MIAMI – Casting more uncertainty over the presidential nominating process for 2008, the Florida Legislature on Thursday moved the state’s primary up to Jan. 29, ignoring the threat of sanctions from the national Republican and Democratic parties. The new date puts the Florida primary ahead of all but four states. State party leaders hope that it will give Florida, the most populous swing state, a bigger role in choosing presidential nominees.

But officials in other states said Florida’s move would only create more chaos around the nominating process, which has already been upended by other states’ decisions to hold earlier primaries. New Hampshire may move up its primary as a result – possibly even to this year, political leaders in other states said. And in South Carolina, Republican officials said they, too, would advance the date of their own primary.

“South Carolina will name a date that keeps us first in the South,” said the chairman, Katon Dawson. “It could be as early as Halloween and our version of trick-or-treat, if we have to.” He added, “At the end of the day, the truth of the matter is that the nominee of either party is going to want to make sure they have not offended the big donors and the biggest activists in the most important state in the country that is electorally available.”

Some of the states that have moved up their primaries to Feb. 5, including California, Connecticut, New Jersey and New York, said they did not expect to seek even earlier dates. “I just don’t see it as likely,” said Ron Nehring, chairman of the California Republican Party. “California is going to be relevant, regardless of what other states choose to do.”

In addition to New Hampshire, the states with contests before Jan. 29 are Iowa and Nevada. In recent presidential election years, Florida’s primary has taken place in March. The Florida House voted unanimously for the change on Thursday, a week after the Senate approved the measure.
In the same legislation, they approved Gov. Charlie Crist’s plan to replace the touch-screen voting machines used in many of Florida’s counties with paper ballots counted by scanning machines.

Spokesmen for two Democratic presidential candidates, Sens. Hillary Rodham Clinton of New York and Barack Obama of Illinois, indicated they would not hold back from campaigning in Florida. “The DNC and the Florida state party will arbitrate this, and we will compete on the final field vigorously,” said Bill Burton, a spokesman for Obama.

Stacie Paxton, press secretary for the Democratic National Committee, said the party would hold fast to its rules but suggested that Florida’s primary could be nonbinding. Its delegates could still be allowed at the nominating convention, she said, if the state agreed to hold a caucus later in the year. “This is not the first time that a state Legislature has set its primary on a date outside DNC party rules,” she said, adding that the committee is working with the state party to find alternatives that comply with the rules.

Choosing primary dates has always been contentious, with states that held primaries late in the season feeling marginalized. But frustration soared this year, and dozens of states began to jostle for position, with more than 20 so far settling on Feb. 5, or considering it. The shifting dates have forced the presidential campaigns to reconsider every aspect of their nominating strategy – where to compete, how to spend money, when to start television advertising.

Both parties have been trying to put a halt to the leapfrogging. They have said they would penalize all but a handful of states if they hold a primary before Feb. 5, stripping them of half their delegates to the national nominating conventions.
Under Democratic Party rules, the candidates can also be penalized, losing the delegates they won in the rule-breaking state. But Florida officials scoffed at those threats, calling the conventions little more than a formality. “We have people who get invited to a big party where they drop a balloon and people wear funny hats,” said Marco Rubio, the Republican speaker of the state House of Representatives. “But they don’t have any role to play.”
Malicious websites also present a problem, since much of the interaction is hidden from the user. When presented with a waterfall chart of what goes on behind the scenes of a typical webpage download, with upwards of 100 separate sites accessed, the average user is astounded. But the threat is real, with 46% of the top million websites exhibiting risky behavior according to a Menlo Security study. The first link on a site may be innocuous, but the second may do you in! Since not many enterprises lock down browsing CNN during lunch breaks, real protection loops back to user training, not clicking unknown sites (or any third-party sites at all while at work), and if in more critical lines of business, mandating the installation of ‘safe’ browsing add-ins and whitelists that cannot be deactivated by the user.

4. Practice overall security hygiene.

Overall security hygiene may be as simple as enforcing password discipline, and more. In the absence of controls, people are just plain sloppy. A recent Ixia security report identified root, admin, ubnt, support, and user as the top five passwords that hackers guess. They do this because all too many systems use these. But password discipline must take different forms. Mark Ford, a cyber risk services leader from Deloitte & Touche, describes a case where a physician’s laptop containing Personal Healthcare Information, subject to HIPAA, was stolen from his house. The laptop was encrypted, but the password was written on a sticky note attached to the device. Here, the complexity of the password didn’t really matter (and one must assume that it was in fact hard to remember, if written down). Though not every company will have the resources for SOC2 or even to deploy two-factor authentication or single sign-on, they should begin to move in this direction.
Part of it will of course depend on whether IT is core or ancillary to their business, but at the end of the day, if a customer’s credit card information, or worse, is compromised, an ounce of prevention goes a long way.

What additional risk do employees pose when responsible for the enterprise’s infrastructure, either on-premises or in the cloud? This is the second level of training, which must be structured and tested. If the enterprise, for example, subscribes to a SaaS CRM or cloud document service, they should have a procedure in place to determine the security posture of this offering, as well as how to integrate it with their business and provide any required audits. Or, if deploying applications on Google Cloud Platform IaaS, they must fully understand the shared responsibility model and lock down their components. Formalized third-party training and any required certifications shouldn’t be an afterthought, and if the enterprise doesn’t have a CISO, a designated individual with the same level of experience and more importantly, authority, should be assigned.

Still, the enterprise may implement best practices, train and retrain its employees, and prepare for the worst, but a breach may occur. How does it protect its infrastructure if something falls through the cracks? Here is where automation comes into play, as a backstop to the human element.

Instead of snapshots, which lose accuracy with each minute, and are less effective for cloud deployments, virtualization, and now containers, the enterprise must continually verify its security posture against a known baseline. This is continuous security, reducing the threat of breaches and with this, overall fear and distraction. No matter that an employee may be sloppy with passwords, smartphone security, deleting old but confidential files, or the like, the system will ensure that the infrastructure is aligned with CIS, NIST, PCI, HIPAA, and other benchmarks.
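
The continuous verification described above, as an added example that is not part of the original article: each observation of a host is checked against a known baseline and only the changes are reported, so drift that appears after a passing 09:00 snapshot is still caught. The rule ids, setting keys and observations are constructed for illustration and are not taken from CIS, NIST, PCI or HIPAA benchmark text.

```python
from dataclasses import dataclass
from typing import Any, Callable

_MISSING = object()  # sentinel: a setting that was not reported fails its rule

@dataclass(frozen=True)
class Rule:
    rule_id: str
    key: str
    passes: Callable[[Any], bool]

# Constructed baseline; rule ids and keys are illustrative, not benchmark text.
BASELINE = (
    Rule("ssh-no-root-login", "ssh.permit_root_login", lambda v: v == "no"),
    Rule("password-min-length", "auth.min_length",
         lambda v: isinstance(v, int) and v >= 12),
    Rule("disk-encrypted", "disk.encrypted", lambda v: v is True),
    Rule("no-default-accounts", "auth.default_accounts", lambda v: v == []),
)

def failing_rules(observed: dict) -> set:
    """Ids of baseline rules the observed state violates (missing keys fail)."""
    failed = set()
    for rule in BASELINE:
        value = observed.get(rule.key, _MISSING)
        if value is _MISSING or not rule.passes(value):
            failed.add(rule.rule_id)
    return failed

def monitor(timeline: list) -> list:
    """Check every observation; report (time, newly failing, resolved) on change."""
    events, previous = [], set()
    for timestamp, observed in timeline:
        current = failing_rules(observed)
        if current != previous:
            events.append((timestamp, sorted(current - previous),
                           sorted(previous - current)))
        previous = current
    return events

# Constructed observations of one host: compliant at 09:00, drifting afterwards.
COMPLIANT = {"ssh.permit_root_login": "no", "auth.min_length": 14,
             "disk.encrypted": True, "auth.default_accounts": []}
TIMELINE = [
    ("09:00", COMPLIANT),  # a one-time snapshot taken here would pass
    ("09:20", {**COMPLIANT, "ssh.permit_root_login": "yes"}),
    ("09:40", {**COMPLIANT, "ssh.permit_root_login": "yes",
               "auth.default_accounts": ["admin"]}),
    ("10:00", {k: v for k, v in COMPLIANT.items() if k != "disk.encrypted"}),
]

if __name__ == "__main__":
    for timestamp, new, resolved in monitor(TIMELINE):
        print(timestamp, "newly failing:", new, "resolved:", resolved)
```
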
There is no excuse for the enterprise not to be in continuous compliance with regard to the latest security and regulatory benchmarks, and with all the tools at IT’s disposal, the enterprise shouldn’t be subject to ‘friendly fire’ from the enemy within.

Though many in IT focus on external threats, I believe that the ‘enemy within’ may be just as damaging. Addressing the human element, both malicious and unintentional, may generate some of the greatest returns on security investment. Counter to conventional wisdom, the majority of breaches are not due to malicious intent. According to Ponemon, 52% are in fact due to human error or process failure. And this is not going to go away anytime soon, based on reports of too few people trained in cybersecurity as well as the ever-present budget issues. In fact, as traditional attacks on networks and servers have decreased, those targeting users and their devices have increased per the 2016 Verizon Data Breach Investigations Report.

So, what are we seeing today? How can the CISO and his or her team close this gap?

On the user training front, there are two levels required. The company must drill all employees in the risks of phishing attacks, social media, malicious websites, and overall security hygiene. And I do mean drill, just like the military, which does this for a reason. It works. Re-allocate tasks, conduct unannounced tests, and maintain constant vigilance. Just don’t become complacent.

1. Prevent phishing attacks

As many as 85% of enterprises have been the subject of attack, and 30% of phishing emails get opened. It only takes a single success to create a whole lot of havoc, and the average cost of attack is at least $1.6 million. Strong email filtering is the first line of defense, since by the time it gets to the distracted end-user, the battle may be lost. Here, user awareness and training from the likes of PhishMe and others are key.
A smaller company may think it doesn’t have the budget for these types of tools, but the potential cost of an attack is much worse, and in fact they could be at greater risk due to closer ties between their CEO and employees. The request for employee W-2s or other closely held information would not seem out of line.

2. Understand the risks of social media.

The use of social media presents special problems, since it is not only the corporate account that must be secured, but employees increasingly share their work experiences on their personal accounts. It is the corporate account that isn’t at risk here, since this is usually maintained by those with the proper background and skill set. However, if an employee is privy to confidential information, or is at a sufficient level in the organization to be of external influence, his or her social sites must be monitored by any one of a number of third parties such as ZeroFox. Social risk may in fact tie to phishing, where the attacker researches the company via social media to build a dossier used to impersonate a CEO or other C-level executive. The more material on social media, the more convincing the attack. Glassdoor also presents risks since it is unmoderated and disgruntled former employees are more likely to post confidential information.

3. Minimize exposure to malicious websites.