Pool members just like you have been hit by cyber crime in the last year. Hiding from the problem simply isn’t enough anymore.
We have been talking about cyber security for years, and up until now, it’s always seemed like a distant threat. To many, it seemed like small public entities in Colorado were not the targets or victims of cyber crime. They didn’t have the kind of strategic information that a large public entity like a state government might have. They certainly did not have the kind of cache of personally identifiable information that a large corporation or a hospital might have.
But the days when we could say that this was a far-off concern are over. Districts are being hacked and ransomed for their information now. In just the last year, six different Pool members have experienced cyber crime. The following stories are post-mortems on a few of the actual incidents CSD Pool members reported over the past year. Some details have been altered to emphasize the critical issues and underscore the severity of cyber threats, and some specifics have been obscured to avoid identifying individual districts or employees.
I was just browsing for gift ideas!
Earlier this year, several employees at a park and recreation district were checking their personal email accounts at work and searching for gift ideas on Google and other search engines. While doing so, one person inadvertently clicked a popup ad that led to a site that infected the computer with malicious software, or “malware” (delivering malware through advertising is often called “malvertising”). This malware allowed a cyber criminal to gain access to the district’s network, copy data from it, and offer that information for sale on the Dark Web.
The Dark Web is a part of the Internet only accessible by using special software, which allows both the users and operators of the sites to remain anonymous. These parts of the net are difficult, if not impossible, to police and track, and are rife with things like illicit sexual materials, stolen credit card and identity information, and even information of value to terrorist groups.
Though in this case the cyber criminal did not attempt to extort money from the district, the expenses incurred from data restoration, lost staff hours to the recovery and cleanup process, and the installation of new security software ended up costing roughly $15,000.
Post-incident measures: The district has since employed new internal processes to prevent future occurrences, including forbidding personal email use, limiting internet access to work-related sites only, new mandatory user credentials for guests, and stricter task delegation to ensure only a limited number of employees could access sensitive internal data such as billing and payroll.
Analysis: Notice that all of the actions taken by the district’s employees seem fairly innocent. Checking your personal inbox, searching for gift ideas, or looking up sports scores are all common uses of the Internet. The risk is not in those activities as such; it is that a single inadvertent action, like clicking a malicious popup ad, can be enough to compromise the machine and everything that machine can reach on the district’s network.
The bottom line is that the measures the district adopted in response to this incident could have been adopted earlier and prevented it from happening. While those innocent activities weren’t intended to damage the district, they did, and they would have been much more appropriately performed at home or on the employees’ personal computers or smartphones.
Additionally, because some of the data lost belonged to the district’s customers, this district is subject to the federal Red Flags Rule on identity theft prevention. That rule applies to any organization, public or private, that extends credit or maintains covered customer accounts, and requires it to adopt a written identity theft prevention program, approved and overseen at the board level, to detect and respond to warning signs that a customer’s information is being misused. Meeting it takes a real commitment of budget and staff time.
It didn’t seem like anything was wrong.
A technician at a water and sanitation district clicked a link in what was in reality a phishing email. The employee did not report this since nothing seemingly happened and their computer continued to perform normally.
However, while later accessing the district’s SCADA system, the operator unwittingly allowed ransomware obtained by clicking the link in the phishing email to infiltrate that system, where it locked data and demanded payment for its return. No payment was made, because their IT staff diligently performed system backups, but the district incurred over $10,000 in costs to hire a forensic technician to analyze whether the system could be cleaned. Ultimately, the technician decided instead to restore from an earlier backup, losing a few days’ worth of data and work. The district manager felt, after the fact, that they had been lucky it hadn’t been much worse.
Post-incident measures: The district now uses a Virtual Private Network (VPN) client in order to access their SCADA system, allowing field personnel to securely access the system via their mobile devices. Additionally, the district updated its anti-virus and malware detection software, and instructed its staff to take the free computer security coursework in TargetSolutions.
Analysis: VPNs are commonly used by organizations with remote workers: they encrypt traffic between a remote device and the district’s network and limit who can reach a sensitive system such as SCADA from outside. The firm hired to remove the malware and clean up the system recommended one for the district’s remote operators. Note, though, that a VPN does not stop malware that is already running on a trusted workstation, as it was here; it addresses a different risk, namely unauthorized access from outside. Anti-virus and malware detection software relies on frequently updated signatures and detection logic, so it is best practice to check for updates routinely (or turn on automatic updates) and to confirm the software is actually running on every machine.
What’s particularly important to note is that the district had some cyber security measures in place prior to the incident, most notably a firewall capable of blocking unauthorized access from outside. However, the phishing email carried the malware past that control, because an employee, not an outside attacker, let it in. No matter how sophisticated your digital security is, it can be undone by a single click, and a click that goes unreported cannot be investigated: staff should know that reporting a suspicious click, even when nothing seems wrong, is expected and welcome. Training your team is, perhaps, the most cost-effective investment in your district’s cyber defenses.
