In recent years, small towns and municipalities have been increasingly targeted by cybercriminals, not just for monetary profit, but also to disrupt infrastructure and even threaten citizens. Most recently, we saw a hacker try to compromise internal systems to effectively poison the entire town’s water supply in Oldsmar, Florida. While ultimately unsuccessful, this incident highlighted how damages could be not only reputational or monetary, but life-threatening.
The data shows that in 2020, almost half of all global ransomware attacks were targeted towards municipalities. During that time, nearly two dozen rural municipalities in Texas were extorted in the largest coordinated ransomware attack aimed at public governance bodies. In January 2020, a ransomware attack in Tillamook County, Oregon brought government computer systems down for a week. Then in May, the city of Florence, Alabama fell victim to a cyberattack that cost the city nearly $300,000 and compromised the personal information of city employees and its customers.
Campaigns against small victims are usually highly targeted; attackers first discover weaknesses in IT infrastructure, operational processes and personnel and later exploit them to deploy malware, usually tailoring methodology and demands to each victim. Whether officials decide to pay or not, damages can be devastating, and full recovery may take weeks or even months.
The main reason small towns are attractive targets for cybercriminals is because they do not think they are. They often do not believe they will be targeted, and as a result, don’t dedicate their limited IT resources to bolstering cybersecurity standards and practices. This creates a textbook subjective security paradox – a target that thinks itself less attractive will have weaker security measures, which then makes it more attractive. Because of the nature of government work, it is also quite common for these towns to have outdated technology stacks that leave easily exploitable holes. Unlike the private sector, which can dedicate entire teams to cybersecurity measures, smaller municipalities generally lack the resources to dedicate to technology challenges they do not perceive as direct threats. This creates a perfect storm that makes them an ideal target for bad actors.
A simple cost-benefit calculation leads everyday cybercriminals to choose small towns and municipalities as worthwhile targets. With lower effort, they can reach smaller but still valuable data, or disrupt less used but still critical services. With lower investment, they can demand a ransom comparable to what they would ask of a larger target.
For example, in response to the recent incident in Florida, the Massachusetts State Cybersecurity Advisory issued a statement in which they said: “…All computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”
This water treatment plant used a computer – with no firewall – running Windows 7 (for which Microsoft has ended support) to remotely access the plant control systems, with a password that was shared amongst all employees for remotely logging in to any city systems that had the software TeamViewer installed. On top of that, they were not even using TeamViewer anymore – according to reports, the county sheriff, Bob Gualtieri, said the plant had stopped using the program six months earlier but left it installed.
These are egregious oversights. The greenest of hackers could have pulled this off – frankly, even a disgruntled former employee could’ve easily maneuvered it with no hacking experience whatsoever.
Hackers can and will take the easiest route in – if you recall, FireEye was tipped off to their own breach via SolarWinds through two-factor authentication (2FA), which is often considered a “basic” cybersecurity tool. Clearly, it is important. Do not skip the “basics”.
Small towns and municipalities often provide many critical services and protect a lot of personal data. In the era of integration and interdependence, even a minor disruption can trigger a butterfly effect. Successful compromise of a town’s system may result in irreparable damage at the state level; therefore, the security of the tiniest assets becomes a matter of national security. With limited budgets and resources available, it can feel like a daunting challenge to get the latest and greatest cybersecurity solutions in place. Luckily, there are many resource-efficient measures they can take to protect themselves against cybercriminals.
Segment and defend your network
Network segmentation makes it harder for cybercriminals to compromise an entire network. When you divide the network into several subnets, it significantly slows down the lateral movement of an intruder. Above all, you should separate guest Wi-Fi from the rest of the network because many threats can originate there and spread further. Additionally, you should separate the network into logical units utilizing VLANs. Consider also protecting your most critical services in a separate subnet.
If you want to keep cybercriminals outside the perimeter of your office network, use firewalls to help filter both inbound and outbound communication. These can be integrated with SOC or SIEM. There are both hardware and software firewalls. Hardware firewalls sit on the perimeter of your network or in front of your critical servers, whereas software firewalls operate on your endpoints. Both are essential for solid network security.
Protect from malware
To combat attempts to deploy malware, each workstation should be equipped with an enterprise-grade security solution. The solution should be configured for aggressive blocking of malware and emerging threats. Modern endpoint security solutions deploy machine learning and advanced reputation-based cloud protections to block even advanced malware.
While endpoint security solutions can be highly effective, their deployment might not be possible for smaller municipalities due to budget constraints. In such cases, administrators should instead deploy security policies built into operating systems, such as attack surface reduction rules, HVCI and AppLocker in Windows. These technologies can provide a high level of security without any additional costs of third-party solutions.
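As an added example (not from the original article), the following script audits and turns on the three built-in Windows protections named above on a single Windows 10/11 endpoint: a subset of Microsoft-documented attack surface reduction (ASR) rules in audit mode first, the HVCI (memory integrity) status, and the AppLocker enforcement state. It assumes an elevated session, Microsoft Defender Antivirus as the active AV (ASR rules depend on it) and the AppLocker module; the rule subset chosen is an assumption, not a complete baseline.

```powershell
# Added example: audit and enable built-in Windows hardening (ASR, HVCI, AppLocker).
# Run as administrator. Assumes Microsoft Defender AV is active.

# --- 1. Attack surface reduction rules --------------------------------------
# A small subset of documented ASR rule GUIDs; extend to fit your environment.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office apps from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}
# Start in AuditMode so line-of-business software is not broken unexpectedly;
# review the audit events (Event ID 1122, Microsoft-Windows-Windows Defender/Operational)
# for a week or two, then change $mode to 'Enabled' to enforce blocking.
$mode = 'AuditMode'
foreach ($id in $asrRules.Keys) {
    Write-Host "Configuring ASR rule $id ($($asrRules[$id])) -> $mode"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
}
# Report the resulting state: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# --- 2. HVCI (memory integrity) ---------------------------------------------
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# SecurityServicesRunning contains 2 when HVCI is running (1 = Credential Guard)
if ($dg.SecurityServicesRunning -contains 2) {
    'HVCI: running'
} else {
    'HVCI: NOT running - enable Memory Integrity under Windows Security > Device security > Core isolation'
}

# --- 3. AppLocker enforcement state -----------------------------------------
Import-Module AppLocker
# AppLocker rules are only enforced while the Application Identity service runs
$svc = Get-Service -Name AppIDSvc
"AppIDSvc: $($svc.Status) (start type $($svc.StartType))"
# Summarise the effective policy; a collection with 0 rules or mode NotConfigured
# means users can still run executables from Downloads, Temp, removable media etc.
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $policyXml.AppLockerPolicy.RuleCollection) {
    '{0}: {1} rule(s), EnforcementMode={2}' -f $rc.Type, $rc.ChildNodes.Count, $rc.EnforcementMode
}
```

Deploying the same settings through Group Policy or Intune, rather than per machine, is the usual next step once the audit results look clean.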
Secure remote connections
Sometimes, employees want to connect to the intranet from other networks – especially during the pandemic, when they are forced to work from home. Virtual private networks (VPNs) are great security solutions for that scenario. A VPN creates an encrypted tunnel between the remote network and the intranet, ensuring that the communication is safe even if employees connect from an unsafe network. An often overlooked but critical step is for system administrators to secure any and all VPN access with 2FA.
Authenticate by more means
Protection of sensitive accounts with multi-factor authentication (MFA) is a necessity. While any form of multi-factor authentication is beneficial, the levels of protection offered are not equal. SMS-based authentication is vulnerable due to weaknesses in telecommunication protocols and in the systems of mobile operators. Furthermore, any code-based authentication can be manipulated via phishing attacks or other social engineering tactics. From a protection standpoint, connected tokens should be viewed as the gold standard in authentication, since they are more difficult to compromise through tactics like phishing. The biggest drawback is increased cost, as they require the purchase of dedicated hardware.
Backup all data
When dealing with critical data, it is crucial to have a thought-out backup strategy. Backups always come in handy, whether you encounter ransomware or any other means of data corruption. You should back up the data on separate systems that would not get caught in the same line of fire in the event of a rapidly spreading network intrusion. Remember the basic 3-2-1 rule, which calls for three copies of your files on two media types, with one of them offsite. Moreover, back up your data regularly and always confirm that the backup is not infected before restoring it.
Keep in mind that backing up your data is not enough. I recommend doing a disaster recovery run at least once per year to verify that your company can restore mission-critical functions from your back-ups. Be sure to remember that if the backup drive remains connected to the device after the backup process has finished, it is not protected against ransomware or other illegitimate access.
Limit user privileges
The ‘principle of least privilege’ means that each user can perform only the specific actions needed to fulfill his or her tasks. In practice, regular users are often left with administrator privileges on their work machines, which makes it easier for malware and attackers to gain a foothold. We just saw this happen with the recent breach of camera company Verkada. A hacker breached the company and released thousands of customer video streams. In the process, he revealed that several employees, even those at the intern level, were granted super admin access to customers’ camera feeds, even when “privacy mode” was enabled.
Ideally, only IT administrators should be able to perform high-privileged actions. Domain admin accounts should not be used for administration of endpoints, because credential caching can allow an attacker to steal them. In newer domains, the protected accounts functionality can mitigate this risk. Even better, consider using a local administrator password solution (LAPS), which sets and enforces a different local administrator password for each device.
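As an added example (not part of the original article), this script checks from a domain-joined admin workstation with RSAT whether the two recommendations above are actually in effect: that members of Domain Admins are in the Protected Users group (which blocks NTLM, cached credentials and long-lived Kerberos tickets for them), and that legacy Microsoft LAPS is really managing each endpoint’s local administrator password. It assumes the ActiveDirectory module, a domain functional level that supports Protected Users, the legacy LAPS schema attribute ms-Mcs-AdmPwdExpirationTime, and an OU path that is a placeholder.

```powershell
# Added example: verify privileged-account protection and LAPS coverage.
# Assumes the ActiveDirectory module (RSAT) and legacy LAPS schema extension.
Import-Module ActiveDirectory
$endpointOU = 'OU=Workstations,DC=town,DC=example'   # placeholder, adjust to your domain

# (1) Domain Admins that are not yet members of Protected Users.
# Protected Users needs a 2012 R2 or newer domain; do not add service accounts,
# and keep a break-glass account outside the group.
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.SamAccountName } |
    ForEach-Object { "NOT in Protected Users: $($_.SamAccountName)" }

# (2) Endpoints where LAPS has never rotated the password, or the rotation is overdue.
# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME written by the LAPS client extension;
# an empty value usually means the extension or its GPO never reached the machine.
$nowUtc = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $endpointOU -Filter { Enabled -eq $true } `
    -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            "$($_.Name): no LAPS expiration set - client extension or GPO not applied?"
        } else {
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
            if ($expires -lt $nowUtc) {
                "$($_.Name): LAPS password rotation overdue (expired $expires UTC)"
            }
        }
    }
```

Machines reported by the second check are the ones most likely still sharing a hand-set local administrator password, which is exactly the credential reuse the Oldsmar incident illustrates.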
Raise security awareness
No tech protection is 100% effective – there is no silver bullet for cybersecurity. Even a highly advanced solution can be bypassed; therefore, software should be complemented with security awareness training for both non-technical employees and IT staff. Training should cover at least malware, social engineering, clean desk policies, and proper handling of sensitive data. Repeated phishing tests are a great way to determine which employees are still susceptible to phishing and perhaps need a refresher. Employees should be aware of the local IT or CSIRT team and instructed to report any suspicious emails or messages. I also recommend teaching at least one member of the IT staff how to create a forensic image and how to preserve as much volatile data as possible in case of an incident.
Cyberthreats to small towns and municipalities will continue to prove a formidable challenge. Local governments must take these threats seriously and need to have plans in place to combat threats and preserve their critical operations. Those that follow best practices in cybersecurity resiliency and invest in the software, hardware and staff will be best positioned to remediate and recover from future ransomware campaigns.