Hackers put more heat on security staffs
Hackers put more heat on security staffs
- By Jason Miller
- Aug 29, 2001
Over a few days in June, nine state Web sites fell victim to attacks by a hacker group called World of Hell.
The hackers pasted graffiti on sites operated by the Texas lottery and Georgia's Transportation Department Web pages, the Virginia and Vermont state home pages and the New Mexico Retiree Health Care Authority, among others. They placed the World of Hell logo and a message about getting rid of Microsoft Windows NT and using Unix on each of the sites.
World of Hell's cybervandalism was more annoying than harmful, but it did illustrate the severe and evolving security threat to state sites.
As states increasingly adopt electronic government, information technology agencies are scram-bling to catch up with the growing cybervandalism threat, officials said.
A recent audit of Maryland's judicial information system illustrates the problem. Auditors with the Legislative Services Department found inadequate security in several areas, including how often passwords were changed, how the system's firewall was administered and how closely mainframe access was monitored.Obvious weaknesses
Even though the judicial system's computers have never been hacked into, the audit showed the system's many weaknesses. And Maryland is not alone in trying to stay ahead of the security curve, according to Larry Kettlewell, senior executive security policy officer for the Kansas Administration Department.
Kettlewell sees security issues looming as large as the year 2000 date rollover.
'The biggest problem seems to be with all the emphasis states are placing on e-government and e-commerce, we have to be a lot more open with our systems,' he said. 'It is a little more difficult to configure a network to make it open enough for people to use,but secure enough so hackers can't break into them.'
Kettlewell is not alone in his view. Chris Dixon, digital government issues coordinator for the National Association of State Chief Information Officers, said his organization recently put together a security and liability team to look at security issues.
'In Kansas, we have done several things over the last couple of months to increase communications such as passing around pings from IP addresses that may be unusual,' he said. Pings are signals that can be used to find open ports in a Web host, highlighting a potential security weakness.
Most of the major incidents have arisen because agencies do not keep software patches up to date, Kettlewell said. Part of the problem is patches come out so often that states do not have the resources to regularly install the newest versions, Kettlewell said.
'We are trying to collaborate on information of that nature between agencies,' Kettlewell said. 'We also are asking vendors to push it down to us so we don't have to look for it.'
Kettlewell also pointed to state employees opening e-mail attachments from unknown addresses and IT managers not forcing frequent password changes.
'Most states are catching up to the knowledge level on how to reconfigure their networks to make them more secure,' Kettlewell said. 'It also comes down to educating the user on policies and procedures.'
Dixon agreed with Kettlewell in that states slowly are getting better at securing their systems. He said there is a state trend to house main servers in one location. Dixon listed Pennsylvania as one state moving to a central server site. Dixon added that implementing redundant systems would increase security.
In the case of the Maryland judicial system, lowering the risks and improving security required several such steps.
Phil Braxton, director of judicial information systems for the Administrative Office of the Maryland Courts, said procedures will be improved so employees must change passwords at least every 90 days. He also hired a senior IT specialist to monitor the system's firewall log more closely and assure that system changes are recorded before servers are rebooted.
Braxton added that he also installed File-Aid software from Compuware Corp. of Farmington Hills, Mich., which tracks changes to mainframe application programs.More IT duties
The Judicial Branch also may expand the responsibilities of its full-time IT security officer, Braxton said.
Although hackers don't target state sites as frequently as they do federal sites, security risks will continue to be a problem as long as states continue to struggle with keeping security tight.
'All states are going through a learning curve when it comes to security,' Kettlewell said. 'The steepness, obviously, is different for each state, but it is an absolute necessity to understand how to make your systems secure.'