📋
Extracted from Consolidated Report
This investigation was originally published as part of a larger consolidated report containing multiple investigations. View the consolidated PDF for the complete document.
San Mateo County Grand Jury
• 2018-2019
R7. Combat Island Hopping with Fido Key Vendor Requirement: Acre and ISD should require employees and contractors of
⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings 17 findings
F1
Page 35
The veracity of the County’s election broadcasts on any ACRE or CMO online communication platform is important to the public’s trust in the electoral process. Response: ACRE agrees with this finding.
F2
Page 35
Unlike DHS, ACRE does not include the security of online election communications when describing election security on its website. Response: ACRE partially agrees with this finding. ACRE will provide appropriate security information on the Elections website in a similar manner as utilized by DHS and as recommended by ACRE’s Cybersecurity vendor.
F3
Page 35
Protecting online communication platforms with multi-factor authentication that is susceptible to SIM hijacking, phishing, and man-in-the-middle attacks—as is the case with the use of one-time PINs (OTPs) sent to cell phones—exposes the County to election disinformation attacks. To: Honorable Donald J. Ayoob From: Mark Church, Assessor-County Clerk-Recorder & Chief Elections Officer September 23, 2019 Response: ACRE partially agrees with this finding. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F4
Page 36
Although the County implemented several email security protections that provide many of the DMARC benefits following a 2016 phishing attack, the County’s email security practices do not follow DHS guidelines for federal agencies due to the absence of complementing DMARC protection. Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F5
Page 36
The County utilizes multi-factor authentication methods for its email that remain susceptible to SIM hijacking, phishing, and man-in-the-middle attacks. Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F6
Page 36
ACRE’s website security practices do not follow DHS guidelines for federal agencies requiring the use of multi-factor authentication protection by users who have the system permissions to alter the ACRE webpages. Response: ACRE partially agrees with this finding. ACRE’s website support vendor currently utilizes multi-factor authentication (MFA). ACRE is working with the SMC ISD team to implement MFA equivalent to FIDO for ACRE’s content contributors.
F7
Page 36
ACRE outsource the domain management and hosting of its smcacre.org website to a third-party vendor. Response: ACRE agrees with this finding.
F8
Page 36
The San Mateo County Information Security Training produced by ISD does not make any recommendations for security practices of official County social media accounts. To: Honorable Donald J. Ayoob From: Mark Church, Assessor-County Clerk-Recorder & Chief Elections Officer September 23, 2019 Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F9
Page 37
The San Mateo County Departmental Social Media Policy produced by CMO requires that multiple employees share official social media account passwords. Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F10
Page 37
ACRE and CMO employee share passwords to their official social medic counts listed in Table 1 with multiple employees within their offices. Response: ACRE agrees with this finding.
F11
Page 37
The San Mateo County Departmental Social Media Policy produced by CMO does not make any recommendations about using multi-factor authentication to protect against an unlawful takeover of social media accounts. Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F12
Page 37
The ACRE and CMO social media accounts listed in Table 1, with the exception of the CMO Facebook page, do not use multi-factor authentication. Response: ACRE agrees with this finding. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F13
Page 37
ACRE and ISD could strengthen their coordination of the evaluation and addition of security features to address election security. Response: ACRE partially disagrees with this finding. ACRE and ISD meet and discuss all aspects of cybersecurity at monthly IT Security meetings, and quarterly IT Governance meetings. Additional coordination meetings occur on an as needed based on projects or events. To: Honorable Donald J. Ayoob From: Mark Church, Assessor-County Clerk-Recorder & Chief Elections Officer September 23, 2019
F14
Page 38
ISD utilizes a DHS “Vulnerability Scanning” service for the entire County, but ACRE does not utilize any of the other seven free elections-specific DHS services listed in Table 2. Response: ACRE partially disagrees with this finding. ACRE uses services and information provided through DHS, MS-ISAC, EI- ISAC, and the Secretary of States Cybersecurity team. Additionally, ACRE works with our Cybersecurity vendor to assess Election operations security needs. ACRE will continue to coordinate with ISD and their Cybersecurity administration team to ensure ACRE Elections security needs are met and will evaluate the appropriate use of DHS tools identified in Table 2.
F15
Page 38
ISD runs network assessments (“Vulnerability Scanning”) for the County devices but does not audit the practices of employees to identify behavioral sources of network vulnerability. Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F16
Page 38
The Internal Audit Division of the County Controller’s Office “performs internal audits of departments’ operations,” which has sometimes included cyber hygiene assessments. Response: This finding was addressed to the Controller. The Controller addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F17
Page 38
The Internal Audit Division of the County Controller’s Office has not performed a cyber hygiene assessment of the Elections Division of ACRE. Response: This finding was addressed to the Controller. The Controller addressed this finding in its reply. Please see CMO / ISD response for more information and details.
Recommendations 14
-
R1Page 38Incorporate Communications into Election Security Definition: ACRE should adopt a policy that defines election security to include the security of the ACRE To: Honorable Donald J. Ayoob From: Mark Church, Assessor-County Clerk-Recorder & Chief Elections Officer September 23, 2019 website, ACRE staff email accounts, social media accounts used for ACRE announcements, and other platforms ACRE uses for publishing election announcements. ACRE should implement this recommendation by December 31, 2019. Response: The recommendation requires ACRE to work with SMC, ISD and our cybersecurity vendor to revise the Department's security policies. ACRE will complete the updates to include the Department website, email accounts, social media and other platforms that ACRE utilizes for elections announcement.
