Tech Trends: Ransomware from the Front Line

Oct. 8, 2019
How an expert CISO deals with the threat as it jeopardizes the municipal and healthcare verticals

As if municipal budgets weren’t strained enough, now comes a new element – hackers tying up municipal IT systems with variants of ransomware. Dozens of municipalities have been hit in 2019 alone, and it is affecting everything – from critical services such as 9-1-1 and EMS, to the mundane tracking of parking ticket fines.

Many municipalities are not IT-savvy – particularly at the upper management level – and they simply have not taken the proper precautions or made adequate investments to protect themselves. When cities get hit, they make news. Just recently, ransomware attacks have been reported on five local governments: New Bedford, Mass.; Lake County, Fla.; Flagstaff, Ariz.; Wilmer, Texas; and the biggest one, Baltimore, Md.

Protect your Clients

A number of straightforward “defense-in-depth” steps can be taken to prepare your clients for a potential ransomware attack.

1. Educate. Since a large percentage of successful attacks are delivered via email – web links and file attachments – ongoing employee education, training and in-house phishing tests are a good place to start. Check out the services from KnowBe4 as a starting point.

2. Anti-malware and anti-ransomware software may use one or more of several techniques to perform its protective function. Traditionally, anti-virus/anti-malware software has relied on signature analysis, but that only addresses known threats. Behavioral analytics detects abnormal process activity and file access, and may block unauthorized access or bulk file encryption as it begins.

Ransomware typically goes first for files in common locations, such as Desktop and Documents, so some anti-ransomware products plant bait (decoy) files in those locations; any process that modifies, renames or deletes a bait file triggers a counter-response. Responses may include restoring affected files from a journal of pre-change copies, quarantining the threat, or otherwise rendering it useless. A search for business-class endpoint anti-malware products should yield a range of options.

3. Have a solid backup and recovery strategy, which should include keeping backup copies on media or in a location that the attacker cannot reach from the compromised network (offline or immutable). Cloud backup is a common answer, but be certain that your client's folders on file syncing services – such as Dropbox and OneDrive – are protected from compromise: a sync client replicates encrypted files to the cloud just as faithfully as clean ones, so a sync folder by itself is not a backup.
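The bait-file mechanism described in step 2, written out as an added example (not code from any product named on this page): decoys with random content are planted in the directories ransomware hits first, their hashes are recorded, and a polling pass reports any decoy that was modified, renamed with an appended extension, or deleted. The directory names, decoy names and the simulated attack in demo() are constructed for illustration.

```python
"""Canary-file monitor: plant decoy files where ransomware strikes first,
then treat any change to them as an attack in progress.
Added example, not a product's code; directories are constructed temp dirs."""
import hashlib
import secrets
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Names chosen to sort at the top of a directory listing: many ransomware
# families walk directories in sorted order, so the decoys are hit early.
CANARY_NAMES = ("0_accounts.xlsx", "00_contracts.docx", "000_passwords.pdf")


@dataclass
class Canary:
    path: Path
    sha256: str


@dataclass
class Alert:
    path: str
    reason: str


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(watch_dirs: List[Path], size: int = 4096) -> List[Canary]:
    """Write decoys filled with random bytes (a fixed marker would let malware
    recognise and skip them) and record each file's baseline hash."""
    canaries: List[Canary] = []
    for d in watch_dirs:
        d.mkdir(parents=True, exist_ok=True)
        for name in CANARY_NAMES:
            p = d / name
            p.write_bytes(secrets.token_bytes(size))
            canaries.append(Canary(p, _sha256(p)))
    return canaries


def check_canaries(canaries: List[Canary]) -> List[Alert]:
    """One polling pass. No legitimate user touches a decoy, so any
    modification, rename or deletion is reported. In a real deployment the
    response would be to kill the writing process and isolate the host."""
    alerts: List[Alert] = []
    for c in canaries:
        if not c.path.exists():
            # Ransomware commonly renames victims by appending an extension,
            # so look for "<decoy>.<something>" before calling it a deletion.
            renamed = sorted(p.name for p in c.path.parent.glob(c.path.name + ".*"))
            reason = f"renamed to {renamed[0]}" if renamed else "deleted"
            alerts.append(Alert(str(c.path), reason))
        elif _sha256(c.path) != c.sha256:
            alerts.append(Alert(str(c.path), "contents modified"))
    return alerts


def demo() -> List[str]:
    """Plant decoys in constructed temp directories, take a clean baseline,
    then mimic three things ransomware does and return the alert reasons."""
    root = Path(tempfile.mkdtemp(prefix="canary-demo-"))
    canaries = plant_canaries([root / "Documents", root / "Desktop"])
    baseline = check_canaries(canaries)                  # expected: no alerts
    docs = [c.path for c in canaries if c.path.parent.name == "Documents"]
    victim_a, victim_b, victim_c = docs
    victim_a.write_bytes(b"\x00" * 64)                               # encrypt in place ...
    victim_a.rename(victim_a.with_name(victim_a.name + ".locked"))   # ... then append extension
    victim_b.unlink()                                                # delete (wiper behaviour)
    victim_c.write_bytes(secrets.token_bytes(victim_c.stat().st_size))  # same size, new bytes
    return [a.reason for a in baseline] + [a.reason for a in check_canaries(canaries)]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The untouched Desktop decoys produce no alert, which is the point of the baseline: the monitor fires only on the three Documents decoys that were rewritten, renamed or removed. A production version would poll continuously (or use filesystem notifications) and act on the first alert rather than returning a list.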

The View from the Front Line

As important as municipal services may be, healthcare and hospitals are also a common target for ransomware attacks. Unlike municipalities, this sector has a much higher level of information and network security expertise. I caught up with my friend and professional colleague, Randall Frietzsche, Enterprise Chief Information Security Officer (CISO) for Denver Health, to weigh in on the topic. Here’s what he had to say:

You must be seeing ongoing and serious attacks targeting your network. What are the most common threat vectors?

Frietzsche: As a municipal hospital, we are subject to constant attacks, including malware, phishing, ransomware and attempts to break into the network. The most common threat vector is phishing. Phishing allows an attacker to easily email thousands of users, hoping that just a fraction of a percentage clicks a link, opens an attachment, or fills out their username and password on a web form.

Ransomware is our biggest threat, which for a hospital, can be an existential threat. If our imaging systems, which take x-rays, CT scans, etc., are encrypted, we can no longer image our patients. If we cannot image a patient, we cannot take that patient, which means we refuse to take any patients and divert them to other healthcare providers.

Because our imaging systems hold very large image files, the process to restore those images from backup (remediation for ransomware) can take days or weeks. (Diverting patients) costs our organization $8,000/minute, or about $25 million a week. We absolutely must understand this threat and put in the controls needed to prevent ransomware from spreading into our imaging servers.

What steps have you taken to make your organization’s employees and affiliates cyber-aware?

We perform at-hire and annual training around cybersecurity and email security. As CISO, I also attend department-level staff meetings to share security awareness tips and ensure our employees understand what they must do under our policies. We also use a variety of methods – screensavers, monthly emails, etc. – to continue to ensure our staff is aware of cyber threats and how they can help protect the organization and patient data.

What should CISOs be looking for in anti-malware products to deal with ransomware, and what gives you the confidence that these products will work?

An anti-malware product should be able to not only identify malware by hash signatures, but it should also be able to detect anomalous behavior. Often, basic anti-virus solutions will only detect 30% of actual threats. We need to have an additional layer of threat intelligence on our endpoints. Many products do this well – but that additional layer of behavioral-based detection is really critical for today’s threats.

Another critical control is to limit local administrator access for our users. This simple but hard-to-implement control effectively eliminates almost all malware, simply because the malware executes at the level of the logged-in user. If the user cannot install anything, malware becomes largely inert.

What is your recommended data back-up strategy and what is a reasonable expectation for recovery time?

Due to the ubiquitous nature of virtual computing today, we should be able to leverage screenshot technology to back up our systems frequently, even hourly for the most critical systems. We need to ensure we’re backing up our servers nightly. And we must find ways to back those up online, instead of tapes. This effort ensures that we’re able to more quickly restore systems in the event of a security incident.
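Step 3 above and the backup answer in the interview both come down to two checks a practitioner wants automated: that a backup set still matches what was written, and that the destination is not a folder a sync client or the attacker can reach. The following is an added example, not Denver Health's tooling or any vendor's product; it writes a hashed manifest for each backup, verifies a set against that manifest so that encrypted-in-place or deleted files are caught, and flags a destination that sits under a sync-client folder. The source files, paths and the simulated attack in demo() are constructed for illustration.

```python
"""Backup manifest and restore verification, plus a check that the backup
destination is not inside a file-sync folder. Added example, not Denver
Health's tooling; all paths and files below are constructed in temp dirs."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy the source tree to dest and return a manifest of relative path ->
    SHA-256. Keep the manifest somewhere the backup host cannot write (a
    separate store or a signed record); an attacker who reaches the backup
    could otherwise rewrite it to match the encrypted files."""
    manifest: Dict[str, str] = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel.as_posix()] = _sha256(target)
    return manifest


def verify_backup(dest: Path, manifest: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (corrupted, missing). A set that ransomware encrypted in place
    shows up as corrupted; one it deleted shows up as missing. Run this on
    every backup, not only before a restore, so a bad set is noticed while an
    older good one still exists."""
    corrupted: List[str] = []
    missing: List[str] = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file():
            missing.append(rel)
        elif _sha256(p) != digest:
            corrupted.append(rel)
    return corrupted, missing


def is_under_sync_folder(dest: str, sync_roots: List[str]) -> bool:
    """True if the backup destination lives inside a sync-client folder
    (Dropbox, OneDrive, ...). A sync client replicates encrypted files just
    as faithfully as clean ones, so such a folder is not an isolated backup."""
    d = os.path.realpath(dest)
    for root in sync_roots:
        r = os.path.realpath(root)
        if os.path.commonpath([d, r]) == r:
            return True
    return False


def demo() -> Tuple[Tuple[List[str], List[str]], Tuple[List[str], List[str]]]:
    """Back up a constructed source tree, verify it clean, then mimic
    ransomware reaching the backup and verify again."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    source, dest = work / "source", work / "backup"
    for rel, data in {
        "contracts/vendor.pdf": b"%PDF-1.4 constructed sample",
        "payroll/2019-q3.xlsx": b"PK constructed sample",
        "readme.txt": b"constructed sample",
    }.items():
        f = source / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
    manifest = make_backup(source, dest)        # manifest kept in memory here,
    clean = verify_backup(dest, manifest)       # i.e. outside the backup tree
    (dest / "payroll/2019-q3.xlsx").write_bytes(b"encrypted" * 4)   # encrypted in place
    (dest / "contracts/vendor.pdf").unlink()                        # deleted
    after = verify_backup(dest, manifest)
    return clean, after


if __name__ == "__main__":
    print(demo())
    print(is_under_sync_folder("/home/alice/Dropbox/backups", ["/home/alice/Dropbox"]))
```

The sync-folder list is something the operator supplies (the usual client roots under each user's profile); the check is deliberately path-based so it also catches a backup job that was pointed at a subfolder of the sync root. Verification cost scales with backup size, which is exactly the imaging-server case the interview describes, so schedule it against the copy rather than the production volume.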

Note: Randall Frietzsche can be reached at [email protected] or through LinkedIn at www.linkedin.com/in/randallfrietzsche.

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and the CONSULT Technical Security Symposium. Reach him at [email protected], through LinkedIn at www.linkedin.com/in/raycoulombe or follow him on Twitter, @RayCoulombe.