2017 NSAA IT Conference in Tacoma

We are excited to announce that for the first time in the history of the National State Auditors Association (NSAA) IT Conference, Washington is the host state! This year’s conference takes place October 3rd through 6th at the beautiful and modern Hotel Murano in Tacoma.

If you are a state or local government IT auditor (internal or external), this conference is for you. It will provide participants with valuable IT audit training at an affordable price. Plus, there will be ample opportunities to network with other IT auditors from across the country. Don’t worry if you haven’t yet had much experience in IT auditing: the training sessions are designed to span the spectrum of experience.

Be sure to check out NSAA’s website for more information, like a draft agenda when it becomes available. You can also check out the event page on Facebook!


School district alert for phishing email attack

During the week of January 9, 2017, malicious hackers conducted phishing attacks from multiple school district employees’ email accounts.

What happened? 

Hackers gained unauthorized access to work-related email accounts belonging to employees of multiple school districts, presumably by having the login name and password of the email account.

The hackers used the employees’ email accounts to send phishing emails to people with whom the employee had previous email contact. The message included instructions to click on a link to open a website. The website directs the email recipient to enter account credentials (email address / user name / password / phone number).

The hackers are also monitoring the victims’ email accounts: when a recipient replies to ask whether the message is genuine, the hackers answer from the compromised account and confirm the original request to click the link. In some cases, the hackers used the employees’ email signature to make the message appear more authentic.

#CyberAware: Creating a strong password

Passwords are an everyday part of life, whether you’re logging into your work, bank or social media accounts. You should do everything you can to protect your passwords and use different passwords for different accounts, as described in an earlier tip regarding “password reuse.” More importantly, knowing what makes a password weak or strong can reduce the chance that a hacker or unauthorized user can guess or crack it. At the State Auditor’s Office, our IT department requires a minimum of ten characters, including at least one upper-case letter, one lower-case letter, a number and a special character, and it does not allow reuse of previous passwords.
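As an added illustration of the policy described above (not code from the State Auditor’s Office), the following Python checks a candidate password against the stated rules and against a history of previous passwords. The history keeps only salted PBKDF2 hashes, never the passwords themselves; the history depth of five is an assumption, since the post does not state one.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 10    # policy from the post: at least ten characters
HISTORY_SIZE = 5   # assumption: number of previous passwords remembered (not stated in the post)


def policy_failures(password):
    """Return the list of policy rules the candidate breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def _hash(password, salt):
    # Salted PBKDF2-HMAC-SHA256 so the reuse history never stores plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Remembers the last HISTORY_SIZE passwords as (salt, hash) pairs for the reuse check."""

    def __init__(self, size=HISTORY_SIZE):
        self.size = size
        self._entries = []

    def was_used(self, password):
        # Constant-time comparison against each stored hash.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        self._entries = self._entries[-self.size:]   # drop entries older than the window


def check_new_password(password, history):
    """Combine the composition rules with the no-reuse rule."""
    failures = policy_failures(password)
    if history.was_used(password):
        failures.append("reuses a previous password")
    return failures
```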

Survey shows states are concerned about cyber security, and making progress


The National Association of State Chief Information Officers (NASCIO) conducts an annual survey of state Chief Information Officers to learn about the top policy and technology issues state governments face. State Chief Information Officers (CIOs) have ranked cyber security as the top priority on every survey since 2014. At the State Auditor’s Office, we are also concerned about cyber security. To help state agencies and local governments protect their IT systems and data, we conduct IT security performance audits designed to assess opportunities for improvement. We plan to continue these audits to strengthen the security posture of our state and local governments.

In 2016, the Deloitte-NASCIO cyber security study was completed. This study surveyed states’ Chief Information Security Officers (CISOs) for their perspectives and insights on cyber security issues. Interestingly, some of what the state CISOs reported in the survey aligned with what state agencies reported to our Office during our IT security performance audits. Specifically, they named adequate resources, including funding and staffing for IT security, as a significant challenge. However, the study’s results indicate that CISOs and CIOs are having a strong, positive impact on cyber security, which is encouraging.

“Vishing” can pose a threat

What is “Vishing”?

“Vishing” uses techniques that are essentially similar to phishing, the act of acquiring sensitive information via electronic communication while posing as a trusted entity. A vishing attack takes place over the telephone, using caller-ID spoofing, and tricks a user into disclosing personal information such as credit card numbers or a three-digit security code.

Recent vishing attacks use an automated robo-caller stating that the victim’s security software was breached and asking them to call a number. Calling the number connects the victim to a human who attempts to access the victim’s workstation via Citrix remote access. Once they have access to the computer, they can do the following: