How hackers breach municipal IT systems

BY SANDY REESER
VC3 Chief Executive Officer

We’ve all heard about what happened midway through 2018 in Baltimore. They lost their municipal 311 telephone service for several hours, but worse, they lost their 911 service for 17 hours.
Can you imagine how the more than 600,000 citizens felt about not being able to call an ambulance, alert their fire department, or summon a police officer for more than half a day?
Yes, of course, there are other ways to complete those calls, but the whole concept of 911 has made people forget alternate methods. If calling 911 doesn’t work, they’re stumped.
And that’s not the worst of it. Did you know that Atlanta, another city with almost half a million people, was without many city services for a week in 2018? Police were taking hand-written reports of crimes, the court system was clogged and backlogged, and people couldn’t pay their municipal bills.
How could that happen to any major city in this day and age, let alone two of them? The truth is that nearly every single city is attacked, every single day, and many of them on an hourly basis [ICMA Cybersecurity Research Report 2016.]
You Have Been Attacked
If you think your city is immune, you are wrong. Most hacking attempts go undetected unless the hacker deliberately sets out to make their feat obvious. Breaches sometimes aren’t discovered for months.
These breaches fall into three broad categories:
1. Attacks, attempting to gain access to private areas;
2. Incidents, breaching confidentiality, altering records, or “taking the system down;” and
3. Confirmed, successful attacks such as publishing social security numbers, or stealing personal data of citizens.

More than 400 U.S. municipalities and counties responded to the ICMA survey request, providing a clear picture of how municipalities are dealing with modern cybersecurity.
The report revealed that even the most aware cities — those that track these cyber-occurrences — 67.3 percent experience attacks, incidents, and/or complete breaches on an almost daily basis, and 36.8 percent experience attempted attacks on an hourly basis.

How They “Get” Us
“This Day and Age” is precisely the problem. Cities are stuck with aging infrastructure, outdated software, almost non-existent security policies, and ancient technology. They are expected to fight a battle against hackers that are incredibly well-educated, possess the latest hardware and technology, and let’s be honest, determined to demonstrate their computer prowess in the most extravagant fashion possible. And who better to hit than an entire city?
Many more hackers are in it strictly for the money. A prime target for attack is your e-mail system.
Email Phishing
Phishing is a word that describes sending random emails to people in hopes that they will perform a foolish action. When a high-level executive is targeted, it is called spear-phishing and involves having personal information about the target.
A spear-phishing attacker may steal an email account for the mayor and then tell the city CFO to issue checks to a target bank account. They then empty the account and vanish, leaving the CFO holding the bag, thinking the mayor authorized the transaction.
Generic Phishing
With general email phishing, it only takes one employee opening a dubious attachment to infect an entire network. This is the primary path that criminals utilize to insert ransomware.
This type of attack encrypts essential files on the network so that they are inaccessible, and this is precisely what happened in Atlanta. Attackers then demand a fee in Bitcoin, or other untraceable cryptocurrency, offering to give you the code to unencrypt your files.
Deception
Another attempt is the too-good-to-be-true offer. For example, a low-priced travel offer for a trip to the Bahamas. Alternatively, it can be a simple offer for harried workers like “10 quick tips to gain two extra hours per day.” When you click the malicious link, it takes you to a malware site that secretly installs a virus program on your computer which can then compromise the whole city network in a matter of minutes.
Education of employees is essential; don’t open any attachment that isn’t from an expected source. Even if it is from a known source, if there is anything suspicious about it, call the sender and ask if they sent it to you.
Other Attack Methods
A poorly executed online response form, provided by the municipality, might ask a citizen to fill in some fields such as name and address. If that form is unprotected, someone can enter a command-line symbol and instructions instead of a name, enabling them to access the city’s network. It’s just a wide-open doorway, inviting a criminal to bring your city to its knees.
Preventative Measures
The WannaCrypt/WannaCry Malware attack of 2017 affected more than 100 million legacy Windows users, including entire municipal networks. The attack was so pervasive that Microsoft felt obliged to provide security update patches for systems that were long since removed from the support chain. The patches went back to Server 2003, Windows 8, and even Windows XP.
Cities are still using outdated versions of Windows that are no longer supported by Microsoft such as Windows 3.1 (first introduced in 1992), Windows 95, 98, 2000, XP, Vista, and more. Why?
Some municipalities are stuck with old software that won’t run on a modern operating system. Replacing their sewage, transit, traffic control, water, and electrical grid management computer programs would be very costly for a city trying to decrease spending. Councils and administrators also argue that retraining users would be very expensive.
It’s More Complex Than You Think
Having up-to-date software is always the first and best solution. Even if you have the latest operating system, it is essential that you have regular updating and patching being performed. It needs to be done regularly to make sure your system stays secure or minimizes your exposure to hackers.
Your email system must incorporate anti-SPAM filtering to get rid of most of the threats. Remember that this is only to supplement the education of your workers; you must teach them not to assume everything in e-mail is safe.
And your security of your software and email are only part of the equation.
If workers use portable devices like laptops, tablets, or smartphones, those devices must incorporate remote system locks and remote system erasure to prevent data from falling into the wrong hands.
Equally important, they should include two-factor authentications (2FA), meaning that users must possess an object (such as the device) and some knowledge (which is known only to them) to access the contents. Like an ATM card, you need the card and the PIN to make it work. Either alone is useless.
Web filtering keeps employees from visiting unsafe sites, while malware filtering forbids known malware from running at all.
And this only scratches the surface.
What Can I Do?
You may expect that you can call upon your IT staff to manage all this, but they often lack the experience or time to implement the needed security protocols. Their strengths lie in keeping your system running and overcoming everyday problems, not fighting sophisticated hackers. Additionally, hiring a staff of cyber security professionals is not in the budget for most municipalities.
Partnering with VC3 to perform a Security Readiness Analysis will provide you with critical insight as to where your municipality stands on cyber security, detection and response. VC3 will review your current system and tools and provide you with an understanding of how likely you are to avoid a security incident, how readily you can recover from a security incident, and what steps you can take to strengthen your security profile.