Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
4/11/2018
03:45 PM
Chris Park
Chris Park
Partner Perspectives
100%
0%

Avoiding the Ransomware Mistakes that Crippled Atlanta

What made Atlanta an easy target was its outdated use of technology: old computers running on non-supported platforms, which are also a characteristic of many municipalities and most major cities.

Last month, five of Atlanta's 13 government offices were "hijacked," as the city's mayor put it, by ransomware that disrupted far-reaching facets of the city’s digital infrastructure. From the courts to the police department to public works, government activity was essentially frozen as the hackers gave the city a week to pay the ransom – roughly $50,000 worth of bitcoin – or have critical data and processes deleted permanently.

While the event was eye-catching for several reasons, it's hardly an isolated incident. From Dallas to Denver, hackers leveraging ransomware not unlike the program that hit Atlanta have been able to "hijack" municipal networks largely because these entities were poorly protected.

It didn't take long for security teams to identify the virus in use – SAMSAM – or recognize and partially thwart the attackers' tactics. In fact, when word of the event spread around the cybersecurity community, the portal that the Atlanta hackers had opened to receive their ransom – complete with a countdown clock – was flooded with messages from hackers and cybersecurity pros alike, causing the hackers to take the channel down.

But what made Atlanta such an easy target – even for a relatively common form of ransomware – was its incredibly outdated use of technology in the broader sense. Old computers running on non-supported platforms, for instance, are a characteristic of many municipal operations, as most major cities support such a vast IT operation that updating every digital asset is time and cost prohibitive. This means that cyber vulnerabilities run rampant in local government, threatening the physical and intangible structures that hold society together.

Local governments typically have thousands of connected devices and many mobile employees who frequently connect and disconnect from the city’s network. If there aren’t security solutions in place that can secure these types of borderless networks, all it takes is one municipal employee to bring an infected device onto the city’s network to put the personal information of thousands at risk.

Common Sense Tactics Go a Long Way

Security teams working on any network – whether for a municipality or an enterprise – need to first assure that all the operating systems, platforms and devices using it are still receiving regular updates and support. For instance, Microsoft employs end-of-life support cycles for iterations of each of its operating systems. Mainstream support for Windows Vista and Windows 7 both expired years ago, with extended support for Windows 7 set to expire come January 2020, while Vista users were turned off in April 2017.

Because municipalities are notorious for employing technologies long after they were originally marketed, there are no doubt platforms running on most of these networks that haven’t adapted to the increasingly rampant threat landscape.

It’s also important that the cybersecurity tools that teams use to protect their devices deliver equal and effective protection across all the platforms and device types that populate the network. If the secure web gateway product a team uses to vet traffic entering the network doesn’t deliver feature parity for both new and legacy technology, it’s virtually ineffective, as hackers only need to find one vulnerability to get past the network perimeter and wreak widespread havoc.

Most importantly, teams need to be sure they are backing up their data, encrypting their traffic and isolating their encryption keys in environments that outside parties can’t access. This is easier said than done, but by turning to trusted data backup providers and established encryption methodologies like SSL (as opposed to proprietary products/methods that haven’t been proven on the market), you can rest easy knowing these tools receive regular updates and patches in kind.

 

Chris Park brings more than 13 years of experience in corporate network security to his position as CIO at iboss, where he is responsible for creating and driving the company's IT strategy. As resident expert in all aspects of iboss solutions and infrastructure, Chris is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mugsprt
50%
50%
mugsprt,
User Rank: Strategist
4/17/2018 | 8:32:25 PM
Re: System failures
You can tell they really thought that out. :-)
Take Care,

Margaret

 
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/17/2018 | 3:17:56 PM
Re: System failures
Stupid as stupid does ----- and why did Hartsfield Airport in Atlanta  have both primary and secondary power cables router through the same underground tunnel only a few feet from each other when a fire broke out taking about both primary AND REDUNDANT POWER ?????   Because nobody thought it could happen!!!
mugsprt
50%
50%
mugsprt,
User Rank: Strategist
4/13/2018 | 4:53:49 PM
Re: System failures
I agree to use it as a comparison for server failure. The recovery is going to be the same. What is wrong with the City of Atlanta? We as a group know it pretty much the standard best practices. I can't believe the City of Atlanta is that stupid. Now they have outsiders public and private wanting money to solve their problems. They really need to put on their big boy pants and solve it themselves. They will never be ready for the next server failure or attack. Much of the problem needs to solved from within.

