By Dominic Hamilton, CGCIO, Director of Information Technology, City of Indian Harbour Beach
Almost every IT Support Specialist fears the dreaded phrase: “I clicked on something, and now my computer is acting weird.” The looming threat of cybersecurity lingers quietly over organizations around the globe. Like a natural disaster, cities can be struck by a cybersecurity attack at any time, losing millions of dollars to hackers. It has become such a prominent issue that states across the country are pushing legislation to better protect themselves from cyber-attacks.
This has prompted Information Technology (IT) departments to ensure staff are prepared for these situations through training, exercises, and even by sending out fake test emails to check whether security lessons have stuck. However, all the training in the world doesn’t guarantee that your organization won’t have a cybersecurity incident. So, how can we best handle a cybersecurity incident when one does occur?
Well, that’s exactly what the Indian Harbour Beach IT Department had to accomplish after receiving the previously mentioned message.
First, take the device off the network. This is critical. Many users will panic and pull the power plug, but that is not what you should do: a shutdown can prevent access to the system afterwards, and an investigation will be necessary later. Therefore, make sure the user receives clear instructions. Get IT support on-site as quickly as possible to disconnect the network cable, disable Bluetooth and Wi-Fi, and remove any other attached peripherals, retaining any USB storage devices (thumb drives) for investigation.
Second, inform city leadership of the incident and make them aware that it takes priority over all other projects. Upon arrival, IT engages in damage control, working to isolate the incident. They access the PC and work with the user to answer security questions: When did it happen? What were you working on? After some investigating, IT determined that an email had been opened, after which odd things started happening and the user’s computer icons changed; no document on the device could be opened any longer. With the PC off the network so the damage cannot spread, and with the threat identified, IT has to switch gears fast, knowing that every moment counts in these scenarios.
The IT department turns its attention to the network, connecting to the most sensitive servers: payroll, HR, records, and the primary user server (the domain controller). The user’s accounts are locked, their email access is frozen, and a full audit of their systems is performed. Thanks to the IT permission policies already in place, the servers remain free from any infection.
Now that the infected PC is isolated, the investigation can begin. At this moment, having sufficient backups pays dividends. Through these backups and by examining the email, its headers, and its metadata, the department was able to determine that the device had been infected with ransomware delivered through an email attachment the user had opened.
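As an added illustration of the header-and-attachment examination described above (example code, not the city’s own tooling), the Python below triages a raw message the way an analyst would during this step: it compares the From domain with the Return-Path, counts the Received hops, and hashes each attachment while flagging risky or double extensions. The message, addresses and hosts are constructed for the example.

```python
import email
import email.utils
import hashlib
from email import policy

# Constructed sample lure (not the incident's message); all headers and addresses are made up.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.7) by mx.city.example.gov; Tue, 1 Oct 2024 09:14:02 -0400
Received: from [192.0.2.45] by mail-relay.example.net; Tue, 1 Oct 2024 09:13:58 -0400
From: "Accounts Payable" <ap@vendor-invoices.example.com>
Subject: Overdue invoice 44812
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Invoice_44812.pdf.js"
Content-Disposition: attachment; filename="Invoice_44812.pdf.js"
Content-Transfer-Encoding: base64

dmFyIGEgPSAxOw==
--b1--
"""

# Extensions commonly abused to deliver a ransomware dropper by email.
RISKY_EXTENSIONS = {"exe", "js", "jse", "vbs", "scr", "hta", "lnk", "iso"}

def domain_of(header_value: str) -> str:
    # Lower-cased domain of the first address in a From/Return-Path header
    return email.utils.parseaddr(header_value)[1].rpartition("@")[2].lower()

def triage(raw: bytes) -> dict:
    """Summarise the sender trail and attachments of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        exts = name.lower().split(".")[1:]  # e.g. ["pdf", "js"] for a double extension
        attachments.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "sha256": hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest(),
            "risky": bool(exts) and (exts[-1] in RISKY_EXTENSIONS or len(exts) > 1),
        })
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "sender_mismatch": from_domain != return_path_domain,  # typical of spoofed lures
            "received_hops": len(msg.get_all("Received", [])), "attachments": attachments}
```

The attachment hashes give the team something concrete to hand to the sheriff’s forensic unit and to block at the mail gateway.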
IT then takes steps to prevent future incidents, updating the server and blocking any connection to the sender. If there’s one thing that can compete with the importance of awareness training, it’s backups. Having device backups and backup policies in place minimizes data loss while allowing users to resume their responsibilities as fast as possible.
Once the incident is contained, leadership is updated on the situation. Unlike many other institutions that “turn off the lights” during these situations, we make sure to notify other agencies. Being registered with the Department of Homeland Security, reporting the incident, and communicating with the county sheriff, who has digital forensic capabilities for cybercrime, allowed the department to provide them with information and resources that will help them protect themselves and other organizations from this threat.
In the final stages of the incident, the backup server is accessed and double-checked for modified files; the type of ransomware can then be identified, along with the files that detonated the malicious software. After a thorough scan, the user’s files, applications, and data are loaded onto the PC that IT has wiped and reformatted, and additional security and auditing alerts are added to ensure that no system files are being modified or changed.
Once the threat has been removed, and the user and city are no longer in immediate danger, it’s back to communication. Incidents like these can be scary and intense, but they also provide the perfect opportunity for training and reinforcing caution to users when communicating over email.
Lastly, the department produces a detailed incident report. These reports are a crucial final step, as they serve as an opportunity to take a step back, assess the situation, and reflect on the IT policies and procedures. This incident occurred through email, which prompts questions like: Are we using the best tools to protect users? Are there better options available for email security? How did we perform? The experience ultimately led the city to change email providers and add a suite of software tools for education, training, and enhanced security.
Ransomware like this has the potential to be catastrophic to business operations. Hackers are able to encrypt swaths of a city’s records and information with no guarantee the information will ever be retrieved. Utilities, billing departments, transportation authorities, hospitals, and schools have been shut down by past breaches in cybersecurity. These trainings, protocols, and policies make all the difference when your organization encounters an incident like this one, and they are the difference between losing one computer and losing every device and account in use.