Outdated IT systems and lack of employee training make local municipalities easy targets.

Edward Gately, Senior News Editor

November 26, 2019


Louisiana is the latest state to be hit with a ransomware attack on multiple state agencies, with Gov. John Bel Edwards declaring a state of emergency.

Ten percent of the 5,000 servers on the state’s computer network, which power operations across state government, and 1,600 PCs were damaged by the attack. The state Office of Motor Vehicles was one of the agencies hardest hit.

This follows the trend of cyberattacks hitting local governments around the United States as nearly 150 government entities have been hit this year alone.


To find out more about this trend, we spoke with Kevin Lancaster, Kaseya’s general manager of security solutions.

Channel Futures: Why do ransomware attacks on local governments matter and what is the larger impact on society?

Kevin Lancaster: Ransomware attacks in local and state governments can have reverberating effects for residents. Both ransomware attacks in Louisiana ended up halting major state systems, including three school districts and the Louisiana Department of Children and Family Services. This meant that state residents not only risked their personal information being exposed, but they also potentially lost access to critical services they needed to live. Another example is the March 2018 ransomware attack against the city of Atlanta, where residents couldn’t pay their utilities or pay for parking tickets, police and other employees had to write out their reports by hand and court proceedings for people who are not in police custody were canceled for weeks. A lapse in services like these, even if brief, can negatively impact thousands of citizens.

CF: Is there anything unique or unusual about the ransomware attack on Louisiana state agencies?

KL: There is not anything particularly unique in the Louisiana ransomware attack as opposed to similar government ransomware attacks. The attackers utilized Ryuk, which was first seen in August of 2018. With the exception of their response, they didn’t stop the attack, but they had a plan and process in place to address and recover from the incident. State and local governments are rich targets because they are large and widely distributed, with aging and underfunded infrastructure that provides critical services expected to be available 24×7 to millions of individuals. The state initiated their cybersecurity response rapidly by shutting down their systems to stop the spread and recovered from good backups. The ability to execute this process across a large, multidepartment network demonstrates that proper planning can minimize the impact of a cybersecurity incident and should provide a lesson for other government offices.

CF: What aren’t local governments doing that they should be doing to protect themselves?

KL: Outdated IT systems and lack of employee training make local municipalities easy targets, and hackers know it. While it’s bad enough when a company’s network goes down, hackers also recognize that downtime is not an option for local governments who need to provide critical services to residents and businesses. State and local governments can also be hot spots of citizens’ personal information, making it a prime target for hackers.

CF: Are there ways local governments can protect themselves so they don’t have to pay a ransom when ransomware hits?

KL: First, create a proactive incident response plan. Government agencies should prepare an incident response plan that details the role of every individual in case of a breach. Organizations must also bridge gaps in coordination between employees and third-party vendors, if any, to enable proactive risk management.

Second, patch on time to reduce risks. The U.S. Department of Homeland Security (DHS) recently issued a new Binding Operational Directive (BOD 19-02) instructing government organizations to patch critical vulnerabilities within 15 days, and high severity vulnerabilities within 30 days. Patching on time helps reduce the attack surface and ensures vulnerabilities are mitigated quickly. Automating patch management is moving a step ahead. With tight budgets and limited manpower, government agencies can make sure that patches are not missed across the entire network with an automated patch management solution.

Third, have [and test] a proper business continuity and recovery plan. Government agencies need a solid backup and disaster recovery (BDR) plan. This is a critical requirement to protect against ransomware attacks, for example. A foolproof method of backing up data would be a combination of onsite and cloud backup, also known as hybrid cloud backup.

And finally, develop cybersecurity skills in the workforce. For government organizations to be fully prepared to tackle cyberthreats, IT directors should have a long-term vision which includes up-skilling their employees in areas of cybersecurity. With budget constraints always at the forefront of concerns, it might not be feasible to routinely train every member of the team. Instead, areas to focus on can be prioritized and worked upon to implement effective up-skilling.

CF: Can MSSPs and other cybersecurity providers be doing more to help local governments protect themselves from ransomware attacks? If so, how?

KL: The biggest thing MSPs, MSSPs and other cybersecurity providers can do to help local governments is focus on doing risk assessments, incident response and process creation. So often we are focused on developing and implementing a technology or product, but that technique alone has been demonstrated as ineffective. I liken it to getting a flu shot: It may protect you 65% of the time, but it is not 100% foolproof. Despite this, you should still absolutely get a flu shot.

You should also, in the case of this cyberattack, ensure you are using next-gen antivirus, doing cybersecurity training and phishing simulation, configuring end-user machines with least privilege, and disabling non-essential services like remote desktop protocol (RDP) from anywhere as used in this attack. That could have stopped this incident, but note that it won’t stop them all. Louisiana had a way to stop the spread and recover from backups. It is no easy task, but the services that the vendor community provides, along with ensuring availability during the incident is the best way we can help organizations minimize the impact of the next one.

