Can Cities Survive the Latest Ransomware Assaults?
Public entities and municipalities may be more vulnerable to cyberattacks, but creating a safe computing environment is possible.
It doesn’t have to be “Cyber Month” to recognize that the dark side of technology is currently infiltrating self-insured municipalities: ransomware attacks. Ransomware attacks occur when criminals break into an organization’s IT systems, encrypt as much data as possible, and then extort money (usually in Bitcoin) from the organization to get its own data back. If the ransom is not paid, the criminals may release the data to the general public, or delete it altogether.
How does ransomware occur? Criminals make ransomware products and tools available on the “Dark Web” to other criminals and then receive a cut of the “take” if the ransom is paid by the victims. Both the ransomware purveyors and the attackers who use these products to infiltrate these systems usually operate from countries that the FBI can’t reach.
Self-insured public entities such as municipalities are among groups that are particularly vulnerable, because they:
- Operate within a significant regulatory environment;
- Have data that others could steal and monetize (personally identifiable information such as social security numbers, HIPAA-related information, credit card numbers, etc.);
- Have data that is critical and necessary to conduct business.
Actual risk includes more than just data housed on a server; it includes reputational/brand risk, and the impact of losing trust from partners/vendors and members/customers as a result of an attack.
Obviously, the adage, “it won’t happen to us,” is no longer valid. In fact, there have been more than 170 ransomware attacks on U.S. state and local governments since November 2013, notes the technology security company Recorded Future.
“Unfortunately, it happens again and again to municipal systems that don’t have all the latest software, the latest protections or the highest-paid IT staffs,” Lee McKnight, an associate professor at Syracuse University’s School of Information Studies and an expert on cybersecurity, told USA Today.
Richard Mathis, CTO of CHSI Technologies, a Las Vegas provider of enterprise software to public entities and smaller insurers, says it’s not all about the latest software or highest paid IT staffers—it’s a bigger picture that includes a solid IT governance program comprising comprehensive compliance and quality assurance. “This type of risk management requires common-sense due diligence, a clear line of responsibility for technology systems, a secure cloud platform, a plan that holds all partners and vendors to the same security requirements, and should the worst possible case occur, an incident response plan.”
More Common than Ever
Unfortunately, the worst possible case is becoming a common occurrence, and the way municipalities and public entities deal with incident response is reflective of lessons being learned along the way.
For example, in March 2018, the city of Atlanta had more than a third of its systems crippled by a ransomware attack. Recovery took more than a year, with costs estimated at $17 million. In May 2019, Baltimore officials, after refusing to pay an $80,000 ransom at the advice of law enforcement authorities, approved $10 million in emergency funding to recover from a similar attack that immobilized some of the city’s systems and services, according to reports. Even smaller cities such as Lake City, Florida are finding themselves under fire: city administrators recently paid hackers a ransom of 42 bitcoins, or roughly $426,000.
In August, the computer systems in 22 towns in Texas were attacked, with data held hostage in a large-scale hack that was coordinated and launched by a single threat actor. Hackers asked a collective ransom from all 22 towns and counties of $2.5 million paid in Bitcoin, NPR reported. In this case, hackers breached Keene’s network using software that an IT company used to remotely manage the city’s infrastructure, software that was also used by the other municipalities, confirmed the mayor of Keene, Texas, one of the cities attacked.
It’s unclear whether the cities affected had sufficient security measures or backups of their systems and data. Although Texas’ state systems were not part of the hack, the attack did initially impact normal city business and financial operations and services.
What is clear is that not one of the cities agreed to pay the ransom. Instead, the Texas State Department of Information Resources (DIR), a government information portal providing technology advice to state authorities, deployed experts from more than 10 government agencies and private sector partners to help cities recover, according to ZDNet.com. The DIR said that “more than 25% of impacted entities have transitioned from response and assessment to remediation and recovery, with a number of entities back to operations as usual.”
It’s worth noting that the scale of these attacks has grown so large that it warranted coverage on a recent CBS “60 Minutes” episode. More than a quarter of cities and towns in the United States have fended off ransomware attacks, and 26 percent say they fend off an attack every hour, according to the “60 Minutes” report.
Awareness and Accountability
The news out of Texas did not escape the attention of Keith Alberts, Director of IT and Marketing at Texas Political Subdivisions Joint Self-Insurance Fund (TPS), a Dallas-based self-insurance pool owned and operated by its members, local governments throughout the State of Texas. TPS provides a host of insurance products, including cyber insurance, to 146 public-entity members (schools, cities, counties, central appraisal districts, etc.).
That said, TPS takes its risk management efforts very seriously, encrypting and housing member data offsite, and keeping a mirrored back-up of the data available should a cyber incident occur.
TPS’s school district members must build cybersecurity into their day-to-day operations, thanks to Texas Senate Bill 820 district cybersecurity law, which requires independent school districts to create a cybersecurity policy and designate a person responsible for it.
Because TPS deals online with a managed care vendor as well as other business partners, the organization also restricts, based on user role, access to certain layers of data in the organization’s portal, and encrypts data on all laptops. TPS recently engaged KnowBe4, a company that tests users and networks against phishing threats, and provides training for all users. “We are concerned about phishing scams that lead to ransomware. We are doing things right,” says Alberts.
CHSI’s Mathis notes that a big part of doing things right involves acknowledging that everyone who touches sensitive data is accountable. “Security is an end to end problem, and all humans make mistakes, so we put multiple barriers in place. When a human error occurs, that’s natural; but the alert is issued when several errors are made in a row.”
Monitoring and Controlling Access
For public sector entities, it’s typical to have users from any number of internal and external sources involved in the access and manipulation of data. For example, NGU Risk Management, an insurance program administrator based in Hendersonville, Tenn. that serves the needs of 206 public entities, including local government, schools and utility districts, contracts with a variety of third parties for the processing of customer information. Providing customized risk management programs that include property, liability (cybersecurity) and specialty lines coverages, the organization relies on a host of third-party contractors to help service its members.
Because 90% of members, agents, business partners, third-party appraisers and other stakeholders access the organization’s portal, NGU has made network security a strong priority. The company has issued an Acceptable Use Policy for all users, an incident response program, and recently engaged NetDiligence (ND), the preferred cyber risk management partner of Great American, the company NGU uses to write its cyber liability coverage.
“We realize that public entities are a bit thin-stretched in security, and don’t have a specific line-item budget for security,” says Kyle Greenup, NGU’s VP of IT. “Because vulnerabilities are discovered so fast, it’s hard to keep up with, so our members count on us to create a safe computing environment for them to do business with us.” To date, this philosophy is working; NGU enjoys a retention rate of 97 to 99 percent.
As the enterprise technology solution provider for both NGU and TPS, CHSI restricts access to data based on an IT whitelist provided by the customer. Two-factor authentication is required and the customer can only access the data with a predefined IP address. “Security is an end to end problem, so we’ve locked down our side,” notes Mathis. “Customers must go through multiple hoops to access their data from our cloud-based system. If our customers want their own remote employees to have access, they have to access via a VPN provided by the client. All backups are placed on a time-limited URL, so if a client forgets to access updates, the data doesn’t just sit there waiting to be hacked.”
CHSI Technologies follows ISO 27001, a specification for an information security management system (a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes). “As a generic protocol, it helps frame the conversation around how we make things secure,” Mathis says, “and it informs our comprehensive compliance and assurance programs.”
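The access controls Mathis describes above (a customer-supplied IP whitelist, a required second factor, and backups served from time-limited URLs) can be combined into a single authorization check. The following is an added illustration written for this article, not CHSI’s code; the signing key, the customer name and the 203.0.113.0/24 allowlist are constructed values.

```python
import hmac
import hashlib
import ipaddress
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for the example: a server-side signing key and a
# per-customer allowlist of source addresses (TEST-NET-3, documentation range).
SECRET = b"example-signing-key-not-for-production"
ALLOWLIST = {
    "customer-42": [ipaddress.ip_network("203.0.113.0/24")],
}

def sign(path, customer, expires):
    """HMAC over everything the URL promises: which file, for whom, until when."""
    msg = f"{path}|{customer}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_backup_url(path, customer, ttl_seconds, now=None):
    """Issue a backup download link that stops working after ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"c": customer, "e": expires, "sig": sign(path, customer, expires)})
    return f"https://backups.example.invalid{path}?{query}"

def authorize(url, client_ip, second_factor_ok, now=None):
    """Return (allowed, reason). Every barrier must pass; the reason is what you log."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    try:
        customer, expires, sig = query["c"], int(query["e"]), query["sig"]
    except (KeyError, ValueError):
        return False, "malformed"
    # 1. Verify the signature first (constant-time) so no untrusted field is acted on.
    if not hmac.compare_digest(sig, sign(parsed.path, customer, expires)):
        return False, "bad-signature"
    # 2. Time-limited URL: a link the client forgot about simply expires.
    if now > expires:
        return False, "expired"
    # 3. Predefined IP address: only the customer's whitelisted network may fetch.
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in ALLOWLIST.get(customer, [])):
        return False, "ip-not-allowlisted"
    # 4. Second factor is required on every fetch, not just at login.
    if not second_factor_ok:
        return False, "second-factor-required"
    return True, "ok"
```

Each rejection carries a distinct reason so that a run of failures from one source (the “several errors in a row” Mathis mentions) stands out in the logs.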
Advice Worth Heeding
To assess your relative risk of a ransomware attack, experts say public entities should consider their size, the number of cities and counties they represent or do business with, and the cybersecurity measures currently employed.
“Assess your own risk tolerance—the potential damage to your organization that hackers could inflict,” says TPS’s Alberts, “then assess the cybersecurity countermeasures you currently have in place.”
Protecting your organization from a ransomware attack does not necessarily require expensive next-generation firewalls, intrusion prevention systems or “security as a service” systems, notes Mathis. “What’s really required is attention to restriction: Designate the least number of people with access to the data, and those who do have access should have a minimal amount of privileges. This puts an extra burden on administration, but it’s worth it, i.e., it’s more difficult to ask for permission, but doing so will keep them out of the news, and their public entity safe.”
NGU’s Greenup says that user education, vulnerability patches, and basic penetration testing by a third party will be helpful. Plus, NGU is anxious to use the tools that NetDiligence is providing as part of their program. “With ND, we will provide end-user training, security awareness and have everyone involved, including our loss control guys, who will take up that mantle and help train users how to detect phishing, incorporate password intelligence and more.”
With experts predicting 50 billion devices connected to the internet by 2020, ransomware attacks will only increase, they say.
“By creating a culture of alert self-monitoring, a plan that makes employee safety training and security safeguards a priority, and a strategy that involves all stakeholders, including technology solution providers, the chances of being vulnerable to a ransomware attack diminish,” notes Mathis.
This article originally appeared in Public Risk Magazine, reprinted here with permission from PRIMA.