Ransomware attacks reveal weakness in government cyber defenses
Ransomware attacks are becoming an all too frequent occurrence for state and local governments. Last month, two cities in Florida were attacked - Lake City paid $460,000 and Riviera Beach officials paid $600,000 to hackers to release their networks.
The computers of the Georgia Administrative Office of Courts were frozen by cyber criminals in June as well. In May, a successful phishing scheme led to a demand for an $80,000 payment to reactivate the City of Baltimore’s paralyzed computer networks. In 2018, Atlanta was hit by ransomware that not only shut down its computer systems, but also interrupted operations at Hartsfield-Jackson International Airport.
These attacks are becoming more common and affect multiple computer systems used to run the government, remotely encrypting all of the systems’ files. As officials across the country continue to deal with the fallout from cyber-attacks, the lack of organizational resilience, both in and out of cyber space, is laid bare, and the repercussions continue to affect constituents and the day-to-day operations of city and state governments.
These issues, and the costs of recovering from an attack whether or not a ransom is paid, are a testament to the reality that in 2019 cyber technology undergirds and connects some of the most fundamental aspects of everyday life. These systems are central to the basic functioning of government, and because they serve the public, network repairs and rebuilding must be done with organizational resilience in mind.
In Baltimore’s case, there were many missed opportunities for progressive organizational resilience. Reports from Baltimore officials speculate that the ransomware attack was initiated through phishing efforts.
While phishing attacks are difficult to deter, regular training of city employees in good cyber security hygiene might have foiled this attack before it started. Training and education are among the methods of progressive organizational resilience that organizations can add to their efforts.
The failure to put up basic cyber defenses played a large part in the Baltimore attack. A critical vulnerability in Microsoft software, famously exploited in 2017’s WannaCry ransomware attacks, was reportedly present in the City of Baltimore’s computer systems. Microsoft released a patch for the vulnerability in March 2017, yet two years later the city still had not updated its systems to defend against this well-known threat.
Oversights such as this demonstrate how even massively important organizations like the Baltimore City Government are not adequately responding to cyber threats, and the consequences of this oversight are now being felt by individuals and businesses throughout the Baltimore area.
The Baltimore incident is just one of many ransomware attacks that have crippled organizations around the globe. For organizations wondering how to prevent ransomware attacks and recover from them quickly, three basic IT controls are recommended: offline backups, patch management, and vulnerability scanning.
Offline backups are the most important disaster mitigation an organization can implement. Backups should be stored offline, snapshots should be taken consistently (preferably daily or every few days), and restoration should be possible from any snapshot, not just the latest.
Re-doing a few days of work is much easier than rebuilding a database which has been populated over the last few decades. Backups are increasingly forgotten in new IT infrastructure implementations or are only kept “online” where an attacker could corrupt the backup and cripple the organization.
Patch management is another key component of a healthy IT infrastructure. Critical- and high-severity patches should be applied to affected systems as soon as possible, preferably within a few days. The risk of compromise grows exponentially for both internal and internet-accessible systems the longer severe vulnerabilities are left unpatched. In the case of Baltimore, the critical-severity patches were not applied for over two years.
Vulnerability scanning is used to validate patch management by identifying systems where patches have not been installed. Once identified, system administrators install the missing patches and run additional scans to ensure the patches were installed successfully.
Resilient organizations also conduct annual penetration tests to identify exploitable gaps in their patch management and vulnerability scanning processes. Unfortunately, not every vulnerability is patched by the vendor, so resilient organizations must identify and mitigate those vulnerabilities as well.
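The patch-management and vulnerability-scanning loop described above, reduced to code as an added example (not from the article or any city's tooling): reconcile a host inventory against a vendor advisory feed, flag every host whose missing critical or high patch is past its SLA with the number of days exposed, then re-scan after a patch job to confirm the patches actually landed. The advisory feed, host inventory, scan date and the 3-day/7-day SLAs are constructed assumptions.

```python
from datetime import date

# Constructed sample data for this example (not from the article): a small vendor
# advisory feed and a host inventory as a vulnerability scanner would report it.
ADVISORIES = {
    "KB-CRIT-001": {"severity": "critical", "released": date(2017, 3, 14)},
    "KB-HIGH-002": {"severity": "high", "released": date(2019, 5, 1)},
    "KB-LOW-003": {"severity": "low", "released": date(2019, 4, 10)},
}
INVENTORY = [
    {"host": "fileserver-01", "installed": {"KB-CRIT-001", "KB-HIGH-002"}},
    {"host": "workstation-07", "installed": {"KB-LOW-003"}},
    {"host": "kiosk-02", "installed": set()},
]
SCAN_DATE = date(2019, 5, 7)
# Assumed patch SLAs in days ("within a few days"); the values are this example's choice.
SLA_DAYS = {"critical": 3, "high": 7}

def missing_patches(host, advisories):
    """Advisories this host has not installed: the per-host finding list a scan produces."""
    return {kb: adv for kb, adv in advisories.items() if kb not in host["installed"]}

def exposure_report(inventory, advisories, today, sla_days=SLA_DAYS):
    """Flag each host/patch pair that is past its severity SLA, most-exposed first."""
    findings = []
    for host in inventory:
        for kb, adv in missing_patches(host, advisories).items():
            sla = sla_days.get(adv["severity"])
            if sla is None:  # lower severities are tracked but not SLA-bound here
                continue
            days = (today - adv["released"]).days
            if days > sla:
                findings.append({"host": host["host"], "patch": kb,
                                 "severity": adv["severity"], "days_exposed": days})
    return sorted(findings, key=lambda f: -f["days_exposed"])

def verify_remediation(inventory, findings):
    """Re-scan after patching: return the earlier findings that are still open."""
    by_name = {h["host"]: h for h in inventory}
    return [f for f in findings if f["patch"] not in by_name[f["host"]]["installed"]]

def run_demo():
    """Scan, apply one patch job, re-scan; returns (initial findings, still-open findings)."""
    before = exposure_report(INVENTORY, ADVISORIES, SCAN_DATE)
    # Simulate the patch job landing on workstation-07 only (kiosk-02 is missed).
    after_patch = [dict(h, installed=set(h["installed"])) for h in INVENTORY]
    after_patch[1]["installed"].add("KB-CRIT-001")
    return before, verify_remediation(after_patch, before)
```

On the constructed data the first scan flags the two hosts missing the 2017 critical patch at 784 days of exposure (the high-severity patch is six days old and still inside its SLA), and the re-scan shows that only kiosk-02 remains open.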
Being proactive, not reactive, to emerging threats can help organizations and governments alike mitigate the severity of cyber-attacks and other disruptions.
The first step in being proactive and improving organizational resilience is to perform a benchmarking audit to understand an organization’s strengths and weaknesses. A thorough review and evaluation of core business processes, such as governance, risk management and the supply chain, can help organizations identify issues and prioritize where to spend their resources on improvement.
To improve organizational resilience, organizations need to adopt a stance of preventative control, mindful action, performance optimization and adaptive innovation to embed competence and capability throughout the organization. Paradoxical thinking helps leaders shift beyond ‘either/or’ towards ‘both/and’ outcomes.
From the initial benchmark and understanding of areas in need of improvement, organizations should examine which areas are defensive (stopping bad things from happening) in nature and those that are progressive (enabling good things to happen).
Organizational resilience helps organizations recover from any type of disaster, from tornadoes to cyber-attacks. The lack of a plan for what to do if the computer networks went down stymied Baltimore officials. In an attempt to get city systems back up and running, city employees created free Gmail accounts.
These workarounds were initially shut down by Google: the creation of numerous accounts from the same IP address triggered Google’s automated security system, and accounts of this type are supposed to fall under Gmail’s paid G Suite service. A lack of contingency plans also left anyone trying to sell a property within Baltimore in the lurch.
While not infected with malware, the system that creates and processes the lien certificates used in processing deeds had to be shut down. The workaround is entirely manual: all transactions must be completed in person, and lien certificates have to be hand-delivered by the seller to another office.
Additionally, sellers are required to sign an affidavit that they will pay any outstanding taxes or other liens on the property within 10 days of being invoiced by the city, yet it is unclear when the invoices will start flowing again.
The cost and long-term effects of this cyber-attack and the lack of organizational resilience in Baltimore will be felt for years to come. Hopefully, as the city recovers and examines its systems and processes, it will decide to implement the principles of organizational resilience and abide by best practices to ensure business continuity. We are entering a new age of cyber terrorism which is still evolving and planting roots.
In the near future, attacks will likely increase exponentially across the globe, as a small number of bad actors can affect millions of vulnerable systems within minutes. Because computer networks are so central to the delivery of services, it is paramount that governments safeguard their collective cybersecurity, stay updated on evolving cyber threats, and remain vigilant about their cyber defenses.