By TIM SMITH -- The Greenville News
A month after state officials learned of a massive data breach at the Department of Revenue, officials are still discussing what security measures to take to protect all of the state's computer systems.
A proposal to implement short-term security fixes for computer systems across state government is still being worked on and has not yet been ordered, Gov. Nikki Haley told GreenvilleOnline.com. She said the initial proposal of 11 security measures circulated by state Inspector General Patrick Maley will soon be added to.
Some national cyber security experts told GreenvilleOnline.com the list could be improved but long-term solutions are more critical.
And those solutions could involve significant costs to taxpayers, said the experts.
They were interviewed by GreenvilleOnline.com after Maley circulated a proposal to state agencies for a series of recommended steps to protect their computer systems from the types of attacks that were used on Revenue Department computers in September, exposing 3.6 million Social Security numbers, 387,000 mostly encrypted credit or debit card numbers and information for 657,000 businesses, as well as checking account numbers and other personal information.
The governor said in an interview that steps in addition to the 11 listed by Maley will be announced soon and any comments by experts about the initial recommendations are "premature."
ldquo;What the inspector general is doing is going into every agency and seeing what their vulnerabilities are," she said. "He is not, in any way, advised anything yet. What he is saying is, 'These are the things we are looking for. This is what we want to see.'"
The draft document asks agencies to immediately implement the security steps. Maley has said state government has about 100 agencies, boards, commissions, colleges and universities with computers, many of which have their own system executives and security policies.
Maley, a former FBI agent, spent this summer reviewing cyber security at Haley's cabinet agencies as a result of a data breach at the state's Medicaid and Medicare agency in April and concluded in September that the Revenue Department had "sound information security practices."
The proposed security steps were sent by GreenvilleOnline.com to various cyber security firms and universities or schools teaching cyber security
The list was drafted by the state Division of Information Technology, according to state documents, and includes steps ranging from disabling direct access to the Internet for all internal computer servers, to disabling all credential caching.
ldquo;After 30 years in the FBI, I don't get over-excited unless someone is shooting at me but, in my opinion, this is a crisis situation for information technology in state government," Maley said in an email to agencies' chief information officers on the day Haley publicly disclosed the hacking.
Among those who reviewed Maley's list was Tom Kellerman, vice president of cyber security for Trend Micro, an international computer security firm. He's served as a commissioner on a presidential commission on cyber security and serves on the board of the National cyber Security Alliance, the International cyber Security Protection Alliance, and the National Board of Information Security Examiners Panel for Penetration Testing.
"I think there are some gaps in their strategy," he said. "First and foremost, they should conduct a penetration test. A penetration test is an ethical hack. They should conduct a penetration test not only to understand a viable attack better, but they should also do it from the perspective of the database that was compromised to see where else the adversary could have moved laterally within the system and deposited back doors."
Back doors are computer entry points that may only be known to the hacker.
Kellerman said the stressing of the use of passwords in the list "is ridiculous given that they have suffered a breach at this level."
"They should move to two-factor authentication, which has always been a standard," he said. "It blows my mind after a breach like this why they are still using passwords."
Kellerman also recommended the agencies use, if they aren't already, file-integrity monitoring to know if any of the files have been manipulated. Lastly, he said, the agencies should be using DLP, or data loss protection, a technology for monitoring the movement of sensitive data and blocking its move to areas that are not approved.
The state Division of Information Technology offers a free system-monitoring service that notifies agencies if sensors pick up unusual activity within the system. It is then up to agencies once alerted to decide what to do.
But the Revenue Department chose a private service instead, officials say, because it was compliant with the standards required by major credit card companies. The Revenue Department began using the free state service on Oct. 20.
Valerie King teaches cyber security at the University of Maryland University Center, which has been designated as a National Center for Academic Excellence in Information Assurance Education by the National Security Agency and the Department of Homeland Security.
"I think it is a good start and for a short-term fix, it will work," she said of the 11 steps for agencies. "There are a few things that should also be addressed immediately or clarified."
She said the anti-virus recommendations were "confusing."
"Are they saying that no changes are permitted?" she asked. "That is not a best practice. Best practices for anti-virus are: (a) ensure that anti-virus software is installed and up to date on all machines (desktop and server); (b) ensure that anti-virus definitions are up to date and are updated automatically; (c) ensure that anti-virus software is running continuously (can't be turned off by users)."
She also added to the list with other items she said are industry best practices:
• Ensure that host-based firewalls are installed, properly configured and running on all desktop computers;
• Require strong passwords that are changed on a regular basis (90 days is usually sufficient, she said);
• Scan all computers weekly (or daily) for unauthorized software;
• Disable and block peer-to-peer file sharing, instant messaging, Skype, VoIP unless authorized client software is used;
• Disable and block sharing of files and folders on desktop computers (turn off file shares);
• Turn off and disable remote desktop sharing and remote assistance, which she said may need to be tweaked because there are valid situations when it is needed.
"But to me, the bigger issue is what are they going to do in the long run?" she asked. "I hope they initiated an investigation into this, both the incident and about their systems."
Robert Rodriguez agrees with the need for long-term solutions. Rodriguez served more than 22 years as a special agent with the U.S. Secret Service. He is the founder of the Security Innovation Network, whose mission is to advance innovation and enable global collaboration between the public and private sectors to defeat cyber security threats.
He asked whether South Carolina's government and its Legislature are committed to spending the money necessary to protect the state's computer systems.
"If they're not going to do that, they are really wasting their time," he said. "It's easy for them to Monday-night quarterback. But if they're not going to give them the leadership and the infrastructure support and the financial support, the manpower, they are in trouble. That's the real question."
Rodriguez said the fixes are "absolutely going to cost money and I wonder if they have the budget to do this."
"You've got to walk the talk," he said. "They are going to have to hire more people. They are going to have to hire contractors. They are going to have to buy technology. And that costs money. And they need to make it a priority. They are an example right now of a major state breach."
Haley told GreenvilleOnline.com Thursday that she wants to bring in a private consultant to help the state develop a cyber security plan for all of state government. She said she expects such a plan will involve additional costs and believes the Legislature will spend the money necessary.
Rodriquez said the state's officials have to commit to protecting the information.
"It's almost like states, governments and businesses, they're just hoping it doesn't happen to them and it happens to the other guy," Rodriguez said. "It's about risk and how they prioritize risk relative to cyber security. It all comes down to one word, trust. In the state's case, it's a little different because citizens are part of the system, so they have to give that personal data up. But they have to have confidence that the state is going to protect that data."