Right Now with Nick Smith (LinkedIn/Twitter)
What I’m playing: I haven’t been watching anything recently but I’ve put 871 hours into Civilization VI since it came out and I’ve been playing a lot of it this past week.
What I’m listening to: Chance The Rapper’s new album pretty much nonstop for the last week — Give this song 30 seconds and you won’t stand a chance.
Hey! It’s been a while since I wrote one of these, and a lot has changed since then. In fact, I was almost sure that my topic would have been covered by now, especially since NPR did a story on it nearly a month ago. Since my last #MorningBuzz, CNN, NYT, CNBC, and other major outlets have all covered it.
Yet, if you search the term “Ransomware” on this site only three things come up … two of them are written by victims of it (one … doesn’t contain the term at all).
And it’s becoming more and more prevalent (here’s a list of 20+ from last month alone), affecting cities from Albany to Atlanta and even the Cleveland Airport. The airport, y’all. As I’m writing this, it’s Saturday morning and I bet at least one of you is reading this in an airport. Imagine if that airport suddenly lost the ability to use its computers.
Or … don’t.
In order to really grasp this issue, we have to understand what ransomware is, and why cities are being targeted.
For starters, ransomware is a type of cyberattack in which an attacker or group of attackers breaks into a computer system, typically by targeting internet-facing services on that system. Oftentimes, they gain access by using default credentials (think usernames like “admin” and passwords like “default”), or by using social engineering to get humans to give them the credentials. Social engineering can come in a lot of forms, but often looks like a phone call or an email from somebody who says they’re someone they’re not, like a boss or a systems engineer, who asks you (yes, you) for access to a system or to download some sort of helpful file.
Then, when they gain access, they use it to lock down important files — in the case of cities, this can come in the form of payment logs and software, email, planning documents, or sometimes the entire file system. To give control back, they demand a ransom, usually payable in some form of cryptocurrency (because it’s basically untraceable), and usually pretty modest — Atlanta’s was just $50,000, which seems like a lot until you realize they spent over $2.6 million to not pay, while LaPorte, Indiana got off for a clean $132. The modest price is deliberate: by asking for a small ransom, the hackers increase their chances of just getting paid and moving on.
But why are cities being targeted? Simple — the operation of local governments is essential for the common good. Not only that, but they’re also often large, sprawling organizations filled top-to-bottom with a variety of people, from the Chief Innovation Officer to the part-time landscaper. Finally, by and large, because they are reliable revenue generators, they’re flush with cash.
So, while I’m not going to suggest what your organization should do IF you get caught out on some ransomware or some other cyber attack (that’s an organizational decision that’s made based on your values and not my opinion), there are some objective steps that your city can take to prevent it.
The first and most important is education. Train your people (everyone, from the CIO to the gardener) to know what to look for in terms of social engineering. This is one of those rare, glorious moments when HR and IT can combine forces, making the whole organization stronger. Furthermore, make sure part of that education looks beyond password integrity to actual password safety. Don’t use default passwords, don’t write passwords down, and for the love of Pete, don’t email passwords in plain text. I got a hundred dollars says someone in your organization did this in the past 28 days.
Second are proactive technical measures related to your email. As I always like to say (/stole directly from Stephen Covey), “work on things before they work on you.” If your emails come with a big red warning at the top when they originate from outside the organization, that’s a great start. But there are also several (frighteningly easy) ways to spoof emails — surely if you have a personal Gmail your spam folder is loaded with unsavory emails that look like they came from you — and as a result, there are also several sophisticated countermeasures that your organization can look into, specifically DMARC, SPF, and DKIM, each of which is a highly technical tool that lets a receiving mail server check that an email is actually from where it says it’s from (if that makes sense).
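For the IT half of that partnership, here is an added example (not from the original post) of what checking two of those countermeasures looks like: a small Python audit that reads a domain's published SPF and DMARC records and flags settings that leave spoofed mail unblocked. The domain `example.gov` and the records are constructed samples; DKIM is left out because it is verified per message rather than from a single policy record.

```python
# Added example: flag weak SPF and DMARC policy records (constructed sample data).

def parse_tags(record):
    """Split a DMARC 'k=v; k=v' record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(record):
    """Return findings for one SPF TXT record; an empty list means enforced."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    # The 'all' mechanism decides what happens to senders not listed before it.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms[1:]):
            return []  # policy is delegated; audit the redirect target instead
        return ["no 'all' term: unlisted senders get a neutral result"]
    first = all_terms[0][0]
    qualifier = first if first in "+-~?" else "+"  # a bare 'all' means '+all'
    weak = {
        "+": "'+all' authorizes every host on the internet",
        "?": "'?all' is neutral: unlisted senders are not rejected",
        "~": "'~all' is softfail: unlisted senders are marked, not rejected",
    }
    return [weak[qualifier]] if qualifier in weak else []

def audit_dmarc(record):
    """Return findings for one DMARC TXT record (published at _dmarc.<domain>)."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none requests no action on mail that fails checks")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports are collected")
    return findings

def audit_domain(spf, dmarc):
    return {"spf": audit_spf(spf), "dmarc": audit_dmarc(dmarc)}

# Constructed records for the placeholder domain example.gov.
SAMPLES = {
    "weak": ("v=spf1 include:_spf.example.gov ~all", "v=DMARC1; p=none"),
    "enforced": ("v=spf1 ip4:192.0.2.10 -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov"),
}
```

Calling `audit_domain(*SAMPLES["weak"])` returns the findings for the weak pair; the enforced pair returns empty lists.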
Related to that is DNS and URL filtering. (A URL is a web address like “elgl dot org” and DNS is the system that translates the name to the website’s IP address.) Filtering these is a bit like whack-a-mole in the sense that the offenders are often fly-by-night operations, but it’s always a good idea to have a list of where things have been, so even if you don’t detect a pattern you can avoid walking through a bad virtual neighborhood.
Finally, a less-common but incredibly effective approach is to host offline backups of files and systems. This is both proactive and reactive in the sense that it can allow you to wipe the infected systems clean with an image from “a better time” in the event that a breach does occur.
Anyway, it’s Saturday. I have to go walk my dogs and you have a flight to catch. Just try not to spend it thinking about the constant imminent threat of cyber attacks … that’s for Monday You to worry about.