📋
Extraído del Informe Consolidado

Esta investigación fue publicada originalmente como parte de un informe consolidado más amplio que contiene múltiples investigaciones. Consulte el PDF consolidado para ver el documento completo.

San Mateo County Grand Jury • 2018-2019

R7. Combat Island Hopping with Fido Key Vendor Requirement: Acre and ISD should require employees and contractors of

Published: December 31, 2019 23 pages
View PDF View Full Original

Findings 17 findings

F1 Page 35
The veracity of the County’s election broadcasts on any ACRE or CMO online communication platform is important to the public’s trust in the electoral process. Response: ACRE agrees with this finding.
F2 Page 35
Unlike DHS, ACRE does not include the security of online election communications when describing election security on its website. Response: ACRE partially agrees with this finding. ACRE will provide appropriate security information on the Elections website in a similar manner as utilized by DHS and as recommended by ACRE’s Cybersecurity vendor.
F3 Page 35
Protecting online communication platforms with multi-factor authentication that is susceptible to SIM hijacking, phishing, and man-in-the-middle attacks—as is the case with the use of one-time PINs (OTPs) sent to cell phones—exposes the County to election disinformation attacks. To: Honorable Donald J. Ayoob From: Mark Church, Assessor-County Clerk-Recorder & Chief Elections Officer September 23, 2019 Response: ACRE partially agrees with this finding. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F4 Page 36
Although the County implemented several email security protections that provide many of the DMARC benefits following a 2016 phishing attack, the County’s email security practices do not follow DHS guidelines for federal agencies due to the absence of complementing DMARC protection. Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F5 Page 36
The County utilizes multi-factor authentication methods for its email that remain susceptible to SIM hijacking, phishing, and man-in-the-middle attacks. Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F6 Page 36
ACRE’s website security practices do not follow DHS guidelines for federal agencies requiring the use of multi-factor authentication protection by users who have the system permissions to alter the ACRE webpages. Response: ACRE partially agrees with this finding. ACRE’s website support vendor currently utilizes multi-factor authentication (MFA). ACRE is working with the SMC ISD team to implement MFA equivalent to FIDO for ACRE’s content contributors.
F7 Page 36
ACRE outsource the domain management and hosting of its smcacre.org website to a third-party vendor. Response: ACRE agrees with this finding.
F8 Page 36
The San Mateo County Information Security Training produced by ISD does not make any recommendations for security practices of official County social media accounts. To: Honorable Donald J. Ayoob From: Mark Church, Assessor-County Clerk-Recorder & Chief Elections Officer September 23, 2019 Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F9 Page 37
The San Mateo County Departmental Social Media Policy produced by CMO requires that multiple employees share official social media account passwords. Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F10 Page 37
ACRE and CMO employee share passwords to their official social medic counts listed in Table 1 with multiple employees within their offices. Response: ACRE agrees with this finding.
F11 Page 37
The San Mateo County Departmental Social Media Policy produced by CMO does not make any recommendations about using multi-factor authentication to protect against an unlawful takeover of social media accounts. Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F12 Page 37
The ACRE and CMO social media accounts listed in Table 1, with the exception of the CMO Facebook page, do not use multi-factor authentication. Response: ACRE agrees with this finding. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F13 Page 37
ACRE and ISD could strengthen their coordination of the evaluation and addition of security features to address election security. Response: ACRE partially disagrees with this finding. ACRE and ISD meet and discuss all aspects of cybersecurity at monthly IT Security meetings, and quarterly IT Governance meetings. Additional coordination meetings occur on an as needed based on projects or events. To: Honorable Donald J. Ayoob From: Mark Church, Assessor-County Clerk-Recorder & Chief Elections Officer September 23, 2019
F14 Page 38
ISD utilizes a DHS “Vulnerability Scanning” service for the entire County, but ACRE does not utilize any of the other seven free elections-specific DHS services listed in Table 2. Response: ACRE partially disagrees with this finding. ACRE uses services and information provided through DHS, MS-ISAC, EI- ISAC, and the Secretary of States Cybersecurity team. Additionally, ACRE works with our Cybersecurity vendor to assess Election operations security needs. ACRE will continue to coordinate with ISD and their Cybersecurity administration team to ensure ACRE Elections security needs are met and will evaluate the appropriate use of DHS tools identified in Table 2.
F15 Page 38
ISD runs network assessments (“Vulnerability Scanning”) for the County devices but does not audit the practices of employees to identify behavioral sources of network vulnerability. Response: This finding was addressed to the County. ISD addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F16 Page 38
The Internal Audit Division of the County Controller’s Office “performs internal audits of departments’ operations,” which has sometimes included cyber hygiene assessments. Response: This finding was addressed to the Controller. The Controller addressed this finding in its reply. Please see CMO / ISD response for more information and details.
F17 Page 38
The Internal Audit Division of the County Controller’s Office has not performed a cyber hygiene assessment of the Elections Division of ACRE. Response: This finding was addressed to the Controller. The Controller addressed this finding in its reply. Please see CMO / ISD response for more information and details.

Recommendations 14