Photo courtesy of the Washington Army National Guard
In early July, our Senior IT Security Specialist Sunia (Lulu) Laulile (pictured)participated in the International Collegiate Cyber Defense Invitational at Highline College in Des Moines, Washington. In this exercise, Lulu’s team attacked the systems the students were defending. You can read more about this event on the Washington Army National Guard’s blog.
Our Office has a whole team of highly capable and talented cybersecurity experts like Lulu whose job it is to ensure sensitive public data held by other Washington state governments is secure. We issue reports aimed at helping governments improve their security posture in an era of ever-increasing cyber threat. Read our most recent cybersecurity report on our website.
Did you know that the State Auditor offers free, in-depth evaluations of local government’s cybersecurity systems? In an article published today, the Pew Charitable Trust details the cutting-edge role the Washington State Auditor has in ensuring the IT system security of local governments around the state. This service helps protect local governments and their residents’ sensitive data from increasingly sophisticated hacking attempts. Want to learn more about how the Office of the Washington State Auditor is a leader in cyber security work? Check out the City of Mill Creek’s IT security performance audit here.
We are excited to announce that for the first time in the history of the National State Auditor’s Association (NSAA) IT Conference, Washington is the host state! This year’s conference takes place October 3rd through 6th at the beautiful and modern Hotel Murano in Tacoma.
If you are a state or local government IT auditor (internal or external), this conference is for you. It will provide participants with valuable IT audit training at an affordable price. Plus, there will be ample opportunities to network with other IT auditors from across the country. Don’t worry if you haven’t yet had much experience in IT auditing–the trainings are designed to span the spectrum of experience.
Be sure to check out NSAA’s website for more information, like a draft agenda when it becomes available. You can also check out the event page on Facebook!
During the week of January 9, 2017, malicious hackers conducted phishing attacks from multiple school district employees’ email accounts.
Hackers gained unauthorized access to work-related email accounts belonging to employees of multiple school districts, presumably by having the login name and password of the email account.
The hackers used the employees’ email accounts to send phishing emails to people with whom the employee had previous email contact. The message included instructions to click on a link to open a website. The website directs the email recipient to enter account credentials (email address / user name / password / phone number).
The hackers are also monitoring the victims’ email accounts and are responding to replies from recipients of the phishing email confirming the original request to click on the website link. In some cases, the hackers used the employees’ email signature to make the message appear more authentic. Continue reading
Passwords are an everyday part of life whether you’re logging into your work, bank or social media accounts. You should do everything you can to protect your passwords and use different passwords for different accounts as described in an earlier tip regarding “password reuse.” More importantly, knowing what makes a weak and strong password can reduce the chance a hacker or unauthorized user can guess or crack your password. At the State Auditor’s Office, our IT department requires a minimum of ten characters that includes at least one upper and lower case letter, a number, a special character. Also, no reuse of previous passwords. Continue reading
The National Association of State Chief Information Officers (NASCIO) conducts an annual survey of state Chief Information Officers to learn about the top policy and technology issues state governments face. State Chief Information Officers (CIOs) have ranked cyber security as the top priority on every survey since 2014. At the State Auditor’s Office, we are also concerned about cyber security. To help state agencies and local governments protect their IT systems and data, we conduct IT security performance audits designed to assess opportunities for improvement. We plan to continue these audits to strengthen the security posture of our state and local governments.
In 2016, the Deloitte-NASCIO cyber security study was completed. This study surveyed states’ Chief Information Security Officers (CISOs) for their perspectives and insights cyber security issues. Interestingly, some of what the state CISOs reported in the survey aligned with what state agencies reported to our Office during our IT security performance audits. Specifically, they named adequate resources, including funding and staffing for IT security, as a significant challenge. However, the study’s results indicate CISOs and CIOs are having a strong, positive impact on cyber security, which is encouraging.
Have you ever used the same password for your work PC as your home banking account or private email? Do you sometimes open email attachments before checking that the message is from someone you know and trust? Maybe you need to be #CyberAware! Continue reading
Gov. Jay Inslee is recognizing October as Cyber Security Awareness Month, a designation that comes on the heels of a summit between Maj. Gen. Bret Daugherty and Guard leaders from other states to help bolster the nation’s cybersecurity presence. Continue reading
What is “Vishing”?
“Vishing” uses techniques that are essentially similar to phishing, the act of acquiring sensitive information via electronic communication while posing as a trusted entity. A vishing attack takes place over the telephone, using call spoofing, and tricks a user into disclosing personal information such as credit card numbers or a three digit security code.
Recent vishing attacks use an automated robo-caller stating that the victim’s security software was breached and requests them to call a number. Calling the number will connect the victim to a human who will attempt to access the victim’s workstation via Citrix remote access. Once they have access to your computer, they can do the following: Continue reading