalties for the hospital."
I don't think that was a UMMC computer - I think it was a VA computer. Similar policies and penalties, though.
Why do we even have ITS if we have 50 agencies and counties that can't answer a questionnaire?
We had a chance to make Equifax pay for it under our very good statute, but all we got was coupons. The general sold us out.
Per the legislation, ITS has oversight but no real funding or resources. Agencies are required under the ITS “Enterprise Security Policy,” to undergo full audits every three years and annual checkups. Without handing each agency’s infrastructure to ITS, the risk will remain high. Dr. Orgeron is a sharp guy, but he isn’t a miracle worker.
Re, the policy: https://statescoop.com/video/mississippi-cybersecurity-legislation-policy/
@2:38p - That breach fell under HIPAA and cost the state a cool $2.75 million. Not that anyone noticed.
Link: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ummc/index.html
@3:26
Your comment makes no sense, if you actually read the article. The survey was by the Auditor’s office, not ITS.
@1:59
What company do you work for? Seriously, if your product is that good, I'm sure some agencies would like to hear your pitch.
"I suspect state officials/employees will continue to ignore the law unless they receive consequences for doing so. October 18, 2019 at 11:39 AM"
What 'law'? There is no law that requires agencies to respond to a 'questionnaire' from the Crown-Prince-Auditor. Methinks the young man was pushed around on the playground, regularly, in his elementary and middle-school years. Now (as in the case of Jackson's leadership) it's HIS turn.
@2:19
Shad and everyone concerned about state cybersecurity are 100% correct in their concerns. And it is a serious matter.
Ten years ago I did a short stint as a state employee. I was horrified to discover that a personnel supervisor, who didn't know the difference between rebooting and logging off, kept an Access 97 database full of every employee's PII/SSN and salaries on her desktop folder and shared it over the network to her subordinates.
She didn't have any shared folder restrictions set up. So anyone in the agency could connect and read it, had they the technical knowledge. My concerns were disregarded. They had done it that way for a decade and would continue.
As previously mentioned. That supervisor only had a GED, 15 years of state experience, and had been through the State Personnel Board Basic Supervisor Course. She didn't need no sass from some wh*teboy who just gradyated!
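The open-share scenario the commenter above describes (a desktop database of SSNs shared to the whole network with no restrictions) is the kind of thing a routine share audit catches. The PowerShell below is an added example, not code from the post, the Auditor's office or ITS. It assumes a Windows host with the SmbShare module (Windows 8 / Server 2012 and later) and an elevated session; the list of "broad" principals is an assumption you may want to extend with domain-wide groups such as Domain Users. It reports non-administrative shares where both the share-level ACL and the NTFS ACL grant access to Everyone, Authenticated Users or BUILTIN\Users, then flags Access and Excel files under those paths as candidate PII stores.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012+ with the
# SmbShare module and an elevated session. Principals treated here as "anyone on the
# network" (assumption; add domain groups such as 'DOMAIN\Domain Users' as needed):
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Find-OpenShares {
    # Non-administrative shares only (skips C$, ADMIN$, IPC$ and similar).
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        # Share-level permissions granted to a broad principal.
        $shareGrants = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.AccountName }

        # NTFS permissions on the underlying folder. Effective access is the more
        # restrictive of share and NTFS, so a finding requires both to be broad.
        $ntfsGrants = @()
        try {
            $ntfsGrants = (Get-Acl -Path $share.Path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.IdentityReference.Value }
        } catch {
            Write-Warning "Cannot read NTFS ACL on $($share.Path): $_"
        }

        if ($shareGrants -and $ntfsGrants) {
            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                ShareGrant = ($shareGrants | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
                NtfsGrant  = ($ntfsGrants  | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join ', '
            }
        }
    }
}

function Find-CandidatePiiFiles {
    param([string]$Path)
    # Access and Excel files are where a "desktop database" like the one in the
    # comment would live; extend the list for your own environment.
    Get-ChildItem -Path $Path -Recurse -File -Include *.mdb, *.accdb, *.xls, *.xlsx -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

$open = Find-OpenShares
$open | Format-Table -AutoSize
foreach ($s in $open) {
    Find-CandidatePiiFiles -Path $s.Path |
        ForEach-Object { Write-Warning "Possible PII store on broadly shared path: $($_.FullName)" }
}
```

Two caveats when reading the output. A share-level grant of Everyone:Full is the default Windows offers when a user ticks "share this folder", so on its own it is noise; the NTFS ACL is where the real restriction should live, which is why the script requires both to be broad before reporting. And the script checks only direct grants to the listed principals, not membership of custom groups, so an over-broad "HR-Staff" group that half the agency belongs to would not be flagged. For a fleet, run it through Invoke-Command against each file server and workstation rather than one host at a time.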
They probably don't even have a Carbonite account to do backups.
Cybersecurity would imply competence and accountability for the people's sake....not. ever. going. to. happen. in Mississippi leadership.
Yeah, sounds good! But as always no one wants to invest in updating our IT infrastructure and update the sh*t accordingly!? That's what happens when you have "fiscal conservatives" like Phil Bryant & Tate Reeves running our state government. Keep using outdated systems to protect our citizens information, and it'll cost us way more to get it fixed in the long run. 🙄
This certainly seems like a worry to me...but I can’t see how it can easily be resolved without bringing all of the disparate systems under one umbrella. Like many of the commenters have stated.... lack of standardization and the ability for non-qualified employees to run things willy-nilly is a disaster waiting to happen.
I also expect that once mass standardization was completed you would find that the efficiencies would lead to far lower staffing costs (I.e. less need for redundant jobs across agencies) which I’m sure is half of the reason something like this will never fly.
Either way... seems hard to blame ITS when it apparently doesn’t have 100% of the control over the processes and infrastructure.
Oct. 19 @2:19 a.m., To answer your question, that law is called the Enterprise Security Program. It states as follows:
"Each state agency’s executive director or agency head shall: . . . Ensure that internal assessments of the security program are conducted. The results of the internal assessments . . . must be available to the Office of the State Auditor in performing auditing duties;"
Miss. Code Ann. § 25-53-201(3)(i).
When a statute uses the words "shall" and "must," it means that it is not optional. The failure to do it is a violation of the law.
Aside from the far too common " buck passing" by the legislature to pass laws without any way to implement those laws, 1:59 pm is absolutely correct.
The "fiefdoms" of state agencies, institutions, local and county governments that operate as a law unto themselves not only makes co-ordination and efficiency (fiscal and human) impossible, but allows corruption to flourish.
It is no accident that Reeves wants to give Junior and Community Colleges a million dollars to train Mississippians for technical jobs that don't exist. They are seen as a good source of voter support and it is believed by politicians that a JCC President can deliver the votes of all his employees and students and graduates. And, the JCC Presidents will try as they will get to decide how those funds are spent and who gets those funds. I'm sure there will need to be many Trustee meetings and faculty meetings at nice resorts to make a plan.
10:46 - The argument, as I understand it, is not whether security makes sense or whether the law prescribes certain methodology and mandates....The argument here is over Chad's hurt feelings because some agencies chose to ignore his requirement that they fill out a survey. Again, there is no law requiring ANYbody to do that.
If Mr. White wants to snag their asses, he can do it with an audit, not by whining that they ignored his questionnaire, which he seems to think was a subpoena of sorts.
11:41, 1:59 here - I work for the number one ranked provider of cybersecurity services in the world. We already looked into approaching Mississippi for its cybersecurity needs and found that organizationally, it wasn't mature enough to make constructive use of our services, and there also didn't appear to be enough budget or political will to mature the current state. That said, Dr. O is a recognized leader in the field and Mississippi is lucky to have him, but he is in an awful position - all of the responsibility, and none of the authority. With no mandate, budget, or enforcement authority he can only make recommendations, and not implement meaningful policy.
Unfortunately, it will take a significant ransomware incident or large-scale, multi-agency, lateral data breach to force the state's hand - think Baltimore on a statewide, catastrophic level.