The Ten Most Important Things That The CSO Of The Republican and Democratic Conventions Should Be Doing To Ensure The Security of The Event
In 2004 I had the unique responsibility of being CSO for the Republican convention in NYC. My role was primarily to secure the campaign network and work with the host committee to ensure the security of their network. To help those currently in similar positions or involved with other short-term events and conventions, I compiled the top 10 measures that helped keep our environment secure. In no way is this list complete, but the most important items have been listed. This list also does not address obtaining management support or developing security policy, which are two fundamental elements to implementing all of the measures described below.
The Top Ten
The Convention Security Top Ten Measures (in no particular order) are:
Change Passwords Frequently
Implement External Network Filtering
Physically Separate Speech Network
Change Voice Mail Messages
Review User Accounts and Access Lists
Create an Incident Response Plan
Enforce a no Wireless Policy
Implement Intrusion Prevention
Implement Disaster Recovery Plan
Continually Walk Around and Assess
What makes Convention Security so Different?
There is no permanent IT staff, organization, or existing IT documentation.
Everything done for the convention is temporary; everything must be taken down and returned a few days after the convention.
The project must be completed by the date of the convention. There is no room for failure.
Many decisions are based upon political considerations, including the appointment of key IT personnel.
IT budget is usually “raised” specifically for this event. In the case of the Democratic and Republican conventions all funds are usually dual-approved between the Host Committee and the Campaign.
Political conventions have a major emphasis on IT security: each is a National Special Security Event (NSSE) (i.e. it involves Homeland Security, the US Secret Service, the FBI, the NYPD and CERT).
Short timeframe: in some cases only 30 to 60 days to install the IT infrastructure at convention sites.
No IT Program Management or Project Management structure.
Top Ten Detailed Measures
On the following pages is a description of each security measure with actual real world examples used in the Republican National Convention of 2004.
1. Change Passwords Frequently
Based on my experience, passwords are the number one way an attacker will gain access to a computer system. The attacker gets in because the password is either the default supplied by the vendor, blank, easily guessable, written down, or typed in a file on another system. Therefore, change all passwords as often as possible, including system accounts, users, mobile devices, firewalls, routers, etc. Don’t wait until the last minute to find out your BlackBerry server’s bsadmin service password is “blackberry”.
Changing passwords will be painful for the users at first, but this is a must for event security due to turnover of employees, use of volunteers, and maintaining control of the systems under management of the security staff. During the week of the convention IT should try not to change any passwords. In fact ALL CHANGES should be frozen during the week of the convention unless there is an emergency.
2. Implement External Network Filtering
Implement external firewall and router ACL filters that exclude every country outside of the US. There are very good lists that can reduce your IPS hits from 100,000s a day to 100s a day.
See my IP black list posting
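A small illustration of this kind of default-deny filter, added here as an example and not something from the 2004 convention build: an allow list of prefixes, a dry run of sample log lines against it so you can see what would be dropped, and the same list rendered as a Cisco IOS extended ACL. The prefixes and log lines are constructed placeholders (RFC 5737 documentation ranges), not a real country list; a real deployment would pull the prefix list from a maintained country-to-prefix source.

```python
import ipaddress
from collections import Counter

# CONSTRUCTED placeholder prefixes standing in for a "US only" allow list.
# These are RFC 5737 documentation ranges and carry no country meaning.
ALLOWED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed firewall log lines in a simple key=value form.
SAMPLE_LOG = """\
2004-08-30T01:02:03 src=203.0.113.7 dport=443 proto=tcp
2004-08-30T01:02:04 src=198.51.100.9 dport=25 proto=tcp
2004-08-30T01:02:05 src=198.51.100.200 dport=22 proto=tcp
2004-08-30T01:02:06 src=192.0.2.44 dport=22 proto=tcp
2004-08-30T01:02:07 src=192.0.2.45 dport=1433 proto=tcp
2004-08-30T01:02:08 src=not-an-ip dport=80 proto=tcp
"""


def is_allowed(src):
    """True if src is inside an allowed prefix. Unparseable sources are
    denied: a filter should fail closed, not open."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_PREFIXES)


def parse_line(line):
    """Pull src and dport out of one key=value log line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
    return fields.get("src"), fields.get("dport")


def filter_log(text):
    """Return (kept_lines, dropped_by_port) for a block of log text, so the
    effect of the rules can be reviewed before they go live."""
    kept, dropped = [], Counter()
    for line in text.splitlines():
        src, dport = parse_line(line)
        if src is None:
            continue
        if is_allowed(src):
            kept.append(line)
        else:
            dropped[dport] += 1
    return kept, dropped


def acl_lines(name="OUTSIDE-IN"):
    """Render the allow list as Cisco IOS extended ACL statements: one permit
    per prefix (wildcard mask = inverted netmask) and a final deny-all."""
    lines = [f"ip access-list extended {name}"]
    for net in ALLOWED_PREFIXES:
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any")
    return lines


if __name__ == "__main__":
    kept, dropped = filter_log(SAMPLE_LOG)
    print(f"kept {len(kept)} lines; dropped by port: {dict(dropped)}")
    print("\n".join(acl_lines()))
```

The dry run matters more than the ACL text: run the previous day's logs through the allow list before applying it, and look at the dropped-by-port breakdown for anything legitimate (a remote vendor, an offsite mail relay) that would be cut off.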
3. Physically Separate Speech Network
Usually in a convention there are a series of speeches given by well-known individuals. In the 2004 convention several important people spoke, including Arnold Schwarzenegger, Dick Cheney, and President George W. Bush. The original network design was set up with the speech network connected to the Host Committee and Campaign networks, which were connected to the internet. The worst possible scenario would be the speech system being hacked prior to the event or while the actual candidate was talking on live TV. Thus, as a security professional it is important to separate the speech network and make sure there is no way any user on the internet has any chance to connect to these systems.
In the 2004 convention, amazing as it was, the speech server was placed in an X-ray room at Madison Square Garden. Given the level of paranoia, the fuses were pulled on the X-ray machine and a separate padlock was purchased and put on the door. We called this the red room because the outside of the door carried a red Danger sign for the X-ray system, and it was in the Red Zone. The only other system on that same network was a Cisco network IDS server, and only three individuals had access to the room.
This room was located in the Red Zone, the Secret Service-controlled area that restricted access to the under-stage and candidate environment. Only four IT staff members had access to this zone. For the 2004 convention the staff that had access were the CIO, the CSO, the Cisco engineer that ran the network cables, and an intern with political connections who administered the badge system alongside the Secret Service.
4. Change Voice Mail Messages
This has to be one of those hard lessons learned for some of the IT staff at the 2004 convention, because several employees were harassed for weeks during the convention as a result of their voice mail messages. Many of the IT staff didn’t use office phones because there were several other means of communication such as cell phones, Nextel click-to-talk phones, and BlackBerry devices.
Social engineering attacks are a very big threat for several months prior to the convention. As CSO you will need to talk to the front desk staff and find out how many calls actually come in. Many of them will come in from the other party (i.e. the Democratic Party in this case). By the week of the convention the front desk staff was so used to these calls that the majority of them were just transferred to the main desk at the Democratic convention.
The main problem that affected the technology staff was not just the political activists; it was the individuals that listened to voice mail messages and were smart enough to identify the IT staff and then harass them later. In one case we had one specific vendor, who will remain anonymous, that left their company name and cell phone number on the voice mail. When the harassing attack occurred this person was receiving several calls a day on their personal cell phone and ended up contacting the local police, who continued the investigation. In the end you will basically have to change your cell phone, so it is important to change all of the technical staff’s voice mail messages to avoid social engineering and harassing attacks. Remove names, titles, cell phone numbers, etc. You don’t want your top IT staff getting spammed with calls that essentially DOS their cell phones because they left their number and title on their office phone.
5. Review User Accounts and Access Lists
Continually review user accounts and access lists for systems, applications, network devices and datacenters. You might be amazed how many volunteers, and other staff members who no longer work for the convention, still have access. This is a must and should be done several times before the event.
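One way to make the review repeatable rather than a one-off eyeball pass, added here as an example and not a tool from the 2004 convention: diff an account dump from each system against the current roster and flag anything that is not owned by an active person, is a volunteer holding admin rights, or has not been used recently. The roster and account rows are constructed; the column names are assumptions about whatever export your systems produce.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed roster of who currently works the convention (HR / host committee view).
ROSTER_CSV = """\
username,role,status
alice,staff,active
bob,volunteer,active
carol,staff,departed
"""

# Constructed account dump pulled from systems and devices (one row per account).
# An empty last_login means the account has never been used.
ACCOUNTS_CSV = """\
system,username,privilege,last_login
fileserver,alice,user,2004-08-20
fileserver,bob,admin,2004-07-01
fileserver,carol,user,2004-08-15
core-router,admin,admin,
badge-db,dave,admin,2004-08-25
"""


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(roster_text, accounts_text, as_of, stale_days=30):
    """Compare every account against the roster and return a list of
    (system, username, privilege, reasons) for anything that needs action."""
    roster = load_csv(roster_text)
    active = {r["username"] for r in roster if r["status"] == "active"}
    role_of = {r["username"]: r["role"] for r in roster}
    findings = []
    for acct in load_csv(accounts_text):
        user = acct["username"]
        reasons = []
        if user not in active:
            # Departed staff, or a shared/device account nobody on the roster owns.
            reasons.append("not on active roster")
        if acct["privilege"] == "admin" and role_of.get(user) == "volunteer":
            reasons.append("volunteer holding admin privilege")
        if acct["last_login"]:
            last = datetime.strptime(acct["last_login"], "%Y-%m-%d")
            if as_of - last > timedelta(days=stale_days):
                reasons.append(f"no login in {stale_days} days")
        else:
            reasons.append("never logged in")
        if reasons:
            findings.append((acct["system"], user, acct["privilege"], reasons))
    return findings


def run_review(as_of_str="2004-08-30"):
    """Run the review over the constructed sample data as of a given date."""
    as_of = datetime.strptime(as_of_str, "%Y-%m-%d")
    return review_accounts(ROSTER_CSV, ACCOUNTS_CSV, as_of)


if __name__ == "__main__":
    for system, user, priv, reasons in run_review():
        print(f"{system:12} {user:8} {priv:6} {'; '.join(reasons)}")
```

Built-in and shared accounts (the router's `admin` above) will always show up as "not on active roster"; rather than suppressing them, map each one to a named owner in the roster so the review forces the question of who actually holds that password.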
6. Create an Incident Response Plan
Create a solid response plan and make sure that CERT (http://www.cert.org/) and the Secret Service are included. Although spam may be your only incident, it will be important to have worked out who to call first and who can investigate the incident. During the 2004 convention we came across four items that could be classified as incidents: social engineering, DOS attempts, data leakage, and spam.
Social engineering was discussed above in item 4: Change Voice Mail Messages. DOS attempts were targeted at the campaign web site, which was externally hosted with an infrastructure capable of handling the traffic. During setup we performed a site inspection of the third party and required additional technology to be implemented as a preventative measure. Data leakage occurred, and we were notified after it hit the media. The problem turned out to be an internal volunteer that leaked an Excel file of Campaign names to the media. This is always a difficult and costly problem to solve, but in this case the repercussions were small and had little effect other than media coverage. Then our one major incident, for which we fully enacted the IR plan, turned out to be confusion over a spam email that got through the filter and was titled something along the lines of “you’ve been hacked”. It turned out the message was a spam email for a video tape that some delegate received and thought his system was compromised. Overall the process worked great based on after-incident feedback. The process is below.
Incident Response Process Flow Example:
1. Enforce the “need to know” policy. Tell the details of an Incident to the minimum people necessary.
2. Initiate the Investigation.
3. Can you confirm this is an incident? If yes go to step 5. If no go to step 4.
4. Make a note on the Incident Report Form and explain that it was not an incident. Go to step 15.
5. Notify the Secret Service.
6. Activate the Incident Response Team. Fill out the Incident Report Form (Appendix D).
7. Continue Investigation.
8. Were systems on the network affected? If yes go to step 9. If no go to step 10.
9. Notify staff and administrators on affected system(s). If dispatched to a site remember to document the location. Go to step 10.
10. Is there a possibility of criminal action? If yes go to step 11. If no go to step 12.
11. Notify the Secret Service and wait for instruction. Do only as they say.
12. Contain and/or isolate victim system(s). If this is a virus or worm unplug the system from the network. DO NOT power down the system because some viruses may delete information when the system is rebooted. If it is NOT a virus or worm disconnect the network or do a hard shutdown of the system. DO NOT do a graceful shutdown because valuable information may be lost. Log all actions.
13. Notify the Secret Service. Log all actions.
14. Return the system to normal operation. Log all actions.
15. Incident over. Fill out the Incident Report Form (Appendix D). List all actions.
16. Hold a short meeting with the Incident Response Team, CERT, and Secret Service to identify the Lessons Learned and adjust the program accordingly. List all actions.
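A "go to step N" flow like this is easy to break when someone edits one step and forgets the jumps that point at it. The following is an added example, not the convention's own tooling, that encodes the sixteen steps above as a table, checks that every jump target exists, and traces the path for a given set of yes/no answers so the notification points can be counted. Where the flow gives no explicit "go to", falling through to the next step is assumed.

```python
# Step table transcribed from the flow above: number -> (text, next), where
# next is an int (unconditional), {"yes": n, "no": n} for a decision, or None
# at the end. Falling through to the next sequential step is ASSUMED wherever
# the flow gives no explicit "go to".
FLOW = {
    1: ("Enforce need to know", 2),
    2: ("Initiate the investigation", 3),
    3: ("Confirmed incident?", {"yes": 5, "no": 4}),
    4: ("Note 'not an incident' on report form", 15),
    5: ("Notify the Secret Service", 6),
    6: ("Activate IR team; fill out Incident Report Form", 7),
    7: ("Continue investigation", 8),
    8: ("Systems on the network affected?", {"yes": 9, "no": 10}),
    9: ("Notify staff/admins of affected systems; document location", 10),
    10: ("Possibility of criminal action?", {"yes": 11, "no": 12}),
    11: ("Notify the Secret Service; wait for and follow instruction", 12),
    12: ("Contain/isolate victim systems; log actions", 13),
    13: ("Notify the Secret Service; log actions", 14),
    14: ("Return system to normal operation; log actions", 15),
    15: ("Incident over; complete Incident Report Form", 16),
    16: ("Lessons-learned meeting with IR team, CERT and USSS", None),
}


def validate(flow=FLOW):
    """Return a list of problems: jumps to missing steps, malformed decisions."""
    problems = []
    for step, (_, nxt) in flow.items():
        if isinstance(nxt, dict):
            if set(nxt) != {"yes", "no"}:
                problems.append(f"step {step}: decision needs yes and no arms")
            targets = list(nxt.values())
        else:
            targets = [nxt]
        for target in targets:
            if target is not None and target not in flow:
                problems.append(f"step {step}: jump to missing step {target}")
    return problems


def walk(answers, flow=FLOW, start=1):
    """Trace the path for a dict of decision answers {step: 'yes'|'no'}.
    Returns the ordered list of step numbers visited; refuses to loop."""
    path, step = [], start
    while step is not None:
        if step in path:
            raise RuntimeError(f"loop detected at step {step}")
        path.append(step)
        _, nxt = flow[step]
        if isinstance(nxt, dict):
            if step not in answers:
                raise KeyError(f"step {step} needs a yes/no answer")
            step = nxt[answers[step]]
        else:
            step = nxt
    return path


def secret_service_notifications(path, flow=FLOW):
    """How many times the traced path requires notifying the Secret Service."""
    return sum(flow[s][0].startswith("Notify the Secret Service") for s in path)


if __name__ == "__main__":
    assert not validate(), validate()
    for answers in ({3: "no"}, {3: "yes", 8: "yes", 10: "yes"}):
        path = walk(answers)
        print(answers, "->", path,
              f"({secret_service_notifications(path)} USSS notifications)")
```

Running the three plausible answer sets shows that a confirmed incident always notifies the Secret Service at least twice (steps 5 and 13) and a suspected crime three times, which is the kind of fact worth confirming with the Secret Service liaison before the week of the event rather than discovering mid-incident.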
7. Enforce a no Wireless Policy
This is just a simple solution. Wireless is not secure enough and is hard to monitor, and should be turned off on every device connected to the network. Make sure that all laptops have wireless disabled too. Only use BlackBerry and Nextel type devices. You don’t want anyone with a wireless card bridging in external networks, or something worse.
It’s a hard enough job to ensure that everything is shut down, let alone trying to monitor outsiders connecting to the network. The Secret Service may also block wireless at different times (though they can neither confirm nor deny that!), which may cause disruption of signals.
During the convention at night, when the speeches were being conducted, the main job of the CSO and the IT support staff was simply to monitor wireless systems and ensure that no unauthorized device was connected to our network cables.
8. Implement Intrusion Prevention
Install both network and host intrusion prevention. There will be viruses, so this combined with anti-virus will stop propagation. Behavioral-based solutions work very well and should be installed on every system. Below is a diagram of the network with the placement of network IDS systems.
9. Implement Disaster Recovery Plan
Implement redundancy for all equipment and all foreseeable circumstances. In most cases communication is the most important item, so ensure email and other services are redundant and located offsite.
10. Continually Walk Around and Assess
Check cabling, wiring closets, and wireless access points (that shouldn’t be there) by walking around the facilities regularly and constantly scanning for wireless devices. It is amazing how many people have access to your wiring closets. It’s also amazing when you find water dripping on your cords, so check everything multiple times.
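Items 7 and 10 together amount to a repeated sweep: walk the venue with a scanner, record what you hear and where, then go find it. The following is an added example and not something used at the 2004 convention: it takes constructed sweep observations (location, BSSID, SSID, signal) and a constructed host inventory, and produces a walk-around list ordered by strongest signal, with the spot to start looking, plus the laptops whose radios are still on. Under a no-wireless policy there is no "authorized" list; the only exclusions are BSSIDs already triaged as belonging to neighbouring buildings.

```python
from collections import defaultdict

# Constructed sweep log: (location, bssid, ssid, rssi_dbm) from a handheld
# scanner carried through the venue. KNOWN_EXTERNAL holds BSSIDs previously
# triaged as coming from outside the facility (also constructed).
SWEEP = [
    ("wiring closet 3B", "00:11:22:33:44:55", "linksys", -48),
    ("wiring closet 3B", "66:77:88:99:aa:bb", "", -80),
    ("press riser", "00:11:22:33:44:55", "linksys", -70),
    ("press riser", "66:77:88:99:aa:bb", "", -52),
    ("floor north", "66:77:88:99:aa:bb", "", -65),
    ("loading dock", "cc:dd:ee:ff:00:11", "coffeeshop-guest", -85),
]
KNOWN_EXTERNAL = {"cc:dd:ee:ff:00:11"}

# Constructed host inventory: hostname -> radio state as reported by the
# management agent. Policy requires every radio to be off.
HOST_INVENTORY = {
    "lt-press-01": {"wifi_enabled": False},
    "lt-press-02": {"wifi_enabled": True},
    "lt-whip-07": {"wifi_enabled": True},
}


def strongest_sighting(sweep):
    """For each BSSID, the location where it was heard loudest (highest dBm)
    and how many sweep points heard it at all."""
    best, seen = {}, defaultdict(int)
    for location, bssid, ssid, rssi in sweep:
        seen[bssid] += 1
        if bssid not in best or rssi > best[bssid]["rssi"]:
            best[bssid] = {"location": location, "rssi": rssi, "ssid": ssid}
    for bssid, info in best.items():
        info["sightings"] = seen[bssid]
    return best


def rogue_report(sweep, known_external, min_rssi=-75):
    """Ordered walk-around list: unknown BSSIDs heard above min_rssi anywhere,
    strongest first, each with the place to start looking. A hidden SSID is
    not a reason to skip it, so it is shown as <hidden>."""
    report = []
    for bssid, info in strongest_sighting(sweep).items():
        if bssid in known_external or info["rssi"] < min_rssi:
            continue
        report.append({
            "bssid": bssid,
            "ssid": info["ssid"] or "<hidden>",
            "start_at": info["location"],
            "rssi": info["rssi"],
            "sightings": info["sightings"],
        })
    return sorted(report, key=lambda r: r["rssi"], reverse=True)


def noncompliant_hosts(inventory):
    """Hosts whose wireless radio is still on, in violation of the policy."""
    return sorted(h for h, state in inventory.items() if state["wifi_enabled"])


if __name__ == "__main__":
    for entry in rogue_report(SWEEP, KNOWN_EXTERNAL):
        print(f"{entry['rssi']:4} dBm  {entry['bssid']}  {entry['ssid']:16} "
              f"start at: {entry['start_at']}  (heard {entry['sightings']}x)")
    print("radios still on:", noncompliant_hosts(HOST_INVENTORY))
```

Keep the sweep log between walks: a BSSID that moves from the press riser to a wiring closet between two sweeps is a different problem from one that sits at the loading dock at -85 dBm all week, and the history is what tells you which is which.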