46 Labs


Best Practices for Securing Election Systems

Your Trusted Partner in Election Cyber Security - 46 Labs

By adhering to cybersecurity best practices, election organizations—including state, local, tribal, and territorial (SLTT) governments—can improve the security of their election systems. The Cybersecurity and Infrastructure Security Agency (CISA) developed the best practices in this tip from lessons learned through engagements with SLTT governments, election stakeholders, and others. Organizations can implement these best practices, which harden enterprise networks and strengthen election infrastructure, at little or no cost. CISA's election systems best practices cover the following topics:


Software and Patch Management

Implementing an enterprise-wide software and patch management program reduces the likelihood of an organization experiencing significant cybersecurity incidents. A software and patch management program includes the establishment of an enterprise-wide inventory list, which provides an organization with greater insight into the software running on its networks and associated vulnerabilities. The organization can then use the inventory list to help identify and mitigate the risks to its election-related information technology (IT) infrastructure. Mitigations often include implementing application allowlisting, a best practice. (See Implementing Application Allowlisting.)

CISA has observed a correlation between the absence of a patch management program and the partial or complete compromise of an enterprise network due to the presence of commodity malware. Commodity malware is widely available, has minimal or no customization, and is used by a wide range of threat actors. A partial or complete compromise could lead to additional impacts, including ransomware infection and the theft of sensitive data, which may include personally identifiable information.

Failure to deploy patches in a timely manner can make an organization a target of opportunity, even for less sophisticated actors, increasing the risk of compromise. If an enterprise-wide patch management solution is too costly, an organization should consider enabling automatic updates. CISA recommends organizations subscribe to the National Cybersecurity Awareness System for alerts about security updates, threats, and vulnerabilities. This will assist organizations in maintaining situational awareness of critical vulnerabilities present in software widely used throughout their enterprise environments. It is vital to act quickly to apply patches, especially if there is an associated vulnerability being exploited.


Log Management

Retaining and adequately securing logs from both network devices and local hosts supports triage and remediation of cybersecurity events. An organization can analyze the logs to determine the impact of cybersecurity events and ascertain whether an incident has occurred.


Centralized Log Management

Organizations should set up centralized log management:

  • Forward logs from local hosts to a centralized log management server—often referred to as a security information and event management (SIEM) tool. CISA has observed threat actors attempting to delete local logs to remove on-site evidence of their activities. By sending logs to a SIEM tool, an organization can reduce the likelihood of malicious log deletion.
  • Correlate logs from both network and host security devices. By reviewing logs from multiple sources, an organization can better triage an individual event and determine its impact to the organization as a whole.
  • Review both centralized and local log management policies to maximize efficiency and retain historical data. CISA recommends that organizations retain critical logs for a minimum of one year, if possible.


Update PowerShell and Enable Advanced Logging

In addition to setting up centralized logging, organizations should ensure that instances of PowerShell are logging activity. PowerShell is a cross-platform command-line shell and scripting language that is a component of Microsoft Windows. CISA has observed threat actors, including advanced persistent threat (APT) actors, using PowerShell to hide their malicious activities.

  • Update PowerShell instances to version 5.0 or later and uninstall all earlier PowerShell versions. Logs from PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities.
  • Ensure PowerShell 5.0 instances have module, script block, and transcription logging enabled.
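The following is an added example, not code from the CISA tip: it audits the PowerShell version on a single Windows host and enables module, script block, and transcription logging by writing the policy registry values that the corresponding Group Policy settings set. It assumes an elevated prompt and a transcript directory of C:\PSTranscripts (an assumed path; a write-only network share is the better choice in production).

```powershell
# Added example: enable the three PowerShell logging features on a local host.
# Fleet-wide, push the same values by GPO; these are the keys GPO writes.
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumed path; prefer a write-only share

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $Path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Version check. Logging below only exists on 5.0+, and the 2.0 engine should
#    be removed so a session cannot be started on an engine that does not log.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    Write-Warning "PowerShell $($PSVersionTable.PSVersion) is too old; install WMF 5.1 or later."
}
$V2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($V2 -and $V2.State -eq 'Enabled') {
    Write-Warning 'PowerShell 2.0 engine is still installed; remove it with:'
    Write-Warning '  Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root'
}

# 2. Module logging (event ID 4103): pipeline execution details for every module.
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# 3. Script block logging (event ID 4104): the de-obfuscated code that actually ran.
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# 4. Transcription: full session transcripts with per-command invocation headers.
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'

# 5. Verify from a new session: 4103/4104 events should now appear in the
#    Operational log, which is the log to forward to the SIEM.
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object Id -in 4103, 4104 |
    Select-Object TimeCreated, Id,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
```

The policy values take effect for sessions started after they are written, so run the verification step from a fresh PowerShell window.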


Network Segmentation

Organizations can limit the impact of a cybersecurity incident by enforcing network segmentation. Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders in the event they gain a foothold somewhere inside the network. (See Securing Network Infrastructure Devices.) During on-site engagements, CISA has observed organizations without effective network segmentation suffer commodity malware compromises of all Windows hosts in their environments.

Organizations should define their distinct organizational components (e.g., human resources, IT administration, demilitarized zone, elections) and create a separate Virtual Local Area Network (VLAN) for each component. Alternatively, if feasible, organizations should implement physical network segmentation for each component. CISA recommends that organizations restrict traffic between VLANs following the principle of least privilege. See below for additional guidance for protecting elections-specific VLANs.


Segment Elections-Related Hosts from the General User Network

  • Use dedicated servers and workstations for elections-related tasks. Organizations should never allow workstations with elections-related roles—such as submitting election results to a reporting server—to be used for general purpose computing, such as browsing the internet. Organizations should ensure up-to-date patching of workstations and servers dedicated to elections-related tasks.
  • Follow the principle of least privilege. Organizations should only allow elections-related VLANs to communicate with machines unrelated to elections on an as-needed basis. Other network traffic should be explicitly denied (e.g., by using a DENY/DENY ruleset).
  • Apply the appropriate technical controls (e.g., implement Group Policy Object [GPO] and firewall rules) to restrict general internet browsing from elections-related workstations and servers.


Block Suspicious Activity

Many organizations set their security devices to alert on suspicious activity instead of blocking it. When an organization does not block suspicious activity by default, it increases the likelihood of adverse events that allow an adversary to compromise IT resources. Organizations should follow best practices in disabling network protocols known to spread malware, such as Server Message Block version 1 (SMB v1).


Prevent Malware and Malicious Traffic

Organizations should perform the following actions to block malicious traffic and malware:

  • Enable security features. Many network appliances, cloud services, and security software (e.g., host intrusion prevention systems) have features—not enabled by default—that block malicious traffic. CISA recommends that organizations enable these features. Note: organizations should thoroughly test changes before implementing them in production environments.
  • Scan all incoming emails for malicious attachments and links prior to delivery, and quarantine emails, as necessary.
  • Train employees to recognize phishing attempts and ensure a process exists for reporting and triaging phishing emails.
  • Block macros from running in documents throughout the enterprise. (See Who Needs to Exploit Vulnerabilities When You Have Macros? for more information.)
    • Before restricting macro-enabled documents, determine if any users need macro-enabled documents to perform their work functions. If macros are not used, disable them by GPO.
    • If blocking macro-enabled documents across an organization is too restrictive, consider alternative solutions, such as only allowing macro-enabled documents for specific users or blocking macros from running when received as email attachments from external users.
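As an added example (not part of the CISA tip), the script below applies the two macro controls described in the list above for one user on one host, using the same registry values that the Office Group Policy templates write: VBAWarnings (4 = disable all macros without notification, 3 = disable all except digitally signed) and blockcontentexecutionfrominternet (block macros in files that carry Mark-of-the-Web, which covers attachments from external senders). It assumes Office version 16.0 (Office 2016/2019/365) and a constructed $NeedsMacros flag standing in for the inventory of users who genuinely need macros.

```powershell
# Added example: per-user macro policy equivalent to the Office GPO settings.
# Assumes Office 16.0; deploy through a GPO for the whole organization.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-MacroPolicy {
    param([string]$App, [int]$VBAWarnings, [bool]$BlockInternetMacros)
    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # 4 = disable all macros without notification; 3 = allow only digitally signed macros
    New-ItemProperty -Path $Key -Name 'VBAWarnings' -Value $VBAWarnings -PropertyType DWord -Force | Out-Null
    # 1 = block macros in files from the internet zone (email attachments, downloads),
    # even for users who are otherwise allowed to run signed macros.
    New-ItemProperty -Path $Key -Name 'blockcontentexecutionfrominternet' `
        -Value ([int]$BlockInternetMacros) -PropertyType DWord -Force | Out-Null
}

function Get-MacroPolicy {
    foreach ($App in $Apps) {
        $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
        $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App               = $App
            VBAWarnings       = $p.VBAWarnings
            BlockFromInternet = $p.blockcontentexecutionfrominternet
        }
    }
}

# Constructed flag: in practice, derive this from the inventory of users who
# were found to need macro-enabled documents before the restriction was applied.
$NeedsMacros = $false
foreach ($App in $Apps) {
    if ($NeedsMacros) {
        # Less restrictive variant: signed macros only, and never from external sources.
        Set-MacroPolicy -App $App -VBAWarnings 3 -BlockInternetMacros $true
    } else {
        # Baseline for everyone else: no macros at all.
        Set-MacroPolicy -App $App -VBAWarnings 4 -BlockInternetMacros $true
    }
}
Get-MacroPolicy | Format-Table -AutoSize
```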


Disable SMB v1

In the course of recent engagements, CISA has observed threat actors using SMB v1 to spread malware across organizations. Based on this specific threat, CISA recommends organizations consider the following actions to protect their networks:

  • Disable SMB v1 internally on their network.
  • Block all versions of SMB at the network boundary by blocking Transmission Control Protocol (TCP) port 445, along with the related protocols on User Datagram Protocol (UDP) ports 137-138 and TCP port 139.
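The following added example (not from the CISA tip) shows both actions on a single Windows host: it disables SMB v1 on the server side, removes the SMB v1 component, and adds host-firewall rules for TCP 445, TCP 139, and UDP 137-138 as a local supplement to the boundary block the text describes. It assumes an elevated prompt on Windows 8.1/Server 2012 R2 or later; the firewall rule names and the 'Internet' remote-address scope are assumptions for the example, not CISA guidance.

```powershell
# Added example: disable SMBv1 on a host and verify, then add host-firewall rules
# that mirror the boundary block for SMB-related ports.
function Get-Smb1Status {
    [pscustomobject]@{
        ServerSmb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                                -ErrorAction SilentlyContinue).State
    }
}

'Before:'; Get-Smb1Status

# Server side: stop offering SMBv1 to clients immediately.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Remove the SMBv1 component (server and client) so it cannot be re-enabled
# without reinstalling it. Some builds require a reboot to finish.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# Host-level supplement to the boundary block: drop inbound SMB/NetBIOS from
# non-local sources. Rule names and scope are example values.
$SmbPorts = @(
    @{ Protocol = 'TCP'; Port = '445' },
    @{ Protocol = 'TCP'; Port = '139' },
    @{ Protocol = 'UDP'; Port = '137-138' }
)
foreach ($p in $SmbPorts) {
    $name = "Block inbound SMB $($p.Protocol)/$($p.Port) from Internet"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $p.Protocol `
            -LocalPort $p.Port -RemoteAddress 'Internet' -Action Block | Out-Null
    }
}

'After:'; Get-Smb1Status
Get-NetFirewallRule -DisplayName 'Block inbound SMB*' | Select-Object DisplayName, Enabled, Action
```

Check that the 'After' output shows ServerSmb1Enabled as False; if Smb1FeatureState still reads Enabled, a reboot is pending.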


Credential Management

Managing passwords and using strong passwords are important steps in preventing unauthorized access to databases, applications, and other election infrastructure assets. Multi-factor authentication (MFA), in particular, can help prevent adversaries from gaining access to an organization's assets even if passwords are compromised through phishing attacks or other means. Threat actors have the capability to defeat single-factor authentication, especially when passwords are weak (e.g., common or trivial passwords) or—taking into account credential reuse—have been exposed in unrelated third-party breaches. CISA has published the following guidance to assist organizations with preventing unauthorized access:

  • Implement MFA to prevent unauthorized access, particularly by external users (including APT actors). (See Using Rigorous Credential Control to Mitigate Trusted Network Exploitation and Supplementing Passwords.) MFA requires users to present two or more credentials (e.g., a password and the use of a hardware token) at login to verify their identity before being granted access to a given system. Organizations should consider implementing MFA for voter registration, election night reporting, and associated enterprise IT systems.
  • Enforce password best practices, including the use of unique and complex passwords to access different systems and accounts. Accounts with additional privileges (e.g., administrator accounts) should have password requirements that are more stringent than those for standard users. (See Choosing and Protecting Passwords.)
  • If possible, use a local administrator password solution. (See Local Administrator Password Solution.)

Copyright © 2020 46 Labs - All Rights Reserved.