How do US cities tackle the ransomware threat in 2020?

If there’s one cybersecurity story that dominated the headlines more than any other in 2019, it was the surge in high-profile ransomware attacks on the US public sector. Municipalities all over the country were caught out, leading to major disruption of local schools, emergency services, courts and other public services. It was a reminder, if any were needed, of the absolutely critical role IT systems now play in society.

But what can IT security chiefs learn from the travails of the past year to improve resilience as we head into a new decade? I spoke to several experts recently for an upcoming Infosecurity Magazine feature.

Drowning in ransomware

According to estimates from Emsisoft, 103 federal, state and municipal government bodies and 759 healthcare providers, along with up to 1,224 schools, may have been impacted by ransomware as of December 2019. These include major cities such as Baltimore and New Orleans, as well as countless other smaller local authorities like Pensacola and Riviera Beach.

Why are these organisations suffering in such great numbers? According to the experts I spoke to, it’s a combination of under-investment in cybersecurity and the propensity of some high-profile targets to pay up, which encourages copycat attacks.

“Public sector bodies have been very heavily targeted by ransomware lately. This trend has likely been helped by some public sector entities paying substantial sums to ransomware criminals,” said SANS Institute dean of research, Johannes Ullrich. “Access to information is also very important to public sector entities to conduct business, and under-investment in business recovery plans has led to a lack of backups or other fallback mechanisms.”

According to Scott Styles, data orchestration and resiliency lead at Raytheon Intelligence, Information and Services, current security systems are struggling to keep pace with evolving threat techniques.

“Ransomware is designed to avoid detection and exploit the social nature of the network by hiding in files or hyperlinks that businesses need for day-to-day operations. In addition, ransomware only has to be executed once to be successful and it must be detected as well as removed quickly before it can lock or overwrite files. This is unlike other malware that may need to remain in a system for a significant amount of time, or evade detection within a vulnerable system, allowing more time for detection and removal,” he told me.

“While the time-sensitive value of data and services within these organisations makes them prime targets, the main challenges are not much different than other sectors. Vulnerabilities are numerous, people make mistakes and the threat evolves quickly, creating a perfect storm.”

Weathering the storm

The good news is that a defence-in-depth approach utilising key best practice controls can make a big difference, he added. These include AV, up-to-date patching and configuration management, regular backups, and employee security awareness training.

“They should also consider a multi-dimensional approach that integrates hardware, software, network, and behavioural monitoring into a zero-trust resilient solution,” explained Styles. “These solutions typically have the ability to remain operational even if the threat has defeated perimeter defences or is an insider threat.”
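To make the behavioural-monitoring control Styles describes concrete, here is a small example added to this post (it is not code from the article, from Raytheon or from any product). It runs two simple ransomware heuristics over a constructed file-event log: a burst of extension-changing renames by a single process inside a 60-second window, and any write, delete or rename that touches a decoy "canary" folder no legitimate user should touch. The log line format, the host paths and process names, the canary location and the thresholds are all assumptions made for the example.

```python
"""Behavioural ransomware heuristics over a file-event log.
Added example for this post; not code from the article, Raytheon or any vendor.
The log format, paths, process names and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tunables (assumed starting values; tune against a baseline of benign activity).
WINDOW = timedelta(seconds=60)   # sliding window per process
RENAME_THRESHOLD = 5             # distinct files renamed to a new extension inside WINDOW
CANARY_DIRS = (PureWindowsPath(r"C:\Users\alice\Documents\_canary"),)  # decoy folder (assumed)

# Assumed line format: "<iso-timestamp> <pid> <process> <write|delete|rename> <path>[ -> <newpath>]"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(write|delete|rename)\s+(.+)$")

# Constructed sample log: Word doing a benign save, then a rogue process encrypting documents.
SAMPLE_LOG = r"""
2019-12-10T09:00:01 4120 WINWORD.EXE write C:\Users\alice\Documents\budget.docx
2019-12-10T09:00:02 4120 WINWORD.EXE rename C:\Users\alice\Documents\~WRD0001.tmp -> C:\Users\alice\Documents\budget.docx
2019-12-10T09:03:10 6612 updater.exe rename C:\Users\alice\Documents\budget.docx -> C:\Users\alice\Documents\budget.docx.locked
2019-12-10T09:03:10 6612 updater.exe rename C:\Users\alice\Documents\minutes.docx -> C:\Users\alice\Documents\minutes.docx.locked
2019-12-10T09:03:11 6612 updater.exe rename C:\Users\alice\Documents\payroll.xlsx -> C:\Users\alice\Documents\payroll.xlsx.locked
2019-12-10T09:03:11 6612 updater.exe rename C:\Users\alice\Documents\staff.pdf -> C:\Users\alice\Documents\staff.pdf.locked
2019-12-10T09:03:12 6612 updater.exe write C:\Users\alice\Documents\_canary\keep.txt
2019-12-10T09:03:12 6612 updater.exe rename C:\Users\alice\Documents\grants.pptx -> C:\Users\alice\Documents\grants.pptx.locked
2019-12-10T09:03:13 6612 updater.exe write C:\Users\alice\Documents\README_TO_DECRYPT.txt
"""


def parse_line(line):
    """Return an event dict, or None for blank or unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, proc, op, rest = m.groups()
    paths = [p.strip() for p in rest.split(" -> ")] if op == "rename" else [rest.strip()]
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc, "op": op, "paths": paths}


def is_canary(path):
    """True when the path lives under one of the decoy directories."""
    parents = PureWindowsPath(path).parents
    return any(d in parents for d in CANARY_DIRS)


def extension_changed(src, dst):
    """True when a rename changes the file extension (e.g. .docx -> .docx.locked)."""
    return PureWindowsPath(src).suffix.lower() != PureWindowsPath(dst).suffix.lower()


def detect(lines):
    """Run both heuristics over an iterable of log lines; return alerts in event order."""
    alerts = []
    recent = defaultdict(deque)  # (pid, proc) -> deque of (timestamp, original path)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["pid"], ev["proc"])
        # Rule 1: anything touching a canary file is a high-confidence signal on its own.
        if any(is_canary(p) for p in ev["paths"]):
            alerts.append({"ts": ev["ts"], "pid": key[0], "proc": key[1],
                           "rule": "canary", "detail": ev["paths"][0]})
        # Rule 2: many distinct files renamed to a new extension by one process within WINDOW.
        if ev["op"] == "rename" and len(ev["paths"]) == 2 and extension_changed(*ev["paths"]):
            q = recent[key]
            q.append((ev["ts"], ev["paths"][0]))
            while q and ev["ts"] - q[0][0] > WINDOW:
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= RENAME_THRESHOLD:
                alerts.append({"ts": ev["ts"], "pid": key[0], "proc": key[1],
                               "rule": "mass-rename", "detail": len(distinct)})
                q.clear()  # reset so the next alert needs a fresh burst
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f'{a["ts"]} pid={a["pid"]} {a["proc"]} {a["rule"]}: {a["detail"]}')
```

The point of pairing the two rules is the one Styles makes: the malware only has to run once, so the response (killing the process, isolating the host) has to trigger on the first few files, not after the share is gone. The canary rule fires on the first touch; the rename rule is there for strains that avoid decoys, and its threshold has to be tuned so that a user bulk-renaming photos does not page the on-call engineer.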

For Kevin Lancaster, general manager of security solutions at Kaseya, one of the biggest threats to US public sector bodies is their use of legacy systems. This makes prompt patching more challenging, but also more important than ever.

“The US Department of Homeland Security (DHS) recently issued a new Binding Operational Directive (BOD 19-02) instructing government organisations to patch critical vulnerabilities within 15 days, and high severity vulnerabilities within 30 days,” he told me.

“Patching on time helps reduce the attack surface and ensures vulnerabilities are mitigated quickly. Automating patch management is moving a step ahead. With tight budgets and limited manpower, government agencies can make sure that patches are not missed across the entire network with an automated patch management solution.”
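The 15-day and 30-day windows Lancaster quotes from BOD 19-02 are easy to turn into a report that tells a thinly staffed IT team exactly which findings are already out of SLA and which will be tomorrow. The following Python script is an example added to this post (not code from the article, from Kaseya or from DHS/CISA) that reads a vulnerability-scan export and classifies every finding against those windows as of a chosen date. The CSV column layout, host names, finding identifiers and the five-day "due soon" horizon are assumptions made for the example; the 15/30-day windows are the ones the article quotes.

```python
"""BOD 19-02 style patch-SLA tracker over a vulnerability-scan export.
Added example for this post; not the article's, Kaseya's or DHS/CISA's code.
The CSV layout, host names and finding ids are constructed for the example."""
import csv
import io
from datetime import date, timedelta

# Remediation windows in calendar days from first detection, as the article quotes BOD 19-02.
SLA_DAYS = {"critical": 15, "high": 30}
DUE_SOON_DAYS = 5  # assumed warning horizon; not part of the directive

# Constructed sample export (hypothetical column layout and host names).
SAMPLE_CSV = """\
host,finding_id,severity,first_detected,remediated
courts-web01,F-1001,critical,2019-11-20,
courts-web01,F-1002,high,2019-11-25,2019-12-02
payroll-db02,F-1003,critical,2019-11-28,
gis-app03,F-1004,critical,2019-11-20,2019-12-07
lib-ws17,F-1005,medium,2019-10-01,
hr-portal02,F-1006,high,2019-12-01,
"""


def load_findings(text):
    """Parse the export; dates become date objects, an empty 'remediated' means still open."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"],
            "id": row["finding_id"],
            "severity": row["severity"].strip().lower(),
            "first_detected": date.fromisoformat(row["first_detected"]),
            "remediated": date.fromisoformat(row["remediated"]) if row["remediated"] else None,
        })
    return findings


def deadline(finding):
    """Calendar deadline, or None when the directive sets no window for this severity."""
    days = SLA_DAYS.get(finding["severity"])
    return finding["first_detected"] + timedelta(days=days) if days is not None else None


def status(finding, as_of):
    """Classify one finding against its SLA as of the given date."""
    due = deadline(finding)
    if due is None:
        return "untracked"          # medium/low: no BOD 19-02 window, track under local policy
    if finding["remediated"] is not None:
        return "closed_late" if finding["remediated"] > due else "closed_on_time"
    if as_of > due:
        return "overdue"
    if (due - as_of).days <= DUE_SOON_DAYS:
        return "due_soon"
    return "in_sla"


def sla_report(findings, as_of):
    """Summarise all findings; overdue items carry days_overdue and are sorted worst-first."""
    counts = {k: 0 for k in ("overdue", "due_soon", "in_sla",
                             "closed_on_time", "closed_late", "untracked")}
    overdue = []
    for f in findings:
        s = status(f, as_of)
        counts[s] += 1
        if s == "overdue":
            due = deadline(f)
            overdue.append({**f, "deadline": due, "days_overdue": (as_of - due).days})
    overdue.sort(key=lambda x: x["days_overdue"], reverse=True)
    return {"as_of": as_of, "counts": counts, "overdue": overdue}


if __name__ == "__main__":
    report = sla_report(load_findings(SAMPLE_CSV), date(2019, 12, 10))
    print(report["counts"])
    for item in report["overdue"]:
        print(f'{item["host"]} {item["id"]} {item["severity"]} due {item["deadline"]} '
              f'({item["days_overdue"]} days overdue)')
```

Two caveats a practitioner would want. First, BOD 19-02 itself binds federal civilian executive-branch agencies, not cities; a municipality is not subject to it, but the windows are a reasonable yardstick to adopt in local policy, and the script treats them that way. Second, the clock starts at first detection, so a host that is never scanned never shows up as overdue; the report is only as good as the scan coverage feeding it, which is exactly the "patches missed across the network" gap Lancaster describes.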

Local governments must get proactive, by developing and testing incident response and business continuity/disaster recovery plans — if necessary, in concert with third-party providers. However, city staff are also a vital asset in helping to mitigate the threat, Lancaster added.

“For government organisations to be fully prepared to tackle cyber threats, IT directors should have a long-term vision which includes up-skilling their employees in areas of cybersecurity,” he concluded. “With budget constraints always at the forefront of concerns, it might not be feasible to routinely train every member of the team. Instead, areas to focus can be prioritised and worked upon to implement effective up-skilling.”