Texas Chief Information Security Officer (CISO) Nancy Rainosek says agencies shouldn’t forget about cybercrime during the COVID-19 pandemic. According to Rainosek, the ongoing crisis presents cybercriminals with an opportunity to strike. With many agencies already stretched thin trying to contain the coronavirus, the timing could hardly be worse for a cyber disaster.
Ransomware remains the weapon of choice for many of today’s cybercriminals. Ransomware is malicious software that blocks access to or threatens to leak the victim’s data unless a ransom is paid. For many agencies, ransomware attacks are a choice between spending valuable funds or disrupting their missions.
GovLoop spoke with Rainosek about how ransomware can rip through both the medical and public sectors. In the following Q&A, Rainosek also explained how agencies can prepare for, respond to and recover from cybersecurity incidents, including during upheavals such as the COVID-19 pandemic.
This interview was lightly edited for length and clarity.
GOVLOOP: What is ransomware, how does it work and why is it a serious challenge for state and local agencies?
Rainosek: Ransomware is a form of malicious software, or malware, that encrypts the files on a computing device. The cybercriminal that executes the ransomware will hold the key to decrypt the files, essentially holding the data hostage until the victim pays the ransom.
Ransomware is usually delivered through an email that lures the receiver into clicking on a link or attached file that secretly puts the program on the computer being used. Some forms of ransomware can propagate or move through a network, encrypting everything as they go, while other forms are dropped on one computer at a time.
Ransomware is a serious challenge for state and local government agencies because they need their systems and files to fulfill their missions and serve the public. For example, when a county gets infected by ransomware it can stop essential government services such as issuance of marriage licenses, title searches for real estate transactions, delivery of or billing for utilities, storage of criminal evidence, and performing traffic stops because video systems are impacted. That’s just a sample of the services that we’ve seen impacted.
How do state and local agencies’ budgets, citizens and manpower impact how they handle ransomware?
Many government organizations, particularly at the local level serving smaller portions of the population, are often challenged on how they spend their limited resources. This limits their ability to keep systems current and have the IT personnel on staff to adequately handle ransomware events. Organizations often outsource their IT to a managed service provider who is responsible for their systems’ availability and backups. This is what happened in August 2019 in Texas. One managed service provider was impacted, and the ransomware spread through their remote management software, which led to 23 organizations being impacted all at once.
What impact can major problems such as the coronavirus pandemic have on state and local agencies’ abilities to fight ransomware?
It can have several impacts. Now, more than ever, hospitals need to have working equipment to save the many lives impacted by this pandemic. Ransomware is not just something that attacks computers; it can attack medical devices as well. Hospitals are highly automated, from patient records to essential medical devices. I cannot imagine what it is like working in a hospital right now, and to introduce malware to impact their ability to serve their patients only complicates things and prevents hospitals from treating at-risk patients.
Telework also increases the attack surface and introduces new levels of risk because people are using home networks, which may have unknown vulnerabilities.
Finally, a situation such as this pandemic causes fear and increases people’s desire for information about the current situation. This creates a situation where people will be more easily duped into clicking on a link to retrieve information, only to be infected.
How should state and local agencies respond if ransomware strikes their networks?
First, disconnect impacted machines from the internet and their networks. If they can leave machines disconnected but not powered off, there may be evidence in memory on those machines that law enforcement can use to try to catch the cybercriminal.
Secondly, contact law enforcement. This is a crime and we recommend contacting the local FBI office.
Next, have someone who is experienced in incident response lead the effort to bring systems back to normal. We never recommend paying the ransom. When someone pays a ransom to retrieve their files, they are funding these criminals to perform further attacks and develop more sophisticated tools.
Lastly, I would not have someone immediately log into a backup system to retrieve files. If you have ransomware crawling your network, you need to be very careful to protect your backups so that they do not get encrypted when you log into the backup system.
What are some best practices you’d recommend for fighting ransomware, particularly for workforces that are working remotely now because of the coronavirus?
First, use virtual private networks to connect remotely. Use multifactor authentication to properly identify users. Finally, train your employees to be skeptical about clicking on links and opening documents that arrive in email or that they see on the internet. At Texas’ Department of Information Resources [DIR], we like to say, ‘connect with care, be cyber aware.’
How do data backups, rapid recovery, granular data visibility, and similar tools help agencies find, stop and recover from ransomware?
Data backups have always been an essential part of an IT program, but they’re even more essential when it comes to ransomware. We’ve had counties in Texas re-key months of data to recover from a ransomware event. There have been instances in some U.S. jurisdictions where they had to release or defer prosecution of criminals due to the destruction of evidence for crimes committed.
I consider backups to be the number one protective measure for recovering from a ransomware incident. Also, governments need to know what data they have, and where it is stored to protect it adequately. That’s where granular data visibility comes into play.
What are some preventative and response measures agencies can learn from the coordinated ransomware strike against various agencies in Texas in 2019?
- Build a cybersecurity aware culture.
- Create security policies and plans, including incident response plans, continuity of operations plans and acceptable use agreements. Know where your data is, and the priority of what needs to be recovered in what order.
- Ensure contracts for managed IT services include cybersecurity and liability protections.
- Perform regular, automated backups and keep the backups segregated and offline.
- Modernize legacy systems and ensure software is as current as possible.
- Limit the granting of administrative access.
- Segment networks and install and tune effective firewall technologies.
- Keep software patches and anti-virus tools up to date.
- Ensure users properly manage passwords.
- Enable multifactor authentication, especially for remote logins.
What do you want readers’ main takeaway to be after reading this story?
Ransomware is real and can have a major impact on how governments perform their business, and therefore how citizens perform business. People often think cybersecurity is not a main part of their mission. If you can’t issue marriage licenses, enable property sales or arrest criminals, you can’t perform your mission. Technology is important and involves investment to make sure it is implemented properly and is secured so it works effectively and keeps criminals out.