Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
4/11/2018
03:45 PM
Chris Park
Chris Park
Partner Perspectives
100%
0%

Avoiding the Ransomware Mistakes that Crippled Atlanta

What made Atlanta an easy target was its outdated use of technology: old computers running on non-supported platforms, which are also a characteristic of many municipalities and most major cities.

Last month, five of Atlanta's 13 government offices were "hijacked," as the city's mayor put it, by ransomware that disrupted far-reaching facets of the city’s digital infrastructure. From the courts to the police department to public works, government activity was essentially frozen as the hackers gave the city a week to pay the ransom – roughly $50,000 worth of bitcoin – or have critical data and processes deleted permanently.

While the event was eye-catching for several reasons, it's hardly an isolated incident. From Dallas to Denver, hackers leveraging ransomware not unlike the program that hit Atlanta have been able to "hijack" municipal networks largely because these entities were poorly protected.

It didn't take long for security teams to identify the virus in use – SAMSAM – or recognize and partially thwart the attackers' tactics. In fact, when word of the event spread around the cybersecurity community, the portal that the Atlanta hackers had opened to receive their ransom – complete with a countdown clock – was flooded with messages from hackers and cybersecurity pros alike, causing the hackers to take the channel down.

But what made Atlanta such an easy target – even for a relatively common form of ransomware – was its incredibly outdated use of technology in the broader sense. Old computers running on non-supported platforms, for instance, are a characteristic of many municipal operations, as most major cities support such a vast IT operation that updating every digital asset is time and cost prohibitive. This means that cyber vulnerabilities run rampant in local government, threatening the physical and intangible structures that hold society together.

Local governments typically have thousands of connected devices and many mobile employees who frequently connect and disconnect from the city’s network. If there aren’t security solutions in place that can secure these types of borderless networks, all it takes is one municipal employee to bring an infected device onto the city’s network to put the personal information of thousands at risk.

Common Sense Tactics Go a Long Way

Security teams working on any network – whether for a municipality or an enterprise – need to first assure that all the operating systems, platforms and devices using it are still receiving regular updates and support. For instance, Microsoft employs end-of-life support cycles for iterations of each of its operating systems. Mainstream support for Windows Vista and Windows 7 both expired years ago, with extended support for Windows 7 set to expire come January 2020, while Vista users were turned off in April 2017.

Because municipalities are notorious for employing technologies long after they were originally marketed, there are no doubt platforms running on most of these networks that haven’t adapted to the increasingly rampant threat landscape.

It’s also important that the cybersecurity tools that teams use to protect their devices deliver equal and effective protection across all the platforms and device types that populate the network. If the secure web gateway product a team uses to vet traffic entering the network doesn’t deliver feature parity for both new and legacy technology, it’s virtually ineffective, as hackers only need to find one vulnerability to get past the network perimeter and wreak widespread havoc.

Most importantly, teams need to be sure they are backing up their data, encrypting their traffic and isolating their encryption keys in environments that outside parties can’t access. This is easier said than done, but by turning to trusted data backup providers and established encryption methodologies like SSL (as opposed to proprietary products/methods that haven’t been proven on the market), you can rest easy knowing these tools receive regular updates and patches in kind.

 

Chris Park brings more than 13 years of experience in corporate network security to his position as CIO at iboss, where he is responsible for creating and driving the company's IT strategy. As resident expert in all aspects of iboss solutions and infrastructure, Chris is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mugsprt
50%
50%
mugsprt,
User Rank: Strategist
4/17/2018 | 8:32:25 PM
Re: System failures
You can tell they really thought that out. :-)
Take Care,

Margaret

 
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/17/2018 | 3:17:56 PM
Re: System failures
Stupid as stupid does ----- and why did Hartsfield Airport in Atlanta  have both primary and secondary power cables router through the same underground tunnel only a few feet from each other when a fire broke out taking about both primary AND REDUNDANT POWER ?????   Because nobody thought it could happen!!!
mugsprt
50%
50%
mugsprt,
User Rank: Strategist
4/13/2018 | 4:53:49 PM
Re: System failures
I agree to use it as a comparison for server failure. The recovery is going to be the same. What is wrong with the City of Atlanta? We as a group know it pretty much the standard best practices. I can't believe the City of Atlanta is that stupid. Now they have outsiders public and private wanting money to solve their problems. They really need to put on their big boy pants and solve it themselves. They will never be ready for the next server failure or attack. Much of the problem needs to solved from within.

