These are certainly strange and dangerous times we are living in. Climate change, political upheaval, pandemics, murder hornets, and an unstable economy all lead to a mix of fear and mistrust. Fear and mistrust can lead to the rise of crime on a personal level and a global platform. Cybercrime is no exception.
The risk and severity of cyber attacks have clearly grown over the past few years. In fact, since 2018, humankind has witnessed some of the most horrific cases of cybercrimes related to massive data breaches, flaws in microchips, cryptojacking, and many others.
Every day we read news related to cybersecurity threats like ransomware, phishing attacks, or IoT (Internet of Things)-based attacks. However, 2020 comes with a whole new level of cybersecurity threats that businesses and municipalities need to be aware of. This topic is too large to address all of the risks and attacks, so I will narrow the scope to only a few things, but the key point is to stay alert to what you are seeing on your monitors and think before you click.
Cyber attacks are up 37 percent over the past few months, according to Infosecurity magazine. This should not come as a surprise in light of COVID-19 and people being isolated at home, online education, increased web surfing, a surge in online shopping, increased social media usage, and virtual meetings. As a result of all of this online activity, phishing attempts have soared by over 600 percent since the end of February, including traditional impersonation scams but also business email compromise (BEC) and extortion attacks, according to Barracuda Networks.
Among the most recent cyberattacks in 2020, ransomware/malware is still the most common. Ransomware attacks are still at the top of the list of hacks that are being used to extort money from people as well as towns and municipalities across the country. The other two top attack types are phishing and spoofing website addresses.
In most ransomware cases, the identities and whereabouts of the hackers are hidden by clever digital diversions. Intelligence officials, using data collected by the National Security Agency and others in an effort to identify the sources of the hacking, say many have come from Eastern Europe, Iran, and, in some cases, the United States.
The majority of hackers have targeted small-town America, figuring that sleepy, cash-strapped local governments are the least likely to have updated their cyber defenses or backed up their data. Unfortunately, this is very true in Vermont. Towns, cities, and municipalities are sitting ducks for hackers. Lack of on-site IT personnel, and town office personnel not having proper cyber security awareness training, all lead to an opportunity for hackers to obtain personal data of citizens or financial information of towns. During tax season, for example, property taxes can be diverted into the accounts of hackers rather than those of the towns.
According to government and private experts, the ransomware business is now proving so lucrative that the hackers are pouring some of their profits back into their own research and development, making their attacks more precise, and more clever.
Defense Against the Dark Arts (Hacking). All hope is not lost. While attackers always find new ways to fly under the radar, there are several ways that municipal employees can protect data from attacks in spite of the fact that funding to improve security is tight.
If your town offices use external hard drives to back up data, the drives need to be detached after every backup because ransomware will scan a system and encrypt external drives along with any other drives used to store data. It is inconvenient to do this, but to protect the data it is necessary. Don’t forget to store the external drives in a locked place, such as a vault or room.
If you were a student at Norwich University in one of my Information Assurance courses, you would quickly learn my mantra: DO NOT CLICK ON THE LINK! It has become a joke in our school but it is also a serious demand. Clicking on a compromised link can undermine all of the security defenses that have been put in place. If you don’t expect a link to be in an email, do not click on it! The best practice is to enter the URL yourself; do not copy and paste the link as that can take you directly to where the hackers can gather information. Just because a site includes a company's logo or looks like the real page doesn’t mean it is! Logos and the appearance of legitimate websites are easy to copy.
So, how do you know if a link is legitimate? Here are some tips.
In the email, look out for:
- Links containing an official company name, but in the wrong location. For example, an address that starts with https://www.yahoo.com but continues with more domain text before the first slash is a fake address that doesn’t go to a real Yahoo! website. A real Yahoo! web address has a forward slash (“/”) after yahoo.com – for example, https://www.yahoo.com/ or https://login.yahoo.com/.
- Incorrect company name. Often the web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look for tricks such as substituting the number “1” for the letter “l” in a web address (for example, www.paypa1.com instead of www.paypal.com).
- “http://” at the start of the address on Yahoo sign-in pages. A legitimate Yahoo sign-in page address starts with “https://” ― the letter “s” must be included. So, check the website address for any Yahoo sign-in page.
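As an added example (not part of the original article), the three checks above can be written as one short Python function. The list of trusted domains, the table of digit-for-letter swaps, and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a short allow-list of domains the office really uses.
TRUSTED = ("yahoo.com", "paypal.com")
# Digit-for-letter swaps seen in lookalike names, e.g. "1" for "l".
SWAPS = str.maketrans("1035", "loes")


def owner(host):
    """Return the trusted domain this host belongs to, or None."""
    for domain in TRUSTED:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def check_link(url):
    """Return the warnings that apply to one link taken from an email."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit recognise a bare host name
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if owner(host) is None:
        if owner(host.translate(SWAPS)):
            warnings.append("misspelled company name")
        elif any(domain in url.lower() for domain in TRUSTED):
            warnings.append("company name in the wrong location")
        else:
            warnings.append("unknown site")
    elif parts.scheme != "https":
        warnings.append("not https")
    return warnings


# Constructed sample links; example.net is a reserved documentation domain.
SAMPLES = [
    "https://login.yahoo.com/",
    "https://www.yahoo.com.example.net/signin",
    "www.paypa1.com",
    "http://login.yahoo.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link) or ["no warning"])
```

The swap table only catches digit-for-letter substitutions; names with an added or missing character still need a human eye.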
Activities for town and city officials:
- Focus on cybersecurity awareness. Educate employees on the importance of data protection and security protocols. A number of free or low-cost training programs are online.
- Create a unique and strong password combination and complement it with two-factor authentication to access the system.
- Invest in cybersecurity tools like antivirus software, firewall, and other privacy tools to automatically scan threats. Install and update your antivirus software.
- Have a strong backup policy. It will protect you from ransomware attacks.
- Apply end-to-end encryption to all your confidential files.
- Hack yourself! This will help you identify the vulnerabilities in the system.
- Invest in IT security services for monitoring and alerting, which can help spot malicious behaviors early and defend against attackers.
Summary. There’s no 100 percent guarantee when it comes to protecting data. There is a sad but true statement: “It’s not if you get hacked; it’s when you get hacked.” Because no matter how much security you have, it will happen. Everything can potentially be attacked, and if you’re hacked, there’s no guarantee that you’ll get everything back. Even if you’re backing up to the cloud, what happens if the cloud provider is attacked?
Municipalities can fight back. Tools and frameworks exist that enable local governments to secure their networks. For starters, state and local governments can follow the technical guidance of the recently created federal Cybersecurity and Infrastructure Security Agency (CISA) to harden their systems. This requires backing up data and retaining copies offline, maintaining consistent patch management, and updating security products and solutions.
Everything is at risk. There’s no foolproof way to protect yourself. There are only best practices. Take every step to mitigate and monitor, and hope your reaction time can mitigate loss. The most effective security is security awareness and training for employees. Humans are the greatest risk to security, but they are also the greatest asset if properly trained.
Some references with additional information. Below are some really great links. (Yes, you can click on these!) They contain a wealth of information to help maintain security of your data.
- 2019 Verizon Data Breach Report
- The Ultimate List of Cyber Security Statistics for 2019
- 52 Key Cybersecurity Tips
Kris Rowley, MSISA
School of Cyber Security, Data Science, and Computing