📋
Extraído del Informe Consolidado
Esta investigación fue publicada originalmente como parte de un informe consolidado más amplio que contiene múltiples investigaciones. Consulte el PDF consolidado para ver el documento completo.
San Mateo County Grand Jury
• 2018-2019
F10. Acre and CMO employees share passwords to their official social media accounts listed
⚠️ Aviso de traducción: Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings 17 findings
F1
The veracity of the County’s election broadcasts on any ACRE or CMO online communication platform is important to the public’s trust in the electoral process.
F2
Unlike DHS,161 ACRE does not include the security of online election communications when describing election security on its website.162
F3
Protecting online communication platforms with multi-factor authentication that is susceptible to SIM hijacking, phishing, and man-in-the-middle attacks—as is the case with the use of one-time PINs (OTPs) sent to cell phones—exposes the County to election disinformation attacks. Vulnerability of the County’s Email
F4
Although the County implemented several email security protections that provide many of the DMARC benefits following a 2016 phishing attack, the County’s email security practices do not follow DHS guidelines for federal agencies due to the absence of complementing DMARC protection.
F5
The County utilizes multi-factor authentication methods for its email that remain susceptible to SIM hijacking, phishing, and man-in-the-middle attacks. Vulnerability of ACRE’s Website
F6
ACRE’s website security practices do not follow DHS guidelines for federal agencies requiring the use of multi-factor authentication protection by users who have the system permissions to alter the ACRE webpages.
F7
ACRE outsources the domain management and hosting of its smcacre.org website to a third-party vendor. Vulnerability of Social Media Accounts
F8
The San Mateo County Information Security Training produced by ISD does not make any
F9
The San Mateo County Departmental Social Media Policy produced by CMO requires that multiple employees share official social media account passwords. Department of Homeland Security. “Election Security.” Accessed March 22, 2019. https://www.dhs.gov/topic/election-security. Assessor-County Clerk-Recorder and Elections. “Election Security and Accuracy.” Accessed April 27, 2019. https://www.smcacre.org/post/election-security-and-accuracy.
F10
ACRE and CMO employees share passwords to their official social media accounts listed in Table 1 with multiple employees within their offices.
F11
The San Mateo County Departmental Social Media Policy produced by CMO does not make any recommendations about using multi-factor authentication to protect against an unlawful takeover of social media accounts.
F12
The ACRE and CMO social media accounts listed in Table 1, with the exception of the CMO Facebook page, do not use multi-factor authentication. Status of Cyber Hygiene
F13
ACRE and ISD could strengthen their coordination of the evaluation and addition of security features to address election security.
F14
ISD utilizes a DHS “Vulnerability Scanning” service for the entire County, but ACRE does not utilize any of the other seven free elections-specific DHS services listed in Table 2.
F15
ISD runs network vulnerability assessments (“Vulnerability Scanning”) for the County devices, but does not audit the practices of employees to identify behavioral sources of network vulnerability.
F16
The Internal Audit Division of the County Controller’s Office “performs internal audits of departments’ operations,” which has sometimes included cyber hygiene assessments.
F17
The Internal Audit Division of the County Controller’s Office has not performed a cyber hygiene assessment of the Elections Division of ACRE.