I just want to take moment to thank everyone on the posting of this article. I glad we have people still with solid foundation for systems and security.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/13/2018 | 12:10:51 PM
Re: System failures
A better comparison can be made with Merck which was hit hard by WannaCry in 2016.  I remember from all the chatter on the web that they discovered their recovery protocols were about nill!  Which hurt them big time.  YOU have to be able to recover whether from ransomware or drive failure or electrical power outage (Hello, DELTA/).  
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/13/2018 | 10:34:24 AM
Re: System failures
WOW!!!   LIKE I DON'T KNOW THAT?????   I used it as a comparison for server failure.   And the existance of a recovery plan which, from whati can see, does NOT exist in Atlanta.
mugsprt
50%
50%
mugsprt,
User Rank: Strategist
4/13/2018 | 10:17:37 AM
Re: System failures
9-11 had nothing to do with the City of Atlanta. Many of the mistakes were due to the security and the protection of data. I have worked on the inside temporarily. They have a tendency to have shadow IT departments. They are not unified in IT structure of who has control. NO IT GOVERNANCE and no incident response plan. Someone should have been aware of current possible threats like ransomware in general. Who let the media loose with a screen shot of how to contact the cybercriminals is totally stupid because the media contacted cybercriminals for an interview of questions and they asked for money. The security manager should have handled this quietly with the mayor. Controlled and gave the media constructive information. Handle it in the same fashion as the hospitals did before. If the mayor decided not to pay the $51,000 in Bitcoin. Make a plan. Take the infected systems off the network, restore from backup and recover any workstations the same way. Then have meeting with the stakeholders like the mayor and IT director to develop a plan for going foreward. SAMSAM is usually done by phishing attack using an attachment. Time for end user training along with strengthing your security armor. No one can be bullet proof in IT security but you can have a heathly security appetite. 
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/13/2018 | 8:49:33 AM
System failures
17 years ago one morning in September, my data center crashed.  Dropped 103 floors to the ground when the South tower collapsed on THAT DAY.   I was 101st floor so mad eit out though many others did not.  In some ways a Ransomware attack CAN be equivalent to a total system failure.  You had better have a good disaser recovery plan in place and tested!!!!  Upgrading hardware and patching is a NORMAL IT FUNCTION.  It is what the IT staffers are PAID to do and testing a plan is icing on the cake.  It had better be done too because when needed, nobody thinks straight at 2AM rebuilding a server array.   The difference is the exfiltration of data but otherwise they are the same event in many ways.  From what I have heard, THERE WAS NO PLAN and they are rebuilding from ground up.  Horrible.  $3 million in costs to consultants.  
mugsprt
100%
0%
mugsprt,
User Rank: Strategist
4/12/2018 | 1:14:57 PM
Problems is not legacy boxes and out dated applications
I agree with the article to a certain point. Even the oldest software should have been updated. Why? The IT management did not update the software nor move the data to an updated secure platform. Supposedly the City of Atlanta has Cybersecurity manager is also the blame. There is no IT governance to audit the systems and apps to develop risk factors, then resolve them. I BLAME THE PEOPLE. There should be resignations being handed in and termination notices being handed out. The Mayor of Atlanta should be handing down orders to clean this mess up once and for all. I would feel bad for the people let go but there is a huge system to get a security net around and right now they have a lot of companies try to sell the City of Atlanta that they have all the answers.  OUTDATED APPLICATIONS CAN BE PROTECTED. OLD OPERATING SYSTEMS CAN BE HARDED. Read the 2018 Data Base Incident Report from Verizon. Ransomware is climbing on companies or organizations. EASY MONEY. Ransomware sold as service on the dark web. Ransomware is not going away, it will only increase. Now I expressed my opinion. The City of Atlanta will never have updated IT security defense and reasonable protection until they get rid of all the snake oil dealers trying to sell them the latest and greatest cybersecurity package and develop a real cybersecurity plan with a person in charge with the city of Atlanta interest in mind.

Margaret Grigor MCSE,MCSA,CSA,CASP
Microsoft, Mastercard Aim to Change Identity Management
Kelly Sheridan, Staff Editor, Dark Reading,  12/3/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19980
PUBLISHED: 2018-12-08
Anker Nebula Capsule Pro NBUI_M1_V2.1.9 devices allow attackers to cause a denial of service (reboot of the underlying Android 7.1.2 operating system) via a crafted application that sends data to WifiService.
CVE-2018-19961
PUBLISHED: 2018-12-08
An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes.
CVE-2018-19962
PUBLISHED: 2018-12-08
An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones.
CVE-2018-19963
PUBLISHED: 2018-12-08
An issue was discovered in Xen 4.11 allowing HVM guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because x86 IOREQ server resource accounting (for external emulators) was mishandled.
CVE-2018-19964
PUBLISHED: 2018-12-08
An issue was discovered in Xen 4.11.x allowing x86 guest OS users to cause a denial of service (host OS hang) because the p2m lock remains unavailable indefinitely in certain error conditions.