Last evening, it was announced that the City of Atlanta has been hacked and the threat actors have encrypted some city data.
According to a report from Atlanta NBC affiliate WXIA, a city employee sent the station a screenshot of a ransomware message demanding a payment of $51,000 to provide all the keys for affected systems. Employees are also receiving emails from the city's information technology department instructing them to unplug their computers if they noticed anything suspicious.
Based on the early information, it seems that malware called "SamSam" by Talos was leveraged in the attack. Once the malware has a foothold on a server, it spreads to Windows machines on the same network.
It also seems to be affecting payroll systems. However, Atlanta officials have informed employees that they can fill out paper timesheets.
A very short time ago, Critical Path Security worked with a government agency in another region of the United States and found widespread gaps in security that persisted throughout the entire county, as maintenance was not being properly handled by their outside IT vendor.
Not dissimilar to what is being reported by responders inside the Atlanta breach, their incidents were caused by lack of proper access control, system and security monitoring, effective network segmentation, and proper patching. Fortunately, there was enough time to close the gaps and prevent highly disruptive major damage.
Unfortunately, this is a common problem in organizations with tight budgets and insufficient resources. A consultant or outside vendor is called in to install a new service, such as a payroll system, on a server, and the server is then forgotten about. When that server is compromised, the credentials and access gained are used to move laterally around the network, collecting data and encrypting contents along the way.
If the network is poorly segmented, often referred to as “flat”, the malware can spread incredibly fast. The outcome is a fight against time to get the preferred payment, generally in bitcoin, pay the ransom, and get the files… before the FBI seizes the domain or email addresses used to retrieve the keys. This topic has been heavily debated in roundtables and panels between FBI agents and Critical Path Security staff members, as well as many others. However, it was made clear that the FBI and Homeland would not be changing their stance.
It’s a ticking time bomb.
So, what’s the solution?
In fairness, there isn’t a single one-shot answer for this. However, I can offer the following advice that can greatly improve the security posture of an organization.
Develop a strong relationship with a Managed Security Services Provider, such as Critical Path Security. They can act as an advocate for the organization and provide continual support, in hopes of preventing costly events such as these.
Additionally, start with the CIS Critical Security Controls, with emphasis on the first six:
- Inventory of Authorized and Unauthorized devices
- Inventory of Authorized and Unauthorized software
- Security configurations for hardware and software on mobile and IoT devices
- Continuous Vulnerability Assessment and Remediation
- The controlled use of administrative or root privileges
- Maintenance, Monitoring, and Analysis of Audit Logs
With these basics addressed, you and your vendor will have a clear understanding of what devices and accounts are in use on your network and how you should expect them to behave.
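The following is an added example (not Critical Path Security's code or a tool it offers) of what "knowing what is on the network and how it should behave" looks like in practice once the inventory controls above exist. It combines a constructed authorized-device inventory and admin-account list with a constructed audit-log excerpt, and flags three things a flat-network ransomware incident like the one described produces: events from a host that is not in the inventory, administrative logons by accounts that are not supposed to have admin rights, and a burst of file renames by one host and user, which is how mass encryption typically shows up in file-server audit logs. The log format, host names, account names and thresholds are all assumptions made for the example.

```python
"""Baseline check tying CIS controls 1, 2, 5 and 6 together.

Added example, not vendor code. Inventory, accounts, log format and
thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of authorized hosts (CIS control 1) and of the
# accounts that are expected to exercise administrative privileges (control 5).
AUTHORIZED_HOSTS = {"payroll-01", "fs-01", "ws-1042", "ws-1043"}
ADMIN_ACCOUNTS = {"it-admin", "svc-backup"}

# A burst of this many renames by one host+user inside the window is treated
# as a possible mass-encryption event. Tune to the environment.
RENAME_THRESHOLD = 5
RENAME_WINDOW = timedelta(seconds=30)

# Constructed audit-log excerpt: "<timestamp> <host> <user> <action> <target>".
# The vendor-installed payroll server is used to rename files on the file server.
SAMPLE_LOG = r"""
2018-03-22T08:00:01 ws-1042 jdoe write \\fs-01\finance\q1.xlsx
2018-03-22T08:00:09 ws-1043 asmith read \\fs-01\hr\handbook.docx
2018-03-22T08:01:30 vendor-box contractor admin_logon payroll-01
2018-03-22T08:01:31 payroll-01 contractor rename \\fs-01\finance\q1.xlsx
2018-03-22T08:01:32 payroll-01 contractor rename \\fs-01\finance\q2.xlsx
2018-03-22T08:01:32 payroll-01 contractor rename \\fs-01\finance\budget.xlsx
2018-03-22T08:01:33 payroll-01 contractor rename \\fs-01\hr\handbook.docx
2018-03-22T08:01:34 payroll-01 contractor rename \\fs-01\hr\roster.xlsx
2018-03-22T08:01:35 payroll-01 contractor rename \\fs-01\hr\policies.pdf
2018-03-22T09:15:00 ws-1043 it-admin admin_logon fs-01
"""


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, host, user, action, target = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "action": action, "target": target}


def analyze(log_text, authorized_hosts=AUTHORIZED_HOSTS,
            admin_accounts=ADMIN_ACCOUNTS):
    """Return a list of (kind, subject, timestamp) findings, in log order."""
    findings = []
    rename_times = defaultdict(list)   # (host, user) -> recent rename timestamps
    burst_reported = set()             # (host, user) already flagged for a burst
    unknown_reported = set()           # hosts already flagged as not in inventory

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev["host"], ev["user"])

        # Control 1: anything not in the inventory is by definition unexpected.
        if ev["host"] not in authorized_hosts and ev["host"] not in unknown_reported:
            unknown_reported.add(ev["host"])
            findings.append(("unknown_host", ev["host"], ev["ts"]))

        # Control 5: admin privilege used by an account that should not have it.
        if ev["action"] == "admin_logon" and ev["user"] not in admin_accounts:
            subject = f"{ev['user']}@{ev['host']}->{ev['target']}"
            findings.append(("unexpected_admin", subject, ev["ts"]))

        # Control 6: sliding-window count of renames per host+user.
        if ev["action"] == "rename":
            window = rename_times[key]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > RENAME_WINDOW:
                window.pop(0)
            if len(window) >= RENAME_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                findings.append(("rename_burst", f"{ev['user']}@{ev['host']}", ev["ts"]))

    return findings


if __name__ == "__main__":
    for kind, subject, ts in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind}: {subject}")
```

Run against the sample, the script reports the unknown "vendor-box" host, the contractor account logging on administratively to the payroll server, and the rename burst from that server, in that order; the legitimate `it-admin` logon produces nothing. The point is not the specific rules but that none of them can be written until the inventory and the list of expected administrative accounts exist, which is why the controls above come first.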
The bottom line...
Security is hard. It is less about efficiently identifying the probable state of all enterprise platforms and users, and more about identifying and understanding the applied risk of all possible operational states of systems and people.
Maintaining a clear understanding that a threat is not just the presence of events, but also the absence of events is an important concept to grasp. Sure, a piece of malware or other malicious action has to take place. However, a lack of proper technical and administrative controls will make those attacks more likely to occur.
A means of properly prioritizing and controlling growth in a meaningful and actionable way is imperative. This is a tough problem, but one that will maximize the limited resources an organization has available. Critical Path Security has extensive experience with local and national government agencies that can be applied to solving these problems.
Let us show you the value of Critical Path Security’s tailored management options. To arrange a demonstration or talk IR strategies give us a call.