Free cybersecurity tools for state, local governments

Cybersecurity tools are available for free to many local governments – they just need to know to ask for them, a panel of experts said during a webinar hosted by the National Association of Counties.

“One of the challenges I have found over the past few years is knowing what resources we should be taking advantage of and being able to differentiate between one organization that provides a resource and another,” NACO CIO Rita Reynolds said during the Jan. 26 event titled “Advanced Security Resources Available for Local Government Through the Center for Internet Security.”

One tool that is available free to all state, local, tribal and territorial government members of the Center for Internet Security’s (CIS) Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) is a malicious domain blocking and reporting (MDBR) service. CIS works to provide that through a partnership with the federal Cybersecurity and Infrastructure Security Agency and Akamai.

MDBR acts as an agency’s domain name service (DNS) and prevents endpoints and systems from connecting to malicious domains.

“It prevents malicious traffic by blocking it and not allowing it to resolve,” said Eugene Kipniss, director of partnerships and stakeholder maturity at MS-ISAC. “Every lookup that is attempted from your organization from everyone that uses your DNS centrally, that’s going to be compared against a list of known bad domains. It’s going to be checked for levels of suspiciousness.”

More than 4,000 state and local MS-ISAC members are enrolled in the MDBR program, and it has blocked 3 billion DNS requests out of 592 billion total requests since 2020 – 0.5% of all traffic routed through it, Kipniss said.

Although that sounds low, “consider how many pieces of digital touch you have across your organization, how many people and end users, how many programs are going to be beaconing out and leveraging DNS whether it’s for web browsing or for other applications and processes and needs,” he said. “If you think about the mass quantity, the sheer volume of interaction that our computing systems have with DNS, half a percent being bad is scary. It’s that half a percent that can cause you to work overtime a week trying to fix a problem.”

Of the blocked requests, 65% were known malware domains, 22% were related to malicious command and control and 5% were related to phishing.

To set it up, government agencies must replace their DNS with Akamai’s DNS server, which runs MDBR. It can be installed in less than 15 minutes, added Kathryn Boockvar, CIS’s vice president of election operations.

Another tool is endpoint detection and response (EDR), which is software that collects data from workstations and servers – the endpoints – and transmits it to a server for analysis of suspicious threats. If it finds one, the affected machine is isolated until someone can review and remediate the problem.

The federal government has provided free EDR licenses for anything that touches local elections work. “Your entire election office -- every computer that you have -- could get this for free,” Boockvar said, adding that officials can use it beyond elections-related applications for a fee of $60 per endpoint per year.

For EDR, CIS partnered with CrowdStrike in November 2021 to provide fully managed CIS Endpoint Security Services (ESS). Tailored to state, local, territorial and tribal entities, it includes more than 12,000 MS-ISAC members with more than 14 million endpoints in total.

ESS involves five modules that use the CrowdStrike Falcon platform and run through CIS’s security operations center (SOC). One is a next-generation anti-virus module that can monitor malicious threats using known signatures and behaviors that indicate a threat. It couples with the second module to automatically quarantine a potentially problematic machine. Within 10 minutes of detection, SOC analysts can rule out false positives and alert the appropriate party at the affected agency.

The third module lets agencies ask the SOC to run an asset and application inventory and monitor user access to watch for rogue devices on the network. The SOC provides a report about what machines and applications are running, what versions they're using and whether anything seems suspicious.

The fourth module involves USB device control so that agencies know about every USB plugged into their network and lets them set rules, for example, such as blocking all but a certain kind of USB from accessing their networks.

Last is firewall management, which lets agencies push rule updates out to any live device, whether it’s connected to the cloud or an on-premise location.

“The days of having a firewall and an [anti-virus] are over,” said Jamie Ward, cybersecurity solutions manager at MS-ISAC and mayor of Mayfield, N.Y. “The threats are more and more complex and that’s where the features of this endpoint security service, better known as EDR, are really shining.”

Additionally, this spring, CIS will launch a peer-to-peer collaboration portal for MS-ISAC and EI-ISAC members that will allow for listserv capabilities and file sharing to facilitate cross-jurisdictional communication. It is also readying the “Essential Guide to Election Security” in paper and electronic formats, with a plan to continuously update the digital version.

“It is one of the NACO priorities on cybersecurity that all counties join both MS-ISAC and EI-ISAC,” so they can take advantage of these resources, Reynolds said.

Stephanie Kanowitz is a freelance writer based in northern Virginia.