State extends Project Boundary Fence funding
March 28, 2022
Project provides preventative assessments for municipalities
An ounce of prevention is worth a pound of cure, said Founding Father Benjamin Franklin.
His remark was directed toward 18th Century fire prevention in Philadelphia but rings true for cyber security in the 21st Century.
Two years ago, Dakota State created a pilot project to provide an ounce of prevention through cyber security assessments for South Dakota cities and counties. Project Boundary Fence is intended to secure municipalities’ networks through external penetration testing on outward-facing technology infrastructures.
Supported through funding from the Attorney General’s Consumer Protection Division, the two-year project was very successful, and funding has been extended for another three years, said Dr. Arica Kulm, Director of Digital Forensics Services at Dakota State University.
Kulm oversees the staff for Project Boundary Fence, one full-time employee and several student workers, who serve as “friendly hackers,” she explained: individuals who use the same tools as a bad hacker but with the intent to find vulnerabilities in systems and advise how to fix them before a bad actor takes advantage.
“It’s better to be assessed by someone on the good side than on the bad side,” Kulm said.
“Preventative measures can’t stop all cyber-attacks, but can serve as a way to eliminate some vulnerabilities, and recommend ways to help municipalities become more secure.”
Bad hackers may be interested in these systems because cities and counties store a variety of information, from payment information to voting records, or health and employee data.
“Nobody is too big or too small to be a target,” Kulm stated, and “if a municipality hasn’t been hacked, it’s just that they haven’t been hacked yet.”
Consumer Protection Director Jody Gillaspie said, “This collaboration has done exactly what we hoped and predicted it would do.”
“It’s brought the topic of hacking and ransom attacks to the forefront for discussions on how we can better protect consumers’ information, and one of the first ways is knowing what your systems’ vulnerabilities are. The things that our cities and counties’ IT staff can glean from having this ‘friendly hack’ performed are extremely valuable,” Gillaspie stated.
“Our hope is that by partaking in this project, the entities will continue to evaluate their systems on a regular basis to ensure that they are doing everything they can to make the systems that contain consumers’ personally identifiable information as secure as they can,” Gillaspie said.
Throughout the pilot period, Project Boundary Fence had clients from the smallest cities to the biggest, Kulm said, and from east to west across the state. Clients complete a pre-assessment questionnaire, and then staff complete thorough testing, including two weeks of external testing, two weeks of internal tests, and ending with a written report. Project Boundary Fence can also complete deep and dark web monitoring, and offer basic cyber training, she stated.
One common issue they see is weak passwords, but they have also seen systems that send out spam or give access to network cameras. Some systems have an issue with physical access, and there is a human factor as well, she noted. “In South Dakota, people are so nice here, but that’s not what you want in our field,” Kulm said.
Strengths in city and county systems have included restricted access in buildings or one system that had a “honey pot,” designed to look vulnerable and draw in attackers. “This showed they were trying to get good security.”
While South Dakota is not a big state, there is still a lot to assess, and the process is never-ending.
“It’s always ongoing because there are always things to add as the cyber environment changes, such as adding hardware or software, or changing to hosting data in the cloud,” Kulm said, “so we hope at the end of the next cycle we can continue to offer these services.”
For information on this program, contact projectboundaryfence@dsu.edu, or call (605) 610-8897.