
Ransomware Realities: Exploring the Risks to Hybrid Cloud Solutions

Hybrid cloud frameworks offer a way for companies to combine the scalability of public clouds with the security and control of their private counterparts. Pandemic pressures have accelerated hybrid adoption. According to recent survey data, 61 percent of companies currently use or pilot hybrid clouds, while 33 percent have plans to implement hybrid options in the next two years. Meanwhile, research firm Gartner points to growing cloud ubiquity across enterprise environments driven by hybrid, multi-cloud, and edge environments.

Along with increased uptake, however, is a commensurate uptick in ransomware risks. With attackers leveraging the distributed nature of remote work environments to expand their attack impact, organizations must recognize potential challenges and develop frameworks to mitigate ransomware threats effectively.

What Are the Ransomware Risks of a Hybrid Cloud Environment?

Because hybrid clouds rely on a combination of public and private solutions, overall ransomware risks are effectively double.

Consider the recent ransomware attack on payroll provider Kronos. As noted by CPO Magazine, after details of the Log4Shell vulnerability in the Java logging library Log4j were made public on December 9th, hundreds of thousands of ransomware attacks were launched worldwide. One likely victim was Kronos, with the company’s private cloud forced offline after a ransomware attack leading to weeks of remediation. Private clouds are also under threat as attacks shift from outside to inside — even a single disgruntled employee with administrative access could wreak havoc on internal clouds by simply ignoring email protection warnings or clicking through on malicious links.

Public cloud providers, including Amazon Web Services (AWS), Google Cloud, and Azure, have begun publishing articles and offering resources to help mitigate the impact of ransomware in the cloud. While large-scale public cloud services have yet to report any major ransomware attacks, it’s a matter of when, not if, these attacks occur.

In practice, successful attacks on public or private clouds can lead to severe consequences.

Systems Downtime

Ransomware attackers encrypt key files and demand payment for release. As a result, the first line of defense against increasing attack impact is shutting down affected systems to focus on remediation. Cybercriminals may also pair ransomware efforts with distributed denial of service (DDoS) attacks, which force systems offline by flooding them with traffic and resource requests, even as ransomware is deployed behind network lines.

Depending on the scale and severity of the attack, it could take days or weeks for IT teams to discover the full extent of the damage, remediate the issue and bring systems back online.

Monetary Loss

As noted by Dark Reading, the average ransomware payout hit $570,000 in the first quarter of 2021, more than $250,000 more than the 2020 average of $312,000.

But initial payouts are just the start of the problem. Even if attackers return control of critical files, companies must still spend time and money identifying the vulnerabilities that made ransomware attacks possible in the first place. Then, they must spend even more money remediating these issues and testing their new security frameworks.

There’s also the potential risk of costly data loss if enterprises choose not to pay and instead look to decrypt data using available security tools — or if they pay up and attackers aren’t true to their word. If security solutions aren’t able to remove ransomware before the deadline or criminals can’t (or won’t) decrypt data, companies are left with the daunting and expensive task of building data stores back up from scratch.

Reputation Damage

Eighty-eight percent of customers won’t do business with a brand they don’t trust to handle their data. Ransomware is a red flag when it comes to trust. Even if such attacks are inevitable, customers want to know that companies took every possible precaution to prevent data loss and need the confidence that comes with clear communication about the next steps.

As a result, the loss of data due to ransomware or the inability to articulate how information recovery will occur and how data will be better defended going forward can damage organizations. After a ransomware attack, businesses often face negative impacts on reputation, reduced customer confidence, and revenue losses.

Legal Challenges

Evolving regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA) all include provisions around the safe collection, storage, and use of data. Failure to comply with these regulations can lead to fines and legal challenges if ransomware attacks are successful.

Hybrid Cloud Security Measures

While it’s not possible to eliminate ransomware in hybrid cloud environments, there are steps you can take to reduce overall risk.

1. Deploying Offline Backups

If ransomware attacks are successful, malicious code can encrypt any connected devices. These include physically attached devices such as universal serial bus (USB) sticks or hard drives along with any online, cloud-connected drives across both public and private clouds.

To help mitigate this risk, it’s worth deploying secure offline backups that are not connected to internal hosts or external data sources once backup processes are complete. Consider a private cloud backup. To reduce ransomware impact, companies are best served by establishing a data backup schedule that includes provisions for device connection, data transfer, and device disconnection once the backup is complete. By utilizing multiple offline devices that are regularly backed up and then disconnected, businesses can ensure that data remains available even if primary systems are compromised by ransomware.

2. Implementing Two-Factor Authentication

Frustrating attacker efforts to gain network access can significantly reduce the risk of ransomware. Best bet? Start with two-factor authentication (2FA). While it remains relatively easy for attackers to compromise passwords using both social engineering and brute-force attacks, implementing 2FA solutions that leverage one-time text codes or biometric data can help protect networks even if account credentials are breached. What’s more, failed 2FA checks that accompany correct account information can signal to information technology (IT) teams that attack efforts may be underway, in turn allowing them to respond and remediate threats proactively.

Even more protection is available through multi-factor authentication (MFA) strategies that combine text codes and biometrics to frustrate attackers further. It’s also vital to create strong password policies that mandate regular password changes and include rules around required password length and the use of special characters or symbols to increase overall protection. While passwords remain one of the least secure forms of data defense, they’re not going anywhere. As a result, companies must address common password problems before they lead to compromise.

3. Disabling Well-Known Ports

While attackers are constantly developing new methods and leveraging newly-discovered vulnerabilities to distribute ransomware code, they’re also creatures of habit. If specific attack vectors continue to see success, they won’t abandon them simply because something new comes along.

Case in point: Ports exposed on cloud-connected systems, such as NetBIOS (137-139), SMB (445), and RDP (3389), are common attack targets. By disabling these ports, businesses can remove some of the most-used ransomware distribution pathways, in turn forcing attackers to take more circuitous routes if they want to compromise and infect public and private cloud systems.

4. Turning off RDP

The remote desktop protocol (RDP) allows users to connect with another computer over a network connection and provides a graphical user interface to help streamline this process. The problem? Attackers can exploit insecure RDP deployments — which typically use transmission control protocol (TCP) port 3389 and UDP port 3389 — to access user desktops and, in turn, move laterally through corporate systems until they find and encrypt critical files.

While it’s possible to protect RDP with increased security measures, the collaborative nature of cloud deployments often makes it simpler to disable RDP up-front to reduce total risk.

5. Updating to SMB 3.1.1

The Server Message Block (SMB) protocol provides a way for client applications to read and write files and request server resources. Originally introduced for the disk operating system (DOS) as SMB 1.0, SMB has undergone multiple iterations, with the most current version being 3.1.1. To help protect cloud services from potential ransomware attacks, businesses must upgrade to version 3.1.1 and ensure that version 1.0 is fully disabled. Failure to do so could allow attackers to re-enable version 1.0 and exploit the SMBv1 vulnerability used by WannaCry to compromise systems and install ransomware.

6. Ensuring Encryption is Used for All Sessions

Encryption helps reduce the risk of compromise by making it harder for attackers to discover and exploit critical resources. Ideally, companies should use transport layer security (TLS) 1.3 for maximum protection. Much like SMB, it’s also important to disable TLS 1.0. Why? Because if TLS 1.0 is still enabled, attackers could force your server to negotiate down to TLS 1.0, which could, in turn, allow a downgrade attack against the session.

It’s also a good idea to use SSH version 2 and to disable Telnet (TCP port 23), which transmits credentials in clear text, to frustrate common attacker pathways.

7. Prohibiting Macro-Enabled Spreadsheets

Macro-enabled Excel spreadsheets have long been a source of ransomware and other malicious code. If attackers can convince users to download and open these spreadsheets, criminals are then able to install malware droppers that in turn connect with command and control (C&C) servers to download ransomware.

Recent efforts see attackers sending emails to unsuspecting users indicating they’ve been the victims of credit card fraud. Customers call in, are directed to access a malicious website, and then download a macro-enabled spreadsheet that creates a ransomware backdoor on their device. To reduce the risk of ransomware, it’s a good idea to disable the use of macro-enabled spreadsheets across both in-house Microsoft Office and Office 365 deployments.
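As an added example (not RedSeal's code), the following PowerShell script audits a Windows host against measures 3 through 7 above: listening NetBIOS/SMB/RDP/Telnet ports, the RDP switch, SMBv1 and SMB encryption state, TLS 1.0/1.1 server settings, and the Excel macro policy. It only reports unless `-RemediateSmb1` is passed; the cmdlets and registry paths are Microsoft's, while the `Add-Finding` helper and `$findings` list are this example's own.

```powershell
<#
  Added example: read-only audit of the hybrid-cloud hardening measures
  discussed in the text. Assumes an elevated PowerShell 5.1+ session on
  Windows 10 / Server 2016 or later. Nothing is changed unless
  -RemediateSmb1 is supplied.
#>
[CmdletBinding()]
param(
    [switch]$RemediateSmb1   # also turn off SMBv1 server support (needs admin rights)
)

$findings = [System.Collections.Generic.List[string]]::new()

# Helper owned by this example: records a pass/fail line for the summary.
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK  ' } else { 'FAIL' }
    $findings.Add("[$status] $Check - $Detail")
}

# --- Measure 3: well-known ports used as ransomware distribution paths ---
$riskyTcp = 139, 445, 3389
$listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
               Where-Object { $riskyTcp -contains $_.LocalPort } |
               Select-Object -ExpandProperty LocalPort -Unique)
$tcpDetail = if ($listening.Count) { "listening: $($listening -join ',')" } else { 'none listening' }
Add-Finding 'TCP 139/445/3389 closed' ($listening.Count -eq 0) $tcpDetail

$riskyUdp = 137, 138
$bound = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
           Where-Object { $riskyUdp -contains $_.LocalPort } |
           Select-Object -ExpandProperty LocalPort -Unique)
$udpDetail = if ($bound.Count) { "bound: $($bound -join ',')" } else { 'none bound' }
Add-Finding 'UDP 137/138 (NetBIOS) closed' ($bound.Count -eq 0) $udpDetail

# --- Measure 4: RDP switched off (fDenyTSConnections = 1 means disabled) ---
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
Add-Finding 'RDP disabled' ($ts.fDenyTSConnections -eq 1) "fDenyTSConnections=$($ts.fDenyTSConnections)"

# --- Measure 5: SMBv1 off, encryption required, no sessions below 3.1.1 ---
$smb = Get-SmbServerConfiguration
Add-Finding 'SMBv1 server disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"
Add-Finding 'SMB encryption enforced' ($smb.EncryptData -and $smb.RejectUnencryptedAccess) `
    "EncryptData=$($smb.EncryptData) RejectUnencryptedAccess=$($smb.RejectUnencryptedAccess)"
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1Feature) {
    Add-Finding 'SMB1Protocol feature removed' ($smb1Feature.State -ne 'Enabled') "State=$($smb1Feature.State)"
}
# Clients still negotiating an older dialect must be upgraded before SMBv1 is cut off.
$oldSessions = @(Get-SmbSession -ErrorAction SilentlyContinue |
                 Where-Object { [version]$_.Dialect -lt [version]'3.1.1' })
Add-Finding 'All SMB sessions use 3.1.1' ($oldSessions.Count -eq 0) "older-dialect sessions: $($oldSessions.Count)"

if ($RemediateSmb1 -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Add-Finding 'SMBv1 remediation applied' $true 'EnableSMB1Protocol set to False'
}

# --- Measure 6: legacy TLS server protocols disabled; Telnet absent ---
# An absent key means the OS default applies, which on older Windows leaves TLS 1.0 on.
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
    $off = ($null -ne $p) -and ($p.Enabled -eq 0) -and ($p.DisabledByDefault -eq 1)
    Add-Finding "$proto server disabled" $off "Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}
$telnet = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient -ErrorAction SilentlyContinue
if ($telnet) {
    Add-Finding 'Telnet client not installed' ($telnet.State -ne 'Enabled') "State=$($telnet.State)"
}
$tcp23 = @(Get-NetTCPConnection -State Listen -LocalPort 23 -ErrorAction SilentlyContinue)
Add-Finding 'Nothing listening on TCP 23 (Telnet)' ($tcp23.Count -eq 0) "listeners: $($tcp23.Count)"

# --- Measure 7: Excel macros blocked by policy (Office 2016/365 = version 16.0) ---
# VBAWarnings 4 = disable all macros without notification; the policy may also be set under HKLM.
$xl = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security' -ErrorAction SilentlyContinue
Add-Finding 'Excel macros disabled by policy' (($null -ne $xl) -and ($xl.VBAWarnings -eq 4)) "VBAWarnings=$($xl.VBAWarnings)"
Add-Finding 'Internet-sourced macros blocked' (($null -ne $xl) -and ($xl.blockcontentexecutionfrominternet -eq 1)) `
    "blockcontentexecutionfrominternet=$($xl.blockcontentexecutionfrominternet)"

# --- Summary: print every line and exit non-zero if anything failed ---
$findings | ForEach-Object { Write-Output $_ }
$failed = @($findings | Where-Object { $_.StartsWith('[FAIL]') }).Count
Write-Output "$failed check(s) failed"
if ($failed -gt 0) { exit 1 }
```

Run it from an elevated prompt; a non-zero exit code makes it easy to chain into a scheduled compliance job across hybrid-cloud hosts.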

8. Increasing Total Visibility

Attackers rely on misdirection and obfuscation to install ransomware and encrypt key files. As a result, visibility is critical for security teams. The more they can see, the better they can pinpoint potential weaknesses and identify vulnerabilities.

The challenge? Increasing hybrid cloud adoption naturally leads to reduced visibility. With companies now using multiple private and public clouds to streamline operations, the sheer number of overlapping services and solutions in use makes it difficult to manage and monitor hybrid clouds at scale. To help address this issue, businesses need cloud security tools capable of delivering comprehensive and dynamic visualization that continually interprets access controls across cloud-native and third-party firewalls to help continuously validate security compliance.

9. Recognizing the Role of Due Diligence

No matter where your data is stored, you’re ultimately responsible for its protection. This is true regardless of the service you use. While your cloud provider may offer load balancing, availability, or storage services that help protect your data, due diligence around hybrid cloud security rests with data owners.

This means that if your provider suffers a breach, you bear responsibility if key security processes weren’t followed. As a result, it’s critical to vet any cloud security services provider before signing a service level agreement (SLA) and ensure robust internal backups exist if cloud providers are compromised, or last-mile connection failures interrupt cloud access.

Controlling Ransomware Risks in Your Hybrid Cloud

Unfortunately, it’s not possible to eliminate ransomware in hybrid clouds. Instead, effective cybersecurity in the cloud needs to focus on controlling the risk that comes with distributed data environments.

This starts with the basics, such as ensuring robust encryption, turning off commonly-used ports, and updating SMB and TLS software. It also requires the use of 2FA and MFA solutions coupled with staff education, so that employees recognize the impact of insecure passwords and practices, such as downloading compromised Excel spreadsheets, on cloud security as a whole.

Finally, companies must recognize that ultimate responsibility for secure handling, storage, and use of data rests with them — and that the right cloud security services provider can make all the difference when it comes to reducing risk and enhancing defense in the hybrid cloud.


If You Build It, They Will Come: The Top Four Cybersecurity Threats for Manufacturing Companies

Manufacturing companies face increasing risk from cyberattacks. As noted by IBM’s Security Intelligence blog, ransomware incidents rose more than 150 percent across the manufacturing sector from Q1 2019 to Q1 2020. Other recent survey data found that two-thirds of manufacturing firms believe their data breach risk has increased over the past two years.

There’s no single cause for this upward threat trajectory — the combination of always-on connected devices with growing cloud computing use and the increasing need for big data analysis in production planning and management all play a role in the evolution of manufacturing attacks.

Here’s a look at the underlying causes, possible impacts, and potential remedies for the top four manufacturing cybersecurity threats.

The Impact of Industry 4.0 on Manufacturing

Industry 4.0 changes the way manufacturing companies conduct day-to-day operations. From the use of always-connected sensors and devices that make up the industrial Internet of things (IIoT) to the integration of “smart devices” capable of proactively predicting maintenance needs, the digitization of Industry 4.0 represents a significant leap forward for manufacturing firms.

Unlike its operational predecessors — mechanization (1.0), mass production (2.0), automation (3.0), and globalization (3.5) — Industry 4.0 represents a substantive move into the world of always-on, always-connected devices. While this provides a wealth of data to help companies make better-informed manufacturing decisions, it also introduces significant risk. Frameworks such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) solutions that were historically cut off from external Internet connections are now part of a larger integrated ecosystem. Often, this ecosystem lacks the security controls and oversight necessary to identify and eliminate risks.

What the Cloud Means for Manufacturing

Cloud computing also plays a significant role in the shift to Industry 4.0 as firms look for ways to connect disparate tools and systems across both local facilities and global operations. The result is significant spend by manufacturing firms on robust cloud services. Recent data suggests the cloud market for manufacturing will grow by more than 15 percent year-over-year for the next five years.

But increasing cloud adoption also comes with a concern: complexity. As more applications and services are added to existing IT infrastructure, it’s easy for teams to lose track of what’s been deployed, where, and why. Consider the addition of public cloud services to help bolster computing resources and the storage of big data. Traditionally, these functions reside on-site, making it easy for teams to monitor operations. But as functions shift into the cloud, IT staff must contend with multiple layers of network connection and communication. As a consequence, teams find it harder to see exactly what’s going on — which potentially exposes key data to cybersecurity risk.

The Top Four Cybersecurity Threats

For manufacturing firms, four cybersecurity threats are now common: Data exfiltration, ransomware, phishing, and insider attacks. Let’s break down each in more detail.

1. Data Exfiltration

Data exfiltration occurs when attackers compromise manufacturing networks and then steal data to share or sell. Exfiltration often starts with malware — malicious actors may use legitimate-seeming emails that convince users to click links or download attachments, which then deploy malware to infiltrate network-connected storage systems. Personnel, product, or financial data is then in the hands of hackers, who may sell it on the dark web or threaten its release unless companies agree to pay for its return.

Take the example of Titan Manufacturing and Distributing. The company’s network was compromised by data exfiltration malware for almost a year, during which time attackers stole the names, billing addresses, and payment card details of more than 1,800 customers.

2. Ransomware

Another major threat to manufacturers is ransomware. This threat vector sees attackers infecting systems with programs designed to encrypt critical manufacturing data, rendering it inaccessible for companies. Then, they demand payment for decryption keys and threaten to delete or sell the information if their demands aren’t met.

Ransomware was responsible for the 2019 attack on Norwegian aluminum company Norsk Hydro, which has manufacturing operations in more than 40 countries worldwide. While the company didn’t pay the ransom, removing malicious code and remediating the damage — combined with lost revenue — cost the company almost $75 million.

3. Phishing

Phishing attacks happen when cybercriminals attempt to convince corporate users that they’re legitimate business contacts or members of the organization itself. In some cases, the intent of phishing attacks is to have users supply login credentials as part of a fake “reset” or “verification” process. In other situations, attackers attempt to compel specific — and costly — action. For example, attackers masquerading as C-suite executives may try to trick users into transferring funds into foreign bank accounts or request detailed HR data about specific employees. If staff can be convinced these emails are authentic, they often comply with requests immediately rather than double-checking because they don’t want to risk a management-level rebuke.

This was the case for aircraft parts manufacturer FACC. Attackers were able to convince multiple users that the CEO wanted money transferred into foreign accounts. The result was a loss of $61 million and civil prosecution of both the former CEO and chief financial officer for failing to detect and stop the fraud before it occurred.

4. Insider Attacks

Insider attacks may be the result of malicious action or accidental misuse of networks and data by employees. In either case, however, the results are the same: Manufacturing data is exposed, and corporate operations are put at risk. As noted by Industry Week, manufacturing firms now rank among the top five industries with the highest number of insider threats, and the average cost of an insider threat for a single manufacturing firm is more than $8.8 million.

Best Practices to Address Cybersecurity Concerns

To reduce the risk of manufacturing cybersecurity threats, firms need to follow three critical best practices.

Improved Visibility

As cloud and IIoT connections become more complex, it’s easy for teams to lose network visibility. This often creates a situation that sees companies acting based on what they think their network looks like rather than its actual structure. As a result, improved visibility is the first step on the road to enhanced cybersecurity.

Enhanced Agility

Agility is also critical. With cyberattacks on the rise, it’s now a matter of when, not if, firms will be attacked. Consequently, organizations must be prepared to respond immediately if threats or vulnerabilities are detected across their networks.

Increased Access Control

As the number of public-facing connections and services increases, companies need granular access control to ensure that the right people are accessing the right data at the right time. Additionally, they must have processes in place to flag potentially malicious actors and refuse them access.

Making the Most of Comprehensive Cybersecurity

Making the most of cybersecurity starts by recognizing the risk: Threats such as data exfiltration, ransomware, phishing, and insider attacks are now commonplace and costly.

Firms must also account for the increasing attack surfaces created by cloud-enabled Industry 4.0 deployments. From unintentional exposure to public-facing Internet connections to previously undiscovered vulnerabilities, the move to modern infrastructure comes with a commensurate threat increase.

What can organizations do to protect themselves? To mitigate the impact of evolving threats, companies need security solutions capable of delivering improved visibility, enhancing overall agility, and increasing access control. Only then can organizations fortify themselves against threats and protect their growth and profitability.

Ready to get started? Find more information here or sign up for a live demo of RedSeal for manufacturers.

Lock Up Your Jewels: Reducing Exposure and Limiting Risk in a Ransomware-Riddled World

Ransomware is on the rise. That’s an often-repeated statement in the headlines — but what does it really mean for companies?

Data tells the tale. According to Tech Republic, attacks surged 57 percent between October 2020 and March 2021, while Purple Sec’s 2021 Cyber Security Trends Report notes that ransomware attacks have grown 350 percent since 2018. What’s more, the average ransomware payment rose by 82 percent to $570,000, with the largest single ransom demand coming in at $100 million.

Now that attackers have successfully breached some business networks, companies are understandably worried about the risk of data exfiltration leading to downtime or revenue losses. As Security Boulevard points out, companies now spend almost $2 million to recover after an attack and, on average, suffer 21 days of downtime. Even more worrisome? Paying up doesn’t guarantee the return of encrypted data. Attackers may decide to keep or destroy data or return for another round of attacks once they know payment is possible.

What’s the bottom line? Reducing exposure and limiting risk requires more than recognizing that ransomware is on the rise. To combat these attacks and safeguard what matters, companies need solid strategies backed by advanced cybersecurity solutions.

Ransomware Attacks in the Headlines

Although attackers often target smaller businesses to reduce the risk of getting caught, that hasn’t stopped some groups from prioritizing bigger payouts. Case in point: The Colonial Pipeline attack. On May 7th, 2021, staff found a digital ransom note saying that attackers had already exfiltrated data from Colonial’s network. The company immediately suspended both IT and operations, leading to sudden interruptions in fuel delivery along the East Coast. Within a day, Colonial paid the $5 million ransom and began getting their systems re-secured and back online.

Also making the news were attacks using the REvil ransomware-as-a-service (RaaS) suite. According to the Department of Justice, a Ukrainian national was arrested in conjunction with attacks spanning the last three years, including the July 2021 attack of information technology company Kaseya. While Kaseya says it didn’t pay the ransom demanded, it took the company ten days to recover from the attack and bring their software-as-a-service (SaaS) servers back online.

Why is Ransomware on the Rise?

So what’s driving the rise of ransomware? Several factors are converging that make ransomware attacks easier than ever before.

Enhanced RaaS Tools

Taking a cue from legitimate businesses, some capable coders have created ransomware-as-a-service (RaaS) platforms that sell both basic and customized attack tools to interested parties. The result is a win-win for hackers: They take money up-front from buyers while simultaneously reducing their risk since they’re not actually carrying out the attacks. Many RaaS marketplaces now resemble more familiar eCommerce offerings. Attack designers offer promotions, sales, and even customer support to keep clients coming back.

Expanded Attack Surfaces

Ransomware is also on the rise, thanks to expanding attack surfaces. With more potential avenues of attack — via mobile connections, internet of things (IoT) networks, or open-source software deployments — attackers can pick and choose their preferred compromise method. This reality is forcing IT staff to look to secure multiple points of potential compromise.

Evolved Work Environments

With remote and hybrid work here to stay, businesses now face the challenge of securing networks both in the office and at a distance. For many, however, the abrupt initial shift to remote work created insecure frameworks that remain in use but lack proper protection.

What are the Common Attack Vectors?

The constant evolution of technology means that attackers are always exploring new avenues of compromise. For example, the rise in open source software and application programming interfaces (APIs) has changed how businesses design and develop new services while simultaneously expanding the attack surface.

Despite occasional boundary-pushing, however, most attackers prefer to stick with tried-and-true ransomware vectors.

Remote desktop protocol (RDP)

The remote desktop protocol makes it possible for administrators to access servers and desktops anywhere, anytime. But RDP also opens the door to ransomware attacks. If malicious actors steal legitimate account credentials, they can leverage RDP to access networks, install ransomware, and leave without detection.

Phishing

In 2020 alone, bad actors created almost seven million phishing emails and scam pages. Using promises of COVID vaccines or masquerading as instructions from C-suite executives, these emails create a compromise point for ransomware. If attackers can convince users to click on malicious links or provide account information, they can infiltrate networks and deploy ransomware.

Software vulnerabilities

Open-source software tools and APIs make it possible for companies to streamline software development, but they also put them at risk of unknown or zero-day vulnerabilities. If attackers exploit unreported issues, they can gain network access and encrypt data before teams have a chance to respond.

DDoS attacks

Distributed-denial-of-service (DDoS) attacks are now being used in concert with ransomware. In some cases, cybercriminals hit companies with DDoS attacks and demand ransom for restoration of services. In others, DDoS efforts are used as a distraction while ransomware is deployed.

Combatting the Rise of Ransomware Attacks

To combat the rise of ransomware, companies are best served with a multi-step approach designed to reduce both the initial risk and overall impact of ransomware threats.

Step 1: Identify Your Assets

First, pinpoint what you need to protect on your network. Think of the most critical assets as the “crown jewels” of your organization. Where are they located, and how are they currently defended?

Step 2: Prioritize Your Vulnerabilities

Next, conduct a security assessment — either in-house or using a third party — to determine where your risks lie. While on-site IT teams have greater familiarity with your network, relying solely on in-house personnel can be a security drawback because they may overlook vulnerabilities they have grown used to. By contrast, third-party evaluators can often probe your network in unexpected ways to discover previously undiscovered weaknesses.

Step 3: Secure Your Workforce

Without a secure workforce, efforts at ransomware reduction won’t be effective. Addressing this issue requires the use of tools such as virtual private networks (VPNs) to protect connections and data. You should also deploy zero-trust security solutions that require two-factor (or multi-factor) authentication and include robust identity and access management (IAM).

Step 4: Reduce Your Response Time

When attacks occur, you need to react ASAP. This rapid response requires the use of advanced cybersecurity solutions that help unify infosec response with end-to-end visibility that empowers teams to react in real-time.

Keep it Secret, Keep it Safe

Ransomware isn’t going anywhere. Attackers are constantly looking for new ways to compromise systems or leveraging tried-and-true methods to slip past IT security. Add in the risk of RaaS, increasing attack surfaces, and hybrid work, and it’s clear that companies need defensive strategies capable of finding, detecting, and defeating ransomware attacks no matter what form they take and no matter what vector they use.


State and Local Cybersecurity Threats in 2021: Weathering the Storm

Recent pandemic pressures have created the perfect storm for state and local cybersecurity breaches. With some staff still working from home, state and local agencies face the challenge of deploying defense at a distance over networks, connections, and applications that are often insecure, unencrypted, and in many cases unapproved. What’s more, ransomware has surged — a significant problem since less than 40 percent of state and local staff members have received training on how to prevent cyberattacks.

The result is an increasing volume of local and state government cybersecurity threats, which are occurring across the country. For example, GovTech reported that an issue with third-party software exposed more than 38 million health records across states, including Texas, Indiana, Maryland, and New York. Another case reported by Healthcare IT News detailed a smaller-scale breach in California caused by a single employee that occurred over ten months and exposed both patient and employee data.

With hybrid work here to stay and cyberattacks on the rise, government organizations need to improve cybersecurity practices. They must focus on protecting against breaches that can compromise data, impair operations, and cause significant expenses.

Identifying the Biggest Barriers in Effective Defense

Before agencies can deploy better cybersecurity measures, they must identify critical vulnerabilities and threat vectors. And while every state and local government faces unique data handling and security challenges, three barriers to effective defense are common: visibility, accessibility, and resiliency.

Visibility

Traditionally, state and local governments have been behind the curve when it comes to technology adoption. As noted by research firm Deloitte, however, evolving citizen expectations around access and ease of use “will require uprooting outdated systems and practices and replacing them with new models.” As a result, agencies are now looking to expand their agility to streamline service availability and improve collaboration. To meet these goals, many have integrated and deployed cloud-based software, platforms, and infrastructure.

While these solutions offer improved agility and efficiency, they introduce significant new security risks. IT teams cannot keep track of every app and service in use, which reduces visibility while simultaneously expanding the total attack surface.

Accessibility

For most state and local governments, the problem here isn’t too little access for employees that require it — it’s too much for those that don’t. One common example of excessive access occurs when staff complete one project and move to another. In many cases, their existing permissions aren’t revoked. Instead, new access is simply layered on top of the old, which creates a security risk. And with insider threats often more challenging to detect than their external counterparts, it’s now critical for agencies to identify, control, and correct for excessive access.

Resiliency

Most state and local governments have familiar security controls such as firewalls and antivirus scanners in place to catch potential threats. However, many lack the tools and tactics required to remediate issues when they occur, limit the damage done, and get services back up and running.

The result is IT environments that are primed to block known threats but struggle to recover from the ones that get through. To manage an evolving threat landscape effectively, state and local governments need security plans and policies covering every phase of an attack: initial compromise, identification, isolation, remediation, and restoration.

Exploring the Issue of State and Local Breaches

So what do these breaches look like in practice? Let’s explore the impact of three recent scenarios.

1) New York State, January 2020

In January 2020, New York state officials found themselves up against a massive cyberattack that disabled access to databases used by the state’s civil service, environmental department, and police force. Likely the work of foreign actors, the hack went unreported for months, even as officials looked to restore critical access.

As noted by Security Today, the state received word about a potential flaw — and available patch — for its Citrix-based systems in December 2019. Unfortunately, the state did not install the patch in time to prevent the issue. As a consequence, more than 80,000 state devices were vulnerable to malware compromise. While it appears attackers didn’t access any citizen data, the state had to cover the costs of a three-week forensic investigation of more than 40 servers.

2) Multiple Municipalities, June 2021

Local government cybersecurity teams often look to save time and money by using the same services as other municipalities. It makes sense: They’ve been proven to work with government systems and generally have a track record for reliability.

However, if a service provider is compromised or misconfigured, the results can be far-reaching. As reported by ZDNet, that's what happened across dozens of municipalities in the US when a Massachusetts software provider left Amazon S3 buckets misconfigured. As a result, more than 1,000 gigabytes (GB) of data and 1.6 million files were exposed. The exposed data included email addresses, physical addresses, and driver's license information, along with deed and tax records.
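The misconfiguration behind that kind of exposure can be checked mechanically. The following is an added example, not code from the article or from the provider involved: it reads a bucket policy in the JSON form the S3 API returns, looks for Allow statements with a wildcard principal, and combines that with the bucket's Public Access Block settings to decide whether anonymous users can actually reach the data. The policy, the VPC endpoint id, and the block settings shown are constructed samples.

```python
# Added example, not code from the article or from the provider involved: decide
# from a bucket policy and the bucket's Public Access Block whether anonymous
# users can reach an S3 bucket, and show the hardened block settings. The inputs
# mirror what GetBucketPolicy (a JSON string) and GetPublicAccessBlock return;
# the sample documents below are constructed, and the VPC endpoint id is a placeholder.
import json


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (either form grants to anyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_grants(policy):
    """Allow statements with a wildcard principal, noting whether a Condition scopes them."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        hits.append({
            "sid": st.get("Sid"),
            "actions": _as_list(st.get("Action", [])),
            # A Condition such as aws:SourceVpce or aws:SourceIp narrows "*" to a known
            # network; S3's own public-bucket evaluation does not count such a statement
            # as public, but it still deserves a human look.
            "conditioned": "Condition" in st,
        })
    return hits


def effective_exposure(policy, public_access_block):
    """Return "public", "review" or "blocked" for the policy/PAB combination."""
    grants = public_grants(policy)
    if not grants:
        return "blocked"
    pab = public_access_block or {}
    # RestrictPublicBuckets makes S3 ignore an existing public policy for anonymous callers.
    # BlockPublicPolicy alone only stops *new* public policies from being attached.
    if pab.get("RestrictPublicBuckets"):
        return "blocked"
    if all(g["conditioned"] for g in grants):
        return "review"
    return "public"


def exposure_from_api(policy_json, public_access_block):
    """Convenience wrapper taking the raw JSON string GetBucketPolicy returns."""
    return effective_exposure(json.loads(policy_json), public_access_block)


# The corrected setting: all four flags on.
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Constructed sample: a records bucket whose policy allows anonymous reads, plus a
# list grant scoped to one VPC endpoint (placeholder id).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-records",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    ],
}
SAMPLE_POLICY_JSON = json.dumps(SAMPLE_POLICY)

# The weak setting seen in many exposures: ACL blocking on, policy blocking off.
SAMPLE_PAB_WEAK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                   "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print("weak PAB:    ", exposure_from_api(SAMPLE_POLICY_JSON, SAMPLE_PAB_WEAK))
    print("hardened PAB:", exposure_from_api(SAMPLE_POLICY_JSON, HARDENED_PAB))
```

The distinction between BlockPublicPolicy and RestrictPublicBuckets is the one that matters in practice: the first only stops a public policy from being attached in future, while the second is what makes an already-attached public policy stop working for anonymous callers. A bucket that genuinely has to serve public content should do so through a fronting CDN or a deliberately separate bucket, not by relaxing these four flags on a bucket that also holds tax and deed records.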

3) Oldsmar, Florida, February 2021

A cyberattack on Oldsmar, Florida in 2021 didn't compromise data access or expose files. Instead, it nearly poisoned the town's 15,000 residents. On February 5th, a plant operator at the local water treatment facility received an alert that someone had gained remote system access. The attacker opened multiple applications and services and then raised the setpoint for sodium hydroxide (lye) to 100 times its normal level. Fortunately, operators quickly retook control and reversed the change, preventing disastrous consequences.

Grant Funding for State and Local Governments

The good news is some new help is on the horizon for local and state government cybersecurity, thanks to the $1.2 trillion infrastructure package. The plan includes $1 billion in cybersecurity grants to help local and state governments boost their defenses. If approved, the new program would offer $200 million worth of grants in 2022, $400 million in 2023, $300 million in 2024, and $100 million in 2025. In addition, the plan funds creation of a response and recovery fund at the Cybersecurity and Infrastructure Security Agency (CISA), which would give an additional boost to cybersecurity efforts.

Mitigating the Impact of Cybersecurity Threats

Mitigating the impact of local and state cybersecurity threats depends on a strategy of defense in depth. In practice, this requires a three-step approach: Identification, evaluation, and implementation.

Identification focuses on finding potential threats in current cyber defenses — such as those tied to open source software, authorized apps, excessive access, and unintended exposure to the Internet. Evaluation includes internal and external assessment of existing security policies to see what’s working, what isn’t, and what vulnerabilities state and local governments need to prioritize. Finally, implementation looks to deploy security solutions that directly address key concerns, such as comprehensive cloud security services that provide visibility into public, private, and hybrid stacks simultaneously to empower threat detection and response.
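One concrete form of the identification step, specifically the "unintended exposure to the Internet" item, as an added example that is neither from the post nor RedSeal's product: walk a set of ingress rules, classify each source range as internal, a specific outside range, or the whole Internet, and rank rules that reach remote-management or database ports first. The rule format and the list of high-risk ports are assumptions chosen for the example, and the rules themselves are constructed.

```python
# Added example, not from the post or from any vendor tool: rank ingress rules
# by how far they expose remote-management and database ports. The rule format
# (protocol, port range, source CIDR) is an assumption chosen to resemble a
# security-group export; the rules below are constructed.
import ipaddress

# Ports attackers probe first. The set is an editorial choice for the example.
HIGH_RISK_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc",
                   1433: "mssql", 3306: "mysql", 5432: "postgres", 6379: "redis"}

# RFC 1918 and IPv6 ULA ranges count as internal; everything else is outside.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

SEVERITY_ORDER = {"critical": 0, "medium": 1, "review": 2, "low": 3}


def source_class(cidr):
    """"internet" for 0.0.0.0/0 or ::/0, "internal" for private ranges, else "external"."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "internet"
    if any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES):
        return "internal"
    return "external"   # a specific outside range: a partner, a VPN concentrator, a vendor


def exposed_services(rules):
    """Findings for rules reachable from outside the private address space, most severe first."""
    findings = []
    for r in rules:
        cls = source_class(r["cidr"])
        if cls == "internal":
            continue
        # Protocol "-1" is the "all traffic" rule; it covers every port.
        lo, hi = (0, 65535) if r["protocol"] == "-1" else (r["from_port"], r["to_port"])
        hits = {p: n for p, n in HIGH_RISK_PORTS.items() if lo <= p <= hi}
        if cls == "internet":
            severity = "critical" if hits else "review"   # 80/443 to the world may be intended
        else:
            severity = "medium" if hits else "low"
        findings.append({"id": r["id"], "severity": severity, "source": cls,
                         "cidr": r["cidr"], "ports": (lo, hi), "services": sorted(hits.values())})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["id"]))
    return findings


# Constructed rules: a public web port, RDP open to the world, an IPv6 allow-all,
# a database port limited to the LAN, and SSH from one outside (partner) range.
SAMPLE_RULES = [
    {"id": "sg-web-80", "protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
    {"id": "sg-rdp-any", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
    {"id": "sg-all-v6", "protocol": "-1", "from_port": None, "to_port": None, "cidr": "::/0"},
    {"id": "sg-db-lan", "protocol": "tcp", "from_port": 1433, "to_port": 1433, "cidr": "10.20.0.0/16"},
    {"id": "sg-partner-ssh", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
]

if __name__ == "__main__":
    for f in exposed_services(SAMPLE_RULES):
        print(f"{f['severity']:8} {f['id']:15} {f['cidr']:16} {f['ports']}  {f['services']}")
```

A port 80 rule open to the world is reported as "review" rather than dropped, because public web access may be intended but still belongs on the inventory. The "all traffic" rule to ::/0 is the case that most often slips through a manual check, since it is not tied to any recognizable port and IPv6 rules are easy to overlook when the team thinks in IPv4.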

Battening Down the Hatches

State and local governments now face a trifecta of security challenges: remote work, ransomware, and worker education. Together they create ideal conditions for malicious actors, who can exploit them to breach government networks, access critical services, and exfiltrate citizens' data.

The result is a growing need to batten down the digital hatches by creating and implementing an in-depth strategy that builds robust, reliable, and resilient security infrastructure. To reduce these risks and avoid the outcomes described above, state and local governments need to prioritize cybersecurity.

Ready to boost cyber resiliency and better weather the storm? Click here to see a demo of RedSeal’s cloud security solution in action.

Join us!

Hear from Shannon Lawson, CISO, City of Phoenix, how the city hardened its environment against attacks, recognized exposures, secured infrastructure, mitigated risks, and stayed compliant. The live webinar is January 18, 2022. Register now and don't miss out!

Petya: Recommendations for defense and remediation

The CyberWire | June 29, 2017

What can enterprises do, now, to protect themselves against Petya and the other, similar attacks soon to follow? This won’t be a one-time thing: WannaCry wasn’t, and it’s reasonable to expect fresh ransomware campaigns to keep coming, hard and fast. The attackers get a good return on investment from repurposing tools and exploits. There’s no reason to expect them to stop.

For your coverage of Petya, Ray Rothrock, CEO of RedSeal, said in an email, “It’s happening again. This time in a slightly different form and name, but it’s the same. A new strain of Petya malware is going after unpatched Windows systems via EternalBlue, the same stolen NSA tool exploited by WannaCry.”