Even before the recent ransomware attack on the City of Atlanta, both county- and city-level governments in Bartow have been taking precautionary steps to protect their electronic information from …
Even before the recent ransomware attack on the City of Atlanta, both county- and city-level governments in Bartow have been taking precautionary steps to protect their electronic information from hackers.
In the wake of that major security breach, however, there's a renewed focus on upgrading and safeguarding Bartow's municipal cyber-infrastructure — although most local governments are still without a formal policy to respond to potential ransomware incidents.
A relatively new form of hacking, ransomware entails the installation of malicious software on hardware that either locks users out of their systems or encrypts their files to be inaccessible until a payment is made.
The cyberattack on Atlanta is but the latest in a series of such ransomware incidents. Last year's WannaCry attack hit more than 200,000 computers in 150 countries, affecting The Boeing Company, FedEx and Honda, among many other corporations. That same year, the NotPetya attack cost pharmaceutical titan Merck & Co. more than $300 million in just one financial quarter.
The attack on Atlanta's cyber-infrastructure, however, is different from some of the more heavily publicized ransomware attacks on companies and municipalities in years past. Nathan J. Underwood, owner of Cartersville's Cyber Tech Cafe, said the cyberattack bears all the markings of the SamSam malware strain.
"The SamSam ransomware attacks the network itself instead of leveraging one of those social engineering attacks," he said. "It finds vulnerable servers or vulnerable hosts that it can access from the internet, so that it doesn't have to rely on that human to click a link or rely on a human to open an attachment."
Cartersville Assistant City Manager Dan Porta said he's not exactly sure what method was used to attack the City of Atlanta — or "how they ascertained the damage" — but he said the City of Cartersville nonetheless takes a "layered approach" to preventing numerous types of data breaches.
He said the city regularly monitors its servers for possible hacks and extensively uses spam filtering programs to root out any potential "phishers" — malevolent actors posing as legitimate email senders.
"We have servers that could contain data, obviously, we have detailed customer information, but we have safeguards in place already," he said. "For instance, if you come in and make an application for city services, you have to provide, for example, a Social Security number or credit card information ... that information is encrypted already, and once it's entered into the system you can only see, maybe the last four digits."
That kind of sensitive information, he added, isn't accessible to lower-level staff.
"With software vendors, there are protections in place for that information," he said, "and there are protections we put in place for city equipment before we even install it."
As for Euharlee's cybersecurity protocols, City Manager James Stephens said the municipality uses "a combination of cable third-party contractors" to protect the city's computer infrastructure.
"Per best practices," he wrote in an email, "we do not share our security practices and policies regarding our data and computer infrastructure."
Emerson Assistant City Manager Todd Heath said beefing up cybersecurity has been a growing concern for the municipality over the last few years.
"In 2014, we really started to get ahead of it," he said. "We've replaced our network hardware with domestic products, certified. As far as our client software, we sort of transitioned from more of a client-server base to sort of a cloud-based, integrated control through our network hardware. It's kind of like an all-seeing eye."
That proactive approach also applies to the city's smartphones and tablets.
"Even with our mobile devices, we use mobile device management now to funnel all of the traffic through a few certain areas," he said, "just so we can make sure all of the policies that the city has in place are being followed."
While ransomware attacks are worrying, Heath said that's not the only type of cyberattack that local governments should be concerned about.
"From a municipal perspective, what I have seen, noticed and want to point out to others is a specific 'spear phishing' technique where a higher-level official or someone with access to accounting information is targeted," he said. "It's more of a 'spoofing' mechanism. It could be voice, it could be a phone call, it could be email, usually some kind of urgent communication to try to activate a financial transfer."
The municipal phishing threat isn't limited to local government employees, however. Hackers have been known to "spoof" city and county government email addresses in order to trick residents into thinking they're receiving "official" correspondence from local agencies and utilities.
Porta said any residents who feel suspicious about emails sent to them by individuals claiming to be representatives of local government should give city hall a phone call.
"Just like the police department tells you, you have to always be on guard," he said. "You never know what's out there on the web, if it's accurate information or a valid email."
These kinds of attacks, Underwood said, underscores the need for and the importance of leveraging "offensive security" when it comes to network maintenance.
"Once you think your network is secure, bring in an unbiased third party to evaluate your work, to scan it from the perspective of an attacker, to see what you've missed," he advised. "The attackers look at these systems from very different perspectives, and right now we're asking those defenders to respond to threats that they've never had a chance to practice against ... the City of Atlanta is a glaring example of what happens in those cases."
"Our policy, obviously, we'd shut down the servers," Porta said. "We routinely back up our information, so we could technically go back to an earlier date and refresh the data and lose, maybe, some current information. It would just be a matter of, first of all, what they hacked and to what extent."
Although the City of Emerson does not have a formal policy on responding to a ransomware attack, Heath said the city does follow a general policy regarding potential data breaches.
"We have measures in place to quarantine network traffic, and we can enact tiered alerts in certain situations that will alert to suspicious activities, so it can cascade," he said. "For instance, if there were a suspicious email, suspicious data transfer, some certain files that were to be activated in unreasonable schedules — human resource files are accessed outside of business hours — those alerts can begin triggering."
And as a last ditch effort, Heath said the city does have the ability to completely shut down its network.
Bridget Lawlor, director of Bartow County Information Services, said the county is well aware of recent cyberattacks at other jurisdictions.
"Bartow County works with our third party systems vendor and the City of Cartersville to implement a security solution," she wrote in an email. However, she said she does "not feel it is prudent or in the best interest of the county or our citizens to disclose the details of these measures."
Bartow County Commissioner Steve Taylor said that his department heads have assured him the county's cybersecurity infrastructure is both well-protected and well-monitored.
"We've taken the proper procedures to protect our systems and everyone's password-protected within those systems," he said. "It seems like weekly we hear about a hack, that somebody has hacked into other municipality systems ... we feel comfortable with our systems so far, but we're always looking for new ways to improve our system security."
Taylor, however, said the county does not currently have an official response procedure outlined in case of a local ransomware attack.
"We don't have a policy in place, in effect, to either pay or not pay, but just offhand, we are totally against paying a ransom to anybody who hacks into our system," he said. "We would spend more money to create a new system rather than start paying ransoms to these people."