Barracuda Provides BEC Deep Dive

Business email compromise (BEC) makes up a small percentage of spear-phishing attacks, but it has cost businesses more than $26 billion in the past four years, according to the FBI.

Barracuda’s latest report, “Spear Phishing: Top Threats and Trends Vol. 3,” reveals new details about these highly targeted threats, including the latest tactics used by cybercriminals and the steps you can take to help defend your business.

According to the report:

  • Ninety-one percent of BEC attacks take place on weekdays, with many being sent during typical business hours for the targeted organization to make them more convincing.

  • The average BEC attack targets no more than six employees, and 94.5% of all attacks target less than 25 people.

  • Eighty-five percent of BEC attacks are urgent requests designed to get a fast response.

  • BEC attacks have high click-through rates as one in 10 spear-phishing emails successfully tricks a user into clicking, and that number triples for emails that impersonate someone from HR or IT.

  • In the past 12 months, the average amount lost per organization due to spear-phishing attacks was $270,000.


Don MacLennan, Barracuda’s senior vice president of email protection, engineering and product management, tells us most organizations will have secure email gateways in place to filter incoming messages. Unfortunately, these are no longer enough to detect and block social engineering attacks such as BEC.

“Gateways are designed to look for signs of malicious activity: bad URLs, known spammer and malware are just a few examples,” he said. “BEC email attacks do not contain any of those. What organizations need today is technology that offers visibility beyond the gateway. Machine learning (ML)-based protection that is able to recognize abnormal communication within the organization — for example [an] email address that the CFO doesn’t usually use, or an email request to make a wire transfer that is unusual for a CEO. All of this analysis and subsequent remediation needs to be done in real time. In addition to deploying dedicated spear-phishing technology, businesses need to invest in user education training to make sure their employees are able to recognize and know how to report these attacks. Outside of IT, businesses should implement policies to protect wire transfers through fraud — for example, all wire transfers will need to be confirmed over the phone or in person.”

User security training and phishing simulation campaigns are two examples of ways in which MSSPs can provide a value-added service to their customers, MacLennan said. Some attacks do get through, especially BEC attacks. When they do get through and are reported by users, businesses need to act fast to remediate these attacks and remove malicious messages. MSSPs can use automated remediation tools to help businesses manage their inboxes, investigate and remediate any reported emails, he said.

“Hackers invest time to research their victims and their organizations, they understand who has access to financial or other valuable information,” he said. “They carefully draft emails with personalized content and they use spoofing techniques in their impersonation attempts. The time spent on personalizing attacks pays off as people are more likely to fall for these attacks. And if they do, the payoff for the hacker is substantial.”

Qualys Unleashes VMDR App

Qualys, a provider of cloud-based security and compliance solutions, has unveiled its new Vulnerability Management, Detection and Response (VMDR) app aimed at providing customers with one streamlined workflow to scan, investigate, prioritize and neutralize threats.

VMDR helps organizations of all sizes to strengthen their security by offering a complete VM workflow that: enables VM and IT teams continuous visibility of their global IT assets (known and unknown); identifies vulnerabilities across those assets in real-time; prioritizes remediation using ML and context awareness; provides built-in orchestration workflows; and allows one-click remediation with full audit tracking.


Karun Malik, Qualys’ vice president of strategic alliances and channel development, tells us VMDR allows MSSPs to take the data and create more services from it.

“By giving MSSPs the context and data available to scale in an excessively shortened amount of time, it gives them a competitive edge [with] more visibility and more context to support the services they offer and more quality data to determine these decisions, [and] extremely comprehensive and user-friendly, giving more visibility and usability across a company,” he said.

Arctic Wolf Launches Account Takeover Risk Detection 

Arctic Wolf Networks, a security operations center (SOC)-as-a-service company, has added Account Takeover Risk Detection capabilities, allowing customers of the Arctic Wolf Managed Risk service to identify corporate credential exposures on the dark web.

The external vulnerability assessment continuously scans customers’ public-facing internet environments against one of the world’s largest repositories of third-party data breach information recovered from dark and grey web sources. This insight is used to produce observations and a risk score assessment, as well as to raise alerts about potential account takeover situations.


Todd Thiemann, Arctic Wolf’s director of product marketing, tells us Account Takeover Risk Detection provides added value to the Arctic Wolf offering. Channel partners now can go to their customers to explain that Arctic Wolf will notify them if their compromised account credentials have been exposed on the dark and grey web or have been harvested as part of a known data breach, he said.

“Account Takeover Risk Detection is something we have not seen from other managed detection and response or SOC-as-a-service players,” he said. “It will allow channel partners to explain that the Arctic Wolf Managed Risk offering is not simply looking at internal and external vulnerabilities, but also looking at the risk of compromised credentials which those systems would miss. Customers get the benefit of more comprehensive security coverage so they can better lock down their IT environments.”


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
