Friday, May 29, 2015

“We’re all doomed.” -Gizmodo

The list of 2014’s most popular passwords -- go ahead and replace “most popular passwords” with “worst passwords on the planet” -- is pretty alarming. Gizmodo really said it best, but we feel like we should take this opportunity almost midway through 2015 to remind everyone that passwords are important. More important than remembering your mom’s birthday.

No, you are definitely not the only one who thought “letmein” was going to cut it.
Let’s start with the list in all its glory. Here it is from SplashData -- the most popular passwords from 2014:
  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. 123456789
  7. 1234
  8. baseball
  9. dragon
  10. football
  11. 1234567
  12. monkey
  13. letmein
  14. abc123
  15. 111111
  16. mustang
  17. access
  18. shadow
  19. master
  20. michael
  21. superman
  22. 696969
  23. 123123
  24. batman
  25. trustno1
Feeling a little less creative about your current password? Shocked that “michael” (#20) really must be the most popular name on the planet? Or maybe you are feeling oddly secure after reading the list because you have been using your cat’s name combined with your birthday? Sorry, that isn’t any better.

It’s time to get your life together.
Listen to this newsbit from CNN Money, published one year ago: Hackers have exposed the personal information of 110 million Americans -- roughly half of the nation's adults -- in the last 12 months alone. Yikes.

So get your passwords up to speed. Create and use strong passwords or pass-phrases that contain a mixture of upper and lower case letters, at least one number, and at least one symbol/special character. And please, PLEASE don't use the same password/pass-phrase for all of your accounts and logins. We are begging you.

Other ways to secure your stuff:
  • Use two factor authentication (Gmail user? Learn how to turn it on right now)
  • Use -- and regularly update -- anti-virus, malware, and spyware software
  • Never provide personal or financial information in response to an email, even if it appears legitimate
  • Do not click on links or download attachments in email messages you receive from people you do not know or content that seems suspicious
  • Use unique passwords for all accounts. Your personal email password should not be the key to unlocking your bank account!
  • Let’s do that last bullet one more time: Use unique passwords for ALL of your accounts.
Want more? Check out our Office of Information Security online for additional tips and how-tos.

Debbi Blyth: Chief Information Security Officer. Colorado native (almost!), beach lover, deep sea diver, Sunday school teacher. I'm the queen of keeping Colorado safe online. Find me on Twitter at @debbiblyth.

Thursday, May 21, 2015

From the IT shadows

Today’s guest blog comes from Brandon Williams, Director of Google Operations for the Governor’s Office of Information Technology. Brandon is responsible for supporting nearly 30,000 Colorado state employees using Google Apps for Government.

I recently wrote about fostering real government innovation in CIOReview — including the need to bring Shadow IT out of the shadows. I urged you to identify, and then embed, Shadow IT within your teams, and to shine the light on them…and give them air. Shadow IT will surprise and shock you when allowed to play, and you will learn from them.

In that article, I mentioned that Shadow IT are the “ones that make your security team shake like lab rats.” No doubt, they can bring security challenges. Here at the State of Colorado, however, Google Apps for Government gives us the freedom and tools we need to encourage them to explore, while simultaneously providing a secure environment for them in which to innovate.

One example of how we get at this balance surfaced after we used our Google control panel to run a report that identified all of the third party apps installed using our state accounts. We found 1,800 third party apps “in play.”

When we took a look at this, our first reaction was to shut down access. Then we paused, took a deep breath, and asked ourselves what were we really looking at? Threats? No. We were looking at our users giving us a report card. They liked for these apps to solve challenges. Challenges we had failed to see, anticipate and provide answers for yet. It was a report card.

As a result of the report, we decided to formalize Shadow IT — identifying and organizing them to help improve idea-sharing through the enterprise.

To learn more about how we did this with our Shadow IT, and the benefits realized because of this decision, check out my panel presentation on June 2 for #Atmosphere15 — Google for Work's largest digital event. This unique social experience explores creative ways to innovate and work together, and features speakers who’ve disrupted industries and inspired global change. Learn more and register for free here to take part — and to learn more about our Shadow IT revolution at the State of Colorado.

Brandon Williams
Director of Google Operations, OIT
On Twitter @bwwilliams
Brandon with the Google Atmosphere team at OIT headquarters

Tuesday, May 12, 2015

Security is never done

Cyber attacks have been all over the news recently, with aggressive attacks on businesses, governments and personal information. The year 2014 — the quote-unquote Year of the Data Breach — proved to us that no enterprise, regardless of the size of security investment, is immune to attack. Attackers’ weapons are changing daily, technology is advancing exponentially, and businesses are evolving constantly — requiring rapid response and preventative tools to detect and thwart the increasingly sophisticated level of cyber attacks.