I just want to take moment to thank everyone on the posting of this article. I glad we have people still with solid foundation for systems and security.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/13/2018 | 12:10:51 PM
Re: System failures
A better comparison can be made with Merck which was hit hard by WannaCry in 2016.  I remember from all the chatter on the web that they discovered their recovery protocols were about nill!  Which hurt them big time.  YOU have to be able to recover whether from ransomware or drive failure or electrical power outage (Hello, DELTA/).  
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/13/2018 | 10:34:24 AM
Re: System failures
WOW!!!   LIKE I DON'T KNOW THAT?????   I used it as a comparison for server failure.   And the existance of a recovery plan which, from whati can see, does NOT exist in Atlanta.
mugsprt
50%
50%
mugsprt,
User Rank: Strategist
4/13/2018 | 10:17:37 AM
Re: System failures
9-11 had nothing to do with the City of Atlanta. Many of the mistakes were due to the security and the protection of data. I have worked on the inside temporarily. They have a tendency to have shadow IT departments. They are not unified in IT structure of who has control. NO IT GOVERNANCE and no incident response plan. Someone should have been aware of current possible threats like ransomware in general. Who let the media loose with a screen shot of how to contact the cybercriminals is totally stupid because the media contacted cybercriminals for an interview of questions and they asked for money. The security manager should have handled this quietly with the mayor. Controlled and gave the media constructive information. Handle it in the same fashion as the hospitals did before. If the mayor decided not to pay the $51,000 in Bitcoin. Make a plan. Take the infected systems off the network, restore from backup and recover any workstations the same way. Then have meeting with the stakeholders like the mayor and IT director to develop a plan for going foreward. SAMSAM is usually done by phishing attack using an attachment. Time for end user training along with strengthing your security armor. No one can be bullet proof in IT security but you can have a heathly security appetite. 
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/13/2018 | 8:49:33 AM
System failures
17 years ago one morning in September, my data center crashed.  Dropped 103 floors to the ground when the South tower collapsed on THAT DAY.   I was 101st floor so mad eit out though many others did not.  In some ways a Ransomware attack CAN be equivalent to a total system failure.  You had better have a good disaser recovery plan in place and tested!!!!  Upgrading hardware and patching is a NORMAL IT FUNCTION.  It is what the IT staffers are PAID to do and testing a plan is icing on the cake.  It had better be done too because when needed, nobody thinks straight at 2AM rebuilding a server array.   The difference is the exfiltration of data but otherwise they are the same event in many ways.  From what I have heard, THERE WAS NO PLAN and they are rebuilding from ground up.  Horrible.  $3 million in costs to consultants.  
mugsprt
100%
0%
mugsprt,
User Rank: Strategist
4/12/2018 | 1:14:57 PM
Problems is not legacy boxes and out dated applications
I agree with the article to a certain point. Even the oldest software should have been updated. Why? The IT management did not update the software nor move the data to an updated secure platform. Supposedly the City of Atlanta has Cybersecurity manager is also the blame. There is no IT governance to audit the systems and apps to develop risk factors, then resolve them. I BLAME THE PEOPLE. There should be resignations being handed in and termination notices being handed out. The Mayor of Atlanta should be handing down orders to clean this mess up once and for all. I would feel bad for the people let go but there is a huge system to get a security net around and right now they have a lot of companies try to sell the City of Atlanta that they have all the answers.  OUTDATED APPLICATIONS CAN BE PROTECTED. OLD OPERATING SYSTEMS CAN BE HARDED. Read the 2018 Data Base Incident Report from Verizon. Ransomware is climbing on companies or organizations. EASY MONEY. Ransomware sold as service on the dark web. Ransomware is not going away, it will only increase. Now I expressed my opinion. The City of Atlanta will never have updated IT security defense and reasonable protection until they get rid of all the snake oil dealers trying to sell them the latest and greatest cybersecurity package and develop a real cybersecurity plan with a person in charge with the city of Atlanta interest in mind.

Margaret Grigor MCSE,MCSA,CSA,CASP
RIP, 'IT Security'
Kevin Kurzawa, Senior Information Security Auditor,  11/13/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
iboss has created the first and only web gateway as a service specifically designed to solve the challenge of securing distributed organizations. Built for the cloud, the iboss Distributed Gateway Platform leverages an elastic, cloud-based node architecture that provides advanced security for todays decentralized organizations with more financial predictability. Backed by more than 110 patents and patents pending, and protecting over 4,000 organizations worldwide, iboss is one of the fastest growing cybersecurity companies in the world. To learn more, visit www.iboss.com.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17906
PUBLISHED: 2018-11-19
Philips iSite and IntelliSpace PACS, iSite PACS, all versions, and IntelliSpace PACS, all versions. Default credentials and no authentication within third party software may allow an attacker to compromise a component of the system.
CVE-2018-9209
PUBLISHED: 2018-11-19
Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server <= v1.2.2
CVE-2018-9207
PUBLISHED: 2018-11-19
Arbitrary file upload in jQuery Upload File <= 4.0.2
CVE-2018-15759
PUBLISHED: 2018-11-19
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perfo...
CVE-2018-15761
PUBLISHED: 2018-11-19
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges...