[BreachExchange] Ransomware Attacks for Local Governments and Public Agencies: A Primer

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 9 21:00:18 EDT 2018


https://www.jdsupra.com/legalnews/ransomware-attacks-for-local-25736/

Background

The recent ransomware attack on the City of Atlanta highlights the fact
that the threat of ransomware affects all organizations, regardless of the
nature of their industry, business, or operations, and that political
subdivisions and quasi-government entities face particular challenges in
protecting themselves and responding to attacks. Counties, cities,
political subdivisions, and nonprofit corporations have become a favorite
target for cybercriminals because they are increasingly leveraging
technology to collect, store, and use personal information to deliver
services and programs to individuals, and because their networks tend to
run on a complicated fabric and interconnectedness of legacy systems that
are difficult to protect and defend. As a result, attackers are targeting
emergency response systems, disaster response systems, public utilities
payment and information systems, police department systems, election and
voter information systems, medical information systems, and general
operating systems of public entities. A recent International City-County
Management Association survey of chief information officers found that
about 44 percent of local governments reported experiencing daily
cyber-attacks (without regard to type or threat vector), with about
one-quarter of local governments reporting attacks at least as often as
once an hour. Yet, less than half of the local governments surveyed said
they had developed a formal cybersecurity policy, and only 34 percent said
they had a written strategy to recover from breaches.

While public entities are often resource limited, there are basic steps
that they can take to better lower and manage certain risks from
cybersecurity attacks. Below, we review some of the basic attack vectors to
which public agencies and sector industries are particularly vulnerable,
and some of the best practices that resource-constrained organizations can
implement.

Ransomware and Other Cyber-Attacks

Ransomware is malicious code (malware) that is typically introduced into a
network when an unsuspecting user clicks a malicious link or opens an
attachment in a phishing email. Once inside the network, ransomware often
spreads to other hosts and encrypts data throughout the environment,
rendering the data inaccessible and, in practical terms, useless. A
successful ransomware attack can result in the temporary or permanent loss
of sensitive information, serious disruption to operations, the financial
cost of restoring systems and data, and possible reputational or brand
damage to the enterprise.

Generally, the attacker will provide a decryption "key" only after the
victim pays a ransom (almost always in Bitcoin, which is difficult to trace
to a real-world identity). Other forms of ransomware destroy or delete
data, hide data by relocating it within the network, or exfiltrate data
outside the organization's environment.

In addition to ransomware, attackers are deploying a fairly standard array
of attacks on public entities, in an effort to gain access to their systems
and data, or simply to disrupt their operations, including:

- Denial of Service: Disrupting operations by bombarding the network with
commands/requests that overload the system, taking down the network; often
accompanied by a ransom demand to stop the attack.
- Computer Intrusions (Hacking): Gaining unauthorized access to a network
and its data, usually by compromising some administrative or technical
control.
- Phishing: Typically an email embedded with malicious code or links that
dupes the user into taking some action that compromises data or the
security of the network.
- Spear Phishing: Same as above, except that the email/attack specifically
targets an individual (or small subgroup of individuals) with information
about them to make the attempt more authentic.
- Data Breach: The release or disclosure of data potentially to an
unauthorized third party; can result from one of the above attacks or
improper records disposal, inadvertent email/transmission of data to the
incorrect recipient, public accessibility of protected information from a
website or similar.

Not Just “Ransomware” Anymore

Historically, ransomware attacks were viewed primarily as a business
continuity issue, with the primary post-ransomware workflow focused on
getting back online and restarting operations. However, as cyberattackers
have become more sophisticated, ransomware has become more than just the
end-goal, with some attackers utilizing ransomware to mask or conceal other
exploits. In other words, a ransomware attack may just be a sign of
something worse, and thus merits a more sophisticated response. In
particular, several regulators have articulated concerns that organizations
should address in responding to a ransomware event.

Health Insurance Portability and Accountability Act (HIPAA): For HIPAA
regulated entities, the Health and Human Services Office for Civil Rights
(HHS OCR) issued guidance warning that the HIPAA Breach Notification Rule
is a "fact specific" inquiry, and where Protected Health Information is
"encrypted as the result of a ransomware attack, a breach has occurred
because the PHI encrypted by the ransomware was acquired (i.e.,
unauthorized individuals have taken possession or control of the
information), and thus is a disclosure not permitted under the HIPAA
Privacy Rule."

Federal Trade Commission (FTC): Although the FTC has very little
jurisdiction over public entities, it is seen as the leader in data
security enforcement, with many other regulators looking to it and its
actions as the North Star for enforcement theories and priorities. The FTC
recently reinforced the seriousness of ransomware, signaling that
preventable ransomware attacks – ones that exploit known vulnerabilities –
may violate Section 5 of the FTC Act. As then Chairwoman Edith Ramirez
explained: “A company’s unreasonable failure to patch vulnerabilities known
to be exploited by ransomware might violate the FTC Act.”

Federal Bureau of Investigation (FBI): The FBI recently urged companies to
come forward and report ransomware attacks to law enforcement.
Notwithstanding organizations' concerns with reporting ransomware to law
enforcement, the FBI is calling on organizations to help in the fight:
“Victim reporting provides law enforcement with a greater understanding of
the threat, provides justification for ransomware investigations, and
contributes relevant information to ongoing ransomware cases. The FBI does
not support paying ransom demands.” According to the FBI, some
organizations never get a decryption key, even after payment. And, every
payment “emboldens the adversary to target other victims for profit,”
incentivizing similar conduct by other criminals seeking financial gain.

Moreover, U.S. state breach notification rules are generally triggered by
an unauthorized "acquisition" of certain delineated types of unencrypted
personal information. Ransomware that only encrypts data inside an
environment, but does not allow an attacker to exfiltrate it (e.g.,
download, email, transfer), is unlikely to trigger a notification duty
under the statutes that define breach as the "unlawful and unauthorized
acquisition" of personal data. However, for the small number of states that
define a breach as the "unauthorized access" to personal information,
ransomware could trigger breach notice if the attack resulted in the
viewing or exfiltration of personal information.

In addition to the direct damage caused by a breach, a cyber-attack in some
cases could potentially cause a public entity’s credit rating to be
downgraded. While no government yet has been downgraded because of a
cyberattack, an S&P Global Ratings analyst has said that a cybersecurity
incident could affect a public entity's credit rating. This is not only due
to the financial cost of a cyberattack, but also the accompanying loss in
taxpayer trust and the ability to raise taxes. The risk increases
“particularly for smaller governments with less financial flexibility.”

What to Do?

The ransomware landscape dictates that organizations should consider
proactive and reactive measures.

Proactive: On the proactive front, the focus should be on reasonable
defenses and training. Among other things, organizations should consider:

- Cybersecurity awareness training for employees, contractors, and local
elected officials, including specific training around phishing, incident
response, ransomware, and password management best practices.
- Improvements to patch and vulnerability management programs,
incorporating periodic penetration tests and vulnerability assessments,
automatic updates for antivirus and anti-malware solutions, and regular
scans.
- Managed use of privileged accounts, so that day-to-day work is done with
the least privilege needed and administrative credentials are not exposed
to phishing-prone workstations.
- Disabling macro scripts in Office files transmitted over e-mail.
- Implementing software restriction policies or other controls to prevent
programs from executing from common ransomware locations (for example,
user temp and download directories).
- Enhancing business continuity and disaster recovery programs to account
for ransomware attacks, to ensure regular backup of data and systems, to
keep at least one copy offline or otherwise unreachable from the production
network (ransomware will encrypt any backup it can reach), and to verify
the integrity of those backups before they are needed.
- Procuring cybersecurity, network interruption, and related insurance.
- Re-assessing proactive encryption at-rest strategies to take advantage of
notification safe harbors.
- Incorporating ransomware attacks into incident response planning, with
special attention paid to additional forensic analyses, PR/communications
work streams, and notification considerations in enterprise incident
response plans (and/or security team field guides).
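The backup item above calls for verifying the integrity of backups, not just taking them. One workable way to do that is to record a SHA-256 hash of every file in the backup set at backup time, store that manifest somewhere the backup host cannot overwrite, and compare it against the backup tree before relying on it. The following is an added example written for this page, not code from the original article or from any product it mentions; the directory layout, file contents and the simulated "encrypt one file, rename another, drop a ransom note" tampering are all constructed for illustration.

```python
"""Hash-manifest integrity check for a backup tree (added example).

Usage pattern: run build_manifest() when the backup is written and save
the result off-host; later run verify_manifest() on the restored or
mounted backup and refuse to trust it if anything is modified, missing
or unexpected. demo() drives the whole flow on a constructed sample.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, path: Path) -> None:
    """Write the manifest as JSON; in practice this goes to read-only or offline storage."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree against a trusted manifest.

    Returns three sorted lists: files whose hash changed (e.g. encrypted
    in place), files the manifest lists but the tree lacks (deleted or
    renamed), and files present but not in the manifest (ransom notes,
    renamed '.locked' copies). An empty result means the backup is intact.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_intact(report: dict) -> bool:
    return not any(report.values())


def demo() -> dict:
    """Build a constructed backup, record its manifest, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "records").mkdir(parents=True)
        # Constructed sample data standing in for a public agency's records.
        (root / "records" / "permits.csv").write_bytes(b"id,applicant\n1,constructed sample\n")
        (root / "records" / "payroll.db").write_bytes(bytes(range(64)))

        manifest_path = Path(tmp) / "manifest.json"   # kept outside the backup tree
        save_manifest(build_manifest(root), manifest_path)
        assert is_intact(verify_manifest(root, load_manifest(manifest_path)))

        # Simulate ransomware reaching the backup: encrypt one file in place
        # (XOR as a stand-in cipher), rename another, and drop a ransom note.
        permits = root / "records" / "permits.csv"
        permits.write_bytes(bytes(b ^ 0x5A for b in permits.read_bytes()))
        (root / "records" / "payroll.db").rename(root / "records" / "payroll.db.locked")
        (root / "README_DECRYPT.txt").write_text("constructed sample ransom note")

        return verify_manifest(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keeping the manifest off the backup host is that a hash list the attacker can rewrite proves nothing; the same applies to a signature over the manifest if the signing key lives on the compromised machine. On a restore, a non-empty report is a reason to reach for an older, isolated copy rather than the most recent one.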

Reactive: On the reactive side, the key is not to treat a ransomware event
as simply that, but to conduct a reasonable investigation to determine
whether other data/information was subject to unauthorized acquisition
and/or access. The post-incident response workflows should consider (1)
examining the nature and extent of personal information involved, including
the sensitivity of the information and likelihood that it will be accessed;
(2) whether the personal information was actually viewed, accessed,
acquired or ex-filtrated; and (3) the extent to which the risk to the
personal information has been mitigated.