Friday, October 18, 2019

Cybersecurity? Do We Do That in Mississippi?

State Auditor Shad White issued the following statement. 


Several state agencies, boards, commissions, and universities are failing to adhere to state cyber security laws, leaving Mississippians’ personal data vulnerable to hackers. According to survey results published in a report from the Office of State Auditor Shad White, many state entities are operating like state and federal cyber security laws do not apply to them.



As required by state law, the Auditor’s office sent a cyber security survey to 125 state agencies, boards, commissions, and universities. Only 71 state entities responded to the survey, and several respondents did not complete it. This leaves the status of cyber security in more than 50 state entities completely unknown.



Among the government offices that replied to the survey, the report shows at least 11 do not have adequate written procedures to prevent or recover from a cyber attack. Another 22 respondents have not executed a third-party risk assessment. Having a third party test the vulnerability of an agency’s server is a requirement under state law. Further, 38% of all respondents indicate sensitive information like health information, tax data, and student information is not being encrypted to protect it from hackers.



In short, the survey found over half of all respondents are less than 75% compliant with state cyber security laws.



“This survey represents some excellent but alarming work by the data services division in the auditor’s office,” said Auditor Shad White. “October is cyber security awareness month, and we should start this month by acknowledging the very real weaknesses in our state government system. I personally have seen screenshots of other states’ private data on the dark web, and we do not need Mississippians’ personal information leaking out in the same way. The time to act to prevent hacking is now.”

Kingfish note: Apparently our state Solons missed out on what happened to Atlanta and Baltimore last year.   Mr. White said: 

Agencies are supposed to have someone test their system—try to hack it, in other words—to find weaknesses. And state law requires that all government institutions have a third party perform a security assessment at least once every three years. By not having these essential assessments, almost a third of the respondents have acknowledged they are vulnerable to hacking and out of compliance with state law.

Finally, 38% of the agencies said they are not encrypting sensitive information. Encrypting information when stored or transmitted is critical to prevent unauthorized access. By failing to encrypt, these agencies have potentially left health data, tax data, and other personally identifiable information at high risk of hacking.
Ouch. 

Now as for something that has nothing whatsoever to do with this post, here is a funny tidbit.  It is no secret that the State Auditor is investigating MBN.  Well, one of the things investigated is the Director's alleged propensity to use state vehicles for family trips to out of state destinations in sunny locales.  Well, the Director pulled up to MBN one day, while the auditors were there, in his big-ass state-issued truck pulling a personal trailer loaded with personal items.  Oops.






25 comments:

Anonymous said...

Responding to your headline - no, the state has yet to mandate an enterprise framework or benchmark for securing the state's data and IT infrastructure. In many cases, state employees have remote access to some of the state's most sensitive information making data exfiltration and system contamination relatively easy. And, there have been a few ransomware and data theft incidents in the state, but they go largely unreported, and/or misunderstood.

The Governor could show some real leadership and issue an executive order which creates a state data center/mart, mandates adoption of a statewide standard, and gives ITS the authority to conduct penetration testing and assessment of BC and DR capabilities. Following a nasty ransomware incident, another Southern state is adopting an enterprise cloud for all of its data and many of its business processes - better speed and recoverability, less expense, easier scalability, and far better security controls than thousands of out-of-date servers scattered across the state.

Anonymous said...

hey commenter #1 (e.g. state ITS employee) - get back to work and off the internet.

Anonymous said...

10:09
I guess now we know for certain that the Executive Director (or a kiss-ass) of ITS reads Jackson Jambalaya.

Anonymous said...

Years ago, a company out of Texas hacked into UMMC's main frame and used part of it to conduct their business. When the hospital discovered it, they deleted everything, only to find 6 months later that the company returned and was again poaching off of UMMC's main frame. Since then, the hospital allegedly has installed one of the best, most secure hospital computer systems available on the market. UMMC also "lost" a laptop several years ago that was full of confidential data, resulting in substantial penalties for the hospital.

Any government entity that uses laptops and allows employees to take them home or on trips is taking a huge risk.

Anonymous said...

I suspect state officials/employees will continue to ignore the law unless they receive consequences for doing so.

MS Banker said...

