When ransomware plagues government agencies, hackers are here to help

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Grant McCracken
 

Connecting state and local government leaders

By Grant McCracken

|

Vetted whitehat hackers can give agencies valuable new perspectives on their systems and ultimately help them combat adversaries.

As more and more local governments become targets of ransomware, the concept and costs of such attacks are creeping into the public’s consciousness as well as the average person’s vocabulary. These attacks are becoming common and have no end in sight -- and why should they? They're fairly lucrative and relatively easy to execute. In the last three months alone, we’ve seen several attacks on local governments, including Florida’s Lake City and Riviera Beach, which agreed to pay just over a million in ransom between them. There are likely other ransomware attacks that have not been publicized.

At the risk of oversimplifying, many of the pervasive and longstanding security issues that have persisted for decades explain the rise of ransomware. The risks from human error and unpatched software are equally important but require very different approaches and mitigation strategies.

Ransomware exploits government agencies' reliance on older infrastructure and software and the relatively slow pace of workplace technology adoption and training. Point-in-case: Five years after extended support for Windows XP ended, it is still installed on millions of machines -- many of them in government or large enterprises. It also depends on inattentive or unsophisticated users to activate attacks with an errant click or download. Combined, these factors make government agencies attractive targets for ransomware and other cyberattacks.

The human factor

Addressing the human element is one of the more challenging aspects of mitigating cybersecurity risk. All it takes is one well intentioned but misguided employee to expose an entire organization to threats. Whether tricked by targeted spearphishing or social engineering, it's remarkably common for users to click on links they shouldn't, visit pages of questionable repute or execute files that they shouldn't. As a result, an attacker can gain a foothold and either begin exfiltrating data or encrypting it so that it's rendered unusable as happens in ransomware attacks.

There are a number of tools that system administrators can use to try to mitigate these risks, but it's borderline impossible to ensure all users have all the tools, training and access they need to eliminate the possibility of exploitation. In this regard, education must be the first and strongest line of defense -- every employee must know how to spot suspicious activity and refrain from risky online behavior on work machines. Of course, this is easier said than done, but the importance cannot be understated because all it takes is one click to put an entire city or agency at risk.

Unpatched software

In addition to the human element, ransomware attacks are often made devastatingly effective by virtue of the outdated and/or unpatched software many government computers are running. Getting someone to click on a link is just an attacker's first step. The fact that the victim is running an outdated browser that's vulnerable to remote code execution allows the hacker to pivot from a single compromised machine to attack others running similarly vulnerable software.

In theory, the solution is as simple as ensuring all machines have up-to-date software and are not running rogue apps or accessing servers that could offer areas of compromise. However, as anyone who has managed IT systems knows, this is much easier said than done. Systems administrators can use device management tools to decrease vulnerabilities, but the comprehensive audits and penetration tests that strong security requires are time consuming and laborious efforts -- not to mention expensive.

Looking to hackers

To address the security issues caused by humans, training and education is a must. For vulnerable systems, though, a layered approach to cybersecurity can help. Many agencies are now looking to hire whitehat hackers to “hack them first” through crowdsourced security programs.

For example, a bug-bounty program allows agencies to leverage a group of ethical hackers to assess, identify and minimize risk in exchange for incentives. Whereas security checklists may help establish a certain baseline of best practices and point-in-time assessments, vetted whitehat hackers simulating real and insider threats give agencies valuable new perspectives and ultimately help them combat adversaries.

Several government entities are currently leveraging whitehat hackers. The Pentagon stands out for its work with the “Hack the Pentagon” program. The Swiss government similarly established a bug bounty program, encouraging good faith hackers to break into the country’s electronic voting system undetected, which also validated the crowdsourced security model.

At minimum, the easiest way to engage with this community is through a vulnerability disclosure program. Designed as “neighborhood watch for the internet,” VDPs set up a framework for receiving security feedback about any internet-facing asset from the global security community without the monetary rewards. In fact, recently there’s been a call by industry groups for governments to adopt standard vulnerability disclosure policies to help provide clear guidelines on how to best implement and manage these important programs.

At a time when the public and private sectors are under constant siege from increasingly effective ransomware attacks, cities and local governments must engage more with the ethical hacker community to tip the balance in their favor.

NEXT STORY: Court stops Georgia from using ‘grossly outdated’ election equipment in 2020

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.