Election TidBytes
Quarterly Newsletter of Election Technology "Tidbits"
Issue 4, February 2001
Inside this Issue:
"Social Engineering" Claims Another Victim
Minnesota 2000 Election Night Reporting System
TidByte Tip – For A Successful Election System Procurement and IT Project Implementation
What’s New
Keep Us Posted
"Social Engineering" Claims Another Victim
No, the headline is not about another victim
at a fraternity or sorority party. It is not about a tragic accident at an
election victory party. It is about exposing a most common problem in
information systems security.
Typically, people focus on the hacker
headlines and think of computer security. They spend a great deal of money on
firewalls, security software, and passwords to keep the bad guys from breaking
into their computer systems. The 15-year-old hacker with a modem and time on
his/her hands scares everyone.
However, 75% of the computer security
incidents reported to the FBI are "inside
jobs." Many others are the result of age-old tricks that leave systems and
networks even more exposed than they are to outside attacks.
Consider work we did in the latter part of
2000. Our client’s main production servers were protected inside a "server
farm" located inside a secure mainframe site. The site ostensibly required
visitor sign-in, badges, and escorts to go in the mainframe/server area, which
also housed the telecommunications hub for the entire enterprise. The mainframe
and servers contained highly secure and sensitive information.
Working under contract to our client, an InfoSENTRY principal went to the
security entrance and informed the guard that he was finishing implementation
testing and documentation for the well-known client. The principal informed the
guard that he had been in the facility earlier and needed to complete
documentation of a particular vendor’s efforts at testing the newly installed
servers. The guard was reluctant at first. However, the principal indicated
that other client staff would be along soon to help finish the testing and
documentation. The guard issued a visitor badge, without requiring any
identification, and escorted the principal into the otherwise unattended
mainframe and telecommunications facility. The guard left and we photographed
the inside of the facility.
This kind of "attack" on a
computer facility is typically called "social engineering." Six
minutes was the total amount of time required for us to gain unrestricted
access into the facility! Fortunately, we were there as part of a systems
security test. We were not there to compromise the confidentiality, integrity,
or availability of the programs and data inside the center.
Here are a couple of ideas to help with your computer security and to avoid more serious social engineering attacks.
Keep your computers and critical telecommunications equipment in a secure site.
Restrict access to that facility to a very limited number of people.
Challenge everyone who attempts to gain entry into the facility, unless they have documented clearance into the facility. Require photo identification from everyone who enters the facility. If a trusted escort is required, make sure it is provided.
Require all of your vendors to agree contractually to adhere to state and local computer security laws…and to your security policies and operations.
Do not assume that your information assets are secure because you restrict external telecommunications access to your system. That kind of restriction is at best the tip of a very large security iceberg.
Carry out security awareness efforts to remind everyone, including your office staff, computer security staff, and your vendors of their responsibilities to protect your information assets.
Contact us at info@infosentry.com or
919.838.8570 to set up a FREE
one-hour consultation or to learn other
ways InfoSENTRY Services can help you with information systems security
reviews, network vulnerability assessments, and information systems security
planning.
• • • •
Minnesota 2000 Election Night Reporting System
We received a paper from the Minnesota Secretary of
State about their innovative use of the Internet and mainframe computers to
deliver accurate and timely election results during the 2000 General Election.
With all the furor over election technology problems
last fall, it is great to report on this success! We have excerpted text and
graphics from the report the Secretary’s office sent us. The entire report is
available on our web site at: http://www.infosentry.com/ET_MN_ENR.htm.
It contains a large file with superb screen images and greater detail of the
comprehensive capabilities of the system. Thanks very much to the Secretary for
this timely and excellent information!
The Minnesota Election Night Reporting System (ENR)
was designed to provide near real-time results down to a precinct level for all
races reported to the Secretary of State directly from the counties. Races
reported included President, U.S. Senate and House of Representatives, State
Senate and House, Judicial and some county offices.
The main ENR page is shown below, listing the races
and including links to other election-related information.