In response to 10:09AM

During my tenure at DOR we had annual compliance with Federal IRS data compliance rules. None of these were conducted by ITS as they were contracted out to a company the name escapes me. Every 2 years (IIRC) we had a pentester come out to the WorldCom building and do analysis of the network. I don't believe ITS is equipped with the personnel to perform proper pentesting itself. Let alone entice someone with the skillset with what ITS pays (even though it pays more than most government agencies). This is not to say that it couldn't be done, but as far as DOR goes it wouldn't be quite as easy as walking in with a USB stick.

Anonymous said...

The best cybersecurity on the planet can't stop the weakest link. Which is that most state employees only have the minimum requirement of a GED.

Anonymous said...

Real consequences are a racists move. They didn’t know.

Anonymous said...

@10:34, I don't work for ITS or the state; I'm a partner at a cybersecurity firm that the state probably couldn't afford or wouldn't listen to anyway. The state of Mississippi would be a very interesting project, but it would be close to impossible to break down all of the fiefdoms and get everybody to agree on a common security framework (thus the EO).

I'd love to sell the state a cloud government solution like we did in another state, with all essential government functions hosted in a secure environment. No downtime, better data analytics, increased speed, efficiency and scale, and killer security controlled at a central SOC. It isn't cheap, but it works and solves many of the problems people grip about when dealing with government.

Anonymous said...

"UMMC also "lost" a laptop several years ago that was full of confidential data, resulting in substantial penalties for the hospital."

I don't think that was a UMMC computer - I think it was a VA computer. Similar policies and penalties, though.

Anonymous said...

Why do we even have ITS if we have 50 agencies and counties that can't answer a questionnaire?

Anonymous said...

We had a chance to make equifax pay for it under our very good statute but all we got was coupons. The general sold us out

Anonymous said...

Per the legislation, ITS has oversight but no real funding or resources. Agencies are required under the ITS “Enterprise Security Policy,” to undergo full audits every three years and annual checkups. Without handing each agency’s infrastructure to ITS, the risk will remain high. Dr. Orgeron is a sharp guy, but he isn’t a miracle worker.

Re, the policy: https://statescoop.com/video/mississippi-cybersecurity-legislation-policy/

@2:38p - That breach fell under HIPAA and cost the state a cool $2.75 million. Not that anyone noticed.
Link: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ummc/index.html

Anonymous said...

@3:26
Your comment makes no sense, if you actually read the article. The survey was by the Auditor’s office, not ITS.

Anonymous said...

@1:59

What company do you work for? Seriously, if your product is that good I'm some agencies would like to hear your pitch.

Anonymous said...

"I suspect state officials/employees will continue to ignore the law unless they receive consequences for doing so. October 18, 2019 at 11:39 AM"

What 'law'? There is no law that requires agencies to respond to a 'questionnaire' from the Crown-Prince-Auditor. Methinks the young man was pushed around on the playground, regularly, in his elementary and middle-school years. Now (as in the case of Jackson's leadership) it's HIS turn.

Anonymous said...

@2:19
Shad and everyone concerned about state cybersecurity are 100% correct in their concerns. And it is a serious matter.

Ten years ago I did a short stint as a state employee. I was horrified to discover that a personnel supervisor, who didn't know the difference between rebooting and logging off, kept an Access 97 database full of every employee's PII/SSN and salaries on her desktop folder and shared it over the network to her subordinates.

She didn't have any shared folder restrictions set up. So anyone in the agency could connect and read it, had they the technical knowledge. My concerns were disregarded. They had done it that way for a decade and would continue.

As previously mentioned. That supervisor only had a GED, 15 years of state experience, and had been through the State Personnel Board Basic Supervisor Course. She didn't need no sass from some wh*teboy who just gradyated!

Anonymous said...

They probably don't even have a Carbonite account to do backups.

Anonymous said...

Cybersecurity would imply competence and accountability for the people's sake....not. ever. going. to. happen. in Mississippi leadership.

Anonymous said...

Yeah, sounds good! But as always no one wants to invest in updating our IT infrastructure and update the sh*t accordingly!? That's what happens when you have "fiscal conservatives" like Phil Bryant & Tate Reeves running our state government. Keep using outdated systems to protect our citizens information, and it'll cost us way more to get it fixed in the long run. 🙄

Anonymous said...

This certainly seems like a worry to me...but I can’t see how it can easily be resolved without bringing all of the disparate systems under one umbrella. Like many of the commenters have stated.... lack of standardization and the ability for non-qualified employees to run things willy-nilly is a disaster waiting to happen.

I also expect that once mass standardization was completed you would find that the efficiencies would lead to far lower staffing costs (I.e. less need for redundant jobs across agencies) which I’m sure is half of the reason something like this will never fly.

