[BreachExchange] Hackers Increase Attacks on Local Governments

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 2 19:03:51 EDT 2016


http://www.cpapracticeadvisor.com/news/12201886/hackers-increase-attacks-on-local-governments

Michael Hamilton was the chief information officer for the city of Seattle
when he noticed the city's security systems had snagged a booby-trapped
email.

The threat was contained before it became a problem, he said, but the
malicious program apparently targeted power marketers, the utility
employees who negotiate with wholesalers for electricity. Power marketers
tend to keep their dealings fairly close to the chest, Hamilton said, so
how did one of them end up in the sights of cybercriminals?

Hackers in China, he said, breached Google in 2009. Google creates some of
its own electricity and has its own power marketers -- power marketers,
Hamilton said, who have connections with people at much larger utility
companies.

Small governments and local agencies generate troves of sensitive
information in the course of doing business. But what may be more worrisome
is that many towns and agencies are also connected to state networks or
infrastructure systems -- and local governments' resources to protect their
networks and stored data can vary widely.

Attractive targets

Hamilton, who worked for Seattle from 2006 to 2013 and is now the CEO at
the cybersecurity consulting firm Critical Informatics Inc., said the
errant message Seattle flagged was likely part of an effort to wrangle a
much larger prize, probably something under the umbrella of a larger
utility, such as a power grid.

"That's local government getting in the sights of a nation-state for the
purpose of, likely, disruption," he said.

Word of a major credit card data breach always sucks the air out of the
room for IT types, he said, but oftentimes most victims are going to get
their money back, along with free identity theft protection and credit
monitoring afterward, and banks catch a lot of the attempted fraud.

"I get another letter from a credit card company -- or my toilet won't
flush for three days," Hamilton said. "The lowest-hanging fruit is local
government."

It's hard to say how plugged in and networked public systems, such as
sewage or traffic lights, really are. If they are somehow networked, it was
likely done in a duct-tape-and-baling-wire fashion, Hamilton said, and
those kinds of networks aren't hard to find for someone who knows what
they're doing.

In March, the Justice Department filed charges against seven Iranian
hackers, including one who allegedly accessed the control software for a
102-by-22-foot dam in a New York suburb.

The feds say the man who hacked into the dam systems could access
information about water depth or temperature, but the actual equipment to
operate the small dam's gates had never been connected.

Plenty of breaches aren't as brazen or spooky. In late February, someone
broke into and defaced the website for East County Fire & Rescue.

A firefighter logged in at the station and found that searches for the site
were being redirected toward pornography, according to a police report.

The fire district shut down the site and called the sheriff's office. The
case was suspended with no known suspects or leads.

The fire district is connected to county systems that have their own
protections. Its website was built separately, and mainly to share
information with residents, interim chief Al Gillespie said.

"It was more of a pain in the neck than a real problem for our
organization," he said. "It's not something we used to have to worry about,
but it certainly is the way of the world now."

Networking risks

Local governments are attractive targets, said Sam Kim, Clark County's
chief information officer, in part because they're connected to state
systems or other large networks.

"That could be a huge vulnerability. That's why I say, regardless of how
big or small you are, you need to be vigilant," he said.

The State Auditor's Office has been ramping up its efforts in examining
information security practices in the past few years.

The office tested five state agencies and said in findings shared in 2014
that officials found hundreds of security flaws.

"It was a very specific, focused audit, where we looked at what state
agencies were doing in terms of old equipment, and their procedures and
policies," said Aaron Munn, the chief information security officer for the
state auditor.

Moving on from state agencies, Munn said, the office has recently started
working with more local governments about cybersecurity, and a few audits
were ongoing.

The auditor's office released its report on the city of Mill Creek in
Snohomish County, the first city to volunteer for a specific security audit.

Constant attacks

Kim said it's hard to say how many attacks the county fields, because there
are so many avenues that hackers try.

"We're constantly under attack, constantly being probed," he said.

He couldn't say where all the attacks were coming from, either, but plenty
didn't originate from the United States.

Munn said attempts to crack a network can range from phishing emails to
high-tech, nation-backed break-ins.

"It's difficult to answer that question, but every organization is
susceptible," Munn said.

