1 in 3 Michigan workers tested opened fake 'phishing' email

LANSING, Mich. — Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password.

The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training. Phishing schemes — in which hackers try to deceive email recipients by posing as legitimate entities — can lead to identity theft and other problems.

The email's subject was an expired password, said Kelly Miller, state relations officer for Michigan's Office of the Auditor General.

Phishing was how Russian-linked players stole the emails of Hillary Clinton's presidential campaign chairman John Podesta.

Auditors made 14 findings, including five that are "material" — the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network.

"Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.

The Department of Technology, Management and Budget agreed with many of the findings while partially concurring with some. It said the auditors' phishing email was reported to a "security tips" mailbox multiple times and there are other controls that may limit the effectiveness of such attacks.

The agency added that it is formalizing a standard that adopts industry best practices for secure configurations, estimating it will be done in April.

"The data held within the state government network is safe and secure due to the many layers of protection in our security ecosystem," said spokesman Caleb Buhs, who said the state has already begun implementing many of the auditors' recommendations. "This audit provides us with a good roadmap for prioritizing future technology infrastructure investments."

The audit, which covered a three-year period between 2014 and 2017, said the state did not fully establish and implement an effective process for managing updates to network devices' operating systems. Ten high- or medium-severity vulnerabilities were identified.

Overall, Auditor General Doug Ringler deemed the state's efforts to design, administer and monitor a secure IT network as "moderately sufficient."

A Democratic critic of Gov. Rick Snyder's administration, Senate Minority Leader Jim Ananich of Flint, said "there is just no excuse for why Michigan's top officials have failed to protect our state from hackers."



Audit: http://bit.ly/2IwhmAe


Follow David Eggert on Twitter at https://twitter.com/DavidEggert00 . His work can be found at https://apnews.com/search/David%20Eggert