Either way... seems hard to blame ITS when it apparently doesn’t have 100% of the control over the processes and infrastructure.

Oct. 18 @11:39 a.m. said...

Oct. 19 @2:19 a.m., To answer your question, that law is called the Enterprise Security Program. It states as follows:

"Each state agency’s executive director or agency head shall: . . . Ensure that internal assessments of the security program are conducted. The results of the internal assessments . . . must be available to the Office of the State Auditor in performing auditing duties;"

Miss. Code Ann. § 25-53-201(3)(i).

When a statute uses the words "shall" and "must," it means that it is not optional. The failure to do it is a violation of the law.

Anonymous said...

Aside from the far too common " buck passing" by the legislature to pass laws without any way to implement those laws, 1:59 pm is absolutely correct.
The "fiefdoms" of state agencies, institutions, local and county governments that operate as a law unto themselves not only makes co-ordination and efficiency (fiscal and human) impossible, but allows corruption to flourish.
It is no accident that Reeves wants to give Junior and Community Colleges a million dollars to train Mississippians for technical jobs that don't exist. They are seen as a good source of voter support and it is believed by politicians that a JCC President can deliver the votes of all his employees and students and graduates. And, the JCC Presidents will try as they will get to decide how those funds are spent and who gets those funds. I'm sure there will need to be many Trustee meetings and faculty meetings at nice resorts to make a plan.

Anonymous said...

10:46 - The argument, as I understand it, is not whether security makes sense or whether the law prescribes certain methodology and mandates....The argument here is over Chad's hurt feelings because some agencies chose to ignore his requirement that they fill out a survey. Again, there is no law requiring ANYbody to do that.

If Mr. White wants to snag their asses, he can do it with an audit, not by whining that they ignored his questionnaire, which he seems to think was a subpoena of sorts.

Anonymous said...

11:41, 1:59 here - I work for the number one ranked provider of cybersecurity services in the world. We already looked into approaching Mississippi for its cybersecurity needs and found that organizationally, it wasn't mature enough to make constructive use of our services, and there also didn't appear to be enough budget or political will to mature the current state. That said, Dr. O is a recognized leader in the field and Mississippi is lucky to have him, but he is in an awful position - all of the responsibility, and none of the authority. With no mandate, budget, or enforcement authority he can only make recommendations, and not implement meaningful policy.

Unfortunately, it will take a significant ransomware incident or large-scale, multi-agency, lateral data breach to force the state's hand - think Baltimore on a statewide, catastrophic level.

Suscribe to latest on JJ.

Recent Comments

Search Jackson Jambalaya

Subscribe to JJ's Youtube channel

Archives

Trollfest '09

Trollfest '07 was such a success that Jackson Jambalaya will once again host Trollfest '09. Catch this great event which will leave NE Jackson & Fondren in flames. Othor Cain and his band, The Black Power Structure headline the night while Sonjay Poontang returns for an encore performance. Former Frank Melton bodyguard Marcus Wright makes his premier appearance at Trollfest singing "I'm a Sweet Transvestite" from "The Rocky Horror Picture Show." Kamikaze will sing his new hit, “How I sold out to da Man.” Robbie Bell again performs: “Mamas, don't let your babies grow up to be Bells” and “Any friend of Ed Peters is a friend of mine”. After the show, Ms. Bell will autograph copies of her mug shot photos. In a salute to “Dancing with the Stars”, Ms. Bell and Hinds County District Attorney Robert Smith will dance the Wango Tango.

Wrestling returns, except this time it will be a Battle Royal with Othor Cain, Ben Allen, Kim Wade, Haley Fisackerly, Alan Lange, and “Big Cat” Donna Ladd all in the ring at the same time. The Battle Royal will be in a steel cage, no time limit, no referee, and the losers must leave town. Marshand Crisler will be the honorary referee (as it gives him a title without actually having to do anything).


Meet KIM Waaaaaade at the Entergy Tent. For five pesos, Kim will sell you a chance to win a deed to a crack house on Ridgeway Street stuffed in the Howard Industries pinata. Don't worry if the pinata is beaten to shreds, as Mr. Wade has Jose, Emmanuel, and Carlos, all illegal immigrants, available as replacements for the it. Upon leaving the Entergy tent, fig leaves will be available in case Entergy literally takes everything you have as part of its Trollfest ticket price adjustment charge.

