TWO-FACTOR AUTHENTICATION IN 2 WEEKS
HHS’ open-source authentication solution protects users who connect to GrantSolutions.gov — and is poised to do even more
In the cybersecurity sprint that followed the Office of Personnel Management data breaches last year, civilian agencies across the government increased their use of personal identity verification cards to 83 percent. However, that ini- tiative did not address how authorized users who did not have a PIV card could securely access government data.
At the Department of Health and Human Services, tens of thousands of grantees worldwide were checking the status of their government grants
by signing into the GrantSolutions.
gov website with just a username and password. Determined to come up with a more secure yet cost-effective solu- tion, Director of Application Develop- ment Paul Hasz and his team built an open-source two-factor authentication solution that protects public- and private-sector grantees and the numer- ous financial systems that connect to GrantSolutions.gov.
The solution works by first asking
for the user’s registered username and password. It then generates a one-time, unique code that it delivers to the user via a smartphone authentication app, text message or voice message — a definite improvement over the previous
login process, according to Hasz. What he said is most innovative about the solution, however, is the
way existing components and code developed in-house were combined
to create a solution. And it’s one that other government websites can use as well. By providing design documents, code and help files, the team can assist other agencies in deploying a two-factor authentication solution in as little as two weeks without incurring significant cost.
In fact, the entire package has al- ready been provided to three additional government partners, two of which are already in production.
that we defined our rules and restrictions down to a T,” said Lisa Wiswell, the Defense Digital Service’s digital secu- rity lead. “You have to make sure that you tell folks what they can do and, almost even more importantly, what they cannot do.”
DOD is now working on a permanent bug-bounty pro- gram and issued a request for proposals in August. Other agencies, meanwhile, are looking to the Defense Digital Service for advice on develop- ing programs of their own.
— Troy K. Schneider
How LA corralled its security data
Los Angeles’ Integrated Security Operations
Center consolidates all departmental cybersecurity into one central system
The IT staff for the city of Los Angeles manages systems and network traffic for more than
37 departments, which have 35,000 full-time employees and more than 120,000 networked devices. Collecting and correlating security data from all the city’s depart- ments was a challenging and labor-intensive activity — and one that often delivered inac- curate results.
“If an inconsistency or potential security breach was found, the protocol in place required pulling security logs from each individual depart- ment, reviewing and analyz- ing the disparate reports and then correlating the data manually with multiple secu- rity tools,” said Timothy Lee, the city’s chief information security officer. “This was a time-consuming process that resulted in slow resolution and errors.”
This past spring, the city realized how dire the situ- ation was after it recorded more than 135 million attacks in April and a 200 percent increase in cyberattacks over
the previous year.
“This is when we realized
the enormity of the threat, its growing nature and how this project was direly needed,” Lee said.
The resulting project — the Integrated Security Opera- tions Center — is a central- ized system that is monitored round-the-clock. It provides real-time cybersecurity situ- ational awareness across all city departments and enables information sharing with the FBI and other states through the Multi-State Information Sharing and Analysis Center (MS-ISAC).
The system has three pri- mary elements:
• A Cybersecurity Posture Dashboard that provides stakeholders with a graphic representation of the city’s cybersecurity status.
• A Cyber Alert Indicator that displays malicious activity
on the city’s network in real time.
• A Threat Intelligence Portal
— Suzette Lohmeyer
GCN OCTOBER/NOVEMBER 2016 • GCN.COM 43