A targeted phishing campaign began Jan. 9 and, of the thousands of employees who were contacted, nine provided their user credentials, which gave hackers full access to their email accounts, messages and attachments. Once the hack was detected, the Enterprise Security Office reset account passwords and remote access was cut off. In addition to the 645,000 identities affected, the cyberattack also compromised about 2 million emails.
DHS spokesman Jake Sunderland said on June 24 that his department initiated a “think twice” notice, which was added to all incoming emails from outside the agency to alert staff to be on their guard.
“The banner warning staff to think twice before engaging with external emails is a change we made internally, upon the advice of one of our vendor partners that was sharing industry best practices,” Sunderland said in an email to Government Technology. “DHS also uses third-party spam filtering software to block and hold spam and suspicious emails.”
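The external-sender banner described above, as an added illustration and not Oregon DHS's or its vendor's implementation: a small Python mail-filter step that decides on the sender's address domain alone, so a display name made to look like a colleague still gets the banner. The agency domain and the sample message are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed agency mail domains (placeholder; the article does not name DHS's domain).
INTERNAL_DOMAINS = {"dhs.example.gov"}

BANNER = ("[THINK TWICE] This message came from outside the agency. "
          "Verify the sender before clicking links or opening attachments.")


def sender_is_external(from_header: str) -> bool:
    """True when the address in From: is not one of our own domains.

    Only the address part is checked. The display name is ignored on
    purpose: a sender can set it to anything, including a colleague's name.
    An empty or unparseable From: is treated as external, so the banner
    is shown rather than skipped when in doubt.
    """
    _display_name, addr = parseaddr(from_header or "")
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def tag_external_mail(raw_message: bytes) -> EmailMessage:
    """Parse a raw RFC 5322 message; if the sender is external, add a
    marker header and prepend the banner to the plain-text body."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if not sender_is_external(str(msg["From"] or "")):
        return msg
    # Header lets downstream rules and mailbox searches find tagged mail.
    msg["X-External-Sender"] = "yes"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(BANNER + "\n\n" + body.get_content())
    return msg


# Constructed sample: the display name imitates a colleague, the address does not.
SAMPLE = (
    b"From: \"Jane Doe (DHS)\" <jane.doe@attacker-example.net>\r\n"
    b"To: staff@dhs.example.gov\r\n"
    b"Subject: Password expiring today\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Please re-enter your credentials at the link below.\r\n"
)

if __name__ == "__main__":
    print(tag_external_mail(SAMPLE).as_string())
```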
After the phishing hack, DHS hired ID Experts, a company specializing in data breach services and identity protection. Sunderland said the company analyzed affected systems and issued identity theft monitoring and recovery services to impacted residents.
“Please understand that for the sake of security, we cannot share every single action taken to mitigate the risk of future breaches,” he said. “What I can say is that the department works closely with the state Enterprise Security Office and our technology services vendors to continually improve security processes and practices.”
The Oregon Office of the State Chief Information Officer, headed by CIO Terrance Woods, hired Chief Information Security Officer Gary Johnson, who assumed office July 1. Johnson leads the Enterprise Security Office, which works closely with agencies to implement cybersecurity measures.
“Not all sophisticated phishing attacks can be stopped by technical controls. Detection and response for these attacks require human judgment by the recipient and security operations,” Johnson told Government Technology. “Both can be trained to some extent, but the use of social engineering and spear phishing has created more targeted attacks. People will still be the most vulnerable risk to any organization and will be for the foreseeable future, but with the right kind of education and training they can also serve as the first line of defense.”
Sunderland agreed that education is the best sentinel against cyberthreats in the future. A goal of his department is to ensure staff understands that cybersecurity goes beyond preventive measures and encompasses safe ways to share data and information.
“Educating our staff in security and privacy best practices and to be on their guard is important,” he said. “How to use electronic systems security. How to think twice before clicking on a link or opening an attachment. Teaching people that it is not a good idea to pick a thumb drive up off of a coffee shop table and plug it into their computer.”
Sunderland said all DHS employees are required to take annual security and privacy awareness training, a practice in use before the January breach. He added that security updates and patches are applied continually, and vendor security assessments are routinely performed. DHS uses the latest software to proactively identify and prevent targeted cyberattacks.
“There are a lot of bad actors in the digital world who are working very hard to outsmart or spoof digital security measures,” Sunderland said. “As the security industry evolves to combat them, so too do the bad actors evolve to find new ways around the latest security tactics.”