By Phil Richards, CISO, Ivanti
Just as healthcare organizations were a popular target of ransomware attacks over the past two years, public sector organizations (including school districts, municipalities, and local and state public agencies) now seem to be active targets.
Most recently, three school systems in the state of Louisiana were victims of malware attacks, which shut down phone systems and locked and encrypted data. The event was deemed serious enough that Gov. John Bel Edwards issued a state of emergency which allows the state to access resources from the state’s National Guard, technology office and state police to remediate the intrusions.
School Systems and Local Governments are an Increasing Target
But Louisiana school systems are not alone. In fact, according to CNN there have been as many as 22 known public sector attacks to date this year, already outpacing 2018. Among them is a RobinHood ransomware infection on April 10 which impacted computers operated by employees in the city of Greenville, North Carolina; a Ryuk ransomware attack on April 13 which hit both Imperial County, Calif. and the city of Stuart, Fla., forcing websites to go dark and shutting down consumer services; and the still-unspecified malware that struck the municipally-owned Cleveland Hopkins International Airport on April 21, causing flight and baggage information to go down.
Perhaps a more heavily reported municipal ransomware attack was just over a year ago, when the city of Atlanta was crippled by SamSam ransomware. As a result of that attack the city ended up spending $2.6 million in hard costs alone to respond, reportedly 52 times the $50,000 ransom the attackers demanded. Reports of the full cost to the city of Atlanta show an actual cost of more than $17 million. SamSam was also the cause of the attack the Colorado Department of Transportation experienced in February 2018, which likewise triggered a state of emergency that activated state resources to help with traffic, road management, and transportation.
But the state of emergency called by Louisiana is different. It centers more squarely on gaining assistance from cybersecurity experts across multiple government agencies to help speed the recovery process. While mitigating cost, like what Atlanta reportedly paid, may be one reason Louisiana called a state of emergency, it also signals to residents (and attackers) that the state is taking the breach very seriously and looking to recover as quickly as possible.
Three Steps for Cyberattack Prevention
While Louisiana works to get its impacted school systems back in action, the question is raised: “Can it happen in my local schools? Will an attack hit my city’s systems?” The answer, of course, is “yes, it can.” However, there are steps that can be taken to make the risk much lower. Consider these three steps:
- Patch All Systems. For most organizations, patching should be the first line of defense. Ensuring that operating systems and third-party applications are up to date will limit or even prevent cyberattacks. Special effort should be made to ensure that all critical patches and updates for applications such as Adobe Flash, Java, Web browsers and Microsoft applications are kept current. Patches should be prioritized based on criticality and policy and applied so that they don’t disrupt users or operations.
- Train Employees Regularly. Most ransomware is spread using phishing or spam emails. Thus, it is critical to train users to be savvy email consumers and careful web clickers. Criminals use many professional marketing and social engineering tools to improve their ability to trick users into opening fraudulent emails and to increase their chances of success. It is likely that even the most educated user will be tricked. Education isn’t enough. Users need to receive periodic drills of phishing email campaigns that provide immediate feedback when they click on a link. Users begin to change their behavior when they see themselves getting “caught.”
- Minimize Computing Privileges. An important tactic to mitigate the damage caused by many types of malware, including ransomware, is to limit administrative privileges to only those who truly need them. For example, the Petya ransomware requires administrator privileges to run and will do nothing if the user does not grant those privileges. Removing administrator rights is easy, but balancing privileged access, user productivity and enterprise security is not. Effective access control protects organizations against malware and ransomware. Access control that focuses primarily or exclusively on privileged user access rights will likely prove less than effective. Generalized access control can be highly beneficial for protecting files located on shared drives. Users have legitimate needs to access and modify files on shared drives; after all, those files are document files created by legitimate users. As a result of this generalized access, a ransomware attack that successfully infects the system of a user with legitimate access rights can encrypt and hold hostage all the files on all connected, shared drives and folders.
In short, the recommendations of patching, user education, and privilege management are critical pieces to prepare for and prevent cyberattacks. These steps are particularly important for public sector organizations and school systems, where budgets may be tighter and resources slimmer. However, taking these steps can be made easier through best-in-class software solutions that use automation to apply the necessary protections. When properly implemented, they can stave off risky and costly attacks without placing an undue burden on security and IT teams.
About the Author
Phil Richards is the Chief Information Security Officer for Ivanti and is CEO of an IT Security Consulting firm. He has held other senior security positions, including the head of operational security for a medical device manufacturer, Chief Security Officer for a financial services corporation and Business Security Director for an investment company. In his various leadership roles, he has created and implemented Information Security Policies, has led organizations through many local, US Federal and international compliance efforts, has implemented security awareness programs, and established comprehensive compliance security audit frameworks based on industry standards. He has implemented Enterprise Risk Management and global privacy programs to address compliance and privacy internationally as well as for specific regions such as the European Union and Australia. Phil has been the recipient of multiple CISO of the Year awards, written and spoken extensively on a variety of security topics, and conducted training workshops for current and future CISOs, CIOs and Board Members. Transforming an organization requires a focus on the objectives, clear communication, and constant coordination with executive leadership, which is where Phil has focused during his security career.