Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

YouTube videos are no longer supported on SlideShare

View original on YouTube

© 2018 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Securing Voting Infrastructure befo...
© 2018 Denim Group – All Rights Reserved
My Background
• Ex-Air Force Intel & Cyber Officer
• 20+ Year Security Profession...
Upcoming SlideShare
What to Upload to SlideShare
What to Upload to SlideShare
Loading in …3
×
1 of 28

Securing Voting Infrastructure before the Mid-Term Elections

32

Share

Download to read offline

The prospect of nation state interference with our 2018 mid-term elections is a reality that secretaries of state are facing. Given the fast-changing nature of the threat and the sprawling election infrastructure across the country, how are state officials securing their voting systems and databases in anticipation of the election? What are emerging strategies given the limited resources and unlimited needs? Where are the most vulnerable parts of the election systems and where should state officials focus their efforts given the potential for disruption? This webinar will provide an attacker’s view of a typical state-run election system and will make recommendations where to focus limited time and resources in the run up of the 2018 mid-term election in November.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Securing Voting Infrastructure before the Mid-Term Elections

  1. 1. © 2018 Denim Group – All Rights Reserved Building a world where technology is trusted. Securing Voting Infrastructure before the Mid-Term Elections John B. Dickson, CISSP @johnbdickson
  2. 2. © 2018 Denim Group – All Rights Reserved My Background • Ex-Air Force Intel & Cyber Officer • 20+ Year Security Professional • Denim Group Principal • Blogger Dark Reading Columnist • Political Science Major
  3. 3. © 2018 Denim Group – All Rights Reserved Denim Group | Company Background • Trusted advisor on all matters of software risk • External application & network assessments of voter registration systems • Threat modeling to identify areas of needed security improvement • Managed security services • Developed
  4. 4. © 2018 Denim Group – All Rights Reserved Webinar Overview • Mid-Term Election Cycle • The Nature of the Nation State Threat • Conventional Wisdom on Election Security • Threat Modeling – Thinking Like an Attacker • Shoring up the Election Infrastructure for the Mid-Terms • Questions & Answers
  5. 5. © 2018 Denim Group – All Rights Reserved Mid-Term Election Cycle
  6. 6. © 2018 Denim Group – All Rights Reserved What Happened in 2016?
  7. 7. © 2018 Denim Group – All Rights Reserved Mid-Term Election Cycle “We assess Moscow will apply lessons learned from its Putin- ordered campaign aimed at the US presidential election to future influence efforts worldwide, including against US allies and their election processes.” Source: Assessing Russian Activities and Intentions in Recent US Elections, Intelligence Community Assessment, January 2017
  8. 8. © 2018 Denim Group – All Rights Reserved Mid-Term Election Cycle • $380 million from Federal Government • Might be an opportunity to apply lessons learned in 2016 and perfect 2020 attack strategies • 35 Senate seats, 435 House seats, 36 Governors offices involved in this election cycle • DHS Support • Building partnership • Sharing information • Making available tools
  9. 9. © 2018 Denim Group – All Rights Reserved Election Infrastructure • Voter registration databases and associated IT systems • IT infrastructure and systems used to manage elections • Voting systems and associated infrastructure • Storage facilities for election and voting system infrastructure • Polling places, to include early voting locations • Source: DHS, https://www.dhs.gov/topic/election-security
  10. 10. © 2018 Denim Group – All Rights Reserved Election Infrastructure “Voting systems and associated infrastructure”
  11. 11. © 2018 Denim Group – All Rights Reserved Election Infrastructure Election Infrastructure does not include: • Political action committees • Campaigns • Or any other non-state or local government election related group • Source: DHS, https://www.dhs.gov/topic/election-security
  12. 12. © 2018 Denim Group – All Rights Reserved Yet…. • Campaigns
  13. 13. © 2018 Denim Group – All Rights Reserved The Nature of the Nation State Threat
  14. 14. © 2018 Denim Group – All Rights Reserved Nature of a Nation State Threat • Different types of threat actors • Nation states, organized crime, hackavists • Near unlimited resources and unparalleled technical capabilities • Typically combined with social engineering, disinformation, and espionage • Goals: state secrets, intellectual property, defense technologies, undermining Western institutions
  15. 15. © 2018 Denim Group – All Rights Reserved Nature of the Russian State Threat • Influence Election Outcomes • Undermine Faith in the US Democratic Process • Undermine Faith in US institutions • Undermine US-led Democratic Order • SOW discord between US and its Traditional Allies
  16. 16. © 2018 Denim Group – All Rights Reserved Conventional Wisdom of Election Security
  17. 17. © 2018 Denim Group – All Rights Reserved Conventional Wisdom of Election Security • Election Security = Voting Machine Security
  18. 18. © 2018 Denim Group – All Rights Reserved Conventional Wisdom of Election Security • Election Security = Voting Machine Security
  19. 19. © 2018 Denim Group – All Rights Reserved Threat Modeling = Thinking Like an Attacker
  20. 20. © 2018 Denim Group – All Rights Reserved Threat Modeling – Thinking Like an Attacker Source: Department of Homeland Security Election Infrastructure Security Resource Guide
  21. 21. © 2018 Denim Group – All Rights Reserved Threat Modeling – Thinking Like an Attacker • A structured approach to analyzing an application (or system) to identify, measure, and address the cyber security risks associated with an application • Reviewing Risk • Impact (damage potential) • Possibility of attack • Ease of Exploit
  22. 22. © 2018 Denim Group – All Rights Reserved IoT Threat Model 22
  23. 23. © 2018 Denim Group – All Rights Reserved Shoring up the Election Infrastructure for the Mid- Terms
  24. 24. © 2018 Denim Group – All Rights Reserved Potential Strategies • Conduct vulnerability testing of known ”static” voting resources like voter registration systems • Provide rigorous training to election staff to identify social engineering attempts • Conduct anti-phishing training for key election officials • Review reporting entry point susceptibility to Distributed Denial of Service (DDoS)
  25. 25. © 2018 Denim Group – All Rights Reserved Potential Strategies • Consider 2-factor authentication and other e-mail defenses for state election officials • Train election judges and local officials to identify and report cyber attacks • Review recovery plans for target ransomware attacks • Educate campaigns on basics of cyber security • Formalize relations with local press for to ID disinformation activities
  26. 26. © 2018 Denim Group – All Rights Reserved Final Thoughts • View your systems from the perspective of an attacker • Identify and remediate most “Critical” and “High” vulnerabilities that put your state at risk • Leverage outside resources (EAC, NASS, MS- ISAC, consultants etc.)
  27. 27. © 2018 Denim Group – All Rights Reserved John B. Dickson, CISSP @johnbdickson www.denimgroup.com Questions and Answers

×