More and more city and state governments are feeling the heat from ransomware attacks. In August 2019, 22 municipalities in Texas experienced this type of cyber attack, and in May, Baltimore was hit by a ransomware attack that crippled the city’s computers. Cyber attacks on local governments aren’t slowing down, either. In this blog, we’ll cover lessons you can learn and how to tell if your local government is properly protected.
Cyber Attacks on Local Governments
At the time of the Baltimore ransomware attack, news reports said experts debated whether Robbinhood, the ransomware strain involved, leveraged the NSA hacking tool EternalBlue. While the Texas and Baltimore incidents received plenty of attention, other local governments are being hit, too.
Earlier this year, two locations in North Carolina suffered from cyber attacks. The city of Greenville fell victim to the Robbinhood strain, and Orange County was hit for the third time in six years. Additionally, seven municipalities in Florida have suffered from ransomware attacks in the last year.
As more details come out on all of these attacks, I think the real focus should be on what lessons can be learned from them. Ask yourself a few questions. Are you doing enough to protect yourself from a cyber security standpoint? If not, what steps do you need to take to get there? In this blog, I’ll do my best to answer those.
The Bottom Line
EternalBlue is a critical vulnerability that isn’t being addressed by most organizations. This is despite high publicity and a patch being available for over two years – a fact that the National Security Agency (NSA) is using to deflect criticism.
Please understand this – organizations have had two years to install one critical patch and haven’t. This patch can save hundreds of thousands of dollars in remediation costs or ransoms. The cost of the Baltimore cyber attack is now estimated at $18.2M. Around $4.6M of that number is tied to direct costs from the incident.
Every single risk and vulnerability assessment I led in 2018 involved machines that were vulnerable to EternalBlue. My assessments were all done at the state and local government level, so it’s no surprise to me that we’re seeing a continuation of attacks on public sector targets.
Why Aren’t Local Governments Protecting Themselves?
If a city or state government doesn’t have properly patched systems or a vulnerability management program, it usually means they don’t have the money, the staff, or both. While that’s an easy concept to understand, implementing patches across an enterprise isn’t as simple.
Finding the right balance between security and operations is tough. It’s a battle that information technology and cyber security professionals find themselves fighting all the time. For small governments especially, there is little budget for security. This means the balance is usually skewed towards operations and keeping customers and citizens happy. This model works until there’s an incident, like the Baltimore cyber attack, or the Atlanta incident in 2018.
Ransomware attacks are not going away. According to the 2019 Verizon Data Breach Investigations Report (DBIR), 24 percent of cyber attacks involve malware. And there are many other types of attacks going on, too.
How Can You Make Sure You’re Protected?
So, how can you make sure you’re protected?
- Get a Vulnerability Assessment
If you haven’t had a vulnerability assessment in the past two years, you should consider getting one immediately. It should be done by a third party. Think of it as someone else checking your blind spots.
- Implement a Vulnerability Management Program
This is basic maintenance that goes a long way to improve your cyber hygiene. It also boosts your resilience to malicious actors. The bare minimum is having antivirus, but it’s in your best interest to have endpoint management and protection. Endpoint security is a crucial part of protecting your business from cyber threats like ransomware. Antivirus and other traditional endpoint security tools have blind spots. At the very least, scan your systems and manually patch the critical vulnerabilities.
- Stay Informed
Part of keeping a balance between cyber security and operations is keeping up with the changing cyber security landscape. There are several ways you can stay up to date:
  - Get current threat information and participate in cyber security related events through Information Sharing and Analysis Centers (ISACs).
  - Subscribe to a few good blogs (like this one) – check out the Security Bloggers Network for hundreds of blogs to follow, or sign up for their handy RSS feed.
  - Join one of over 80 InfraGard chapters.
Is Paying the Ransom an Option?
Should you pay the ransom? The government says you shouldn’t because you’d be supporting the criminals. Security experts warn that paying doesn’t mean you’ll regain access. But, in my opinion, the option of paying the ransom should be left on the table. It should be factored into your risk calculus. If paying a $400K ransom saves you $4.8M in direct costs, that’s a compelling argument.
But, if that’s something you decide to do, and you regain lost access to your systems, you shouldn’t just sweep this under the rug. You must still follow through with the proper steps after the fact—a cyber hunt or compromise assessment, remediation, and disaster recovery. The good news is, you’ll have less remediation to do if you’ve regained access quickly, and operations have continued pretty much as normal. And, if you have aging infrastructure that needs to be replaced, this could be an opportunity to get resources for delayed upgrades.
So, how do you effectively advocate for resources to prevent cyber attacks on local governments in an era of tight budgets? How can you convincingly present your case to non-IT decision makers? Cyber security explanations are anything but simple, but high-profile ransomware cases like Baltimore (remember that $18.2M number) can help you make your case.
A good risk and vulnerability assessment will also help you seal the deal. When Delta Risk conducts an assessment, we tailor our recommendations to support a client’s needs. The goal is to improve your cyber security, not to punish the people working to keep your systems secure. Findings from our assessments are framed to be constructive and will help you justify funding for cyber security priorities.