When ransomware plagues government agencies, hackers are here to help
As more and more local governments become targets of ransomware, the concept and costs of such attacks are creeping into the public’s consciousness as well as the average person’s vocabulary. These attacks are becoming common and have no end in sight — and why should they? They’re fairly lucrative and relatively easy to execute. In the last three months alone, we’ve seen several attacks on local governments, including Florida’s Lake City and Riviera Beach, which agreed to pay just over a million in ransom between them. There are likely other ransomware attacks that have not been publicized.
At the risk of oversimplifying, many of the pervasive and longstanding security issues that have persisted for decades explain the rise of ransomware. The risks from human error and unpatched software are equally important but require very different approaches and mitigation strategies.
Ransomware exploits government agencies’ reliance on older infrastructure and software and the relatively slow pace of workplace technology adoption and training. Point-in-case: Five years after extended support for Windows XP ended, it is still installed on millions of machines — many of them in government or large enterprises. It also depends on inattentive or unsophisticated users to activate attacks with an errant click or download. Combined, these factors make government agencies attractive targets for ransomware and other cyberattacks.
The human factor
Addressing the human element is one of the more challenging aspects of mitigating cybersecurity risk. All it takes is one well intentioned but misguided employee to expose an entire organization to threats. Whether tricked by targeted spearphishing or social engineering, it’s remarkably common for users to click on links they shouldn’t, visit pages of questionable repute or execute files that they shouldn’t. As a result, an attacker can gain a foothold and either begin exfiltrating data or encrypting it so that it’s rendered unusable as happens in ransomware attacks.
There are a number of tools that system administrators can use to try to mitigate these risks, but it’s borderline impossible to ensure all users have all the tools, training and access they need to eliminate the possibility of exploitation. In this regard, education must be the first and strongest line of defense — every employee must know how to spot suspicious activity and refrain from risky online behavior on work machines. Of course, this is easier said than done, but the importance cannot be understated because all it takes is one click to put an entire city or agency at risk.
In addition to the human element, ransomware attacks are often made devastatingly effective by virtue of the outdated and/or unpatched software many government computers are running. Getting someone to click on a link is just an attacker’s first step. The fact that the victim is running an outdated browser that’s vulnerable to remote code execution allows the hacker to pivot from a single compromised machine to attack others running similarly vulnerable software.
In theory, the solution is as simple as ensuring all machines have up-to-date software and are not running rogue apps or accessing servers that could offer areas of compromise. However, as anyone who has managed IT systems knows, this is much easier said than done. Systems administrators can use device management tools to decrease vulnerabilities, but the comprehensive audits and penetration tests that strong security requires are time consuming and laborious efforts — not to mention expensive.
Looking to hackers
To address the security issues caused by humans, training and education is a must. For vulnerable systems, though, a layered approach to cybersecurity can help. Many agencies are now looking to hire whitehat hackers to “hack them first” through crowdsourced security programs.
For example, a bug-bounty program allows agencies to leverage a group of ethical hackers to assess, identify and minimize risk in exchange for incentives. Whereas security checklists may help establish a certain baseline of best practices and point-in-time assessments, vetted whitehat hackers simulating real and insider threats give agencies valuable new perspectives and ultimately help them combat adversaries.
Several government entities are currently leveraging whitehat hackers. The Pentagon stands out for its work with the “Hack the Pentagon” program. The Swiss government similarly established a bug bounty program, encouraging good faith hackers to break into the country’s electronic voting system undetected, which also validated the crowdsourced security model.
At minimum, the easiest way to engage with this community is through a vulnerability disclosure program. Designed as “neighborhood watch for the internet,” VDPs set up a framework for receiving security feedback about any internet-facing asset from the global security community without the monetary rewards. In fact, recently there’s been a call by industry groups for governments to adopt standard vulnerability disclosure policies to help provide clear guidelines on how to best implement and manage these important programs.
At a time when the public and private sectors are under constant siege from increasingly effective ransomware attacks, cities and local governments must engage more with the ethical hacker community to tip the balance in their favor.