Ransomware Shuts Down Municipalities; How To Protect Our Cities

On June 9, 2024, the city of Cleveland, Ohio uncovered a “cyber incident” which was later determined to be a ransomware attack. Since the attack, city hall has been closed to the public for over a week. Citizen-facing services have been offline as well. To contain the damage of the ransomware, the city shut down the affected systems until they could be restored safely. On a positive note, emergency services, works, utilities and healthcare were not impacted.

Details about the attack have been kept closely held as the investigation continues. Some employees were allowed back to work on the 12th, but many issues remained: they could not process building permits or birth and death certificates. After more than a week, the mayor’s office still has not disclosed what information was exposed. The city did say that it is not negotiating with the hackers and will not pay the ransom.

This is not the first major city in the U.S. to get hit with ransomware.  In 2019, the city of Baltimore, MD was hit with a devastating attack that crippled their municipal services for weeks.  The cleanup cost the city over $18M.  In May of 2023, Dallas, TX was hit with ransomware that disrupted the city’s 911 emergency services. New Orleans, Knoxville, and Las Vegas also have joined the Ransomware Victim Club. 

Don’t think that this only happens in faraway places in different states.  The city of Kingman, AZ experienced a significant cyberattack where the city’s computer system was compromised.  The breach included social security and driver’s license numbers mostly affecting employees. 

There are several reasons why hackers target city governments.  For one, cities have valuable data.  This includes sensitive information such as personal records and financial data.  Secondly, hackers assume that municipalities are a soft target.  Municipalities often lack the necessary funding and skilled personnel to address technology challenges.  Often the IT infrastructure is outdated, making them vulnerable to attack.  Lastly, municipalities provide critical services.  Hackers think that if they take down critical services, the city will gladly pay the ransom.  

Many of these municipalities had cybersecurity services which monitored their systems. So, how did the hacker install the ransomware? The problem with monitoring is that the hacker must already be active inside the network before the threat can be identified, and by then it is sometimes too late. New malware (a zero-day attack) is not yet in the antivirus databases and is not automatically stopped.

The solution to this problem is “application whitelisting,” also called “application allow listing.” With this method, only applications that have been validated beforehand can run on the computer. Even if an employee clicked a malicious link, the downloaded software would fail when it tried to run on the local system, because it is not on the allow list. There is upfront friction with this approach: users cannot load anything they want whenever they want. Instead, they submit a request for new software to be added to the allow list. Cybersecurity personnel validate the software in their testing environment, looking for unusual behavior. If it checks out, the software is approved for use.
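As an added illustration (not code from the article), the check below shows the core of hash-based application allow listing in Python: a program may run only if the SHA-256 digest of its file matches a digest recorded when the software was vetted. The file names, file contents and the `AllowList` class are constructed for the example; in practice the enforcement point is the operating system (for instance Windows AppLocker or Windows Defender Application Control), not a script.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Digest of in-memory content (handy for checking the helper itself)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AllowList:
    """Allow list keyed by content digest rather than by file name or path.

    Keying on the digest means a renamed malicious file does not inherit an
    approved name, and an approved binary that has been tampered with no
    longer matches the digest recorded when it was vetted.
    """

    def __init__(self, approved: dict[str, str]):
        # digest -> label recorded by the cybersecurity staff at vetting time
        self.approved = dict(approved)

    def decision(self, path: Path) -> str:
        digest = sha256_file(path)
        return "allow" if digest in self.approved else "deny"


def demo() -> dict[str, str]:
    """Constructed scenario: one vetted program, one unvetted download and
    one tampered copy of the vetted program. Returns the verdict for each."""
    with tempfile.TemporaryDirectory() as tmp:
        payroll = Path(tmp) / "payroll.exe"
        payroll.write_bytes(b"vetted payroll application (constructed)")
        allow = AllowList({sha256_file(payroll): "payroll app, vetted in test lab (constructed)"})

        # A file that arrived via a clicked link and was never vetted.
        invoice = Path(tmp) / "invoice.exe"
        invoice.write_bytes(b"unvetted download (constructed)")

        results = {
            "payroll.exe": allow.decision(payroll),
            "invoice.exe": allow.decision(invoice),
        }

        # Same file name as the approved program, but the content changed.
        payroll.write_bytes(b"vetted payroll application (constructed) + extra")
        results["payroll.exe (modified)"] = allow.decision(payroll)
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5s} {name}")
```

The second and third cases are the ones that matter operationally: an unknown download is denied by default without any signature for it, and a modified copy of an approved program is denied because its digest no longer matches, which is the advantage of digest-based rules over path- or name-based ones.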

Another cybersecurity measure which is often neglected by municipalities is continuous cybersecurity training. One-time annual cyber classes are not effective. However, if the training is kept short, about three minutes per week, every week, and delivered to users’ email inboxes, the results are dramatically better. Cybersecurity stays top of mind.

The lesson to be learned is that every government municipality is a target, not just big cities.  The data is valuable to hackers.  If they can take down emergency services, the hackers expect a fast payment.  Does your local government have the proper cybersecurity measures in place, such as application whitelisting and continuous training, to avoid the disaster that Cleveland is experiencing?

The original article was published in the Sierra Vista Herald and can be found here.

The Rising Importance of Cybersecurity in Our Digital Age

Tom and Dan were camping deep in the woods one night when Dan ran into the tent and said, “There’s a bear attacking our site, we have to go!” Tom was confused when Dan stopped to put his shoes on. Tom said, “What are you doing that for? You can’t outrun a bear.” Dan said, “I don’t have to outrun the bear, just you.” That’s how it is in the cyber world. In general, hackers are lazy. If it’s too hard, they move along to an easier target.

Cybersecurity is crucial to our very survival. As technology continues to advance, so too do the threats that lurk in the deep recesses of the World Wide Web. From individuals to businesses and governments, everyone is a potential target for cybercriminals who seek to exploit vulnerabilities for their gain. 

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are aimed at accessing, changing, or destroying sensitive information, extorting money from users, or interrupting normal business processes. The internet is ubiquitous. The proliferation of connected devices means the scope and scale of these attacks have grown exponentially. Cybersecurity is no longer a concern solely for large corporations or government agencies. It is a critical issue for individuals and small businesses as well.

One of the most common types of cyberattacks is phishing. Phishing attacks involve sending fraudulent emails that appear to come from reputable sources, tricking recipients into revealing sensitive information like passwords or credit card numbers. Another prevalent threat is ransomware. It is a type of malware that encrypts a victim’s files and demands a ransom payment to restore access. Ransomware can have devastating consequences, leading to financial losses, reputational damage, and operational disruptions.

The increasing frequency and sophistication of cyberattacks highlight the need for robust cybersecurity measures. You must be vigilant about protecting your personal information online. Simple steps such as using strong, unique passwords for different accounts, enabling two-factor authentication, using an adblocker on all your browsers, and being cautious about clicking on links or downloading attachments from unknown sources can go a long way in preventing cyberattacks.

For businesses, cybersecurity must be a top priority. It is no longer a cost center. It is a revenue guarantee. Businesses need to implement comprehensive security policies, conduct regular security assessments, and provide continuous cyber education for employees. Small businesses are particularly vulnerable. They often lack the resources and expertise to defend against cyber threats. They can take advantage of various tools and services designed to enhance their cybersecurity posture. For instance, investing in a zero-trust provider can help protect sensitive data and prevent unauthorized access.

Businesses should develop and practice an incident response (IR) plan to quickly address and mitigate the impact of a cyberattack. The IR plan outlines steps taken in the event of a security incident, including notifying affected parties, containing the threat, and restoring normal operations. By being proactive and prepared, businesses can minimize the damage caused by cyber incidents and recover more swiftly.

Cybersecurity is an essential component of our digital world. As cyber threats continue to evolve, it is imperative for individuals and businesses to take proactive measures to protect themselves. By staying informed and implementing robust security practices, we can collectively enhance our resilience against cyberattacks and safeguard our digital future. The key to success is to make yourself a hard target so that the bear goes after the easy prey instead of you. 

The original article was published in the Sierra Vista Herald and can be found here.

Cybersecurity Risks in Achieving UN SDG 16.9 with Blockchain Technology

The United Nations (UN) Sustainable Development Goal (SDG) 16.9 aims to provide legal identity for all, including birth registration, by 2030. This ambitious target underscores the critical importance of identity in accessing a wide array of services and rights, from voting to healthcare. As we harness technology to realize this goal, blockchain emerges as a promising solution (1) for its ability to offer secure, decentralized, and tamper-proof ledgers. However, the integration of personally identifiable information (PII), personal health information (PHI), and other significant life events into a blockchain ledger brings to the forefront significant cyber risks that must be addressed.

Blockchain technology offers a revolutionary approach to managing digital identities, ensuring that every individual on the planet has a unique, unfalsifiable, and secure identity. By leveraging blockchain, we can create a system where all forms of PII and PHI are securely encrypted and stored, making them accessible only to authorized individuals and entities. This could dramatically reduce identity theft, fraud, and unauthorized access to personal information.

Using blockchain to manage sensitive data introduces complex cybersecurity challenges. While blockchain itself is highly secure due to its decentralized nature and cryptographic hash functions, the endpoints interacting with the blockchain, such as user devices and applications, remain vulnerable to hacking, phishing, and other forms of cyberattacks. This vulnerability could lead to unauthorized access to the blockchain ledger, risking the exposure of sensitive personal information.

Second and maybe more importantly, blockchain data is permanent. It therefore presents a double-edged sword. Using blockchain to record EVERY event in your life ensures that once an event is recorded, it cannot be altered or deleted. This means it is an immutable history of an individual’s life events. This immutability raises concerns regarding the right to be forgotten. One may accurately suspect every individual has made choices they’d rather forget. This is not feasible with a blockchain-based digital ID. In Europe, the right to be forgotten is enshrined in data protection regulations like the General Data Protection Regulation (GDPR). Modifying or deleting personal data from a blockchain, once entered, is inherently difficult, if not impossible. This poses significant privacy concerns.

The concentration of vast amounts of PII and PHI in a single ledger, even if decentralized, creates a highly attractive target for cybercriminals. A breach could have far-reaching implications, potentially exposing the intimate details of individuals’ lives. While blockchain technology can significantly contribute to achieving SDG 16.9, ensuring the cybersecurity of such a system is paramount. And not to get overly controversial, errant governments could use the information in your personal life ledger to restrict access to important assets like your bank, or your job. This is already happening in China.

To mitigate these risks, a multifaceted approach is necessary. First, enhancing the security of endpoints through regular updates, robust encryption, and user education on cybersecurity practices is crucial. Second, implementing dynamic consent mechanisms where individuals have control over who accesses their information and for what purpose can help address privacy concerns. Additionally, exploring technological solutions, such as zero-knowledge proofs, can allow for the verification of information without revealing the information itself, further safeguarding privacy.
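As an added example that is not part of the original article, the code below implements a Schnorr proof of knowledge in Python, the simplest zero-knowledge proof: the holder of an identity key convinces a verifier that they know the private key behind a public value without ever sending that key. The group parameters `P`, `Q` and `G` are constructed toy values chosen to keep the arithmetic readable, and the function names are my own; a real deployment would use a standardized group of at least 2048 bits or an elliptic curve.

```python
import hashlib
import secrets

# Constructed toy group (far too small for real use): P = 2*Q + 1 with Q prime,
# and G = 4 generates the subgroup of prime order Q.
P = 1019
Q = 509
G = 4


def keygen() -> tuple[int, int]:
    """Identity key pair: secret x, public y = G^x mod P. Only y is ever shared."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit() -> tuple[int, int]:
    """Prover picks a fresh nonce r and publishes t = G^r mod P.
    r must never be reused: two proofs with the same r and different
    challenges let anyone solve for x."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def challenge(y: int, t: int) -> int:
    """Fiat-Shamir challenge: hashing the public key and the commitment
    replaces an interactive verifier. Binding y and t into the hash is what
    stops a prover from choosing t after seeing c."""
    h = hashlib.sha256(f"{P}:{G}:{y}:{t}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def respond(x: int, r: int, c: int) -> int:
    """s = r + c*x mod Q. Because r is uniform and secret, s is uniformly
    distributed and reveals nothing about x on its own."""
    return (r + c * x) % Q


def check(y: int, t: int, c: int, s: int) -> bool:
    """Verifier's equation: G^s == t * y^c (mod P).
    It holds because G^(r + c*x) = G^r * (G^x)^c."""
    if not (0 <= s < Q and 1 < t < P):
        return False
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def prove(x: int) -> tuple[int, int]:
    """Non-interactive proof (t, s) that the prover knows x with y = G^x."""
    y = pow(G, x, P)
    r, t = commit()
    c = challenge(y, t)
    return t, respond(x, r, c)


def verify(y: int, proof: tuple[int, int]) -> bool:
    """Anyone holding only the public y can check the proof."""
    t, s = proof
    return check(y, t, challenge(y, t), s)


if __name__ == "__main__":
    secret_key, public_key = keygen()
    print("valid proof accepted:", verify(public_key, prove(secret_key)))
```

What the verifier learns is exactly one bit: that whoever produced the proof knows the secret behind `y`. It does not learn `x`, and the transcript `(t, s)` could have been simulated by someone who picks `s` first, which is why the proof is zero-knowledge. Proving attributes about identity data (for example that a birth date lies before a given year) needs more elaborate constructions such as range proofs or selective-disclosure credentials, but they are built from the same commit, challenge and respond structure shown here.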

International cooperation and the development of global standards for blockchain security in the context of digital identities are essential. This would ensure a unified approach to tackling cyber risks, fostering trust in blockchain-based identity systems.

While blockchain presents a promising though possibly troubling pathway towards achieving UN SDG 16.9, it is imperative to navigate the associated cyber risks with a strategic, multifaceted approach. In this way, we can cautiously use blockchain technology to provide secure and immutable digital identities for all (if a person chooses to participate, but that’s another argument for another article), thereby unlocking access to essential services. One could even speculate that tying essential life services to a digital ID might do more harm than good.

Original article can be found here.

(1) https://unite.un.org/sites/unite.un.org/files/emerging-tech-series-blockchain.pdf

Business Owners: Red or Blue Pill?

The Choice: The choice is yours. Continue to read this article, and you choose the red pill. The true nature of existence will be revealed. Leave now, and you’ve chosen the blue one. You will remain blissfully ignorant. This article isn’t intended to terrify you. However, at the end of it, you might wish you’d chosen blue instead. Sometimes truth is a bitter pill. 

The Ransom: In July 2019, on a sticky summer’s day in Rockville Center, NY, the IT administrator for the school district had a message pop up on his monitor: “Your data has been encrypted.” He frantically pulled the plug on the infected computer. He limited the damage, but key files were being held for ransom. Fortunately, the school district had cyber insurance. The insurance company paid almost $100K to get the decryption key from the attacker.

A Different Result: Contrast this with the recent ransomware payment by University of California at San Francisco (UCSF) of $1.14M, where they did not have any cyber insurance to pay the ransom.  The cost of the ransomware and recovery came from the university’s pockets. 

Cyber Insurance: Cyber insurance is protection against the CONSEQUENCES of cyber attacks. This includes data breaches, and ransomware.  The insurance covers the costs of:  the investigation and forensics, notification and identity recovery for clients, restoring compromised data, and system downtime.  Some policies cover losses from social engineering and, like the policy held by the school district mentioned above, cover the cost of a ransomware attack.  Like other insurance policies, some items are not covered, such as the loss of future profits and theft of intellectual property.  

Just a Piece of the Puzzle: You may consider cyber insurance a part of, but not a replacement for, your cybersecurity business strategy.  Insurance companies have been known not to pay out if they find negligence on the part of the insured. Covered companies are supposed to implement industry best practices, policy, and training.  Some underwriters will require company-wide training programs prior to issuance of the policy. 

What About Me: You might be wondering, “Does my business need cyber insurance?” If you lived in a flood plain, would you get flood insurance? Your business “lives” on a cyber flood plain. One out of every five cyber attacks is against small- and medium-sized businesses. Of those that suffer an attack, over 60% cannot recover from the residual financial loss. So, it’s not only big companies that need it. Small businesses have been flooded right out of business by cyber attacks when not properly covered.

Transfers Risk: Cyber insurance transfers the financial component of cyber risk from your company to the insurance carrier. If your organization deals with a reasonable volume of Personally Identifiable Information (PII) or Protected Health Information (PHI), you should look into insuring it. The cost of an attack could shut your doors. So, if you are a health provider, a utility, or a government organization, it would be sensible to get a quote. If you run an Airbnb or a small repair shop, you may be OK without it. Several local organizations have been impacted by cyber attacks, so don’t think it only happens in the big cities. Calculate the risk. If your company was attacked, what would be the impact? There could be stiff penalties from the Department of Health and Human Services — or worse, government scrutiny! So, is your organization prepared for the risk of the cyber world? Would you be like Rockville Center or like UCSF? Consider the options, then … choose wisely.

The Dangers of Unencrypted Email

Postcards from War: Recently, I was reading some of my grandfather’s faded postcards from World War I. I happened to read one in which he mentioned being released from quarantine: March 11, 1918, Fort Lewis, Washington – the Spanish Flu pandemic.

Then & Now: Postcards were how our grandparents sent brief messages over long distances. They are the antique analogs to modern email. The messages and attachments you send via email are every bit as private and secure as that dusty, old postcard.

Is This Normal: Recently, a close associate of mine, I’ll call him “John”, was required to take a defensive driving course. The business providing the service asked John to send a copy of his driver’s license. John promptly took a picture of his driver’s license in beautiful, high-definition color and attached it to an unsecure email. He didn’t even question it.

How It Works: Let’s look momentarily at a seemingly benign example to illustrate what happens when you hastily click the “send” button. Say you work for a medical practice and you send an email from your office to a patient. Here’s what happens:

  1. The email leaves your computer.
  2. It travels on your Internet Service Provider’s (ISP) network.
  3. It arrives at your mail server – a server you probably don’t control.
  4. Your hosted email provider then forwards a copy of the email to the patient’s mail server, probably webmail, like Gmail.
  5. A copy of the email languishes on the mail provider’s server.
  6. It then takes the last leg of the journey to land on the patient’s personal computer.

Everybody Sees It: As you can see, at any of those points, the email (like a postcard) can be read by anyone with access. That means, if any of those computers storing a copy of the emails is compromised, so are the emails. All of them.
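The hops in the list above are not hypothetical: every mail server that handles a message prepends a `Received:` header recording where it got the message from and what it did with it. The added example below (not code from the original article) parses those headers from a constructed message to list, in order, every host that has handled, and may still hold, a copy. The host names and IP addresses are made up (the addresses are from the RFC 5737 documentation ranges), and the `hops` and `hosts_with_a_copy` functions are my own.

```python
import email
import re

# Constructed message. Received headers are prepended by each server, so the
# top one is the last hop and the bottom one is the first.
RAW_MESSAGE = """\
Received: from mail.patient-webmail.example ([203.0.113.20])
    by mx.patient-webmail.example with ESMTP id abc123;
    Tue, 18 Jun 2024 09:15:07 -0700
Received: from smtp.hosted-mail.example ([198.51.100.7])
    by mail.patient-webmail.example with ESMTPS id def456;
    Tue, 18 Jun 2024 09:15:05 -0700
Received: from office-pc.clinic.example ([192.0.2.45])
    by smtp.hosted-mail.example with ESMTP id ghi789;
    Tue, 18 Jun 2024 09:15:01 -0700
From: frontdesk@clinic.example
To: patient@patient-webmail.example
Subject: Your lab results
Content-Type: text/plain

Attached are your results.
"""

# "from <sending host> ... by <receiving host>" inside one Received header
HOP_RE = re.compile(r"from\s+(\S+)\s.*?\bby\s+(\S+)")


def hops(raw: str) -> list[tuple[str, str]]:
    """Return (sending host, receiving host) pairs in chronological order."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    result = []
    for value in reversed(received):       # bottom-most header is the first hop
        text = " ".join(value.split())     # unfold continuation lines
        m = HOP_RE.search(text)
        if m:
            result.append((m.group(1), m.group(2)))
    return result


def hosts_with_a_copy(raw: str) -> list[str]:
    """Every host that handled the message and may still hold a copy of it."""
    seen: list[str] = []
    for src, dst in hops(raw):
        for host in (src, dst):
            if host not in seen:
                seen.append(host)
    return seen


if __name__ == "__main__":
    for src, dst in hops(RAW_MESSAGE):
        print(f"{src} -> {dst}")
    print("copies may exist on:", ", ".join(hosts_with_a_copy(RAW_MESSAGE)))
```

The last leg of the journey, the patient downloading the message to a personal computer or reading it in a browser, leaves no `Received:` header, so the real set of copies is always at least one larger than what the headers show. The same parsing is a routine first step in incident response when you need to know which systems a sensitive message has touched.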

Unsecure By Design: Email is, by design, unsecure. That is why you should never (let me repeat, EVER) include any important, private information in any email, not just the protected health information (PHI) of patients. Unencrypted email is simply the wrong medium for transmitting sensitive data.

From the hhs.gov website:

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.

For Healthcare: Now, I’m not a HIPAA lawyer, and this is not legal advice, but basically, if you are a medical practice, you know that much of your communication with patients is over email. In fact, many prefer it. So as long as you warn the patient that your email communication is over unsecure media, and the patient acknowledges, then you may be absolved of the consequences of a PHI breach … maybe. You can even get patient acknowledgment with (ironically) a simple email waiver form that the patient signs and returns to your office, over email.

Secure Options: If you only send PHI through your Electronic Medical Record application, it may take care of the encryption for you. But if not, there are email providers that will encrypt your emails. If you use Microsoft Office 365, there is a tier that will allow you to encrypt email. Other email providers like ProtonMail offer encryption capabilities. A Chrome extension even exists allowing you to encrypt Gmail. It can be a little inconvenient because you have to think up a strong password for each email, then you have to deliver the password to your patient by calling or texting them. If emails containing sensitive data are sent infrequently, the risk is lower. You decide whether you’d rather go through the effort or experience a breach.

You don’t have to protect sensitive data forever. Its value degrades over time. Conversely, that little postcard my grandfather hastily scrawled over 100 years ago is ever more precious to me.