With the election only weeks away, election officials may feel like any cybersecurity activity would be impossible to accomplish in time. In this post, Security Engineer Philippe Langlois outlines quick wins that elections officials can implement in time to make a difference, no matter how close we are to Election Day.
By now, cybersecurity isn’t a foreign concept to anyone working in the elections sector, especially as there’s been a welcome increase in resources, guidance, and new participants. Unfortunately, the deluge of advice from well-intended people isn’t necessarily easy for everyone to abide by while trying to get the final pieces ready for a big election. In a small effort to help elections officials get ready for the election, I’ve created a simple, pre-election, cybersecurity checklist to help prioritize some quick wins.
Review user logins for suspicious activity
While it might not seem like the most technologically advanced thing to do, using stolen credentials is one of the most common ways bad guys breach organizations, according to the research conducted by Verizon for their Data Breach Investigations Report. By keeping a close eye on weird logins, such as those during off-hours or from unexpected locations, you might be able to catch one of those wayward compromised accounts. The nice thing is that the ability to detect and alert on potentially compromised accounts has become more accessible and easier to implement on many platforms, so it never hurts to check whether it’s something you can activate.
- Look for any old user accounts;
- Look for unusual logins (do your users commonly log in from outside the US?); and,
- Look for any weird forwarding rules (bad guys like to use this to keep tabs on their targets without them knowing).
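The three checks above, turned into a small review script. This is an added example, not code from the original post; the event records, the country list, the business-hours window and the 90-day staleness threshold are all constructed assumptions that you would swap for your own platform's audit export and your own office hours.

```python
from datetime import datetime, timedelta

# Constructed sample of audit events (not real data): one record per event.
# "country" is where the login came from; "forwarding_to" is set when a user
# created a mailbox forwarding rule.
EVENTS = [
    {"user": "clerk1", "time": "2020-10-12T09:15:00", "country": "US", "event": "login"},
    {"user": "clerk1", "time": "2020-10-13T03:05:00", "country": "RO", "event": "login"},
    {"user": "clerk2", "time": "2020-10-13T14:20:00", "country": "US", "event": "login"},
    {"user": "clerk2", "time": "2020-10-13T14:25:00", "country": "US", "event": "forward_rule",
     "forwarding_to": "unknown-address@example.net"},
    {"user": "oldtemp", "time": "2020-03-01T10:00:00", "country": "US", "event": "login"},
]

BUSINESS_HOURS = range(7, 20)       # 07:00-19:59 local time; assumed office hours
EXPECTED_COUNTRIES = {"US"}         # where your users normally log in from
STALE_AFTER = timedelta(days=90)    # accounts with no login for 90 days count as "old"
INTERNAL_DOMAINS = {"example.gov"}  # assumed own domain; forwarding elsewhere is suspicious


def review_logins(events, now_iso):
    """Return (user, reason) findings: off-hours/foreign logins, external forwarding, stale accounts."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    last_seen = {}
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        user = e["user"]
        if e["event"] == "login":
            last_seen[user] = max(ts, last_seen.get(user, ts))
            if ts.hour not in BUSINESS_HOURS:
                findings.append((user, f"off-hours login at {e['time']}"))
            if e["country"] not in EXPECTED_COUNTRIES:
                findings.append((user, f"login from unexpected country {e['country']}"))
        elif e["event"] == "forward_rule":
            domain = e["forwarding_to"].rsplit("@", 1)[-1]
            if domain not in INTERNAL_DOMAINS:
                findings.append((user, f"forwarding rule to external address {e['forwarding_to']}"))
    # Old accounts: anyone whose most recent login is older than the threshold.
    for user, seen in last_seen.items():
        if now - seen > STALE_AFTER:
            findings.append((user, f"no login since {seen.date()} (stale account)"))
    return findings


if __name__ == "__main__":
    for user, reason in review_logins(EVENTS, "2020-10-14T00:00:00"):
        print(f"{user:8} {reason}")
```

On the constructed data this flags clerk1 twice (a 3 a.m. login from an unexpected country), clerk2's external forwarding rule, and the unused "oldtemp" account.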
Review your perimeter
When not using a front door key left under the welcome mat (compromised credentials), criminals will often jiggle windows and check whether a side door or anything else was left open for them to sneak in. On the internet, it’s more or less the same, except they can shake every window and door on every house nonstop from anywhere in the world. While some of this prodding is benign, it’s also a common tactic for bad guys to find and exploit vulnerabilities or misconfigurations, so it’s important that you know which of your systems are facing the internet and that these exposed servers and services are secured so as not to leave criminals with an easy way into your network.
The good news is that there are several resources (many free) that can help you identify these exposures, such as Shodan and Censys. These platforms work like Google in that they crawl the internet and index it for you to search; however, instead of crawling websites, they crawl IP addresses, allowing anyone to see what devices are on the internet. To use a tool like this, all you need to know is your external IP address, which you can get by just Googling “what’s my IP address,” and use that as a starting point. Some of the favorite types of targets hackers look for are:
- Remote desktops: While these systems can be securely deployed, adversaries are most often looking for weak credentials and will spend day after day trying millions of different username and password combinations. Once they’re in, they can quickly use that new access to pivot (move) around the environment and expand the scope of the compromise.
- Unpatched VPN servers: As DHS has warned, bad guys are using known vulnerabilities to compromise VPN servers, giving them access to various user accounts, which they can then leverage to sneak into the environment and cause further damage. Make sure that key systems facing the internet, like VPNs, are at least regularly patched.
- Exposed services: Services like databases, management interfaces like telnet, and network share services like SMB can expose your organization to a high amount of unintended risk, as these types of services can be brute-forced or exploited to gain access to data that you may not have intended to share.
- Control systems: Sometimes devices that were never designed to be on the internet end up there, and that can pose a risk to the organization. Industrial control systems, like the technology that controls industrial processes (including things like HVAC), might have a web interface, but that doesn’t mean it was ever meant to be online, and it may not have been developed with security in mind. The combination of weak credentials and potential vulnerabilities sometimes makes these targets for attackers looking to cause some disruption.
The election world can move fast, but this quick sanity check will help catch cases where changes made while getting systems up and running have inadvertently exposed something to the internet.
Have some tested and offline backups
Backups are one of those practices, much like flossing, that we all know we should do more often, but they often fall below other, more pressing things in our priorities, like not flossing. However, just like flossing, it is a key practice for your cyber hygiene—and having recent and complete backups will allow you to quickly recover your systems and get back to business if necessary.
While having backups is key, they should be occasionally tested to ensure that they’re working as intended and aren’t just blank disks you’re moving around. It’s also worthwhile to have an offline copy of your backup data: bad guys have also figured out the importance of backups, especially when it comes to ransomware-type attacks where they want to make your data unrecoverable. To ensure that their attacks are more effective, they’ll also seek out the backups located on the network and encrypt or delete them. Having an offline version of your backup data adds an additional layer of security, so that at least you’ll have a copy of the data that they couldn’t reach.
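One concrete way to do the "are they blank disks?" test: hash every file at backup time into a manifest, then verify the copy (including the offline one) against it later. This is an added example and not code from the original post; the file names and contents in run_demo are constructed, and in practice you would store the manifest with the backup and run verify_backup against the restored copy.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large backup archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Record relative path -> SHA-256 for every file under root (run at backup time)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_backup(root, manifest):
    """Compare a backup copy against its manifest; report files that are missing or changed."""
    problems = {"missing": [], "mismatched": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            problems["missing"].append(rel)
        elif sha256_file(full) != expected:
            problems["mismatched"].append(rel)
    return problems

def run_demo():
    """Constructed scenario: a good copy, then the same copy with one file truncated and one gone."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as copy:
        for name, data in {"voters.db": b"A" * 4096, "config.ini": b"precinct=12\n"}.items():
            for d in (src, copy):
                with open(os.path.join(d, name), "wb") as f:
                    f.write(data)
        manifest = build_manifest(src)
        good = verify_backup(copy, manifest)
        # Simulate a damaged backup: one file truncated, one file missing.
        with open(os.path.join(copy, "voters.db"), "wb") as f:
            f.write(b"A" * 100)
        os.remove(os.path.join(copy, "config.ini"))
        bad = verify_backup(copy, manifest)
    return good, bad

if __name__ == "__main__":
    print(run_demo())
```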
It takes a village
As my little league coach probably said at one point, “Teamwork makes the dream work,” and in the world of elections this will certainly ring true for many of us. While the odds may appear insurmountable, remember that you’re not alone in this effort, and many organizations have sprung up to assist with securing your election. Before the actual election, it might be a useful exercise to review your existing contact lists and make sure you have updated information for the different stakeholders out there. Here are just some contacts you may want to consider having in your back pocket:
- State and federal election partners;
- Law enforcement (local, state, and federal);
- Information sharing groups like the MS- and EI-ISAC;
- Hosting provider and/or managed security provider (if you have them); and,
- Nearby local governments (it never hurts to know what’s happening at your neighbors’).
While it may sometimes feel like the challenges we face in our elections are insurmountable, we have made tremendous strides since 2016. There’s still work that needs to be done, but through a commitment to collaboration by all stakeholders, we can continue to build on that progress—and build trust in our electoral processes.