So what is the State of Colorado doing to stay on top of this?
Secure Colorado is a multi-year phased plan focusing on the 20 Critical Security Controls and other security improvements to reduce risk across the state. The plan is based on a layered security approach, and Colorado is one of only two states to have demonstrated a “solid and robust” understanding of the importance of integrating cyber security in their strategic IT plans.

What have we done so far?
The first two years of Secure Colorado focused on:
  • Alignment of the team to proactively address security and manage risk
  • Establishment of a risk and audit committee to perform risk assessments, track risks, and manage security in a consistent manner across all agencies
  • Remediation of audit findings
  • Implementation of the “first five” critical security controls resulting in an inventory of connected devices and deployed software, as well as an estimated 75 percent reduction in malware events
  • Establishment of metrics
  • Implementation of next generation firewall technology for better filtering for individual agency needs and to provide increased visibility and automated prevention for advanced threats
  • Creation of a SECURE system development life cycle (S-SDLC) for application code reviews at appropriate times in the implementation and change process
What’s next?
As a progressive and innovative state, our security team continues to evolve and embrace new technologies. Coloradans are demanding mobile applications, social media interaction and other new ways of interacting with state government — and we have to include security in these innovations from the very beginning in order to stay ahead of attacks.

Here’s what we have coming up with Secure Colorado:
  • Continuing to implement detective and preventative tools
  • Training teams to respond quickly to contain ANY type of event
  • Implementing and refining tools to filter security events through intelligence information — so that we can more quickly identify targeted attacks
  • Creating the next iteration of Secure Colorado to ensure that the state continues to improve security
Each of the 20 Critical Security Controls includes multiple sub-controls: 182 total sub-controls, with 75 “quick wins.” The quick wins for each of the 20 controls will all be implemented by July 2016, and additional sub-controls will be prioritized for implementation based upon risks/threats, evolving technology/business strategy, cost, and other factors.

Want to know more about Secure Colorado?
Join me and Rick Howard, Chief Security Officer for Palo Alto Networks, for a free webinar — A Safer Colorado through Security Excellence — Thursday, May 21, at 12 noon MDT.

Debbi Blyth: Chief Information Security Officer. Colorado native (almost!), beach lover, deep sea diver, Sunday school teacher. I'm the queen of keeping Colorado safe online. Find me on Twitter at @debbiblyth.

Wednesday, May 6, 2015

We are OIT, and we love tech.

This week is Public Service Recognition Week, and with this celebration of amazing public sector employees we are kicking off our brand-spanking-new blog -- #StateofCO IT.

Who are we?

We are are the Governor’s Office of Information Technology (“OIT” for short), and we collaborate to provide day-to-day digital support and present smart solutions that transform government through IT. We love this incredible state, and we strive to impact the lives of all Coloradans to create a safer, happier and healthier place of residence.

Who you’ll hear from: The blog writers.

Suma Nallapati: Colorado Secretary of Technology and Chief Information Officer. Colorado lover, business owner, mom, nuclear physics junkie. She’s the boss.
Brenda Berlin: Deputy CIO and Chief Financial Officer. Disneyland aficionado, coat checker, valet (except after an accident), volunteer. She keeps everyone in line and holds the purse strings.
Debbi Blyth: Chief Information Security Officer. Colorado native (almost!), beach lover, deep sea diver, Sunday school teacher. She’s the queen of keeping Colorado safe online.
David McCurdy: Chief Technology Officer. Honey bee keeper, 3D printer enthusiast, dad, football superfan. He’s the tech junkie.
Monica Coughlin: Chief Strategy Officer. Sports enthusiast, volunteer, proud aunt, world traveler. She tells the IT industry why Colorado is the place to be.
William Chumley: Chief Customer Officer. Weekend color guard judge, computer science study, traveler, bookworm. He lives, breathes and sleeps for the customer.
Tauna Lockhart: Chief Communications Officer. Painter extraordinaire, ex-news producer, puppy wrangler. She’s the woman with the answers.
What we want to share with you.
We have a voice, and we want to connect with you. Government tech is evolving and innovating every day, and we want you to know how the State of Colorado is adapting and building a better state for you -- our customers and Colorado residents.

We’ll be blogging once a week on govtech, security tips, tech trends, nerd out moments, things our customers need, and what the Governor thinks. Yep, Governor John Hickenlooper. Really.

How to join the conversation.

We want to hear from you on topics, questions, comments, your favorite tech toy, and more. You will be able to comment on our blog posts and -- as long as you follow our straightforward (we think!) commenting policy -- it will be published within 24 hours.

You can also email us directly at Or, for the traditional folks out there, snail mail us at OIT Blog Editor, Communications Team, 601 E. 18th Ave., Ste. 250, Denver, CO 80203. We love talking; so don’t hesitate to reach out.

Get ready. We’re excited!