-
R2Page 39Publish Updated Security Policy: ACRE should update the ACRE website’s written descriptions of the election security to incorporate the policy resulting from R1 on the security of election communications in addition to the current focus on security of (a) registration, (b) vote casting, and (c) results tabulation. ACRE should implement this recommendation by June 30, 2020. Response: ACRE will update its Election and Security Accuracy page on the ACRE website to conform to the policies established in Recommendation 1 above.
-
R3Page 39Prevent Spoofing with DMARC: ISD, CMO, and ACRE should improve email security for employees involved in election announcements by configuring and enabling DMARC for at least the smcacre.org and smcgov.org domains. ISD, CMO, and ACRE should implement this recommendation by June 30, 2020. Response: ISD replied to this recommendation in its reply. ACRE will work with ISD, CMO to improve email security for employees involved in election announcement. Please see CMO / ISD response for more information and details.
-
R4Page 39Combat ACRE Email Account Phishing with FIDO Keys: ACRE should provide FIDO physical security keys to each of its permanent elections employees and require the use of those FIDO keys as part of their multi-factor authentication for accessing their County email accounts. ACRE should implement this recommendation by December 31, 2019. Response: ISD addressed this recommendation in its reply. ACRE will coordinate with ISD to determine the best means to implement FIDO type MFA for Elections Division’s email accounts. Please see CMO / ISD response for more information and details. To: Honorable Donald J. Ayoob From: Mark Church, Assessor-County Clerk-Recorder & Chief Elections Officer September 23, 2019
-
R5Page 40Combat Other Email Account Phishing with FIDO Keys: ACRE should identify County employees outside of ACRE that have a role in election announcements (e.g., Chief Communications Officer, senior ISD employees, etc.) and ask that the departments of the identified employees provide FIDO physical security keys to each of the identified employees and require the use of those FIDO keys as part of their multi-factor authentication for accessing their County email accounts. ACRE should complete this recommendation by December 31, 2019. Response: ACRE agrees with this recommendation and will coordinate with ISD to determine the best means to implement FIDO type MFA for other official email accounts as directed.
-
R6Page 40Combat Website Account Phishing with FIDO Keys: ACRE should require all County employees whose user accounts allow them to alter the ACRE website to use FIDO physical security keys as part of their multi-factor authentication. ACRE should implement this recommendation by December 31, 2019. Response: ACRE is working with ISD to implement San Mateo County’s MFA standards for ACRE staff that interact with the ACRE website. ACRE’s current website vendor already uses MFA equivalent to FIDO. ACRE will implement MFA for its website.
-
R7Page 30Combat Island Hopping with FIDO Key Vendor Requirement: ACRE and ISD should require employees and contractors of any vendor that hosts the ACRE website to use FIDO physical security keys as part of their multi-factor authentication.165 ACRE and ISD should implement this recommendation by December 31, 2019. Protect the Social Media Accounts
-
R8Page 30Stop Sharing Social Media Account Passwords: ACRE and CMO should implement procedures whereby communications staff manage official County social media accounts with multi-user administration, and no employees share social media account passwords. ACRE and CMO should implement this recommendation
-
R9Page 30Request FIDO Key Feature If Not Available: ACRE and CMO should jointly draft and send a FIDO-key feature request citing this report to the social media companies used by the County to broadcast election announcements, but that do not currently offer FIDO account security protections—especially Instagram and Nextdoor. ACRE and CMO should implement this recommendation
-
R10Page 30Combat ACRE Social Media Account Phishing with FIDO Keys: ACRE should require any employee social media accounts capable of administering the official ACRE social media pages listed in Table 1 to use FIDO physical security keys as part of their multi- factor authentication. ACRE should implement this recommendation
-
R11Page 30Combat SMC Social Media Account Phishing with FIDO Keys: CMO should require any employee social media accounts capable of administering the official San Mateo County social media pages listed in Table 1 to use FIDO physical security keys as part of their multi-factor authentication. CMO should implement this recommendation by December 31, 2019. Improve Cyber Hygiene
-
R12Page 30Coordinate Election Security with Interdepartmental Working Group: ACRE and ISD should create an election security working group that meets periodically and is responsible for evaluating and improving the security of elections (a) registration, (b) vote casting, (c) results tabulation, and (d) communication within San Mateo County. ACRE and ISD should implement this recommendation
-
R13Page 30Evaluate Free DHS Elections Security Assistance Programs: ACRE and ISD election- security working group should evaluate the benefits of having all members of the election- security working group participate in any of the free DHS elections security assistance 165 At a minimum for any user account with a public portal capable of administering the ACRE website, any virtual private network (VPN) account that can access a private portal capable of administering the ACRE website, any account capable of managing the smcacre.org domain, and every email account within the vendor organization. programs listed in Table 2. ACRE and ISD should implement this recommendation
-
R14Page 31Offer Behavioral Cyber Hygiene Audits: ISD and the County Controller’s Office should develop a behavioral auditing program consisting of sampling the day-to-day routines and security practices of employees, contractors, and/or vendors and offer to audit each department within the County periodically to (1) evaluate compliance with existing cyber hygiene policies and (2) provide proactive advice on cyber hygiene improvements that could inform new policies. ISD and the Controller’s Office should begin to implement this recommendation by offering to audit ACRE and ISD (itself) in time to finish