The system provides statewide results for President,
U.S. Senate and certain judicial offices. For offices below a statewide level,
results are reported for that level and also include the results in that
district for the higher offices as well. The system provides results at a
precinct level in two ways: 1) a user can select a specific set of up to 5
precincts in a county to view all races in those precincts, or 2) a user can
select a legislative district to see the precinct level results.
After the polls close and results are tallied locally,
counties submit results to the system in 3 ways. Counties with automated ballot
tabulation systems log onto a secure web site and upload their result files.
Manual count counties log onto the web site to enter their results or they can
log onto the mainframe computer to enter results. The web method more closely
matches precinct tally sheets to speed reporting. For the General Election only
2 counties entered using the mainframe. The ENR system also has a page used to
track reporting progress during the night. The Percentage of Precincts
Reporting link shows how many precincts have come in from each county. As
Election Night progresses during the night, the page could look like the
picture below.

The Office of Secretary of State worked closely with
the media in building this site. The media had access to data using 2 methods.
They could download text results off the main ENR page (see lower right corner)
or they could log into an FTP site that had the text results and Associated
Press formatted results. A number of media outlets set up automated scripts
that regularly downloaded results and fed them into their systems.
On election night, precinct level data was available
on the media FTP site and put on the public page the next day. We also provided
precinct level data in an MS Access database that could be downloaded by the
end of the week.
• • • •
TidBytes Tip
Webster’s dictionary defines successful as "having a favorable
outcome" and as "having achieved success."
Every election official would like success in the procurement and installation
process of a new election system.
We hate to keep harping on the importance of proper preparation and planning before you engage in the implementation of a new mission-critical voting or election administration system. Just talk to some of your colleagues across the country or read the trade magazines to learn about all the horrors of an IT project gone awry, with cost overruns, unmet deadlines, and worse yet, a system that doesn’t work or meet your core business requirements. So to be successful in your next election IT project, here are some helpful tips:
1: Have a plan and well thought out system architecture
in place from the start. As
recommended at a recent Election Center workshop, begin with a comprehensive
needs assessment and requirements analysis. Then prepare your RFP by
incorporating the detail from these reports.
2: Include a performance plan and measure your progress
often.
3: Be sure your IT project is aligned with your agency’s
mission and strategies. The needs assessment should address these important
factors.
4: Match project team competencies with the tasks at
hand; don’t be afraid to get additional expertise as needed. This includes
preparation of the needs assessment/requirements analysis, RFP and the
contract. Make certain the RFP and contract specify your system requirements,
software testing and quality assurance, and other elements to protect your
needs and precious resources.
5: Identify the risks and proposed solutions to those
risks.
6: Engage an experienced project manager who can lead
the project through the highs and inevitable lows and make the tough decisions
to keep the project on track, on-time and on-budget.
InfoSENTRY offers a complete
range of services essential for a successful project. Call us to assist
you in preparing a winning strategy and successful election system procurement and IT project
implementation.
• • • •
What’s New
Visit our web site at http://www.infosentry.com
to read "Slow Path to Voting Technology Change," the
latest white paper written by M. Glenn Newkirk.
• • • •
Keep Us Posted
There is always something great happening in the
election community. If you would like us to help you get the word out about
some technical bit of news in your state or office, please let us know. You may
contact us at the following address, telephone or fax numbers, or email
addresses:
InfoSENTRY Services, Inc.
telephone: 919•838•8570
M. Glenn Newkirk: glenn_newkirk@infosentry.com
©InfoSENTRY Services, Inc. 2001. All rights
reserved. Copying or otherwise making multiple copies of this publication without
express written permission of InfoSENTRY Services, Inc. is prohibited. For
permission to distribute the newsletter in multiple copies, please contact Jennifer_helget@infosentry.com.
InfoSENTRY might mention the names of vendors’
products or services from time to time in Election TidBytes.
However, we do not distribute, sell, license, nor endorse any of these products
or services.