BrakeSec Education Podcast
BrakeSec Education Podcast
Bryan Brake, Amanda Berlin, and Brian Boettcher
2020-040- Jeremy Mio, State of Ohio Election Security
1 hour 3 minutes Posted Nov 1, 2020 at 9:26 pm.
0:00
1:03:35
Download MP3
Show notes

Previous Election Security podcast: https://brakeingsecurity.com/2018-042-election-security-processes-in-the-state-of-ohio 

 

Jeremy Mio (@cyborg00101)

 

https://itsecurity.cuyahogacounty.us/

 

Ohio Counties Meet LaRose's Deadline to Strengthen Election Security - Ohio Secretary of State (ohiosos.gov) 

(added cybersecurity Directives during 2018 last podcast -jmio)

  • Directive 2018-15 (6/21/18) - Cybersecurity 
    • EI-ISAC Membership, DHS Services, IDS (Albert) Monitoring, Elections Infrastructure Security Assessment, Secure Online Services (DDoS Protection), examples via the State: Win10, DB Monderization, MFA, Cloud Email Pilot, IT Support Pilot
  • Directive 2018-30 (9/28/18) - Reminder and Additional Clarifications

 

Einstein (US-CERT program) - Wikipedia

Albert Program

(added new cybersecurity Directives since last podcast  -jmio)

  • Directive 2019-07 (5/06/19) - Specifics on security event reporting (expansion on 2017 Directive)
  • Directive 2019-08 (6/11/19) - Expansion on 2018 and technical guides 
    • Continuing 2018 requirements: EI-ISAC members, phishing tests, vulnerability scanning, continue to secure online systems (TLS/DDoS)
    • Remediate all high priority findings from 2018 assessment by 1/31/2020
    • Additional technical requirements
    • Additional DHS Services requested by 7/19/2019 (mitigate high findings by 1/31/20): Risk and Vulnerability assessment, Remote Pen Test, Arch Design Review, Cyber Threat Hunt
    • Others: 2019 TTX, required all to use .US or .GOV domain, Annual assessments and background checks, Technical procurement guide, DMARC

 

LaRose issues directive to set a new standard for election security in 2020 (added -jmio)
  • LaRose Announces Pick For Chief Information Security Officer
  • Directive 2020-12 (7/14/20): Additional cybersecurity (and others) requirements by 8/28/2020
    • Cybersecurity Liaisons
    • Extended IDS Albert funding and SIEM Services
    • New: EDR and MDBR by 8/28/2020 (and additional push for DMARC)
    • Securing Online Services and WAF, and requiring DHS Services Annually
    • Vulnerability Management: Critical and High SLA
    • Continue Annual cybersecurity training and background checks (including vendor/contractors), Physical Security Training
    • Emergency Planning with local EMA and Sheriff 

 

Vuln disclosure policy: Vulnerability Disclosure Policy - Ohio Secretary of State (ohiosos.gov)

Did anyone think to pentest the vuln acceptance form? (lol, layers in layers --brbr)

 

 

Ohio to ramp up election security with new federal funds | TheHill

“Ohio has taken steps to combat those types of threats. In October, Ohio Gov. Mike DeWine (R) signed into law a measure that required post-election audits to ensure the accuracy of the vote count, and created a “civilian cyber security reserve” to defend against potential cyberattacks.

LaRose says invitation to hackers will set new election security standard; expert says it's risky (wcpo.com)

“His [secretary of state LaRose] first-of-its-kind Vulnerability Disclosure Policy invites Ohio’s crop of “white-hat” hackers — the good guys, opposite malevolent “black-hat” hackers — to break into the state’s election system, find bugs and report them so officials can ensure they’re fixed by Election Day.

There are some strings attached: White hats aren’t allowed to phish for information or tamper with electronic county voter registration systems, and actual voting machines — legally barred from being connected to the internet — are off-limits. If they do find sensitive information, they’re expected to report it.”

How did the threat model shift from the last time we talked?

What has changed in terms of organization and threats? You mentioned 4-5 different voting regions last time, all with different levels of technology. Any updates on the tech? 

How did covid change how voting occurred? 

How have you leveraged the Elections Infrastructure ISAC (EI-ISAC) in passing along threats and sharing information?

Has insider threat been part of your threat model and what has your group done to minimize the chances? (why does it feel like the Oscars has more scrutiny in terms of voting security than the US democratic process? --brbr)

What does physical security look like in terms of people going to the polls? (wasn’t sure if that was something in your purview --brbr) (this is not (Election Board and Sheriff), but can discuss high level -jmio)

Using hardware domain block services? Malicious Domain Blocking and Reporting (MDBR) Newest Service for U.S. SLTTs (cisecurity.org)

LaRose Setting New Standard For Election Security - Ohio Secretary of State (ohiosos.gov)

88 election districts will have access to domain blocking tech (mandated to start by 28 August 2020), cybersecurity experts. Can you give us an update on any of what was mentioned in the press release

 

  • “LaRose in recent months has also implemented statewide use of endpoint detection monitoring software and required counties to develop contingency plans for any incident that disrupts the voting process.”

 

Background checks