Teams of workers within Idaho Information Technology Services (ITS) have been molding the open source program Vocabulary for Event Recording and Incident Sharing (VERIS) for the past year and a half. To guide them, IT staff have been following 10 best practices outlined in detail by the National Institute of Standards and Technology (NIST). Besides the manhours spent on the project, no additional budget requests were made to the Legislature to fund the drop-down-menu-style system dubbed the State of Idaho Incident Response Program.
Diego Curt, ITS’ chief compliance officer, said the reporting program is almost ready to launch statewide at no cost to state agencies, counties or cities. The program runs on WebEOC, which was previously bought by the Office of Emergency Management to communicate and coordinate resources during a disaster, Curt said. WebEOC is already in use across the state.
“The program started out with one thing in mind: We wanted to find the most fiscally responsible program we could ever do, and the only way you can do that is by first reviewing all open source material to see if something fits,” he said. “The second thing you’ve got to do is research your own government to find out what we’ve already purchased that we can use.”
The program asks the reporting party four questions: Who was the actor and were they external, internal or a partner? What asset was attacked, such as a server, router or endpoint? What were they after? What action did they take? Curt said an example would be if a person clicked on a link inside of a phishing email causing malware to be installed on a server.
The mitigation of phishing is a top priority for Idaho, said ITS Administrator Jeff Weak. Phishing is the practice of sending emails that appear to be from a reputable source but hide malware links or try to convince users to reveal personal or system information.
“Phishing, in general, that’s our biggest threat because we can stop a lot of the payload of most malware coming through. We have multiple layers of detection going through our email system so it will strip out virtually anything that looks out of place,” Weak said. “Where that gets tricky is in hyperlinks and things of that nature that look natural to an email or if it’s embedded into another link inside of a Word document, for example.”
Idaho is currently in its second year of mandated cybersecurity training for state employees, he said. The learning modules, provided by KnowBe4, include a phishing course. One goal is to educate personnel on differentiating emails that make it past current cyberdefenses and into their inboxes.
“This year we picked four courses that made up our overall campaign and that’s just to improve cyberhygiene for all of our users.” Weak said. “… all these different things that we need to be aware of as users of government computers.”
Phishing is just one aspect of what the new incident reporting program is capable of, Curt said. The system is designed to log any and all potential threats.
The program is a part of Gov. Brad Little’s statewide modernization effort, Curt said. Previously, breaches in cybersecurity were reported in a narrative style with varying word counts, which couldn’t be categorized into quantifiable data, he said.
“We’re beefing up our system so we can understand what’s going on better,” Curt said. “… We’re anticipating we’re going to have to train and get people switching mindsets. Before, it was like a loose ship because you could report any way you wanted to. Now we’re getting more structure in the reporting so we can get more intelligent about it.”
The Idaho Technology Authority recently approved the rollout of the product, which is available to state agencies for testing, and local governments can opt-in, too, he said. The adaptable system will be refined during the test phase, but the user-friendly system is operational now.
“We’re using it within our executive branch agencies as the mechanism to report cyberincidents,” Weak said. “It’s online now and it’s going to mature shortly. We’re kind of in the infancy stage of this.”
Establishing training for the program should be completed by the end of June with a statewide rollout goal of late July, Curt said.
“We first have to finish developing our training program and that training program is a part of the turnkey solution that we’re offering counties [and cities] saying, ‘Hey don’t reinvent the wheel. Just do this, here’s your training program, here’s your tools, and call us when you need us or need help,’” he said.