What City Officials Need to Know About Cybersecurity
Lea Deesing is chief innovation officer for the City of Riverside and executive director of SmartRiverside, a nonprofit that aims to narrow the digital divide in the Riverside region by empowerment through technology and education. She can be reached at firstname.lastname@example.org.
It’s Friday morning, and city staff can’t log in to their computer network. The Fire and Police Departments are now relying solely on radio communications, rather than their mobile data systems, to receive incident information. City staff is communicating via text with the few phone numbers they have in their personal smartphones, because the telephone and email systems are down. It’s a payday, and most employees rely on direct deposit to receive their paychecks, but no one received their electronic paycheck on Thursday night.
The counter service staff can’t log in to their systems and does not know how to handle manual transactions. Staffers keep picking up the phone to call the Information Technology (IT) Department help desk, but there’s no dial tone. The situation is causing massive lines to form in planning, permitting and cashiering and affecting other departments. Residents and business owners who need to conduct business with the city are becoming frustrated.
After several days of down time, IT staff determines that many city servers were compromised through a well-orchestrated cybersecurity attack. During recovery, there was great confusion and contention as to which services should be restored first. Weeks later, the IT Department discovers that a Trojan horse virus, transmitted via a city staff member’s personal flash drive, caused the chaos.
Although this scenario is hypothetical, recent cybersecurity breaches in both the private and public sectors have captured the attention of local government agencies. Highly publicized data breaches and cybersecurity attacks raised awareness of these challenges, and consequently many city officials are looking at historically underfunded municipal cyber defense programs.
Cybersecurity Awareness Training
Much like thieves operating in a neighborhood, hackers generally hit the easiest targets first. One of the most common breaches can occur after a user clicks on a link in a spam or phishing email. Such an attack may be financially based rather than an attempt to cause mayhem in your city.
“Trojan horse virus writing is big business now. A well-written Trojan horse virus like Cryptolocker can generate millions of dollars in revenue for its writers by encrypting your data and holding it for ransom until you pay a fee. With big money at stake, some of the top coding talent is being recruited to write these Trojans,” says R.J. Robinson, a Loma Linda-based cybersecurity expert. A Trojan horse virus is one that lies undetected until a future date. Such viruses contain malicious code that can carry out a specific action when the hacker signals the software. Robinson continues, “As a hacker, why would I try to breach a $20,000 security device when I can convince someone to insert an infected $5 thumb drive?”
Risk can be mitigated in many ways, but one of the simplest ways is through a good security awareness training program. A number of private-sector security organizations offer end-user security awareness videos at a relatively low cost. “Good awareness training and having a policy in place that deals with unknown media, suspicious calls that try to get staff to visit a website or getting emails with suspicious attachments go a long way in preventing internal breaches,” says Robinson. The City of Moreno Valley’s Technology Services Division Manager Steve Hargis concurs. He says, “Despite several well-known breaches over the past few years, many governments continue to rely on anti-virus and firewall protections alone while ignoring the paramount importance of end-user education.”
Security Audits and Monitoring
Among the many additional security efforts that deserve local government’s attention, one standout is the security audit and penetration test, where paid ethical hackers try to breach your system, then report back their findings so you can take pre-emptive action. “Upper management needs to understand the long-term cost of a data security breach. Not just the monetary cost, but the cost in losing customers’ trust. If you can quantify that, the light bulb usually goes on and suddenly $10,000 or more for a full security audit seems like a bargain,” says Robinson.
However, is an annual or biennial security audit enough in the ever-changing cyber landscape? It’s a starting point, but the new trend is to also hire 24/7 managed security service providers operating out of remote “security operations centers.” Such companies have fully dedicated certified security teams who watch your network, inside and out, to identify real time security threats and help develop preventive counter measures. “In the 21st century, when children typically know more about cyberspace than most adults, it’s smart to hire professionals,” says Hargis.
These managed security service providers often use special Security Information and Event Management (SIEM) tools that provide a dashboard view into security and server logs that your city’s IT staff probably doesn’t have time to monitor. Your staff may view these logs after an incident has already occurred, but usually not before.
