By John Forrester December 19, 2023
How Local and Regional Authorities can improve their ransomware defenses
A recent study by the National Association of State Chief Information Officers (NASCIO) and Deloitte found that 75% of US state CISOs view ransomware as a threat. As the Govloop report puts it, “…there’s good reason for that. A number of factors, the report notes, combine to make local and regional governments particularly vulnerable to this attack.”
- High impact: Ransomware is capable of bringing an organization’s operations to a halt. It is also one of the attacks most likely to hit local and regional organizations.
- Easy entry: With the commercialization of attacks through “Ransomware-as-a-Service”, even non-technical threat actors can profit from ransomware operations.
- Emergence of distributors: As the Govloop article points out, prolific information-stealing malware families are linked to various ransomware operators, who rely on them for distribution.
Clearly local and regional organizations need to revamp their strategies to deal with these challenges:
- Known attractive targets for cybercriminals: Local and regional organizations hold valuable data, ranging from legal records to health care records. In addition, their responsibility for critical infrastructure (transport, water, utilities) increases their liability.
- Evolution from “opportunistic” to targeted attacks: Attacks now begin by identifying potential victims and then focus on probable “high-yield” targets. The lack of training and awareness renders small organizations particularly vulnerable to these attacks.
- Transparency transformed into a liability: Local and regional organizations are usually obligated by law to disclose a range of financial details, all of which offer attackers a rich source of data.
A comprehensive and strong strategy would likely include much of the following:
- End-user awareness: End users represent a weak point in any organization’s defenses. Raising user awareness is certainly important, but training and refresher courses have a limited effect over time. Unfortunately, Govloop (and many others) stop short of suggesting more innovative ways to engage end users.
- Close the threat information gap: New threats and attacks are emerging all the time. Rather optimistically, the article urges local and regional “technology leaders” to “engage with information-sharing bodies to keep themselves abreast of the ever-changing threat landscape”. While sensible, this advice ignores the problem that many local and regional organizations lack the resources to keep themselves up to date.
- Security controls: A minimum set of security controls is certainly called for. Much could be done by establishing and implementing basic security controls along with network monitoring. Unfortunately, host-level detection and response (EDR) capabilities are beyond the reach of many small local governments and small businesses.
Best Practices to employ?
- Tailor training: A focused, tailor-made training program helps an organization get the most out of end-user training. Frequency is important, and tailoring by role is more beneficial, since not everyone accesses the same information. There are no quick solutions for building awareness of security issues; time and patience are needed to achieve results.
- Secure external ports and services: The article rightly reports that numerous ports and services within an IT infrastructure are reachable by threat actors, often because the IT department uses them for remote access into the network. Organizations should periodically check everything open to the outside world and close whatever is not used, or secure it with “multi-factor authentication and a strong, complex password.” The advice is good but, for lack of qualified personnel and sufficient budget, often not followed.
- Take patching seriously: Declarations like the one from Sayers, “That means you need a vigorous, routine and timely patching schedule”, are well meaning but fail to convey the need to develop a “patching schedule” carefully rather than relying on improvised “updating” by unqualified personnel.
- Double down on backup: The article’s note that “backups need to be regularly tested and should be stored offline, and segmented from the larger IT environment” is certainly important, but with untrained personnel and insufficient budgets it is either not followed at all or implemented only partially.
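To make the periodic exposure check concrete, here is an added example (not from the Govloop report or this article) that reviews an external port scan against a register of approved exposures. It parses nmap grepable (`-oG`) output and flags every open port that is not in the register, is registered but no longer in use, or is a remote-access service registered without MFA; it also reports register entries that no longer answer, so the register does not drift. The scan lines, the hosts (in the 203.0.113.0/24 documentation range), the register and the list of remote-access ports are all constructed assumptions.

```python
"""Review externally exposed services against an approved-exposure register.

Added example, not code from the Govloop report or the article. The nmap -oG
lines, the register of approved exposures and the list of remote-access ports
below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Ports commonly used for remote access; an approved service on one of these
# must be registered with MFA (assumed policy for this example).
REMOTE_ACCESS_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb",
                       1433: "mssql", 3389: "rdp", 5900: "vnc"}

# Constructed register: what is supposed to be reachable from the internet.
APPROVED = {
    ("203.0.113.10", 443): {"service": "citizen portal", "mfa": True, "in_use": True},
    ("203.0.113.10", 3389): {"service": "admin RDP", "mfa": False, "in_use": True},
    ("203.0.113.20", 22): {"service": "old backup SSH", "mfa": True, "in_use": False},
    ("203.0.113.30", 443): {"service": "legacy intranet", "mfa": True, "in_use": True},
}

# Constructed nmap -oG output for the external scan (fields are tab-separated).
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 203.0.113.20 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///\tIgnored State: closed (998)
# Nmap done
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str
    action: str


# One port entry in -oG looks like "3389/open/tcp//ms-wbt-server///".
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_open_ports(grepable: str):
    """Yield (host, port, proto, service) for every open port in nmap -oG output."""
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), "")
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                yield host, int(port), proto, service


def review_exposure(grepable: str, approved: dict) -> list:
    """Compare the scan with the register and return a list of Findings."""
    findings = []
    seen = set()
    for host, port, proto, service in parse_open_ports(grepable):
        seen.add((host, port))
        entry = approved.get((host, port))
        if entry is None:
            findings.append(Finding(host, port, "high",
                            f"not in register ({service}/{proto}): close it or register it"))
        elif not entry["in_use"]:
            findings.append(Finding(host, port, "high",
                            f"registered but unused ({entry['service']}): close it"))
        elif port in REMOTE_ACCESS_PORTS and not entry["mfa"]:
            findings.append(Finding(host, port, "critical",
                            f"{REMOTE_ACCESS_PORTS[port]} without MFA ({entry['service']}): "
                            "enforce MFA or move it behind a VPN"))
    # Register entries that no longer answer are stale records, not risks,
    # but leaving them in place is how the register drifts from reality.
    for (host, port), entry in approved.items():
        if (host, port) not in seen:
            findings.append(Finding(host, port, "info",
                            f"registered ({entry['service']}) but not open in scan: update register"))
    return findings


if __name__ == "__main__":
    for f in review_exposure(SCAN_OUTPUT, APPROVED):
        print(f"[{f.severity:8}] {f.host}:{f.port}  {f.action}")
```

Run against a real scan by replacing `SCAN_OUTPUT` with the contents of an `nmap -oG` file of the organization's public address range, and keep the register as the single place where each exposure's owner and MFA status is recorded; an unregistered open port is then a finding by definition, which is exactly the "close it if not used" check the article calls for.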
After all the discussion about security, many attacks still start with the mishandling of a malicious email. “We still see a lot of ransomware attacks begin with something as simple as a malicious email, trying to get the end user to click on a link or download a file.” – T.J. Sayers
As we have seen in many small and medium-sized local governments in Italy and elsewhere in Europe and the UK, the most urgent issue is not so much technological as one of awareness on the part of the end user.