Filtering "crud" like malicious code from New York's government agencies was never an overbearing problem for William Pelgrin's security teams at the state's Office of Cyber Security and Critical Infrastructure Coordination. Pelgrin, director of the CSCIC, manages to stay ahead of hackers by recognizing changes in their methodologies and being proactive about defenses, especially user awareness. The escalation of targeted phishing attacks caught his attention a year ago. His response was a pair of phishing exercises organized by his office against 10,000 state employees. Despite the risk of users losing trust in the security group, Pelgrin says the exercises were successful in testing employees' willingness to give up personally identifiable information to a supposedly trusted source. Pelgrin expresses satisfaction with the results, but recognizes areas for improvement and promises more in the future.
Pelgrin: [Governor Pataki] is a visionary in this area. He blessed the concept of creating a unique office focusing on cyber-preparedness and being as resilient as we could be in New York state. We are made up of individuals on the cyber side and from geographic information systems and critical infrastructure coordination. We take our assets, depict them geographically and relate them to incidents. We can see the two converging; if the event is cyber, we can see what potential physical consequences there may be.
We want the office to stay small. This is about collaboration, not about mandates or control. We want to be a role model for partnerships.
What is the reporting structure and information sharing like between your groups?
Pelgrin: All state agencies have an information security officer. We work collaboratively with them, creating a joint security policy. I'm a big believer this has to be about building relationships on the private side as well.
There are eight committees: health, financial, agricultural, telecommunications, education and public safety among them. It's a real collaborative effort. We meet monthly by phone and share information about risk and vulnerabilities. We also have major player meetings where all major utilities are invited to a conference call.
Every year, we take a hindsight view to see if we're providing a value-add. One of my guiding principles is that we do no harm to the private sector. We've got enough structure and processes in place that we can tap in and get information as appropriate. We don't want to see everything. They respond favorably to that. Trust has been building; it's not a right, it's something we earn.
Why the mock phishing exercises? Was there a problem?
Pelgrin: We tend to do a good job filtering out the crud. However, the concern of hackers moving from phishing to spear phishing, where the apparent sender is a real trusted source, forced us to say 'Let's get ahead of it before it becomes a problem.' We wanted to use this as an opportunity to forestall that from becoming an issue.
What did you do with those who failed?
Pelgrin: Part of this is a tactile approach to learning. Repetition is very important; it's true with kids that the only way to teach is through repetition.
This is not the only event; it's part of our standard awareness program. We are asking agencies to deal with phishing in their annual awareness training as well. We are also providing this template to anyone willing to use it. All states in the union have got it. One other state is in the process of doing a similar exercise.
We did start to change some of the culture where no one in one department saw this as an exercise but as an illegitimate phishing scam. Everyone in the department was told to just delete it. That's what this is all about, changing the culture.
This is not about 'I got you.' If it's about blame, we all lose. You learn about the past to make the future better.
Aren't you concerned state employees will lose trust in legitimate e-mail messages coming from your office?
Pelgrin: We debated that at length. Here's why I did this and why I concluded it was the right thing to do. It came from the agency ISO, a trusted source. What better way to say if I get something from the ISO and he wants personal information, I still have to say no. That's the biggest clue: an ISO will not ask for personal information.
There's no negative impact that they can't trust e-mail. It gave them time to pause and think that no matter who it is, they should not lower their security standards. There are ways to handle this securely. If you get one of these e-mail messages, even if it's from a trusted source, end the session, phone that person and talk to them about it then go back and deal with the information they may or may not need.
About the author
Michael S. Mimoso is Senior Editor of Information Security magazine.
This was first published in March 2006