Sometimes all it takes is a malicious email to infect an entire municipality with ransomware, freezing important city systems from water utilities to websites.
That was the case with the Florida city of Riviera Beach, which paid hackers $600,000 after being hit by a ransomware attack that downed its computer systems for three weeks. It’s not just Riviera Beach. In 2018, several Atlanta city systems were crippled after a ransomware attack extorted the municipality for $51,000. And the city of Baltimore is another recent victim of ransomware, which hit in May and halted some city services like water bills, permits and more, demanding a $76,000 ransom.
With ransomware attacks against local governments repeatedly making headlines, what can cities do to better protect themselves?
In the second of a two-part series, Threatpost talks to Shawn Taylor, the senior systems engineer at Forescout who covers state and local governments across the country. Taylor, who was in the trenches during the infamous 2018 Atlanta ransomware attack, recounts what the experience taught him about how to best protect against ransomware threats.
[For part one of this two-part Threatpost Podcast series, see our first podcast, ‘Why Cities Are a Low-Hanging Fruit For Ransomware’]
Below is a lightly-edited transcript of the podcast.
Lindsey O’Donnell: Welcome back to the Threatpost Podcast, I’m Lindsey O’Donnell. This podcast is the second in a two-part podcast interview with Shawn Taylor with Forescout, who has told us about his experiences on the frontlines of the Atlanta, Georgia ransomware attack and why more cities are susceptible to these attacks. In the second part of the interview Shawn talks about the top tips for avoiding these types of attacks.
So Shawn, what can cities do, right now, to better secure against these types of attacks? How can they be the most proactive that they can possibly be – whether it’s education, whether it’s patch management, whether it’s just backing up on all levels? What would your top tips be?
Shawn Taylor: When I go in and talk about ransomware, I leave audiences with some food for thought and they are really sort of the closing points, and go directly to the heart of this question. And first and foremost, there is a reason that SANS and CIS lay out hardware asset management, HWAM, and software asset management, SWAM, as the first two controls, right. So that is my number one point, is to ensure that you have that continuously – at any given point in time, you know every device on your network, and you know every piece of software that’s on every device on your network, that then gives you the foundation. And that foundation says, okay, I can now start to analyze and say, do I need to patch systems? Or is my patching mechanism and my patching process – are those things adequate? Do they need to be revamped? Do they need to be enhanced? Do they need to be totally reworked? So it’s understanding the devices, it’s understanding their patch levels and their compliance levels. Because compliance can mean different things to different people. But at the end of the day, understanding that whatever – whether you’ve got vulnerability solutions or scanning or what have you – understanding that each of those individual tools are in fact, sort of doing their jobs, and ensuring that you have backups of your systems that are offsite, that are offline, that are part of a disaster recovery plan that has been tested periodically, right, that you’ve actually done it, you’ve recovered to a clean environment that is offline.
Now both of those last pieces, the backups and the DR [disaster recovery] plan, presuppose that you have an adequately populated CMDB [configuration management database] and ITSM [IT service management] environment with which to work. And again, that is I think foundational, right? You cannot separate security from service management. And I think the need to have an adequately, accurately and completely populated CMDB, understanding everything that’s in the environment – it’s only then that you can start to analyze and make determinations on what are my critical assets, that in the event of a disaster can we recover from. I think that it’s understanding every device on the network, the software installed on it, are they adequately and accurately patched. Right, the processes and tools and systems you’ve got in place, are they doing their jobs? Ensuring you’ve got an adequately populated CMDB and ITSM environment ideally sort of helps you with the governance of the processes, right? A disaster recovery plan that can take care of all of those environments, and ensure that you’ve got everything that will need to be recovered in the event of a disaster. And then of course, what you’re going to recover from or leverage in the recovery process, or the backups. And ensure you’ve got an accurate set of backups.
And then oh, yeah, by the way, one thing that I did not touch on, but pen testing, both internally and externally. You know, I think one of the things – in just a real quick aside, when I was down in Tallahassee speaking to this industry group, I had brought up a website that I’ve talked about a lot with other groups, and it’s called Shodan.io. And it’s really interesting, it’s a website that aggregates internet-facing IP addresses. And it shows you every port, protocol and service that is exposed to the internet. And you can see if you’ve got RDP exposed to the internet, right, you can see if you’ve got these open ports, or things that could be exploitable by an adversary or bad actor, that are exposed on the internet. So part of this process, this pen testing process, is ensuring that you’ve got accurately hardened both internally, right, for any insider threats, as well as on the outside for exterior threats.
I think those are really sort of the primaries, there are certainly more – user accounts, you know, there’s lots of, especially with older organizations, Active Directory can become tired, right? If it does not necessarily, if we don’t have a periodic process to clean up and improve the hygiene of our Active Directory environment, whether it is the group membership and the hierarchy they’re in, or the GPOs [Group Policy Objects] themselves. Ultimately, organizations tend to get conflicting Policy Objects, you’ve got members that are logged into a domain system with elevated privileges, and they really shouldn’t be logged in with elevated privileges, because now all of a sudden, that gives them the ability to do things at a domain level, which could potentially harm the rest of the enterprise.
Right? So sort of gets to be multiple different things, there isn’t necessarily one individual thing. Ideally, it is really sort of going across the board looking at each one of those individual pieces. And helping just sort of say, ‘Okay, can we are, you know, do we know, every device? Are they patched? Do we have visibility into the vulnerabilities? Do we have visibility into the users and the user profiles?’
LO: Yeah, no, that’s definitely a great checklist for customers. And, you know, hopefully more local governments can be better educated about ransomware threats and how to protect against them. So, Shawn, this was a great chat. And thank you for coming onto the Threatpost Podcast to talk about ransomware threats and kind of the best practices against these types of attacks.
ST: Thanks, Lindsey. I appreciate your time today.
LO: You too. And once again, I’m Lindsey O’Donnell with Threatpost and I’m here with Shawn Taylor with Forescout. Catch us next week on the Threatpost Podcast.
Interested in more on patch management? Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in patch management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program.