Oct 14, 2019
State and local governments should continue to learn from and practice so-called Cybersecurity 101 lessons even as they adapt to newer threat vectors, public- and private-sector sources said recently.
Most public-sector agencies likely have had some form of cybersecurity policies and plans in place for years, but these must still be discussed, practiced, updated and followed, officials said at the third annual edition of a state cybersecurity summit. Among the takeaways:
• Look at your enterprise from the outside — the way a criminal might — for an unvarnished picture of its security levels. Unsecured remote desktop protocols (RDP) are one newer avenue that bad actors have increasingly exploited to deploy ransomware in infrastructure, said Colin Ziegler, cybersecurity analyst at the California Cybersecurity Integration Center (Cal-CSIC). He participated in a discussion of the growth of targeted ransomware attacks against state and local governments at the State of California Cybersecurity Education Summit 2019 on Wednesday.
“This is low-hanging fruit. Very low sophistication, very quick, very fast,” he said, recommending the use of tools like the Shodan search engine to find and block uninvited servers.
Justin Edgar, director of security solutions for Taborda Solutions, recommended using two-factor authentication and SSL interception to look at unencrypted requests and enable enforcement, and revoking local admin on endpoints.
• Cities and counties continue to be a significant focus of ransomware, and governments should consider the larger value of not paying the ransom, Edgar said. If no one pays, “then it kind of goes away,” Edgar said. He pointed to a resolution approved at the 87th annual meeting July 1 of The United States Conference of Mayors affirming that the organization “stands united against paying ransoms in the event of an IT security breach,” as proof that locals are reaching this conclusion.
• Test those backup processes — so they may then be comfortably used in a worst-case situation — and build in a test to ensure they’re not infected themselves. Having reliable, up-to-date backups, Edgar noted, gives governments more than ethical or financial reasons to decide not to pay a ransom. Agencies with current backups can sometimes “negotiate” with criminals during the early hours of an attack — then break off talks, restore on their own and not pay, once copies are verified. But know your process, he said (which machines and applications are most critical and must be up), and approach backups from a “risk-first approach,” identifying assets that are most critical and most dangerous or most embarrassing to lose.
• Test your network disconnect process as well, so that it becomes more than theoretical; and, when an incident or breach occurs, your agency has the ability to “take the ax to the cable between user land and data center land, or user land and app land,” Edgar said. Too many governments understand network segmentation and disconnection in concept but not in practice — so build that actualization into policy, and ensure the person who has the “red button” knows it and is the first to be called during an incident.