Build a Continuity of Operations Plan
In the scenario described earlier, systems should be prioritized in advance through a continuity of operations plan. Such plans are vetted through departmental meetings where questions are asked, such as, “What would happen if your computer system went down for two hours? A day? A week? A month?” It’s surprising what occurs when you have these discussions with departmental staff. They may say, “I never thought it would be possible for systems to be down that long. If we simply take this extra step, in advance, we will be as prepared as possible when the systems fail.” For example, a payroll team saves the last successfully run payroll in a PDF format and stores it in a secured location, along with blank check stock. On the day of a disaster, all checks are printed and signed, and required payroll adjustments are made after system recovery. Dennis Vlasich, IT director for the City of Fontana, made it a priority to develop a continuity of operations plan. He says, “Business continuity planning represents the opportunity to take an introspective look at what’s really important in your operations. Just going through the exercise of imagining the impact of the loss of critical systems on the public as well as the agency itself will help you to understand what is important and what is just convenience.” Prioritization of system recovery should be based on criteria such as the critical nature of system transactions and potential scope of impact.
Questions for Leaders to Consider
The measures described here and numerous other security efforts may already be underway in your city’s IT Department. But how might you support current cybersecurity efforts in a collaborative way? Do policies need to be written that require executive sponsorship? Can the Human Resources Department help support a security awareness training program? Is support needed for new hardware, software or services? With limited funding, an assessment should be performed at the executive management level regarding the amount of risk your organization is willing to mitigate or simply accept. You can never be 100 percent secure, and most security experts would agree with R.J. Robinson, who says, “If an attacker has the time and desire, they will gain access one way or another. That is why a good backup and recovery plan is so important.”
Cybersecurity Checklist for Cities
Policies, Planning and Training
|$$TT||Create a cybersecurity strategic plan.|
|TT||Create a security policy signed by all employees and review with new employees during their orientation.|
|T||Create mobile device and “bring your own device” policies with clear security protocols.|
|T||Create email distribution lists to share and coordinate threat and vulnerability information with interested parties within your organization.|
|T||Conduct regular internal security meetings.|
|TT||Create a cybersecurity awareness training program, tied closely to an established security policy.|
|TT||Create an incident response plan specifying, in advance, what IT staff would do if x, y or z category of attack occurs.|
|T||Perform routine login account audits ensuring all accounts are active that should be. Disable accounts not used in a certain number of days.|
|T||Create a solid policy for in-out employee processing to ensure that all account access is shut down when employees separate from your organization.|
|T||Standardize on active-directory (AD) or Lightweight Directory Access Protocol (LDAP) compatible applications so passwords can quickly be deactivated across multiple systems.|
|T||Enforce strict password requirements meeting industry standards for complexity, length, and reset time limits.|
|$||Procure multi-factor authentication tools requiring a use to provide “something you have and something you know” for remote access to the network.|
|T||Implement a patch management program to keep servers and desktops up to date with the latest security patches that prevent known vulnerabilities.|
|$$$||Seek funding for a hardware replacement program so aging hardware doesn’t become unsupportable and vulnerable.|
|$$TT||Create a Continuity of Operations Plan (COOP) to document manual procedures during outages and prioritize recovery of systems.|
|$$TT||Create a disaster recovery plan to back up and recover data, equipment and infrastructure in the event of a disaster.|
|$T||Create a Continuity of Government (COG) plan in case of a major natural disaster, whereby certain governmental decision-making authority may be temporarily assigned to alternates.|
|$$$||Create a full-time information security position.|
|$$||Fund staff training and certifications. You are competing with hackers who receive upwards of $100,000 per person in training to learn how to breach your network.|
|$$T||Procure routine outside security audits, including penetration testing and Payment Card Industry (PCI) scanning for credit card systems.|
|$$||Procure additional security services through your Internet service provider (ISP) such as Distributed Denial of Service (DDoS) monitoring and mitigation.|
|$$$||Procure 24/7 managed security services through Security Operations Centers to identify real-time security threats and develop preventive counter measures.|
Physical Security, Software and Hardware
|TT||Maintain and routinely test backups keeping in mind public records and/or information access laws, records retention schedules and policies.|
|$$||Maintain redundant, off-site data storage in a hardened environment. (In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability.)|
|$$$TT||Harden data centers.|
|T||Permit limited physical access to data centers, and perform regular security audits of those entering data-center facilities.|
|$$$TT||Consider moving to cloud services in a Tier 4 data center. A Tier 4 center guarantees 99.995 percent “up time,” allowing less than an hour of interrupted service during a one-year period.|
|$T||Automate and maintain up-to-date virus protection for servers and desktops.|
|$$T||Procure next generation firewalls and tools including features such as intrusion prevention/detection, data loss prevention, anti-spam filters, anti-bot filters, content filtering and reporting, and threat emulation.|
|$$TT||Procure Security Information and Event Management (SIEM) event correlation and reporting tools.|