Monday, 21 October 2019 14:42

Ransomware City – Population: Too Many

Written by FRANK KRIEGER

Five ways to fortify and help protect city governments from ransomware attacks

Ransomware hackers are trekking from city to city around the world, shutting down government services, hospitals, first responders, school districts and universities. According to a CNN report this month, in the last 10 months, 140 local governments, police stations and hospitals have been held hostage by ransomware attacks.

As a result, hospitals are halting admissions of new patients, first responders are slower to respond to distress calls, city services are interrupted and schools are suspending classes. Unfortunately, many of these organizations are opting to pay ransoms for their data, making them easy targets and creating a lucrative market for ransomware hackers.

In October, an Alabama hospital paid hackers an undisclosed amount to unlock its data after being forced to halt new patient admissions. In June, Lake City, Florida paid $460,000, and Riviera Beach, Florida paid more than $600,000 to recover their data. All over the U.S., cities like Baltimore, Cleveland, Atlanta and Tallahassee have fallen victim to vicious ransomware attacks. Multiple Louisiana school districts were hit so badly in July that the governor declared a state of emergency.

Unfortunately, this trend will undoubtedly continue as hackers exploit common vulnerabilities of state and local governments and education entities with limited budgets and easy access to affordable cyber insurance.

Most local governments are forced to assign IT budgets and resources to improve services through next-generation technologies like 5G networks, IoT, and cloud computing. In the process, their operations and data are becoming more connected through local and global networks, and their IT professionals are overwhelmed by IT data regulations and demand for innovation. There’s little or no time or resources left to protect their networks.

For many of these cities, the easiest solution is to buy cyber insurance, which costs on average $1,500 a year, and hope no one notices or suffers when operations and services are shut down by a cyber-attack. But there are ways government and education services can fortify their defenses through outside resources and best practices that are just as affordable and as easy to implement as cyber insurance. Many of these start with changing the way we think about the problem.

Understand the difference between penalties and consequences

I know this may sound esoteric, but there is a big difference between penalties and consequences when it comes to cybersecurity. While there might not be a specific penalty for governments that fall victim to ransomware attacks, they still face significant consequences. When city services are down, citizens can’t contact first responders, frozen property records might stall loan applications, or hospitals, as in the case in Alabama, might be unable to admit and treat new patients.

A simple ransom payment, backed by cyber insurance, can put data and operations back in order. But what’s the cost to citizens who rely on services and to the city’s overall reputation? Worse, by paying ransoms, we’re just encouraging hackers, which explains the momentum of these occurrences. These hackers can know who is paying for insurance and how much their coverage is.

However, no one should assume they're safe from penalties. Just ask any of the organizations that are paying out fines after violating data privacy acts such as GDPR, HIPAA, or the California Data Privacy Act once it goes live.

Replace or supplement cybersecurity with subscription-based IT services

Whether it's data backup, IT compliance, or security programs, most cloud-based IT services these days are available through monthly subscriptions, which can cost the same as or less than cyber insurance.

Most small city governments employ IT experts in the single digits, which means they're focused on the latest trouble ticket, instead of keeping equipment and software updated. Hackers know when the newest software upgrades or patches are issued. And they know that the smaller organizations will likely take their time to make the upgrades. Companies that provide cloud-based services are regularly issuing and making upgrades and installing patches on their services and data centers.

Keep access controls current

One of the easiest ways into a city government or school is through an outdated access point. This happens when employees, ranging from full-time administrative staff to part-time seasonal workers, quit. Logins and passwords need to be immediately removed when employees leave their jobs. Knowing that onsite resources are limited, this process needs to be communicated and treated as a top priority.

Separate sensors and IoT devices over different networks

As cities expand services over next-generation technologies, they are increasingly becoming more connected. By 2025, more than 75 billion devices are expected to be connected over the Internet of Things (IoT), which means a single, unprotected access point can leave any database vulnerable.

IoT devices rely on sensors to collect data on power grids, traffic, garbage collection, or road conditions to deliver services more efficiently. However, hackers know that many smaller cities lack the IT resources and expertise to lock down these sensors. Hackers can use this access to hold cities hostage through ransomware, sometimes crippling critical systems for months at a time.

At most, security measures and devices should be applied to these sensors and their IoT devices. At the very least, city officials should store and run their data and applications through different data centers. This can also be done over the cloud.

Adhere to CJIS requirements

Nearly every city connects to the U.S. Criminal Justice Information System (CJIS), which contains information maintained by federal law enforcement agencies, including the FBI. Local law enforcement agencies access this system for background checks and employment verifications. Hackers know they can easily infiltrate most of these small-town systems to obtain national security data.

Cloud services work to map their data storage with CJIS encryption standards. CJIS enforces 13 policy areas for vendors covering mobile devices, personnel security, access controls, incident responses, and security awareness training. City officials should ask prospective vendors if their solutions meet these CJIS policy standards.

It’s okay to say no

City governments with data backup and contingency plans nearly always have the option to say no to ransomware attackers. In August, 22 Texas entities, mostly smaller city governments, were targeted during a coordinated ransomware attack that crippled operations. But within seven days, the cities were up and running without paying a dime to their attackers. Officials credited the success of Texas’ response to a comprehensive plan quickly executed across a dozen state agencies.

The Texas response taught hackers that it's more difficult to target small government agencies that work together and have the backing of a state government's established backup and recovery plans. And that it’s best not to mess with Texas.

Frank Krieger is vice president of governance, risk and compliance, and data protection officer at iland Cloud where he manages, directs, and oversees enterprise risk, compliance and governance programs for international and domestic operations with emphasis on EU GDPR, ISO 27001 | 9001 | 20000, BS 10012:2017, SSAE 16/18, Australian IRAP and US FISMA and ITAR regulations. Registered FG - Netherlands.