Vote hacking is a legitimate concern, and election officials need to take it seriously.

Right alongside immigration, healthcare, and the minimum wage, cyber security has emerged as a major – and contentious – issue in this year’s presidential election. First, the Democratic National Convention’s email server was hacked, and thousands of embarrassing emails were published on WikiLeaks. Now, concerns about vote hacking have arisen in light of breaches of voter databases in Illinois and Arizona, which compromised the personal information of as many as 200,000 voters.

It’s important to note that these breaches involved state voter databases, not voting machines themselves, and there is no evidence to suggest that cyber criminals have ever managed to breach voting machines. However, between disturbing results from recent studies on voting machine cyber security, including one by Princeton researchers that found some machines to be less secure than iPhones, another study showing that nearly all Americans are “unsettled” about data breaches in general, and GOP candidate Donald Trump suggesting that the election could be “rigged” and encouraging his supporters to “monitor the polls,” American voters are understandably concerned as they prepare to go to the polls.

The notion that cyber criminals could influence the outcome of an election is a legitimate concern that must be addressed with proactive cyber security.

How safe are voting machines?

Unfortunately, not very. Many voting machines are very old, dating back to just after the infamous Bush-Gore race of 2000, when they were – ironically – embraced as an allegedly “safer” and “more accurate” alternative to paper votes. Those claims may have been true when the machines were first built, but voting machines run on computers, and computers need to be updated. Many voting machines never were. Thus, there are situations where voting machines still run antiquated, unsupported systems such as Windows 2000 and XP. Even worse, some machines provide no paper audit trail, which means that allegations of vote hacking can be neither proven nor disproven.

Some election officials argue that voting machines are generally not connected to the internet, thus enjoying “security through isolation.” But “security through isolation” is no match for a determined cyber criminal; the Stuxnet virus made its way into an air-gapped industrial control system at an Iranian nuclear plant through an infected thumb drive brought into the facility by a malicious insider.

Others who seek to downplay the possibility of vote hacking point to the logistics of manually installing malware; there are tens of thousands of voting machines across the U.S., and getting to every one of them would be nearly impossible. However, it would not be necessary to compromise every single voting machine in the country to alter the election results. Cyber criminals could focus on swing states, and then hone their targets even further to specific voting districts where the results are expected to be very close.

Vote hacking isn’t the only way to influence the election or call the results into question.

Hackers could also choose not to actually hack votes at all, and instead seek to cause enough havoc to discourage some Americans from voting and sow widespread doubt regarding the election results. Cyber criminals could, for example, delete or alter voter registration data, which would prevent some voters from being able to cast ballots. They could also launch Election Night DDoS attacks on polling places that use the internet to verify voter records or hack media feeds and prevent news networks from accessing exit poll information and election returns.

Election officials need to take proactive cyber security measures immediately.

A good first step to combat allegations of vote hacking are two bills recently introduced by Rep. Hank Johnson (D-Ga.), the Election Integrity Act of 2016 and the Election Infrastructure and Security Promotion Act of 2016. The first bill would address the cyber security vulnerabilities that make voting machines susceptible to vote hacking by prohibiting the machines from being connected to the internet and requiring regular audits, frequent software updates, and the ability to produce a paper audit trail. The second bill would designate voting machines as part of the nation’s critical infrastructure, which would put them under the authority of the Department of Homeland Security and put them in the same category as the U.S. power grid and water supply.

However, cyber security efforts cannot stop with voting machines; voter databases and polling places must be secured. Since election officials are not information security experts, the help of qualified cyber security experts should be sought to identify and patch vulnerabilities. In this volatile political climate, the integrity of our electoral system is a matter of national security. If American voters refuse to accept the legitimacy of November’s election results, irreparable damage could be done to our nation. Time is short, and election officials need to act immediately to secure voting machines, voter databases, and polling places, and reassure a nervous voting public.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure its systems.

[bpscheduler_booking_form]

How quickly self-driving cars roll out is dependent on the industry addressing some very serious IoT cyber security issues.

Now that Uber has commenced a pilot test of driverless vehicles in Pittsburgh, and competitor Lyft has predicted that most of its cars will be driverless by 2021, self-driving cars are what everyone is talking about. Many question whether the machine learning and artificial intelligence that power these cars have advanced enough for the vehicles to truly drive themselves, or if Lyft’s prediction is overly optimistic. However, the biggest stumbling block for the driverless car industry is not the artificial intelligence and machine learning technology that powers these vehicles but the IoT cyber security issues that the car industry has yet to address.

Smart Cars Just as Hackable as Other Smart Devices

Although self-driving cars are still in beta testing, other Internet of Things (IoT) devices, including fitness wearables, smart thermostats, and smart medical devices, have been commonplace for several years, and newer model cars come with an abundance of smart technology. Cars can already park themselves; they just can’t drive themselves. However, once a device, any device, is connected to the internet, it immediately becomes a potential target for hackers. IoT cyber security issues are the same as those that threaten desktop and laptop computers.

IoT cyber security threats are not just hypothetical. Recently, Chinese security researchers discovered multiple vulnerabilities that allowed them to hack into the controller area network (CAN) of a Tesla Model S, which gave them remote control of the vehicle’s sunroof, driver’s seat, windshield wipers, central display, door locks, brakes, and other computer-controlled systems – both when the car was parked and when it was in motion.

