Q and A With Jerry Gamblin: May 2011
Jerry Gamblin, security specialist with the Missouri House of Representatives, talks about the biggest online threats to legislative users.
State Legislatures: What do you see as the biggest security risks for the legislative institution?
Jerry Gamblin: The smartphone. Five years ago, only a few people had a phone with email, now, most people have one with a calendar, contacts and email, and they’re connecting these devices to the legislative network and are carrying a ton of constituent information in their pockets.
SL: What are the biggest security risks for individuals?
Gamblin: Twitter and Facebook accounts. Social media is becoming an integral part of our legislators’ constituent outreach.
SL: What are the most common security questions you hear?
Gamblin: They ask “How did I get this virus? I only went to my usual websites, and I got a popup that said I had a virus.” These popups are from ads embedded in sites, even in well-known newspaper sites, and it happens even if you are running the best anti-virus software. The popups say “click here to get rid of these security risks,” then they charge you $25, and maybe they’ll remove their software, but now they have your credit card information. No one can keep up with all the malware, and you need to call in a professional to fix the problem.
SL: What other types of threats do you see?
Gamblin: Lots of attempts on our network—1,200 to 2,000 intrusion attempts per day. But these are not generally attempts focused on hacking our network per se; many are just running automated tools that look for anyone running a particular version of a software package.
SL: Is spoofing a problem in the legislature?
Gamblin: It is a big deal. Our users don’t care if they get their own spoofed emails, but they don’t want spam going out to constituents from “Your Rep. John Doe.” There’s not much we can do about it. We can implement Sender Policy Framework and try a couple of other things, but it’s not totally successful. Email address security is antiquated—it’s like a postcard. I can send a postcard and say it’s from you, even if you watched me sign your name to it.
SL: What security practices do you have in place that users complain about most?
Gamblin: Having to change passwords. In our environment, computer users pick their own passwords. They don’t like having to change them but we want them to be safe. So we make them change their passwords and we try to impart how important it is to have a different password for your legislative systems, social media sites and personal finance. The worst thing you can do is have the same password across multiple sites.
SL: Any final thoughts?
Gamblin: Security is everyone’s business. You’re just as responsible for security as your IT person. You have a link in the security chain and you can blow it up pretty quickly.