A Case of Mistaken Identity
A fire district board member received an email from what looked like another board member requesting funds be wired to a certain account. The board member had no reason to believe it was not authored by his colleague, given that it came from his email address, and proceeded to transfer over $25,000 of the district’s money.
Later that day, it was discovered that the colleague’s email account had been compromised and a cyber criminal had authored the email. Once this was reported to the bank to which the $25,000 was sent, the district was only able to recover a fraction of the deposited sum. In addition to the costs of scanning and cleaning up the compromised board member’s computer, the incident ended up costing the district nearly $35,000.
This was an example of spear phishing, where a criminal crafts a convincing phishing email tailored to one organization or individual; when the goal is a fraudulent payment, as here, it is also called business email compromise. It usually involves the criminal impersonating someone the victim trusts, like a bank, a colleague, or a family member, and requesting that funds be sent to another account. Because the victim authorized the transfer, banks will not simply reimburse the loss as they typically would for fraudulent charges on a stolen credit card; what can be recovered depends largely on how quickly the transfer is reported so the receiving bank can freeze the funds.
Post-Incident Measures: The district has since drafted and implemented a new standard operating procedure for internal financial communications, specifically forbidding the transfer of any assets (funds, personal information, etc.) on the strength of an email alone. Any internal financial request must now be confirmed verbally, using a phone number already known to the district rather than one supplied in the email, with all related parties before proceeding. The district now mandates malware scans at the beginning of every business day.
Analysis: Aside from the aforementioned preventive measures that should have been in place before the incident, the district would have benefited from purchasing the Pool’s Crime coverage, which includes coverage for voluntarily parting with district funds through what the coverage form refers to as “Social Engineering” and “Fraudulent Impersonation.” That would have allowed the district to recover more of its lost funds from the Pool, regardless of what the financial institution would do.
An Old Operating System Can Cost More than a New Computer
A small district of about four full-time employees and seven seasonal workers was using Windows XP on its office computers. Its reasoning was simple: everyone preferred the familiar system, it functioned well enough to accommodate all of their needs, and they had never encountered any problems with it.
That was until the summer of 2017, when the district’s computers were hacked by cyber criminals. Third-party IT specialists determined that the criminals had gained entry through a well-known vulnerability in the computers’ operating system. As we have reported in the past, Microsoft ended support for Windows XP in April 2014, more than three years earlier; by the summer of 2017 the system was nearly sixteen years old and had gone over three years without security patches, so any vulnerability found in that time remained open on every machine still running it.
The loss of data, wasted operating hours, the cost of hiring contractors to wipe the district’s computers, and upgrading to Windows 7 amounted to over $12,000.
Post-Incident Measures: In addition to replacing their old operating system, the district has also instituted mandatory daily backups and enrolled their staff in cyber security training courses.
It’s no longer a matter of “if” you will be hacked, but rather “when.”
These are just a few of the cyber incidents Pool members have experienced in the last year. There were also a few we didn’t detail in this article. Of those, a few weren’t so bad, but a few were much worse and impacted a large number of people. Up until 2017, there hadn’t been any at all.
This type of incident not only damages the district, but can damage the credit, finances, and even careers of your constituents, ratepayers, employees, and most certainly management.
But while you should be concerned, you don’t have to worry. The Pool has been gearing up for the rise of cyber threats for years now, and while you’re with us, you have a growing suite of risk management tools for the cyber landscape. Here’s a brief roundup of them:
eRisk Hub® – This is the place to go to prepare for cyber incidents and respond to them. With best practices information, incident roadmaps, and lists of pre-vetted professionals, eRisk Hub is our premier digital security resource. (No cost to Pool members)
Cyber Assessments – Our partner, NetDiligence, can walk your district through a robust analysis of your systems and defenses and provide you with specific information on mitigating those threats and closing gaps in your security. (Cost depends on size and sophistication of your system; we do provide a limited number of these free annually to members)
Cyber Self Assessments – The Pool is partnering with the Center for Internet Security (CIS), an independent nonprofit that operates the Multi-State Information Sharing and Analysis Center in partnership with the Department of Homeland Security, to provide self-guided risk assessments to members at no cost. This program will allow your district to test your own systems for vulnerabilities and compare your configuration against CIS’ world-class benchmarks.
Securing The Human – This year we will be rolling out this program to members interested in training and testing their own employees on phishing threats. Offered by CIS and the SANS Institute, a for-profit digital security training firm, this service will test whether your staff might click a phishing email and allow you the opportunity to train them on those practices. If your district is interested in participating in this program, please contact us for more information at info@csdpool.org.