It seems that the bad actors are going after bigger and bigger targets (no pun intended!). Last year we saw ransomware hit health care organizations in England, France, Spain and India, and we have seen a range of companies become targets for cyber criminals.
In the past three weeks, we have seen some major cities in the U.S. become the focal point for attacks. A couple of weeks ago Atlanta’s city systems were attacked, and a ransomware payload was unleashed. The city has still not recovered. Last week, Baltimore’s 911 system was attacked and partially taken offline for 19 hours.
This new attack vector should have all public entities on high alert. Some institutions that hold only public information do not feel that security needs to be as high a priority as it is in the private sector. With no classified or confidential information to be breached, security does not have to be as tight. Right? Wrong!
Security has three cornerstones: Confidentiality, Integrity and Availability. All three of these principles must be protected. We have to be concerned about all three principles and cannot discount some tenets because we do not use all of them.
For Baltimore, having the 911 system partially down for 19 hours is an Availability issue. In a Baltimore Sun article, the city said the “hack affected messaging functions within the computer-aided dispatch, or CAD, system.” It further stated, “[w]hen a CAD system isn’t working, as Baltimore’s wasn’t on Sunday, dispatchers must revert to taking a caller’s information verbally, with nothing to reference it against to make sure it’s accurate.” The CAD outage had other impacts. “[T]he city’s 911 calls are normally recorded online on Open Baltimore, the city dispatch logs stopped recording them at 9:54 a.m. Sunday and didn’t resume recording them again until 7:42 a.m. Monday”, stated a related article. The loss of this data could be significant in future events such as trials or investigations.
Atlanta has been struggling for over a week now. Some systems are back online, but many are not. The city was hit by a ransomware attack demanding that Atlanta pay $51,000.00 in bitcoins for the unlock code. As of last Wednesday, Atlanta residents, “can't pay their water bill or their parking tickets. Police and other employees are having to write out their reports by hand. And court proceedings for people who are not in police custody are canceled until computer systems are functioning properly again,” reported CNN. Again, this is an attack on Availability. But ransomware can do more. The report further states that although, “there is no evidence to show that customer or employee data has been compromised,” [sic] city officials have urged employees and customers to contact credit agencies and monitor their bank accounts as a precaution.” Think of the cost. Not only do you have the ransom itself, but also the deferred revenue and the salary expenses for doing things manually. Court dates that are pushed back could have repercussions down the road.
OK, so you say that you are not a city government and your data or system is not critical like those discussed above. I would ask: what is your charter? If you have public information and you need to publish that for public consumption, then you 1) better make sure it is correct, and 2) better make sure it is available when the public wants it. Those are two of the three principles of security you need to address. You need to ask yourself: if someone hacked your system, what would be the impact if they changed the data you have, or took that data and made it inaccessible?
Every system needs to be concerned about Confidentiality, Integrity and Availability. You may not need to focus on these three principles equally, but you need to understand which of them impact your institution. Once they are identified, you then need to take steps to protect the elements that affect your organization.