Public agencies often lack money or resources for security, he said, and
many governments looked toward their IT departments as a place to cut back
during the recession.

Early last year, the Municipal Research and Services Center, a nonprofit
organization that provides research and data for local governments in
Washington, surveyed and interviewed officials from states, cities and
counties about information security. (Hamilton's consulting company, then
called M.K. Hamilton & Associates, did the study.)

About 80 percent of survey respondents worked for communities of fewer than
25,000 people, and 60 percent served fewer than 10,000.

Many of those organizations said they had zero staff members working in IT,
and more than half said they outsourced that work. Perhaps commensurate
with the size of their organizations, a majority of respondents reported
they had minimal or zero funding.

"There's a workforce issue, as to training," Munn said. "These are complex
issues we're dealing with that require maintenance, but there's also
availability challenges."

One of the biggest problems facing the public sector is the lack of
security professionals, Hamilton said.

"Cities, counties, public utilities cannot afford these people," he said.

Experts in demand

Demand in general for cybersecurity experts is high, according to the
Bureau of Labor Statistics. The number of people employed as information
security analysts, the bureau's title for IT professionals who specialize
in cybersecurity, is expected to climb 18 percent by 2024, much faster than
the average for other occupations.

The median pay for cybercrime experts in the public sector was about
$74,000 per year in 2014, according to the Bureau of Labor Statistics, and
it was $89,000 across all industries.

In a 2015 report, the National Association of State Chief Information
Officers surveyed IT chiefs from 48 states, and about 92 percent of
respondents said pay prevented them from attracting and keeping talent, and
that was for state governments.

Voters should talk to their local agencies or governments if they're
concerned about their town's information infrastructure, Kim said, but one
of the best things a person can do to bolster security at the government
level is to watch out for their own: Use good password practices, keep
browsers and operating systems updated and use two-factor authentication
systems where possible.

"Just like everybody else, the No. 1 vulnerability is not our systems, it's
people," Kim said. "It's the inside job, and it could be no malevolence
involved."

Most people who sit down at computers connected in a roundabout way to some
sensitive data somewhere are just trying to do their jobs -- and they
aren't hired to stave off computer criminals.

They make mistakes: Kim said one test IT programs will do is leave nice USB
thumb drives lying in the parking lot to see who takes the bait and plugs
a strange drive into a secure network.

"Let's face it, cybersecurity, information security is not on the foremost
of anybody's mind," Kim said. "They want to complete their task."

A large piece of dealing with that is a matter of training to meet new
threats, he said, and that ought to be for everyone in an organization.

Getting buy-in from agency executives and elected officials can be another
hurdle, he said.

"When do burglar alarms get installed? After the break-in."

Little official concern

Public information technology workers told the Municipal Research and
Services Center that they generally agreed agency heads and elected
officials need additional education to understand the extent of the
problems.

Respondents said 75 percent of government executives had little or no
interest in addressing information security risks.

On a scale of 1 to 5, 75 percent of respondents gave government executives
scores less than 3 for their awareness of information security threats.

"In the focus groups, it was widely acknowledged that the level of threat
is increasing, especially to smaller organizations without the means to
defend themselves," the center said.

One advantage that governments and public agencies do have, Kim said, is
they can work together.

You probably won't see Lockheed Martin and Northrop Grumman working
together on security, he said, since they have trade secrets to protect and
an interest in looking like a more secure bet to customers.

Public agencies, on the other hand, all face the same problems, work in the
same space and can share resources and expertise. They don't have
competition, he said.

Kim said he's working on a plan to centralize information security and
network services for public agencies with the county.

The idea is that the county's towns and agencies could all share the same
standards and systems for storing their data and operating their networks,
all operating using the county's architecture.

The county's always playing interference and patching up weak spots, he
said. No system -- especially one that needs to be open and usable, like a
government's -- can be completely secure.

Most hackers tend to go for the path of least resistance, so a large part
of being secure is making sure you don't look like an easy target, Kim said.

"We just need to not be alarmist, but make sure we're all vigilant," he
said. "I think government in particular owes the residents of this county
to assure them, 'Hey, we're doing everything in our power to make sure
things are safe and secure.'"