Dark Reading is part of the Informa Tech Division of Informa PLC


8/30/2019
10:45 AM
Sara Peters

'It Saved Our Community': 16 Realistic Ransomware Defenses for Cities

Practical steps municipal governments can take to better prevent and respond to ransomware infections.

1. Buy Cyber Insurance
More organizations in both the public and private sector are investing in cyber insurance as part of their overall security strategies. That includes the city of Valdez.

"Whomever was responsible for getting the insurance for the city deserves recognition and/or a raise," says Valdez's Hinkle. "I can't emphasize enough how much it saved our community."

The mysterious savior who added cyber insurance to a broader policy helped Valdez pay for a wide variety of costs, including the ransom and the town's new IT infrastructure.

The insurer also had preferred provider relationships established with cyber incident response companies, forensic investigators, and other resources that could have been essential in an emergency.

(Simply having the policy isn't enough, however. Calling the insurance company right away and documenting everything thoroughly are essential to getting a claim paid.)

2. Get a Third-Party Ransomware Risk Assessment Now
Earlier this year, the city of Baltimore opted for roughly $18 million of recovery costs over paying a ransom. In July, at the US Conference of Mayors, more than 14,000 US mayors signed a resolution agreeing they would not pay ransoms. A strong commitment to not pay would, hopefully, dissuade financially motivated attackers from going after governments in the first place.   

But let's not be too hasty.

"You've been violated, and you don't want to be a victim," says John Pironti, president of cybersecurity consultancy IP Architects. "But you have to take emotion out of the equation because you have to make hard decisions based on cost."

A thorough risk assessment that outlines these costs — determining what kind of outage is worth how much ransom, etc. — could help guide those hard decisions. And having that risk assessment done by a third party makes it easier to defend those decisions later against political opponents or public pressure.

In Valdez's case, "I knew that I had all of my criminal cases encrypted," says Hinkle. "I had a homicide case -- all the evidence was gone. You name it. That's just one department. I knew that four Bitcoins, in my mind, was worth it and a good use of taxpayer money."

3. Identify Your Response Team Now
Check what official chain of command has already been established. Is the city comptroller, the police department, the mayor, or someone else the first call? 

When does the FBI get involved? What are your legal notification requirements, and when should attorneys and public affairs be called? Who hires the third-party advisers, the forensic investigators, and any other cybersecurity specialists?

Wouldn't you like to know these answers before your computer screen is locked and your phones don't work? 

Pironti, Admon, Hinkle, and Osburn all recommend identifying the people who should be part of the incident response team, FBI included, and building relationships with them now. 

"The longer we wait, the less evidence we have," Admon says. "So coming to authorities is extremely valuable." Quick reporting could help prevent infections at other sites as well.

4. Join Forces with Other Cities
By "join forces," we don't mean celebrate a hootenanny of a coordinated ransomware infection, as over 20 Texas towns did one day this month. We mean learn from one another and even share staff.

Valdez, Alaska, was aided by the fact that a nearby locale was hit by ransomware just a few days earlier and shared information about the attack.

Government agencies across the country complain about being outpriced by the high-paying private sector when competing for cybersecurity staff; the problem is even worse for small towns that have not only limited funds but also not enough work to merit a full-time security specialist.

The Center for Internet Security's Harnish suggests small towns might address these staffing issues by "security through association." Towns like Valdez "could probably do better if they banded together with other surrounding villages," he says.

The Center for Internet Security and the Multi-State Information Sharing and Analysis Center (MS-ISAC), which serves the US's state, local, tribal, and territorial governments, provide information sharing, as well as free and low-cost educational resources.

5. Awareness Training for Users & Taxpayers
Most ransomware attacks happen through human error, according to SOSA's Admon. "Just by educating, they can reduce the risk, but they're usually pretty bad at it," he says.

Admon suggests creating a simple security checklist for end users. Distributing and displaying a checklist of fundamentals will create a very basic layer of security that reduces the threat of phishing and human error that have caused many a ransomware infection.

Harnish suggests something even simpler. "One thing a small city can do is remind users, 'Hey, we're under attack [every day],'" he says. A little reminder in the morning and a simple request to please be careful today could make all the difference.

"We really need to focus on human behavior as a solution, not technology," he adds. "Tech is a great backup." 

Spreading the word to the general public also helps to gain support for further investments.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
