IT disaster recovery procedures

Regular testing, auditing, and rehearsal of your disaster recovery plans are essential to make sure that they do work, and can be progressively refined to cope with any changes in your work requirements.

A common problem is where the backup portion of the plan is tested, but not the restoration process. Only during an actual disaster are problems with the restoration process discovered.

Departmental managers should budget for staff time and expenses to perform regular full rehearsals of the disaster recovery plan.

Internet Usage Guidelines

Organization may provides Internet access primarily to enable the conduct of IT and administrative activities in support of the organisation’s operations. The following guidelines for Internet usage should be noted:

Access to Internet resources from on – campus organisation facilities must be made using Internet access arranged or approved by CEO/HOD

When using the Internet from the Organisation network, you are presenting yourself as a representative of the organisation and should conduct yourself in accordance with all aspects of organization Policies.

Users must not download material from the Internet that is subject to copyright or other intellectual property right protections unless the material is governed by fair use principles or express permission to do so is granted by the material owner Users are encouraged to verify the authenticity and accuracy of materials sent via the Internet, and to use good judgment when deciding whether to download or open materials from people they do not know and organizations they did not contact.

Physical Security

Physical controls are often viewed as involving only physical access to a facility. However, physical controls also include access to controlled areas within a facility, access to computers or other network devices, handling of laptops, and location and handling of printers. Unauthorized access to an unattended device can result in harmful or fraudulent use of the device or exposure of confidential or office – use only information stored within it or accessible through it.

Access to Organisation’s facilities should be controlled in a manner that provides security to the organisation’s community and assets while providing for the detection of perimeter breaches. Since no physical security measure will withstand all intrusions, Organisation’s facilities should always be provided with a degree of physical protection commensurate with the value of the assets in, around, or accessible from that facility. Users should protect their workstations in a manner that precludes unauthorized access to organisation’s information resources. This would include logging out of computers when left unattended or invoking a password protected screen saver to deter unauthorized use. Encryption of files that contain protected information should be considered for the storage of protected information.

Laptop computers require special consideration in addition to those regarding general purpose desktop computers. When not in use the laptop should be stored in a locked cabinet or desk drawer, or otherwise secured with some type of physical locking device. When traveling, maintain physical control of the system at all times, and consider the use of removable media for storage of protected Information while on travel.

Note that all organisation’s facilities must also adhere to all local, state and national electrical, fire, and other appropriate codes and insurance requirements.



Network User Names and Passwords

Passwords are the first line of defense for the protection of AU information system resources. Using good passwords will help reduce the possibility of unauthorized access and abuse of information.

Below are some simple suggestions to assist with proper password management:

  • Immediately change your password if it has been disclosed
  • Protect all software and files containing formulas and algorithms used for the generation of passwords
  • Never use your login name in any form as a password – either as – is, reversed, capitalized, doubled, etc.
  • Avoid personal names as passwords – yours, your spouse, children, etc.
  • Avoid using personal information as passwords that could readily be obtained or guessed – this could include license plate numbers, pet names, telephone numbers, social security numbers, the brand of your automobile, zip code, the name of the street you live on, etc.
  • Avoid a password using several repeating digits or letters
  • Avoid using words unless combined with numbers or punctuation marks
  • Configure devices with separate accounts for privileged and unprivileged access, where possible, then, authenticate with an unprivileged account rather than a privileged account, switching to the privileged account only when and or as long as necessary while logging all activity. Note that password changes on all centrally – managed systems are synchronized so that one change updates all systems with the same password.

Cybersecurity Guideline – Malware

What it is

Malware is malicious software or software designed to perform malicious actions on a device. It can be introduced to a system in various forms, such as emails or malicious websites. Additionally, various kinds of malware have distinct capabilities dependent on their intended purpose, such as disclosing confidential information, altering data in a system, providing remote access to a system, issuing commands to a system, or destroying files or systems. The most prolific types of malware currently include:

  • Spyware is malware that records keystrokes, listens in via computer microphones, accesses webcams, or takes screenshots and sends the information to a malicious actor. This type may give actors access to usernames, passwords, any other sensitive information entered using the keyboard or visible on the monitor, and potentially information viewable through the webcam. Keyloggers, which mainly record keystrokes, are the most common type of spyware and ZeuS, the most famous keylogger, has been on the SCS’s Top 10 Malware list for several years.
  • Trojans (a.k.a. Trojan Horses) are malware that appears to be a legitimate application or software that can be installed. Trojans can provide a backdoor to an attacker and subsequently full access to the device, allowing the attacker to steal banking and sensitive information, or download additional malware, like Emotet.
  • Ransomware is malware that that blocks access to a system, device, or file until a ransom is paid. Malicious actors use ransomware to either encrypt files (crypto ransomware), erase files (wiper ransomware), or lock systems (locker ransomware) on an infected system or device. Ransomware holds infected systems or files hostage until the victim pays the ransom demand. However, paying the ransom does not guarantee that access to the files will be restored.
  • Click Fraud is malware that generates fake automatic clicks to ad-laden websites. These ads create revenue when clicked on. The more clicks, the more revenue that is generated. Kovter, one of the more prolific versions of click fraud, has been on the SCS’s Top 10 Malware list for the past year.
  • Cryptocurrency mining malware (a.k.a. cryptojacking) is malware that primarily utilizes a compromised system’s resources in order to generate cryptocurrency revenue such as Bitcoin, Litecoin, Ether, or Monero. Cryptocurrency mining malware, like Coinminer, have increased in use over the past year to become one of the more prolific malware variants.

Why does it matter

Election systems and networks running vulnerable services are likely to be impacted by malware, as it is among the most common malicious activity observed. Malware infections can affect the confidentiality, integrity and availability (CIA) of the data in election systems and networks. Certain types of malware, such as spyware, click fraud, and cryptocurrency miners continually run in the background and are likely to drain system resources and slow down all affected systems, reducing the lifespan of systems. Furthermore, spyware, trojans, and ransomware have the ability to exfiltrate sensitive data such as user credentials or voter information. Ransomware may also block access to the infected system rendering it useless until it is remediated or the ransom is paid and the applicable decryption keys provided.

In addition to direct impacts, IP addresses or email addresses associated with an infected system may be placed on a blacklist if the malware is trying to connect to other systems. Blacklists are reputation-based lists that cybersecurity professionals use to prevent connectivity with malicious IP and email addresses. Being on a blacklist means that electronic traffic, including emails from and legitimate traffic to and from an election office may be blocked.

What you can do

Election officials should ensure their organization routinely patches all systems and maintains up-to-date anti-malware protection, like antivirus and firewalls, as these will mitigate most malware. Additionally, officials should work with their technical staff to ensure their organization maintains up-to-date data backups, which are stored offline, regularly tested for completeness, and provide the ability to reinstall in the event of an infection.

Officials should consult with their technical staff to receive periodic briefs on the types of malware discovered on the network and their associated impacts. Election officials can then work to make sure their Business Continuity Plans (BCP) cover potential malware scenarios and to conduct various table top exercises for those situations. Furthermore, review the SCS’s monthly Top 10 Malware blog for up-to-date information on malware trends to incorporate into the BCP and table top exercises.

Lastly, election offices should prioritize training to help employees recognize malicious emails, as they are one of the most popular vectors of spreading malware. Training should emphasize that employees not open suspicious emails, click links contained in such emails, post sensitive information online, and never provide usernames, passwords, or personal information to any unsolicited request. After training employees, conduct organized phishing exercises to test and reinforce the concepts using services such as those provided by CIS or through DHS’s Phishing Campaign Assessment.