January/February 2017

 

Know how to reset your network password and avoid lockouts

Frustrated when you get locked out of a network account because you have forgotten a password or failed to update it on time?

The solution lies in registering for Self-Service Password Reset (SSPR) -- a web application that enables users to change their own passwords in a secure fashion. Users no longer need to call the IOT Help Desk for password changes and can change their own network passwords any time on any device with internet connectivity.

All state employees using the network are asked to register at the Self-Service Password Management website at https://password.in.gov/.

The site walks you through several quick and easy steps to get registered and provides links enabling you to reset network passwords and unlock network accounts.

If you experience any issues using Self-Service Password Management, please contact the IOT Helpdesk at 317-234-HELP (4357).


GovDelivery (Granicus) 2016 usage

GovDelivery, recently purchased by Granicus, is the state's enterprise bulk email provider. Though the company was purchased, the product the state owns will still be called the GovDelivery Communications Cloud and the GovDelivery Network.

Agencies utilizing GovDelivery sent a record number of messages last year to a record number of subscribers. 

In total, more than 12,000 emails were sent from GovDelivery to more than 42 million recipients. Both of those numbers are significantly higher than in 2015, when fewer than 10,000 emails were sent to approximately 35 million recipients.

The 26 agencies participating in the GovDelivery Network saw significant organic subscriber growth. In total, 48.6% of all new subscribers came via the GovDelivery Network. The Network uses a feature similar to the suggestions on Amazon: "Customers Who Bought This Item Also Bought." When a user subscribes to a topic, he or she is presented with suggested topics that are similar.

The Network includes all of the Indiana accounts, but also all the other states that utilize the GovDelivery Network and the federal government. This reach exposes each Network account to hundreds of users that never have to visit the agency website.

The GovDelivery Network also gives each agency total control of its account: no more shared photo folders, and templates will not get mixed up with another agency's. Network accounts can also be tied to Facebook, Twitter or SMS, so when a bulletin is distributed, a message can automatically be posted to those platforms. If your agency is interested in joining the GovDelivery Network for a $1,000 yearly cost, contact Ted Cotterill.

Below is a chart indicating where new subscribers have come for the Indiana Housing and Community Development Authority over the past 12 months.

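[Chart: sources of new subscribers for the Indiana Housing and Community Development Authority over the past 12 months]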


Message from the State's Chief Information Security Officer

The past couple of weeks the State of Indiana workforce has been targeted by multiple phishing scams. It's really nothing new, we've long been a target. It does, however, seem like the intensity has been ratcheted up a couple of notches. Such attacks seem to come in cycles so the likelihood of additional attacks in the near term is high.

The attacks have had good news/bad news results. The good news is that the vast majority of state workers recognized the scams for what they were. The bad news is that a few fell prey. These failures exposed the state to some potentially serious negative consequences. Please review the recent examples below for information that will help you identify similar scams in the future.

It used to be that scammers focused the majority of their efforts during the holidays (e.g., FedEx and UPS package deliveries) and tax season (e.g., threatening messages from the IRS). Unfortunately, the methods they use today can be effective at any time. Recent attacks have used trusted companies (Cisco, Microsoft) and support functions (IT support, Email support, etc.) to get their foot into our door.

We need you to be ready when the next attack comes. Our protections do a good job. For every attempt that gets through to you, hundreds of others have been stopped. Unfortunately, our opponents are persistent. They know the common defenses used and eventually design a scheme to get around them. When they are successful, you must recognize the deception. Please remain skeptical of each message or phone call you receive. Scrutinize messages for who they come from and determine whether that person/company should be asking for or doing what they are doing.

Thank you for your good work and remain vigilant over the coming weeks.

Tad Stahl, Chief Information Security Officer 


IN.gov Analytics

Last year, IN.gov switched its website analytics provider to Siteimprove. It is an easy-to-use tool for quickly understanding the basics of website traffic. Of course, if you are interested in a deeper dive into analytics, you can do that too.

[Image: Siteimprove. IN.gov portal stats from Jan. 1, 2017 through Feb. 27, 2017.]

For the whole IN.gov portal, over the past calendar year there have been more than 53 million visitors. Of those visitors, an average of 41 percent came from a mobile device or tablet. In total, more than 182 million pages were viewed. 

A large majority of all website traffic, 65%, comes from either search or social media. Direct traffic, where the site is either bookmarked or the user types the address, accounts for only 35% of IN.gov visits.

Where else is traffic coming from? GovDelivery accounted for nearly 500,000 conversions and Facebook exceeded 700,000. 

What do people do once they get to the website? In the past calendar year, there have been 6,292,731 searches on the website. The top three search terms are jobs, BMV and license. Citizens also use the FAQs. More than 650 times each day, a link is clicked on one of the agency FAQs.


Be an Email Detective

Security Mentor is a service provided by IOT that helps prepare state employees to deal with cyber threats. Currently, more than 70 agencies take advantage of this training.

Here are some notes from the most recent Security Mentor training session on checking to make sure an email is legitimate.

Observe: 
1) Do you know the sender?
2) Did you expect the email?
3) Did you expect an attachment?

Investigate:
1) Is the From address an alias? What’s the sender’s address?
2) Are there many or strange typos, or wording that doesn’t make sense?
3) Does the email warn that something bad will happen or promise gifts?
4) Where do the message links go? Is it a safe website?

Deduce:
1) Are there danger signs?
2) Do you need to read it?
3) Any doubts, report it to your IT Department or the IOT Help Desk.
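
Three of the "Investigate" questions (the From alias, alarming wording, and where links really go) can also be checked mechanically, for example when a help desk triages a reported message. The Python below is an added example, not part of the Security Mentor training or any IOT tool; the sample message, the `agency.example` trusted domain and the keyword list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message; every name and domain is made up.
SAMPLE = """\
From: "IOT Help Desk" <support@helpdesk-support.test>
Subject: URGENT: your mailbox will be suspended

<p>Verify your account now:
<a href="http://login.helpdesk-support.test/verify">https://password.agency.example/</a></p>
"""
TRUSTED = {"agency.example"}  # assumption: domains the organization really sends from
PRESSURE = re.compile(r"urgent|suspend|expire|winner|gift", re.I)  # assumed keyword list

class LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def investigate(raw):
    """Return findings for three of the 'Investigate' questions."""
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    host = addr.rpartition("@")[2].lower()
    if name and not any(host == d or host.endswith("." + d) for d in TRUSTED):
        findings.append(f"alias: '{name}' is really {addr}")
    if PRESSURE.search(msg.get("Subject", "")):
        findings.append("pressure: subject warns or promises")
    parser = LinkParser()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        shown, actual = urlparse(text).hostname, urlparse(href).hostname
        if shown and shown != actual:
            findings.append(f"link: shows {shown} but goes to {actual}")
    return findings
```

An empty result only means none of these three signs was found; the remaining questions on the list still need a human reader.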