Tullahoma partners with VC3 to take proactive approach to cyber security

By Kate Coil
TML Communication Specialist

When Jennifer Moody took the role of city administrator for the city of Tullahoma in 2018, one of her goals was to learn about how the city operated and how she could help keep things running smoothly.
One of the first tasks Moody hit upon was looking into the technology the city used and how secure that technology was.
“IT is one of the areas we know is changing all the time,” Moody said. “There is new technology and new ways of doing things, but also new threats. It’s similar to other kinds of infrastructure. We are very reliant on our technology, so we need it to be reliable. I was looking at this process from the standpoint of making sure we are up-to-date with current security methods.”
Joe Howland, chief information security officer with VC3, said cyber attacks are becoming more sophisticated all the time.
“If you have your computer hooked up to the Internet, hackers have access,” he said. “The most common attacks we see now are phishing or spear phishing attempts that come in through email. These email attacks are so effective because many users are not trained and do not have the awareness to identify one of these attacks. A hacker can spend a few hours typing up a realistic looking email that’s going to send them money or initiate an attack. We have seen some very sophisticated email attacks.”
Phishing attacks involve a hacker pretending to be a reputable person – sometimes even an employer, coworker, or colleague – who asks for sensitive information such as usernames, passwords, credit card details, and even phone numbers. As phishing attacks have evolved, hackers have been able to emulate professional emails and other documents from banks, medical offices, companies, and government agencies.
Governments are also becoming a higher-level target of cyber security attacks.
“One of the important things to recognize is that governments in the past few years have become one of the most targeted groups in the U.S.,” Howland said. “Hackers, malicious users, and others have recognized that governments are fairly open and susceptible targets. Most governments deal mostly with the public. So there isn’t as much need for security, but they are not immune to leaking confidential information like employee Social Security numbers, phishing attacks where people are trying to get wire transfers for money, and crypto attacks where hackers shut down their operations.”
In March 2018, the city of Atlanta was hit by a ransomware attack that paralyzed municipal government for eight days. Atlanta’s mayor later estimated the attack cost the city some $20 million. The hacker group known as SamSam managed to get access to city data and lock the files. The hackers then sent the city screenshots of their locked files, initially demanding $51,000 in order to restore municipal access to computers and data.
It wouldn’t be until November – eight months after the attack – that two men would be charged in the attack by the FBI. During their investigation, the FBI found that a similar attack on the city of Hinesville, Ga., the month before may have been a trial run for the Atlanta attack.
Major cities like Newark, N.J.; San Diego, Calif.; and Baltimore, Md., which had its 911 dispatch system taken down, have been frequent targets of these attacks. However, as the bigger cities beef up their cybersecurity, hackers are turning their attacks toward smaller communities with fewer resources and less expertise.
City officials in Valdez, Alaska, found themselves under intense scrutiny after admitting they paid ransomware hackers the more than $26,000 demanded after city systems were taken down in July 2018. Muscatine, Iowa, was hit by an attack in October 2018 and, after city leaders decided not to pay the demanded ransom, it took nearly a month for the city to restore all of its systems.
“Everyone is vulnerable,” Howland said. “Regardless of your size, everyone is receiving these attacks. Whether you are being attacked as a specific target like Atlanta was or whether you are just being attacked through a mass propagation attack, you are vulnerable. Attacks are going to have an impact on you if you are vulnerable to them, regardless of whether it is a dedicated attack against your city or it happens that a user got an email and launched a virus.”
Howland said there is a reason that governments are seeing a higher number of attacks in recent months.
“Governments have underspent on security while corporations that have credit card information and have a lot of data that is considered very protected have really ramped up their spending on security and locked things down,” he said. “Municipalities are also on limited budgets. It can be hard to invest in new technology. Most municipalities, especially small municipalities, don’t have a full-time IT professional on staff. If you have one or two people on staff, they may know about servers or websites, but IT encompasses a broad range of skill sets. You usually don’t find someone with an IT security background working for municipalities.”
