Stats & Trends
The Barkly Team
May 2018

Local Government Cybersecurity in 2018: Blocking Ransomware and Other Threats


Photo by Daniel X. O'Neil

Cyber attacks on local governments are on the rise. Here's what county and municipality IT teams need to know to address the latest threats and keep their organizations safe.

With major malware incidents like the one that hit Atlanta in March making headlines, many government organizations around the country are no doubt asking themselves whether their systems are prepared to fend off a similar cyber attack. After all, if a city the size of Atlanta can still be reeling after spending nearly two months and an estimated $5 million in recovery efforts, what does that imply for smaller counties or municipal governments that are equally vulnerable if not more so?

Local governments are big targets for cyber attacks

One can hope Atlanta is serving as a wake-up call, but the reality is these kinds of attacks on public sector networks are unfortunately nothing new. In many cases, the CIOs and CISOs in charge of protecting local government IT infrastructure have been sounding warnings for years. Nearly 40 percent say the frequency of the attacks they're facing is increasing. Over a quarter report their networks are experiencing cybersecurity incidents on an hourly basis. 

In Texas, for example, the state’s IT agency blocks billions of instances of malicious traffic a year, with an average of 3 billion monthly intrusion attempts at last check. The city of Fort Worth alone sees about 15,000 every day.

What makes local governments attractive targets for cyber attacks?

  • They house private data: Not only do local government networks house valuable data, they can also serve as gateways into state systems and other larger networks, where the quantity and value of that data is even greater. 

  • Security often isn't a top (or well-funded) priority: When it comes to security, local governments are typically light on staff, budget, and resources. A recent report for the state of Texas, for example, found that only 200 cities out of 1,100 in the state had a staff member dedicated to handling cybersecurity. Not only can that lack of support translate into a critical lack of well-maintained policies, processes, and planning, it can also create situations where, even if issues are known, there's little to no opportunity to address them. Atlanta, for example, failed a security certification audit conducted in January 2018, during which auditors presciently noted:

    "While stakeholders perceive that the city is deploying security controls to protect information assets, many processes are ad hoc or undocumented, at least in part due to lack of resources. Dedicating resources to formalize and document information security management processes would prepare the city for certification, and, more importantly, provide assurance that the city is adequately managing and protecting its information assets."

    Two months later, the city's network was crippled by SamSam.  

  • Attacks have been successful: From a criminal's perspective, there's also the matter of track record. There have been multiple cases where local governments have been willing to pay attackers in order to regain access to their files and get disrupted public-facing services back online. In March, the City of Leeds, Alabama paid ransomware criminals $12,000 in Bitcoin to regain control of their systems. In April, the City of Leominster paid $10,000 following a ransomware attack on the city's school district. When attacks against a particular sector turn a profit, rest assured criminals will be back conducting more.

  • Attacks against local governments are public-facing: For hackers with political or antisocial bents, or who are merely looking to create chaos and embarrassment, attacks on local government systems can provide a potent outlet, resulting in a variety of disruptive, public consequences.

What's at risk: Costs and consequences of cyber attacks on local governments 

What kind of damage and disruption can malware bring to local governments? To give you an idea, here are some of the real costs and consequences from recent attacks across the country.

  • Loss of vital services: Ransomware that locks down networks can deny employees and residents access to critical services. In Spring Hill, TN, ransomware shut down the mobile data terminals in city police cars and emergency dispatching systems, forcing dispatchers to handwrite 911 calls on a dry erase board.

    Over a month after a similar attack on Mecklenburg County NC, residents still couldn’t make online tax payments. Access to code enforcement, HR, social services, and parks and recreation was also still limited, and the county remained unable to accept online job applications to fill vacant positions.

  • Loss of records: In addition to losing access to critical records while an attack is ongoing, there have been many instances where some records are lost forever. In the small town of Cockrell Hill, TX, for example, a ransomware attack encrypted all of the police department files. When the department refused to pay the $4,000 ransom demand, it lost nearly a decade’s worth of records, dating back to 2009.

  • Loss of productivity: The most expensive cost of nearly every attack — both in the private and public sectors — is the loss of productivity. In fact, the average cost of an attack now tops $5 million, with system downtime and lost productivity accounting for over half of the cost.

    In Spring Hill, employees were locked out of their email for days, bringing work to a crawl and forcing them back into the “Dark Ages” of pen and paper. The recent SamSam attack on the Colorado Department of Transportation — which managed to get through even with McAfee antivirus in place — was even worse. It knocked more than 2,000 employee computers offline for a week. That amounts to as much as 80,000 hours of lost time for employees who rely on their computers to get work done. The attack is already estimated to cost up to $1.5 million, and recovery is ongoing. Six weeks following the attack, the agency was still just 80 percent operational.

  • Cost of recovery comes at taxpayers’ expense: Most local government budgets are extremely lean to begin with. Unexpected costs can take a heavy toll, often at the expense of other programs. Officials for the city of Allentown, PA expected to spend nearly $1 million to recover from the Emotet virus that hit their systems. In 2017, it cost the state of Kansas $1.2 million to recover from a hack at its Department of Commerce. Those are costs not accounted for in the operating budget, which means that money has to come from somewhere.

  • Inability to collect revenue: While recovery costs add up, many organizations are simultaneously unable to process payments and collect revenue to fund operations, adding insult to injury. In Mecklenburg, the county was unable to accept online tax payments, while Spring Hill couldn’t process payments for utility bills or court fines. In Englewood, the city’s civic center couldn’t accept credit card payments following a ransomware attack, while the library could not accept fines for overdue materials.

  • Taxpayer frustration: During attacks, government workers aren't the only ones unable to conduct business. Taxpayers are often disrupted, too. The malware that hit Harvey County, KS, for example, made it impossible for citizens to renew their driver's licenses and vehicle tags, and forced the courthouse to close. An attack on Davidson County, NC took down all county-operated phone lines, which meant residents had to physically show up to conduct business. In Spring Hill, the lack of online access to systems caused residents to line up outside city hall, frustrated with their government’s inability to meet their needs.

  • Erosion of trust and voter support: Just as private sector businesses must worry about their brand image, local governments also have a reputation to uphold for providing responsible, transparent, and efficient services. When malware strikes, this can cause public trust to waver and residents to question the reliability of their government and elected officials. This can make things challenging during election years, and harder to justify potential increases to taxes and fees. Residents may balk, questioning whether their money is being spent wisely and their interests are being served. These incidents may even lower a county or municipality’s credit rating, making it difficult to tap into the bond market to fund capital projects.

While some organizations can limp back to business in a few days thanks to thorough and reliable backup schemes, other recovery efforts can take much longer. After a SamSam attack took down the servers for Bingham County, Idaho, officials estimated it could take nearly a year and $100,000 to recover. Meanwhile, officials in Farmington, NM were still reeling nearly six weeks following their own SamSam attack, at which point a year’s worth of files still remained inaccessible.

The threat is real and not all prevention is equal


Despite having antivirus installed, the Colorado Department of Transportation was infected by SamSam ransomware not once, but twice. Source: The Denver Channel

As these examples illustrate, government agencies face the same swelling tide of malware as private sector businesses. And, unfortunately, due to budget restrictions, lack of compliance mandates, or simply a misguided hope that attacks will always strike someplace else, many government organizations are dangerously unprepared.

Meanwhile, others have spent considerable sums of money in an effort to mount a defense, only to have it rendered useless by increasingly evasive malware. In addition to the SamSam attack that waltzed right past the Colorado DOT’s McAfee AV, Mecklenburg County had spent nearly $16 million on backup, firewall and equipment upgrades in the three years leading up to its ransomware attack, none of which stopped the crippling hack.

Farmington, NM City Manager Rob Mayes clearly articulated the sobering reality in the wake of the SamSam attack there:

"I can tell you that we have a very sophisticated IT, lots of money invested in defense, three separate levels of defenses, including specialty software just for ransomware. And, it cut through it like butter."

Rob Mayes, Farmington, NM City Manager 

Tips for mounting an effective defense

If malware can so easily get past even big-budget investments and the most prominent antivirus solutions, it's clear local governments must take a different approach to protecting their systems. Here are a few strategies that can help:

  1. Explore a new solution that improves on AV: In the majority of successful attacks, AV and other protections were in place, yet they failed to stop malware. That’s because the ways attackers are packaging, delivering, and deploying malware have evolved to evade AV detection. Instead, government organizations need to investigate using a new endpoint protection solution like Barkly, which is designed to block malware in addition to the underlying malicious behaviors and exploit techniques attackers rely on. As a result, Barkly blocks infections regardless of their source, and stops them in real-time before any damage is done. 


  2. Train employees to be vigilant. With the majority of malware delivered via malicious email campaigns, users are one of the first lines of defense. Yet, it seems only a very small percentage of municipalities have an effective security awareness and education program in place. Organizations are encouraged to teach employees how to spot phishing emails, the importance of smart password management, and to immediately report any suspicious activity, even if they think they may have accidentally contributed to the problem. The long-term impact can be far worse than the risk of embarrassment or punishment.

  3. Devise security and recovery plans. Increasingly, it’s not a matter of if an organization will be attacked, but when. That’s why it’s extremely concerning to learn that over 80% of municipalities in the state of New Jersey alone do not have a well-documented disaster recovery or business continuity plan in place. Having a plan is critical to avoiding lengthy and costly downtime. At the very least, a backup scheme that retains several days’ worth of system images both on- and off-site is a great start.
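A backup scheme is only useful if it is actually being kept to, so the retention rule above is worth checking mechanically rather than by assumption. The script below is an added example, not code from the article or from Barkly: it takes a list of completed system-image timestamps per site and reports where a policy of "several days' worth of images, on- and off-site, with a fresh copy every day" is not being met. The policy values, the site names and the catalogue rows are constructed for illustration.

```python
"""Check a backup image catalogue against a simple retention policy.

Added example (not part of the original article). Assumes each completed
system image is recorded as one (site, timestamp) row; the policy numbers
and the sample catalogue below are constructed, not taken from any agency.
"""
from datetime import datetime, timedelta

# Hypothetical policy: a week of daily images at each site, newest < 24h old.
POLICY = {
    "min_daily_images": 7,
    "max_latest_age_hours": 24,
    "required_sites": ("onsite", "offsite"),
}


def check_retention(images, now, policy=POLICY):
    """Return {site: [problem, ...]}; an empty list means the site is compliant.

    images: iterable of (site, datetime) rows for completed system images.
    now:    the reference time (passed in so the check is reproducible).
    """
    problems = {site: [] for site in policy["required_sites"]}
    by_site = {}
    for site, stamp in images:
        by_site.setdefault(site, []).append(stamp)

    for site in policy["required_sites"]:
        stamps = sorted(by_site.get(site, []))
        if not stamps:
            problems[site].append("no images recorded")
            continue
        # Count distinct calendar days covered, not raw image count, so that
        # several images from one day do not masquerade as a week of history.
        days_covered = {stamp.date() for stamp in stamps}
        if len(days_covered) < policy["min_daily_images"]:
            problems[site].append(
                f"only {len(days_covered)} daily images retained, "
                f"policy requires {policy['min_daily_images']}"
            )
        age = now - stamps[-1]
        if age > timedelta(hours=policy["max_latest_age_hours"]):
            problems[site].append(
                f"newest image is {age.total_seconds() / 3600:.0f} hours old"
            )
    return problems


# Constructed catalogue: on-site is healthy, off-site has fallen behind.
NOW = datetime(2018, 5, 14, 9, 0)
SAMPLE_IMAGES = (
    [("onsite", NOW - timedelta(days=d, hours=2)) for d in range(7)]
    + [("offsite", NOW - timedelta(days=d, hours=12)) for d in range(2, 5)]
)


def report(images=SAMPLE_IMAGES, now=NOW):
    """Run the check and return it as printable lines (one per finding)."""
    lines = []
    for site, issues in check_retention(images, now).items():
        status = "OK" if not issues else "; ".join(issues)
        lines.append(f"{site}: {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Feeding this the output of whatever backup product is in use (most can export job history as CSV) turns the plan's retention rule into a daily pass/fail check, which is the kind of evidence an auditor such as Atlanta's would have wanted to see documented.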

  4. Conduct port scans to see your network through the eyes of attackers. Email may be the most common way attackers get malware onto victim systems, but there's another well-worn path that arguably provides attackers with even easier access — scanning the Internet for systems with open ports that are exposing Remote Desktop Protocol (RDP), virtual network computing (VNC), or other remote administration services, and hijacking those services to get access to victim servers. IT teams should use scanning tools like Nmap, masscan, and Shodan to see if their networks have any of these services exposed. Attackers are already doing so, so it's well worth taking a few minutes to see what they see.  
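The practical output of that exercise is a scan of your own address ranges, and the job that follows is picking the exposed remote-administration services out of it. The script below is an added example, not code from the article or from Barkly: it parses Nmap's grepable (`-oG`) output format and lists every host with an open RDP, VNC, Telnet or SSH port. It assumes a scan such as `nmap -p 22,23,3389,5800,5900-5901 -oG scan.gnmap <your-own-range>` was run first; the sample output embedded below is constructed (it uses the RFC 5737 documentation range 203.0.113.0/24, not real hosts).

```python
"""Flag exposed remote-administration services in Nmap grepable output.

Added example (not part of the original article). Usage:
    python find_exposed.py scan.gnmap
With no argument it runs over the constructed sample below.
"""
import re
import sys

# TCP ports associated with remote administration services (hypothetical
# list for this example; extend it to match your own environment).
REMOTE_ADMIN_PORTS = {
    3389: "RDP",
    5900: "VNC",
    5901: "VNC",
    5800: "VNC (web)",
    23: "Telnet",
    22: "SSH",
}

# Nmap -oG host lines look like:
#   Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
# and each port entry is port/state/protocol/owner/service/rpc info/version/
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [(port, state, proto, service), ...]} for every scanned host."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line.strip())
        if not match:
            continue  # comment lines, blank lines
        ip, _hostname, rest = match.groups()
        entries = hosts.setdefault(ip, [])  # the Status line and Ports line share an IP
        fields = rest.split("Ports:", 1)
        if len(fields) == 2:
            for p in PORT_RE.finditer(fields[1]):
                port, state, proto, _owner, service = p.group(1, 2, 3, 4, 5)
                entries.append((int(port), state, proto, service))
    return hosts


def exposed_services(hosts):
    """Return sorted (ip, port, label, nmap_service) rows for open admin ports."""
    findings = []
    for ip, ports in hosts.items():
        for port, state, proto, service in ports:
            if proto == "tcp" and state == "open" and port in REMOTE_ADMIN_PORTS:
                findings.append((ip, port, REMOTE_ADMIN_PORTS[port], service))
    return sorted(findings)


# Constructed sample: three hosts, one of which only shows a filtered VNC port.
SAMPLE_GNMAP = """# Nmap 7.70 scan initiated (constructed sample, not a real scan)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 203.0.113.11 (web01.example)\tStatus: Up
Host: 203.0.113.11 (web01.example)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 5900/filtered/tcp//vnc///\tIgnored State: closed (997)
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 5900/open/tcp//vnc///, 5800/open/tcp//vnc-http///\tIgnored State: closed (998)
# Nmap done
"""


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_GNMAP
    for ip, port, label, service in exposed_services(parse_gnmap(text)):
        print(f"{ip}\t{port}/tcp\t{label} ({service})")


if __name__ == "__main__":
    main(sys.argv)
```

Only `open` ports are reported; a `filtered` result (as on the second sample host) means a firewall is already answering for that port, which is the state you want every administration service to be in from the Internet side. Anything that does show up as open should either be moved behind a VPN or firewall rule, or have a documented reason for being there.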

  5. Schedule regular assessments/audits of security posture. With the threat landscape evolving so rapidly, a set-it-and-forget-it approach to security is doomed. Organizations must continuously reassess their defenses and make sure best practices and procedures are properly maintained. This can include such simple steps as setting user passwords to expire every so often, so that if they are captured by a credential stealer, they aren’t useful for very long. Hiring outside firms to conduct audits on a regular basis can be expensive, but the cost pales in comparison to the potential cost of an incident. Consider it an investment in peace of mind for public officials and their constituents.

In summary 

Municipalities, counties, and even state agencies are hardly immune to the growing risk of malware that threatens networks and systems around the world. By being more aware, more vigilant, and by combining stronger endpoint protection with basic best practices, policies, and procedures, government organizations can make big strides toward better safeguarding their systems as well as the public’s trust.

Learn more about how Barkly can help stop the latest threats in their tracks, blocking malware with protection that's stronger, smarter, and easier to use. 
