It's important to find the silver lining in any negative situation -- and this continues to ring true during a global pandemic. As we approach the always-competitive U.S. election in November, politics aside, there is a silver lining there, too. This year, even with COVID-19 concerns increasing the adoption of mail-in voting and chief election officials across the country reflecting on the impacts of the Russian interference from the 2016 election (among other considerations), the silver lining may be that the voting process is being scrutinized like never before.
During the Black Hat 2020 virtual conference, keynote speaker Matt Blaze analyzed the security weaknesses in our current voting process and urged the infosec community -- namely pentesters -- and election commissions to work together. His point: Testers can play an invaluable role in securing the voting process as their methodology of exploring and identifying every possible option for exploitation and simulating crisis scenarios is the perfect complement to shore up possible vulnerabilities and security gaps.
Given the regulatory nature of elections, it may be difficult for government and private sectors to work in tandem, especially at this late stage of the election cycle. However, this summer, Election Systems & Software, the top U.S. manufacturer of voting technology, announced that it would allow outside security experts to test its systems -- a first for the security industry. Until further collaboration occurs, pentesters may still be at arm's length. But that doesn't mean there aren't key insights into election security vulnerabilities that security professionals can learn from. Pulling from past and present experiences in the pentesting space, I will explore three election security vulnerabilities and share actionable remediation considerations that the security industry can apply to their own work.
Election security vulnerability #1: Software implementation opens the door to more remote breaches
Remediation considerations: Perform regular security testing earlier in the software development lifecycle (SDLC) and implement automated testing suites prior to deployment.
Software is used in nearly everything we do, and voting is no exception. And while we can't rule out physical hardware cyberattacks, attacking software is an easier and more common way for a bad actor to compromise the election, as a software breach is typically attempted remotely through the introduction of a virus or malware.
Look to electronic pollbooks for a relevant case study. Many polling locations across the country use laptops and tablets, with a pollbook vendor's software installed, to sign voters in. While a compromised electronic pollbook won't change a vote, cyberattacks against the devices could cause delays that prevent people from voting. This example demonstrates the critical role of software in the election process, but software is also prevalent in voter registration, voting machines, ballot creation, vote counting and tabulators.
What does the pollbook case tell security professionals in the business environment? In two words: shift left. It's up to the product development and IT teams to set the software development requirements and be proactive in implementing enough integrity checks that any tampering or malware in the ecosystem is detected, and that audits and analysis can occur.
These automated tests should be considered early in the SDLC, when the software is being designed, to ensure vulnerabilities are not introduced into the source code. Automated testing suites are not only a necessary component of software design but are also key to testing systems prior to deployment, or, in the case of voting security, before election day. Setting more regular testing milestones and thorough requirements will allow for timely alerts and generate audit trails to understand when and where a virus was introduced.
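As an added illustration of the integrity-check and audit-trail idea above, the following is example code written for this article (not NetSPI's tooling nor any pollbook vendor's). It assumes a release manifest of SHA-256 digests that is signed with an HMAC key held only by the build server and the verifier; the manifest and install tree used here are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed example: a signed file manifest for a pollbook install.
# The HMAC key is an assumption; in practice it is provisioned out of band.

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, key: bytes) -> dict:
    """Run on the build server: hash every file and sign the listing."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_install(root: Path, manifest: dict, key: bytes) -> dict:
    """Run on the device before deployment: return an audit record that
    says what was checked, what drifted from the release, and when."""
    record = {"checked_at": datetime.now(timezone.utc).isoformat(),
              "ok": False, "manifest_ok": False,
              "modified": [], "missing": [], "unexpected": []}
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return record  # an edited manifest proves nothing; stop here
    record["manifest_ok"] = True
    present = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest["files"].items():
        if rel not in present:
            record["missing"].append(rel)
        elif sha256_file(root / rel) != digest:
            record["modified"].append(rel)
    # Files the release never shipped are as suspicious as changed ones.
    record["unexpected"] = sorted(present - manifest["files"].keys())
    record["ok"] = not (record["modified"] or record["missing"]
                        or record["unexpected"])
    return record
```

The returned record is the audit-trail entry: stored centrally with each check, it shows which device drifted from the release and when the drift was first seen.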
Election security vulnerability #2: External partner organizations provide new attack surfaces
Remediation considerations: Set and enforce minimum security requirements for all partners.
Headlines across the United States have reported on the Senate Select Committee on Intelligence report of Russia's attempts to access election infrastructure in 2016. Based on the information released to date, the nation-state attackers targeted the voter registration process by accessing the network through third-party organizations -- private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and electronic polling stations. Realistically, most partner organizations are connected to the internet, and attackers can use this as an entry point to perform malicious activities, such as injecting malware.
Bad actors exploiting weaknesses from the outside, through vulnerabilities reachable over the internet, are a common cause of security incidents. Take the infamous 2013 Target breach as an example. Adversaries accessed Target's point-of-sale system through its HVAC vendor, which did not have minimum security requirements in place. Or consider the more recent Instacart incident, in which employees of a third-party tech support vendor had access to more shopper profiles than necessary.
To ensure an adversary does not enter the network through a third-party partner, there cannot be any weak links. CISOs must ensure all partner organizations meet the minimum security requirements outlined by their regulatory bodies -- and seek out partners that go beyond the regulatory requirements and address security proactively. Minimum security requirements typically include multiple layers of protection: building behavioral analysis capabilities into an application so it can raise alerts if compromised, performing regular code review and penetration testing, and doing threat modeling to ensure assets are protected across different trust boundaries, among others.
Election security vulnerability #3: Existing security controls not working as they are intended
Remediation considerations: Implement a Defense-in-Depth strategy and perform adversarial simulations.
Under the direction of the chief election official, every election commission has some form of security strategy and threat detection tools (firewalls, intrusion detection, etc.) -- but how do they know these are working properly? This is where a Defense-in-Depth strategy becomes critical, particularly in crisis situations, for any organization. Defense-in-Depth provides multiple layers of security, so, if one tool fails or is tampered with, there are backup measures to protect the integrity of the process as a whole.
To ensure the efficacy of detective controls and incident response teams, adversarial simulations are key. If controls are not configured properly, you won't know until it's too late and a breach has already occurred. Simulations can also put incident response teams to the test to see if they are detecting malicious activity performed by pentesters and red teams.
When working with and building an infrastructure where the overall integrity of the system is of utmost importance, pentesting becomes critical. Testers aim to make the system misbehave and put themselves in the shoes of a bad actor. The financial industry should be looked to as an example of security sophistication. The security of banks and other financial institutions is evaluated under a microscope, and they are required to adhere to strict regulations, such as more frequent and thorough testing to find and remediate vulnerabilities faster. Voting systems are a key part of the democratic process and warrant the same amount of scrutiny that our financial infrastructure receives.
Everyone involved needs to work together for election security
My final piece of advice: Infosec professionals, chief election officers and election commissions need to work more closely together to restore confidence in the election process. But, in order for the infosec community to get involved, we have to be given the opportunity to do so. In a recent conversation I had with Cassio Goldschmidt, Head of Information Security at ServiceTitan, he explained Brazil's election security process. The Brazilian government hosts an event to test its electronic voting systems, making it a collaborative and open effort to create a trustworthy voting infrastructure, which in essence is a country-wide pentesting investment. Other countries and businesses could learn from this model.
While the increased scrutiny of the voting process may be a silver lining of the pandemic, there is always room for improvement. We must continue to use our cybersecurity knowledge in our own security practices but also challenge and scrutinize the voting process to create a secure foundation for elections with integrity.
About the author
Nabil Hannan is a managing director at NetSPI. He leads the company's consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Nabil has over 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pentesting, secure code review and vulnerability remediation.