Like many city officials, Moody said cost was definitely a concern when looking into how to provide better security for Tullahoma.
“One of the initial concerns I had was what they were going to find, and what were they going to tell me it was going to cost to fix it,” she said. “There was a little bit of that hesitation, especially since once I know the information I will want to act. Once you get over that hesitation, it’s easier because you know it’s better to know. Just like anything else in the city, being a manager, you are always balancing different needs. The fact that this was offered as a free analysis made it hard to say no.”
To combat cyber security issues, Moody decided to take a proactive approach by working with VC3 through the Security Readiness Gap Analysis initiative set up with the Tennessee Municipal League. To kick off the program, VC3, in partnership with TML, offered a complimentary analysis of what cyber security measures Tullahoma had in place and what aspects of the city’s cyber security needed improvement.
“We had things like firewalls and antivirus software in place,” Moody said. “Part of the analysis was verifying that the things you have in place are working, checking computers to make sure these programs haven’t been uninstalled, or that they are actually running the way you think it is. Sometimes we put things in place, but we don’t hold them accountable and verify they are actually working the way you expect. Whatever IT staff you have internally needs to be brought in and understand why you’re having the analysis done. This isn’t to criticize any work they’ve done. It’s about constant improvement. No matter how well you design a system, you always need another set of eyes to see if there is anything you missed.”
Moody said she was surprised by how quickly VC3 was able to perform the analysis, especially given the detail of information she received.
“From the time I said yes, it was a really easy process,” she said. “We had one conference call to kick off the project. They were then on-site for about a day-and-a-half to two days. They had to look at every computer we had. Then, a few days after that visit, we met again, and they laid out for us what they had found.”
Howland said the goal of the analysis is to not just find but also prioritize what cities can do to improve the security of their systems.
“We can come in and show the full spectrum of things you need to do,” he said. “Let’s prioritize these items because we understand cities have tight budgets. A lot of things you can do to improve security don’t cost that much, are very easy to implement, and go a long way to protecting you. There are more comprehensive things that are more expensive, but it’s a matter of balancing that cost.”
Moody said the analysis both looked into a wide variety of concerns and prioritized needs. In addition to proactive and prevention policies, Moody said VC3 also looked at ways the city could respond to an attack and how to make sure things could get up and running if an attack occurred.
“Some of the things were as simple as having a password policy and building protocols on how frequently passwords need to change or requiring a certain complexity for passwords,” she said. “Having a city-wide policy and standard we can enforce is something that was fairly easy and quick to address. There are also more technical issues that need to be addressed. A lot of communities know that they are backing things up, but we talked about how often you are checking to make sure things have actually been backed up. You don’t want to be in a situation where you have to restore a device only to find out data hasn’t been backed up. VC3 also looked at our website, which is something we don’t always think of as a vulnerability. Someone can attack your website, take it over, and change or remove information, causing things not to work.”
Having a third party review Tullahoma’s security also provided a new perspective for city officials.
“You would much rather have an ally or a friendly person find your vulnerabilities than find out because something broke or because there was an attack you have to respond to,” Moody said. “We are fortunate to have gone through this analysis. Cities need to prioritize the understanding of their IT structure. You have to realize the cost of recovering from one of these attacks, the lost productivity, the lost time, and the potential for lost data should be enough to encourage us to be proactive. Trust but verify. You trust your staff and that systems are set up well, but you still need to verify it’s as secure as you believe.”
Overall, Moody said it is important for government officials to approach cyber security just like they would any other security or emergency issue.
“You need to be both prepared and try to prevent these things from happening, but you also have to be prepared to respond when it does happen,” she said. “Just like we prepare for weather events, we have to get together and prepare for how we respond to IT security threats. We have to look at the steps we take if something happens. Also, just because you get hit doesn’t mean you have done anything wrong. This is the world we live in. It’s just the new normal that you have to be both prepared, secure, and ready to respond.”
To learn more about receiving a cyber security gap analysis through the TML’s preferred technology partnership with VC3, visit https://www.tml1.org/your-city-prepared-cyber-attack.