Recommendations 14
-
R1Incorporate Communications into Election Security Definition: ACRE should adopt a policy that defines election security to include the security of the ACRE website, ACRE staff email accounts, social media accounts used for ACRE announcements, and other platforms ACRE uses for publishing election announcements. ACRE should implement this recommendation
-
R2Publish Updated Security Policy: ACRE should update the ACRE website’s written descriptions of the election security163 to incorporate the policy resulting from R1 on the security of election communications in addition to the current focus on security of (a) registration, (b) vote casting, and (c) results tabulation. ACRE should implement this recommendation by June 30, 2020. Protect the County’s Email
-
R3Prevent Spoofing with DMARC: ISD, CMO, and ACRE should improve email security for employees involved in election announcements by configuring and enabling DMARC for at least the smcacre.org and smcgov.org domains. ISD, CMO, and ACRE should implement this recommendation
-
R4Combat ACRE Email Account Phishing with FIDO Keys: ACRE should provide FIDO physical security keys to each of its permanent elections employees and require the use of those FIDO keys as part of their multi-factor authentication for accessing their County email accounts. ACRE should implement this recommendation
-
R5Combat Other Email Account Phishing with FIDO Keys: ACRE should identify County employees outside of ACRE that have a role in election announcements (e.g., Chief Communications Officer, senior ISD employees, etc.) and ask that the departments of the identified employees provide FIDO physical security keys to each of the identified employees and require the use of those FIDO keys as part of their multi-factor authentication for accessing their County email accounts. ACRE should complete this recommendation by December 31, 2019. Protect ACRE’s Website
-
R6Combat Website Account Phishing with FIDO Keys: ACRE should require all County employees whose user accounts allow them to alter the ACRE website164 to use FIDO physical security keys as part of their multi-factor authentication. ACRE should implement this recommendation by December 31, 2019. Assessor-County Clerk-Recorder and Elections. “Election Security and Accuracy.” Accessed April 27, 2019. https://www.smcacre.org/post/election-security-and-accuracy. Including all accounts capable of directly editing the ACRE website, managing the smcacre.org domain, and any administrator account capable of managing other accounts that can edit the website or manage the domain.
-
R7Combat Island Hopping with FIDO Key Vendor Requirement: ACRE and ISD should require employees and contractors of any vendor that hosts the ACRE website to use FIDO physical security keys as part of their multi-factor authentication.165 ACRE and ISD should implement this recommendation by December 31, 2019. Protect the Social Media Accounts
-
R8Stop Sharing Social Media Account Passwords: ACRE and CMO should implement procedures whereby communications staff manage official County social media accounts with multi-user administration, and no employees share social media account passwords. ACRE and CMO should implement this recommendation
-
R9Request FIDO Key Feature If Not Available: ACRE and CMO should jointly draft and send a FIDO-key feature request citing this report to the social media companies used by the County to broadcast election announcements, but that do not currently offer FIDO account security protections—especially Instagram and Nextdoor. ACRE and CMO should implement this recommendation
-
R10Combat ACRE Social Media Account Phishing with FIDO Keys: ACRE should require any employee social media accounts capable of administering the official ACRE social media pages listed in Table 1 to use FIDO physical security keys as part of their multi- factor authentication. ACRE should implement this recommendation
-
R11Combat SMC Social Media Account Phishing with FIDO Keys: CMO should require any employee social media accounts capable of administering the official San Mateo County social media pages listed in Table 1 to use FIDO physical security keys as part of their multi-factor authentication. CMO should implement this recommendation by December 31, 2019. Improve Cyber Hygiene
-
R12Coordinate Election Security with Interdepartmental Working Group: ACRE and ISD should create an election security working group that meets periodically and is responsible for evaluating and improving the security of elections (a) registration, (b) vote casting, (c) results tabulation, and (d) communication within San Mateo County. ACRE and ISD should implement this recommendation
-
R13Evaluate Free DHS Elections Security Assistance Programs: ACRE and ISD election- security working group should evaluate the benefits of having all members of the election- security working group participate in any of the free DHS elections security assistance 165 At a minimum for any user account with a public portal capable of administering the ACRE website, any virtual private network (VPN) account that can access a private portal capable of administering the ACRE website, any account capable of managing the smcacre.org domain, and every email account within the vendor organization. programs listed in Table 2. ACRE and ISD should implement this recommendation
-
R14Offer Behavioral Cyber Hygiene Audits: ISD and the County Controller’s Office should develop a behavioral auditing program consisting of sampling the day-to-day routines and security practices of employees, contractors, and/or vendors and offer to audit each department within the County periodically to (1) evaluate compliance with existing cyber hygiene policies and (2) provide proactive advice on cyber hygiene improvements that could inform new policies. ISD and the Controller’s Office should begin to implement this recommendation by offering to audit ACRE and ISD (itself) in time to finish