Safe at home: South Carolina rethinks government network security
Editor’s note: Julian Weinberger of NCP engineering discusses the importance of network security in government in the commentary below. Weinberger is an international system engineer at the firm. NCP’s U.S. office is located in Mountain View, Calif. The company offers technology in universal communication and security. It provides users with secure communications through its full remote access product portfolio.
Over the last two years, the South Carolina Department of Revenue has spent $21 million to build an impenetrable network security infrastructure that should be the model for all state agencies – it features a newly upgraded security system and is even “test hacked” periodically to check for vulnerabilities.
Yet, while the agency has been rightly praised for making these upgrades, it’s also received a flood of criticism for how it got to this point – nearly 6 million South Carolinians first had to become victims of a 2012 cyberattack on the department before it took these important steps.
The reason local and state governments are so often vulnerable to cyberattacks isn’t surprising – the costs of enhancing a network security infrastructure are either onerous or outright prohibitive for cash-strapped agencies. It usually takes a high-profile breach, like the one in South Carolina, to attract the attention and funding needed to proactively thwart future attacks.
As other local government agencies follow the lead of the South Carolina Department of Revenue, the best approach for network administrators is to build a redundant, multi-layered network security infrastructure, including interconnected intrusion prevention systems (IPSs), firewalls, encryption functions and VPNs.
On top of this defense-in-depth approach ought to be an access control plan that keeps information only in the hands of those who need to see it. Network administrators can choose among four types of access control: limiting access based on the user (Discretionary Access Control), the role (Role-Based Access Control) or a set of conditional rules (Rule-Based Access Control), or creating a multilevel structure of sensitivity labels applied to both the user and the file (Mandatory Access Control).
How can better access control help to prevent another attack on the Department of Revenue, similar to the one that happened two years ago? In that attack, hackers obtained employee login and password information through a phishing scheme. That allowed the hackers to access the agency’s databases and steal personal information.
In the future, a more robust access control structure will better protect Department of Revenue files from prying eyes and prevent access by hackers who fail to meet certain conditional access requirements. For example, a rule could grant access only to a select group, and only during certain hours of the day or days of the week.
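The rule described above, as an added example that is not part of the original commentary: a default-deny check in Python that grants access only when group, weekday and hour all match. The names (`Rule`, `is_allowed`, `denied_attempts`), the users, the group and the resource are hypothetical, and timestamps are assumed to be in the agency's local time.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Rule:
    """Hypothetical rule: which group may reach a resource, and when."""
    resource: str
    group: str
    days: frozenset  # allowed weekdays, Monday=0 ... Sunday=6
    start: time      # window opens (inclusive)
    end: time        # window closes (exclusive)

# Constructed sample policy and directory data, for illustration only.
RULES = [Rule("taxpayer_db", "revenue-analysts", frozenset(range(5)), time(8), time(18))]
GROUPS = {"jdoe": {"revenue-analysts"}, "contractor1": {"helpdesk"}}

def is_allowed(user, resource, when, rules=RULES, groups=GROUPS):
    """Default deny: grant only if one rule matches group, weekday and hour."""
    member_of = groups.get(user, set())  # unknown users belong to no group
    for r in rules:
        if r.resource != resource or r.group not in member_of:
            continue
        if when.weekday() in r.days and r.start <= when.time() < r.end:
            return True, f"allowed: {r.group} rule for {resource}"
    return False, "denied: no rule matches user, resource and time"

def denied_attempts(attempts):
    """Return the attempts the policy rejects, e.g. to feed an alert queue."""
    return [a for a in attempts if not is_allowed(*a)[0]]

if __name__ == "__main__":
    # Constructed attempts; a correct password is assumed in every case.
    attempts = [
        ("jdoe", "taxpayer_db", datetime(2024, 3, 4, 10, 30)),         # Monday, in hours
        ("jdoe", "taxpayer_db", datetime(2024, 3, 4, 2, 15)),          # Monday, 02:15
        ("jdoe", "taxpayer_db", datetime(2024, 3, 9, 10, 30)),         # Saturday
        ("contractor1", "taxpayer_db", datetime(2024, 3, 4, 10, 30)),  # wrong group
    ]
    for user, resource, when in attempts:
        ok, reason = is_allowed(user, resource, when)
        print(f"{when:%a %Y-%m-%d %H:%M} {user:12} {reason}")
    print("to review:", len(denied_attempts(attempts)))
```

A time-window rule narrows when a stolen login is usable; it does not stop one that is used inside the permitted window by a member of the permitted group.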