Tesla is considered one of the most cyber security-conscious car manufacturers in the world, yet one of their vehicles was hacked. Most organizations are not taking the threat to connected cars and other smart devices seriously, despite the gravity of the situation; 90% of organizations have no cyber security plan to address IoT cyber security specifically, and 68% have no testing strategy for IoT devices. In the wake of the Tesla hack, the U.S. Department of Transportation announced a series of guidelines for manufacturers to address cyber security issues in driverless cars. While these guidelines are voluntary, it’s reasonable to expect that the government will begin enacting legislation down the line, especially if a major hack happens.

Ransomware a Major Threat to Self-Driving Cars

In addition to hackers taking over a vehicle and remotely operating it, ransomware looms large as an IoT cyber security issue. The healthcare industry, which is being plagued by ransomware attacks on electronic health records, is wringing its hands over the possibility of hackers holding IoT pacemakers and insulin pumps for ransom. Driverless car manufacturers should share their concerns.

Researchers at Intel Security recently discovered a vulnerability allowing them to install malware on a smart car’s infotainment system. In the experiment, the malware set the stereo to play the same song over and over, but what if a hacker found a way to use the infotainment system as a door into the rest of the car’s systems, installed ransomware, and rendered the car inoperable until the owner paid a ransom? Earlier this year, Hollywood Presbyterian Hospital paid $17,000.00 in Bitcoin to hackers who had locked down the facility’s electronic health records. A consumer who needs their car to get to work or drive their children to school may be willing to fork over several hundred dollars to a hacker, especially since trying to fix the car’s computer may cost that much or even more. If a hacker manages to disable a commercial fleet of self-driving vehicles, the stakes are even higher, and the targeted company may be willing to pay that much per car.

Most Consumers “Very Concerned” About IoT Cyber Security

Whether Uber’s trial works out or Lyft’s prediction comes true will not matter if consumers reject driverless cars; 58% of consumers report being “very concerned” or “highly concerned” about IoT cyber security. If consumers do not feel that autonomous cars are safe, they will refuse to buy them or even ride in them. Car manufacturers cannot afford to take a lackadaisical attitude toward IoT cyber security. Autonomous vehicles should be subjected to a comprehensive security evaluation and testing process, and businesses that intend to purchase driverless cars should hold off on purchasing vehicles that haven’t been proven safe.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure its systems and IoT devices and keep hackers out.

[bpscheduler_booking_form]

Secure Your Organization’s Email and Prevent Attacks Like the DNC Email Hack

Cyber security – or, more specifically, the lack of it – is playing a major role in this year’s U.S. presidential election. The recent DNC email hack by Russian cyber criminals, which was discovered in June after the release of numerous emails on WikiLeaks, has turned out to be much larger than originally believed, involving “the private accounts of more than 100 party officials and groups,” as reported by the New York Times.

The emails that have been released on WikiLeaks so far are quite damaging and embarrassing, involving what appear to be party officers plotting to smear Bernie Sanders by questioning his religious faith and planning to reward high-dollar DNC donors with federal appointments in an anticipated Hillary Clinton administration. Additionally, numerous emails contained the private identifying information of these donors, including an image of a six-figure donation check, complete with the donor’s routing and bank account number. In the wake of the DNC email hack scandal, the DNC’s chairperson, CEO, and communications director were forced to resign.

What happened to the DNC could happen to any organization, and in fact, it already has. The DNC email hack is very similar to the infamous Sony email hack of 2014, which was believed to have been carried out by North Korean nation-state hackers. The hack, which involved over 170,000 emails – many of them containing scathing commentary about major Hollywood personalities – resulted in a class-action lawsuit and led to the removal of then-chairman Amy Pascal.

Modern organizations run on email. The DNC email hack and the Sony hack were notable in that they exposed ethical violations by organizational insiders, but even in cases where there are no ethical breaches, the release of corporate email can still severely damage an organization by leaking proprietary product, strategy, or operations information.

How to Protect Yourself Against Email Hacks

Outsource Your Corporate Email Services

The DNC ran its own, private email server as opposed to outsourcing email to a third party, such as Google or Yahoo. In most cases, this is a bad idea. Most organizations simply do not have the in-house monetary and human resources to ensure that email server connections and protocols are secure, maintain up-to-date filters to flag spam and suspicious email messages, and continuously monitor the server for anomalous activity. Outsourcing email services will not guarantee email security, but it’s a very good starting point, as it is likely a third-party email provider will offer a much higher level of security.

Don’t Let Employees Pick Their Own Passwords

The overwhelming majority of data breaches are the result of the misuse of legitimate login credentials, and it is thought that both the DNC email hack and the Sony hack followed this pattern. When employees are allowed to choose their own passwords, they tend to pick weak passwords and/or use passwords that are identical or nearly so to those they use for their personal accounts; this creates a situation wherein a hacker could get hold of an employee’s Facebook password and use it to get into your email system. Set up your system to assign random, strong passwords to your employees and require that they be changed regularly, again to a random, strong password.

Make Sure Your Employees Are Aware of Social Engineering Techniques, Especially Spear Phishing

Experts believe that the DNC email hack and the Sony hack occurred as the result of a spear-phishing campaign. Unlike regular phishing emails, which are often intercepted by spam filters, spear phishing emails are carefully crafted not only to pass through spam filters but also look completely legitimate. The best defense against spear phishing is employee training. Employees should be instructed on how to spot spear phishing emails, which, despite hackers’ best efforts, often contain small mistakes. They should also be prohibited from sending any sensitive information, including their login credentials, to anyone via unsecured email.

Neither the DNC email hack nor the Sony hack had to happen, and a similar attack doesn’t have to happen to your organization. A proactive approach to email security will prevent your company’s confidential emails from ending up on sites like WikiLeaks.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure its email server and other systems and keep hackers out.

[bpscheduler_booking_form]