Vulnerabilities / Threats

2/13/2018
05:20 PM
50%
50%

As Primaries Loom, Election Security Efforts Behind Schedule

While federal agencies lag on vulnerability assessments and security clearance requests, the bipartisan Defending Digital Democracy Project releases three new resources to help state and local election agencies with cybersecurity, incident response.

With primaries for 2018 elections beginning March 6, efforts to harden state, local election systems are being hindered by federal sluggishness and "wariness of federal meddling," the Associated Press reports. 

One of state and local election officials' main complaints, according to the AP report, is their struggle to obtain federal security clearances, which would enable greater information sharing in the event of a security threat or incident. Fewer than half of the officials that have requested federal clearances have yet received them, according to the AP, including the state elections board executive director in Illinois, one of two states where voter registration databases were breached in 2016. 

Another key concern: vulnerability assessments of the state and local election systems. The US Department of Homeland Security offered to conduct these assessments - but only 14 state and three local agencies took DHS up on the offer, and only five of these requested vulnerability assessments have been completed. DHS says all will be completed by mid-April, according to AP.

Election officials did, however receive new guidance Thursday, from the bipartisan group that recently released cybersecurity guidance for election campaign managers. The Defending Digital Democracy Project (D3P) at Harvard Kennedy School's Belfer Center for Science and International Affairs - co-chaired by the former campaign managers for Mitt Romney and Hillary Clinton and the former Defense Department chief of staff during the Obama Administration - published "The State and Local Election Cybersecurity Playbook," "The Election Cyber Incident Communications Coordination Guide," and "The Election Incident Communications Plan Template." 

D3P's recommendations cover paper trails, audit practices, multi-factor authentication, access controls, log management, vendor agreements, end user training, incident response, and communications plans, in addition to details about the specific threats affecting voting systems, from the hardware to registration databases.

For more information, see the Associated Press and D3P.  

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/14/2018 | 2:09:25 PM
If you want good security in voting
EACH computerized voting site should be a simple NON INTERNET closed loop network unto itself - nothing outside the building.,  Cables from station to switch to system with a removable hard drive.  When voting done, drive is PHYSICALLY SIGNED FOR AND REMOVED UNDER HUMAN SECURITY to SECURE TRUCK to secure local office where data is UNLOADED and then drive destroyed.  No internet ever.  
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11763
PUBLISHED: 2018-09-25
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
CVE-2018-14634
PUBLISHED: 2018-09-25
An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerabl...
CVE-2018-1664
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache. ...
CVE-2018-1669
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote atta...
CVE-2018-1539
PUBLISHED: 2018-09-25
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 could allow remote attackers to bypass authentication via a direct request or forced browsing to a page other than URL intended. IBM X-Force ID: 142561.