Illustration: Sarah Grillo/Axios

State elections officials struggle with some of the basics of office cybersecurity, according to a new report from cybersecurity auditor NormShield.

Why it matters: With the 2020 elections looming, there is a massive push to button down election cybersecurity.

Details: NormShield audited how state election authorities in all 50 states, D.C. and the territories handled common security tasks not related to the specialized equipment used in elections. NormShield only evaluates what it can see externally, without breaching a system.

  • NormShield uses letter grades to denote how skilled a hacker would have to be to exploit red flags they found. "A C grade means an average hacker could take advantage," said Bob Maley, chief security officer at NormShield and a former chief information security officer for the state of Pennsylvania. "You'd want to see A or B grades for elections boards."
  • In a July scan, by the NormShield metrics, an average hacker would be able to breach 27 state's systems. States had particular trouble with keeping patches up to date — nearly averaging the lowest possible grade in tests — and in preventing stolen credentials from showing up on the dark web, although states by and large performed well in other areas of testing.
  • NormShield informed states of what they found, giving them a chance to mitigate vulnerabilities, and performed a new scan in August. In the follow-up scan, states preformed dramatically better, though 13 states would still be vulnerable to an average hacker.

The reason the patch management grades suffered: Election boards' web servers use older operating systems and programs that are at or near their end of life.

  • A hacked website may not sound as critical as a hacked voting machine, but it could create confusion about voting locations, times and procedures.
  • In July, 4 states used Windows Server 2003, which Microsoft ceased releasing security patches for in 2015; 4 states used a version of the Apache web server that hasn't been patched since 2017; and 9 states used unsupported versions of the NGNIX web server.

Leaked credentials can be a problem, Maley said, even if they don't provide access to official accounts. Election officials shouldn't be using their official email addresses to sign up for personal online accounts.

  • "I actually saw leaked credentials from one state's CISO," said Maley.

Go deeper

Washington Redskins will change team name

Photo: Patrick McDermott/Getty Images

The Washington Redskins announced Monday that the NFL team plans to change its name.

Why it matters: It brings an end to decades of debate around the name — considered by many to be racist toward Native Americans. The change was jumpstarted by nationwide protests against systemic racism in the U.S. this summer.

2 hours ago - Health

Houston public health system CEO says coronavirus situation is "dire"

Houston's coronavirus situation is "dire, and it's getting worse, seems like, every day," Harris Health System CEO and President Dr. Esmail Porsa said Monday on MSNBC's "Morning Joe."

The big picture: Porsa said the region is seeing numbers related to the spread of the virus that are "disproportionately higher than anything we have experienced in the past." He noted that Lyndon B. Johnson Hospital's ICU is at 113% capacity, and 75% of its beds are coronavirus patients.

Fund managers start to board the stock bandwagon

Illustration: Aïda Amer/Axios

Asset managers at major U.S. investment firms are starting to get bullish with their clients, encouraging stock buying and trying not to get left behind right as the metrics on tech stocks rise back to highs not seen since the dot-com crash of 2000.

What's happening: Appetite for stocks is starting to return, but slowly as institutional money managers were overwhelmingly sitting on the sidelines in cash during April and May.