Donna Ladd of The Jackson Free Press will give several classes on learning how to write. Smearing, writing without factchecking, and reporting only one side of a story will be covered. A donation to pay their taxes will be accepted and she will be signing copies of their former federal tax liens. Ms. Ladd will give a dramatic reading of her two award-winning essays (They received The Jackson Free Press "Best Of" awards.) "Why everything is always about me" and "Why I cover murders better than anyone else in Jackson".

In the spirit of helping those who are less fortunate, Trollfest '09 adopts a cause for which a portion of the proceeds and donations will be donated: Keeping Frank Melton in his home. The “Keep Frank Melton From Being Homeless” booth will sell chances for five dollars to pin the tail on the jackass. John Reeves has graciously volunteered to be the jackass for this honorable excursion into saving Frank's ass. What's an ass between two friends after all? If Mr. Reeves is unable to um, perform, Speaker Billy McCoy has also volunteered as when the word “jackass” was mentioned he immediately ran as fast as he could to sign up.


In order to help clean up the legal profession, Adam Kilgore of the Mississippi Bar will be giving away free, round-trip plane tickets to the North Pole where they keep their bar complaint forms (which are NOT available online). If you don't want to go to the North Pole, you can enjoy Brant Brantley's (of the Mississippi Commission on Judicial Performance) free guided tours of the quicksand field over by High Street where all complaints against judges disappear. If for some reason you are unable to control yourself, never fear; Judge Houston Patton will operate his jail where no lawyers are needed or allowed as you just sit there for minutes... hours.... months...years until he decides he is tired of you sitting in his jail. Do not think Judge Patton is a bad judge however as he plans to serve free Mad Dog 20/20 to all inmates.

Trollfest '09 is a pet-friendly event as well. Feel free to bring your dog with you and do not worry if your pet gets hungry, as employees of the Jackson Zoo will be on hand to provide some of their animals as food when it gets to be feeding time for your little loved one.

Relax at the Fox News Tent. Since there are only three blonde reporters in Jackson (being blonde is a requirement for working at Fox News), Megan and Kathryn from WAPT and Wendy from WLBT will be on loan to Fox. To gain admittance to the VIP section, bring either your Republican Party ID card or a Rebel Flag. Bringing both and a torn-up Obama yard sign will entitle you to free drinks served by Megan, Wendy, and Kathryn. Get your tickets now. Since this is an event for trolls, no ID is required. Just bring the hate. Bring the family, Trollfest '09 is for EVERYONE!!!

This is definitely a Beaver production.


Note: Security provided by INS.

Trollfest '07

Jackson Jambalaya is the home of Trollfest '07. Catch this great event which promises to leave NE Jackson & Fondren in flames. Sonjay Poontang and his band headline the night with a special steel cage, no time limit "loser must leave town" bout between Alan Lange and "Big Cat"Donna Ladd following afterwards. Kamikaze will perform his new song F*** Bush, he's still a _____. Did I mention there was no referee? Dr. Heddy Matthias and Lori Gregory will face off in the undercard dueling with dangling participles and other um, devices. Robbie Bell will perform Her two latest songs: My Best Friends are in the Media and Mama's, Don't Let Your Babies Grow up to be George Bell. Sid Salter of The Clarion-Ledger will host "Pin the Tail on the Trial Lawyer", sponsored by State Farm.

There will be a hugging booth where in exchange for your young son, Frank Melton will give you a loooong hug. Trollfest will have a dunking booth where Muhammed the terrorist will curse you to Allah as you try to hit a target that will drop him into a vat of pig grease. However, in the true spirit of Separate But Equal, Don Imus and someone from NE Jackson will also sit in the dunking booth for an equal amount of time. Tom Head will give a reading for two hours on why he can't figure out who the hell he is. Cliff Cargill will give lessons with his .80 caliber desert eagle, using Frank Melton photos as targets. Tackleberry will be on hand for an autograph session. KIM Waaaaaade will be passing out free titles and deeds to crackhouses formerly owned by The Wood Street Players.

If you get tired come relax at the Fox News Tent. To gain admittance to the VIP section, bring either your Republican Party ID card or a Rebel Flag. Bringing both will entitle you to free drinks.Get your tickets now. Since this is an event for trolls, no ID is required, just bring the hate. Bring the family, Trollfest '07 is for EVERYONE!!!

This is definitely a Beaver production.

Note: Security provided by INS
.