Article Source: San Mateo County Mosquito & Vector Control District - CA
Monthly Program Report
San Mateo County Civil Grand Jury Report on Ransomware.
Assessment of the district’s preparedness based on the Grand Jury Report recommendations.
Grand Jury Report on Ransomware
On October 7, 2020, the San Mateo County Civil Grand Jury released a report highlighting the risks and impact of ransomware on government entities in the county. In short, the report recommends that each entity conduct an internal review of its security systems and plans against the best practices the grand jury compiled through its research and investigation of the topic.
• Request a report on system security, backup, recovery, and prevention by November 30, 2020.
• Provide the report to the governing body by June 20, 2021.
• (Optional) Request a cybersecurity review from the U.S. Department of Homeland Security and/or a cyber hygiene assessment from the County Controller’s Office.
• Develop a Cybersecurity Plan based on the Federal Communications Commission (FCC) Cybersecurity Planning Guide.
The grand jury’s best practices are based on an in-depth interview with a private-enterprise IT manager and on professional literature. They are repeated in several variations throughout the report; this district program report organizes them into three areas (prevention, protection, and mitigation) and nine sub-areas.
Firewalls and Firewall-Related Services
• Utilizing multiple layers of defense
• Using firewalls to protect internal environments from breaches.
• Filter incoming email for viruses, malware, and phishing attempts.
Anti-Virus / Anti-Malware
• Use malware detection software to monitor incoming email and network activity.
• Install anti-malware / antivirus software on all machines and keep it current (update at least monthly).
• Keep systems up to date.
• Anti-malware definitions need to be updated constantly to retain their effectiveness.
• Software updates need to be kept current.
• Update at least monthly: patches for operating systems, firewalls, spam filters, anti-malware, and other key applications.
• Strengthen the password policy (long, complex passwords with expiration dates).
• Employ two-factor authentication (password, then a keycode) for external user access.
• To identify external emails, message rules can flag messages that originate outside the organization, decreasing the probability that a user clicks on bad content.
• To thwart phishing attempts, footers can be added to incoming emails warning about opening attachments and clicking on links.
• Ensure that users are educated and tested so they learn what to watch for and avoid, especially in emails.
• Security training, awareness, and assessment need to be routine, along with testing all employees on recognizing, deleting, and reporting attempted attacks.
Utilizing multiple layers of defense
• Utilize protection software from multiple vendors.
• Consider cloud hosting of email and other applications to provide added security, backup and restore capabilities, and filtering benefits, closing the largest and easiest route for ransomware to penetrate entity systems.
• Establish a thorough and comprehensive backup process for all servers using the 3-2-1 rule (three copies of the data, on two different types of media, with one copy offsite), and establish a separate backup process for key users’ critical folders (e.g., administration, accounting, human resources) so they can be restored from a secure onsite and/or offsite backup.
• Snapshots and/or image backups provide the most complete backup and the fastest recovery option.
• Develop and fully test a thorough backup and restore strategy to enable complete recovery from an attack.
• Perform backup and recovery (focus on full testing of recovery).
• Put in place internal controls such as subnets, which require departmental authorization to access another department’s data or programs.
• Use subnets to section off servers with separate security permissions and limited access.
• Disable and block unused services, protocols, and ports.
• Perform monitoring and auditing of failed logins, password changes, resource usage, and services stopping.
Security State of the District
Many of the best practices cited in the Grand Jury report were implemented at the district approximately 8-9 years ago, and most of the systems put in place then have since been updated or replaced. The district demonstrated its resilience to cyber threats in 2016, when ransomware encrypted district files: the district was able to clean the affected systems and restore files to a point approximately 8 hours before the encryption.
The district currently maintains a hybrid of on-premise and cloud-based technologies, and plans to leverage more cloud services. As the grand jury report suggests, security for many of these cloud-based services is more robust and comprehensive, and its maintenance is included in the service subscription cost.
Firewalls are in place at both district sites. The district also subscribes to firewall-based services that filter Internet traffic, including email, for known viruses, malware, illicit content, and other cyberthreats. In addition, desktops and laptops have antivirus software installed for prevention at the endpoints.
Automatic updates are enabled where available, particularly for antivirus and operating system updates, and routine checks are performed to catch devices that did not run updates as expected. Updates that cannot be set to run automatically, such as device firmware, are performed twice a year, or sooner when a critical update is announced by the device manufacturer.
Workstation passwords are set to expire after 90 days. The district is also implementing multi-factor authentication for its cloud services, where applicable.
User awareness is generally good, owing to the prevalence of “spam” emails and phone calls attempting to phish for personal information or install malicious software. Staff generally ignore and delete such emails or calls. Some emails have been reviewed and shared as educational opportunities to reinforce staff awareness of such threats.
The district employs multiple layers of defense from multiple vendors, along with cloud-based email and storage services, as suggested among the grand jury report’s best practices. These include, but are not limited to, firewalls, firewall threat protection services, antivirus software, and mobile device management.
Server-connected workstations and critical servers are backed up as three copies in three locations, one of which is off-site: locally, on a separate server, and to a cloud location. Backups run twice daily to some of these locations and nightly to the cloud location, which retains historical backup images for up to 30 days. While this does not prevent “Ransomware 2.0” variants that also target backup files, it allows the district to recover unaffected files that pre-date the infection.
The district firewalls have only necessary ports and services enabled. Most vendors and online services use conventional ports to communicate with devices or applications in the district; when a non-standard port is needed, the vendor or service must request approval and justify the additional port being opened.
Additionally, the district network is segmented so that wireless users, mostly field staff, can access their online services and the Internet but cannot reach the on-premise servers. The on-premise servers are further partitioned, and access to sensitive partitions is limited to staff who require it (for example, Finance staff to the financial drive partition).
In addition to the San Mateo County Civil Grand Jury’s cited best practices, the district will consider seeking an independent assessment of its systems.
With respect to software updates, the frequency of manual updates can be increased, as suggested by the Grand Jury’s cited best practices. Requiring users to maintain good, complex passwords, however, is a general challenge that many in the cybersecurity industry grapple with, and one that adding a second authentication factor does not completely address. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) continues to work on the “human factor” in this challenge, looking for ways to reconcile memorability with strength; NIST’s current guidance (SP 800-63B) favors long passphrases screened against lists of known-compromised passwords over composition rules and scheduled expiration. The district is actively exploring methods that balance complexity and ease of use, in addition to multi-factor authentication for all users and accounts.
Despite the prevalence of such messages and general staff awareness, more formal staff training and testing, as suggested by the grand jury report, can certainly help reinforce and quantify users’ awareness and ability to recognize cyber threats. There are now many educational providers with sophisticated tools to test users on their ability to identify threats, and the district will consider subscribing to one of them for cybersecurity education and testing.
While flags and footers on external emails may be good practice to alert staff to potentially malicious messages, it is the opinion of this IT Director that the number of false positive alerts erodes their efficacy and can cause, if it has not already caused, alert fatigue. Such alerts should be employed once better rules are developed that reduce the number of false positives and point to genuine discrepancies, for example, identifying links to “Microsoft secure messages” that do not direct the user to an actual Microsoft website.
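As an added illustration of the kind of targeted rule described above (example code written for this report’s discussion, not the district’s email filtering configuration): the check below parses an HTML email, collects each link’s visible text and real target, and flags links whose text claims a Microsoft secure message while the target host is not a Microsoft domain, or whose visible text is itself a URL pointing at a different host than the one it links to. The Microsoft domain list and the two sample messages are constructed assumptions for the demonstration.

```python
"""Flag links whose visible text claims Microsoft but whose target is not a Microsoft host.

Added example for the "better rules" discussed above; not the district's tooling.
The domain list and both sample messages below are constructed for the demonstration.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts accepted as genuinely Microsoft-operated (assumption: tune for the tenant).
MICROSOFT_DOMAINS = ("microsoft.com", "office.com", "office365.com", "live.com", "outlook.com")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None when not inside an <a>
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def is_microsoft_host(host):
    """True only for an allow-listed domain or one of its subdomains (not 'office.com.evil.net')."""
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def suspicious_links(raw_message):
    """Return [(href, visible_text, reason)] for links that fail the rule."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []   # plain-text mail has no hidden link targets to compare
    collector = _AnchorCollector()
    collector.feed(part.get_content())
    findings = []
    for href, text in collector.links:
        target = _host(href)
        if "microsoft" in text.lower() and not is_microsoft_host(target):
            findings.append((href, text, "text claims Microsoft, target host is " + target))
            continue
        # A visible URL must point where it says it does.
        if text.lower().startswith(("http://", "https://")) and _host(text) != target:
            findings.append((href, text, "displayed URL host differs from target host"))
    return findings


# Constructed sample: lure mimicking a Microsoft secure-message notification.
PHISH = """\
From: "Secure Messaging" <noreply@example.net>
To: staff@example.org
Subject: You have a Microsoft secure message
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A Microsoft secure message is waiting for you.</p>
<p><a href="http://ms-secure-msg.example.net/read">Open your Microsoft secure message</a></p>
<p>Or copy this link: <a href="http://evil.example.net/report">https://www.sanmateo-example.org/report</a></p>
</body></html>
"""

# Constructed sample: legitimate notification pointing at a real Microsoft host.
LEGIT = """\
From: notifications@example.org
To: staff@example.org
Subject: Encrypted message from Finance
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://outlook.office.com/mail/">Read your Microsoft secure message</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(PHISH):
        print(f"FLAG {href!r} ({text!r}): {reason}")
    print("legitimate message findings:", suspicious_links(LEGIT))
```

The rule fires on a concrete discrepancy (what the link says versus where it goes) rather than on the mere fact that a message came from outside, which is the false-positive source the paragraph above objects to; the allow-list is matched on whole domain labels so look-alike hosts such as `office.com.example.net` are not accepted.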
The district will consider performing regular tests of full recovery, as suggested by the grand jury report’s best practices. These tests can be very time consuming, so their frequency may need to be balanced against staff resources and system availability; the district may perform full recoveries less frequently, with interim recoveries of a subset of critical systems in between.
The district will also consider extending backup retention beyond 30 days. More needs to be understood about Ransomware 2.0: how it affects backups, how backup providers are addressing this threat, and what practices the district should implement. Beyond the grand jury report’s best practices, the district may also want to consider cloud-to-cloud backups.
The district may review additional separation of applications from the district network. More importantly, the district will look into monitoring tools and auditing services that can alert staff to unusual activity or potential threats to its systems.
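As an added example of the monitoring and auditing the grand jury report calls for (failed logins, password changes, services stopping), and not the district’s own tooling: the script below reads a simplified, constructed export of Windows event records and raises alerts for bursts of failed logons per user (one account being guessed) and per source address (many accounts being sprayed), for password resets, and for watched services entering the stopped state. The line format, the threshold and window, the watched service names, and the sample records are all assumptions made for the demonstration.

```python
"""Detect failed-logon bursts, password resets and watched-service stops in an event export.

Added example, not the district's monitoring tooling. The line format is a simplified,
constructed export of Windows Security/System events (4625 failed logon, 4724 password
reset, 7036 service state change); a real deployment would read the event log or a SIEM
feed instead. Thresholds and service names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, PASSWORD_RESET, SERVICE_STATE = "4625", "4724", "7036"
THRESHOLD = 5                     # this many failures from one user or one source ...
WINDOW = timedelta(minutes=10)    # ... within this window raise an alert
WATCHED_SERVICES = {"BackupAgent", "EndpointProtection"}   # assumption: names used below


def parse_line(line):
    """'<iso-timestamp> host=H event=ID key=value ...' -> dict, or None if unparseable."""
    tokens = line.split()
    if len(tokens) < 3 or "=" not in tokens[1] or "=" not in tokens[2]:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(tokens[0])}
    except ValueError:
        return None
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec


def detect(lines):
    """Return a list of alert dicts in the order they are raised."""
    alerts = []
    recent = defaultdict(deque)   # (dimension, value) -> failure timestamps inside WINDOW
    fired = set()                 # keys already alerted on (one alert per key per run)
    for line in lines:
        rec = parse_line(line)
        if rec is None or "event" not in rec:
            continue
        ts, ev = rec["ts"], rec["event"]
        if ev == FAILED_LOGON:
            # Track per user (password guessing) and per source (password spraying).
            for key in (("user", rec.get("user")), ("src", rec.get("src"))):
                if key[1] is None:
                    continue
                window = recent[key]
                window.append(ts)
                while ts - window[0] > WINDOW:      # drop failures older than WINDOW
                    window.popleft()
                if len(window) >= THRESHOLD and key not in fired:
                    fired.add(key)
                    alerts.append({"kind": "failed_logons_" + key[0], "subject": key[1],
                                   "ts": ts.isoformat(), "count": len(window)})
        elif ev == PASSWORD_RESET:
            alerts.append({"kind": "password_reset", "subject": rec.get("target"),
                           "ts": ts.isoformat(), "by": rec.get("user")})
        elif ev == SERVICE_STATE and rec.get("state") == "stopped" \
                and rec.get("service") in WATCHED_SERVICES:
            alerts.append({"kind": "service_stopped", "subject": rec["service"],
                           "ts": ts.isoformat(), "host": rec.get("host")})
    return alerts


# Constructed sample export: one guessed account, one spray, a reset, a stopped backup agent.
SAMPLE_LOG = [
    "2020-11-03T08:00:05 host=FILESRV01 event=4624 user=asmith src=10.0.20.11",
    "2020-11-03T08:01:10 host=FILESRV01 event=4625 user=jdoe src=10.0.20.14",
    "2020-11-03T08:01:25 host=FILESRV01 event=4625 user=jdoe src=10.0.20.14",
    "2020-11-03T08:01:40 host=FILESRV01 event=4625 user=jdoe src=10.0.20.14",
    "2020-11-03T08:02:02 host=FILESRV01 event=4625 user=jdoe src=10.0.20.14",
    "2020-11-03T08:02:19 host=FILESRV01 event=4625 user=jdoe src=10.0.20.14",
    "2020-11-03T08:02:33 host=FILESRV01 event=4625 user=jdoe src=10.0.20.14",
    "2020-11-03T09:30:00 host=VPNGW event=4625 user=asmith src=203.0.113.7",
    "2020-11-03T09:30:04 host=VPNGW event=4625 user=bjones src=203.0.113.7",
    "2020-11-03T09:30:09 host=VPNGW event=4625 user=ckim src=203.0.113.7",
    "2020-11-03T09:30:13 host=VPNGW event=4625 user=dlee src=203.0.113.7",
    "2020-11-03T09:30:18 host=VPNGW event=4625 user=eruiz src=203.0.113.7",
    "2020-11-03T09:45:00 host=DC01 event=4724 user=jdoe target=svc_backup",
    "2020-11-03T09:46:12 host=FILESRV01 event=7036 service=BackupAgent state=stopped",
    "2020-11-03T10:00:00 host=FILESRV01 event=4625 user=asmith src=10.0.20.11",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Counting failures along two dimensions matters: the spray from 203.0.113.7 never trips a per-user threshold because each account fails only once, and the lone typo by asmith at 10:00 is correctly ignored because the earlier failure has aged out of the window. A reset of a service account followed minutes later by the backup agent stopping is exactly the sequence worth paging on ahead of encryption.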
As recommended by the Civil Grand Jury report, the district will work on a Cybersecurity Plan. This will be a living document, reviewed and updated regularly, especially as new threats, security applications, and monitoring tools emerge. With healthcare and public health systems being targeted in the current climate, where healthcare resources are needed to combat the Covid-19 pandemic, it is important to keep current on ways to combat cyberthreats.
San Mateo County Civil Grand Jury. Ransomware: It is Not Enough to Think You are Protected. October 7, 2020. [http://sanmateocourt.org/documents/grand_jury/2019/ransomware.pdf]
Department of Homeland Security, Cybersecurity & Infrastructure Security Agency, National Cyber Awareness System. Alert (AA20-302A): Ransomware Activity Targeting the Healthcare and Public Health Sector. October 28, 2020 (Revised November 2, 2020). [https://us-cert.cisa.gov/ncas/alerts/aa20-302a]
Donald E. Hester. MISAC Ransomware Prevention (Webinar). February 12, 2020.
Kaspersky. What are the different types of ransomware? No date.
Mike Garcia. Easy Ways to Build a Better P@$5w0rd. October 4, 2017.
Dmitry Dontov. The Future of Ransomware 2.0 Attacks. June 5, 2020.