A government agency recently experienced a data breach after a computer became infected by a Trojan virus. This is not a story from 2004.
In late June, the Alaska Department of Health and Social Services (DHSS) disclosed that it experienced a cybersecurity breach which may have led to the exposure of the personal information of more than 500 individuals. The culprit behind the breach? The Zeus/Zbot Trojan virus, which was discovered in 2007 and which security firm Symantec first documented in 2010.
The breach, which occurred in late April, underscores the fact that many state and local agencies are susceptible to cybersecurity attacks that are about as old as the original iPhone. However, there are several tried-and-true technologies and best practices agencies can use to ensure they are as protected as possible from such attacks.
A defense-in-depth approach that emphasizes advanced threat protection, data loss prevention, encryption, endpoint security and next-generation firewalls can help agencies stay on guard. And, of course, the breach highlights the need for continuous cyberhygiene and training for users.
Alaska Breach Stems from a Single Trojan Infection
The breach in Alaska affected individuals who have interacted with the state Division of Public Assistance (DPA) in the Last Frontier’s northern region. DHSS urges those clients to take actions to protect themselves from identity theft.
On April 26, according to a DHSS statement, a DPA computer in the northern region offices was infected with the Zeus/Zbot Trojan virus, resulting in a potential HIPAA and Alaska Personal Information Protection Act breach of more than 500 individuals.
The DHSS security team’s investigation revealed that the infected computer “accessed sites in Russia, had unauthorized software installed, and other suspicious computer behavior that provided strong indications of a computer infection,” the statement says.
It’s unclear how the computer got infected. According to Symantec, Trojan.Zbot files are “generated using a toolkit that is available in marketplaces for online criminals,” and the toolkit gives the attacker “a high degree of control over the functionality of the final executable that is distributed to targeted computers.”
The Zeus/Zbot Trojan itself is “primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be utilized,” Symantec says. The spam email message “warns the user of a problem with their financial information, online account, or software and suggests they visit a link provided in the email. The computer is compromised if the user visits the link, if it is not protected.”
According to DHSS, files on the infected computer contained residents’ pregnancy, death or incarceration statuses; Medicaid and Medicare billing codes and health billing information; criminal justice data; personal information such as Social Security and driver’s license numbers, first and last names, birthdates, contact information and other confidential data.
The malicious actors may have used the infected computer to steal data. However, Katie Marquette, state health department spokesperson, tells the Associated Press that there has been no indication that personal information exposed in the breach has been used in an unauthorized way.
“Upon discovery of these events, the department took immediate action to mitigate further access to the infected computer,” the state agency says. “The DHSS Information Technology and Security team continues to work quickly to determine the scope of data potentially accessed, and will provide up-to-date information to Alaskans who may have been impacted by this event.”
How States Can Guard Against Data Breaches
Security and risk management remains top priority for state CIOs, according to a recent survey by the National Association of State Chief Information Officers.
Further, as StateTech has reported, nearly half of local governments report at least one attempted attack daily and more than a quarter do not know how often they are attacked, according to a report from the International City/County Management Association (ICMA).
To guard against data breaches, especially those that arise from malware and Trojans, agencies should deploy advanced anti-virus and threat prevention tools that uncover, prioritize and remediate advanced attacks across endpoints.
Agency IT security teams need to take proactive, detective and reactive steps to protect systems against malware-borne threats. These controls should include deploying frequently updated anti-virus protection on servers, endpoints and network gateways. Agencies should also consider the use of advanced botnet and malware detection tools that incorporate threat intelligence information and provide a robust defense against evolving threats.
Further, agencies can restrict the flow of sensitive information outside of controlled environments through data loss prevention technologies. These systems may reside as a hardware appliance that monitors network traffic, a software solution that resides on endpoints and monitors user activity, or a cloud-based solution that filters email and web traffic.
Another option agencies can turn to is a next-generation firewall, a hardware- or software-based network security system that can detect and block attacks by enforcing security policies at the application, port and protocol levels.
Ultimately though, cybersecurity starts and ends with users, and human error can undermine the most thorough and advanced IT security tools. That’s why agencies need to engage in regular and robust security awareness training that helps users understand the threats facing the agency and their individual roles in protecting the confidentiality, integrity and availability of government information and systems. These efforts should include a particular focus on phishing and spoofing attacks as well as the proper use of government IT.