CISA Offers Ransomware Guidance as Attacks Evolve
The CISA guidance includes the following recommendations:
- Maintain offline, encrypted backups of data and regularly test backups
- Create, maintain and exercise a basic cyber incident response plan, resiliency plan and associated communications plan
- Mitigate internet-facing vulnerabilities and misconfigurations to reduce the risk of actors exploiting this attack surface
- Reduce the risk of phishing emails by enabling strong spam filters and implementing a cybersecurity user awareness and training program
- Practice good cyber hygiene by ensuring anti-virus and anti-malware software and signatures are up to date, implementing application whitelisting, ensuring user and privileged accounts are limited, employing multifactor authentication, and putting in place other CISA cybersecurity best practices
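Of the recommendations above, "regularly test backups" is the one most often left as a manual afterthought, and an untested backup is the gap ransomware operators count on. The script below is an added example, not code from CISA or from this article: it records a SHA-256 manifest when a backup is taken, then performs a test restore into a scratch directory and checks every restored file against that manifest, refusing archive entries with absolute or `..` paths so a tampered backup cannot write outside the scratch area. It assumes encryption of the archive at rest is handled by the backup tool (not shown), and the sample file tree and the "damaged copy" it verifies are constructed for the demo.

```python
"""Backup restore test (added example; not part of the CISA guidance).

Records a SHA-256 manifest when a backup is taken, then restores the archive
into a scratch directory and verifies every file against the manifest.
Encryption at rest is assumed to be done by the backup tool and is not shown.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample "production" tree for the demo: relative path -> contents.
SAMPLE_FILES = {
    "etc/app.conf": b"listen = 127.0.0.1:8443\nmfa_required = true\n",
    "db/users.sqlite": b"SQLite format 3\x00" + b"\x00" * 64,
    "www/index.html": b"<html><body>hello</body></html>\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files):
    """Build a gzip'd tar archive in memory plus a {path: sha256} manifest."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = sha256_hex(data)
    return buf.getvalue(), manifest


def verify_restore(archive: bytes, manifest: dict) -> dict:
    """Restore into a temporary directory and compare against the manifest.

    Returns an overall "ok" flag plus the paths that were missing from the
    restore, had a different hash, or were present but not in the manifest.
    """
    restored = {}
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            # A backup copy may itself have been tampered with: refuse absolute
            # paths and '..' components before anything is written to disk.
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    raise ValueError(f"unsafe path in archive: {member.name}")
            try:
                tar.extractall(tmp, filter="data")  # safe-extraction filter
            except TypeError:  # older Python without the filter argument
                tar.extractall(tmp)
        # Hash everything that actually landed on disk after the restore.
        for root, _dirs, names in os.walk(tmp):
            for name in names:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, tmp).replace(os.sep, "/")
                with open(full, "rb") as f:
                    restored[rel] = sha256_hex(f.read())
    missing = [p for p in manifest if p not in restored]
    mismatched = [p for p in manifest if p in restored and restored[p] != manifest[p]]
    extra = [p for p in restored if p not in manifest]
    return {
        "ok": not (missing or mismatched or extra),
        "missing": missing,
        "mismatched": mismatched,
        "extra": extra,
    }


def run_demo():
    """Take a backup, test-restore it, then test a copy whose contents changed."""
    archive, manifest = make_backup(SAMPLE_FILES)
    healthy = verify_restore(archive, manifest)

    # Constructed failure case: one file was overwritten after the manifest was
    # taken (for example, the backup target was reachable by the ransomware).
    damaged_files = dict(SAMPLE_FILES)
    damaged_files["db/users.sqlite"] = b"ENCRYPTED-BY-RANSOMWARE"
    damaged_archive, _ = make_backup(damaged_files)
    damaged = verify_restore(damaged_archive, manifest)
    return healthy, damaged


if __name__ == "__main__":
    healthy, damaged = run_demo()
    print("healthy backup:", healthy)
    print("damaged backup:", damaged)
```

The manifest has to be stored somewhere the backup job cannot overwrite (an offline copy, or a write-once location), otherwise an attacker who reaches the backup target can regenerate it to match the damaged archive and the check passes.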
“Over the past year, we have seen ransomware attacks surge among state, local, tribal and territorial governments, as well as small and medium businesses,” says Boyden Rohner, CISA associate director for vulnerability management. “It is an epidemic affecting cities, police, hospitals, schools, manufacturing and critical infrastructure targets, and ransomware actors do not discriminate based on sector or organization size.”
Even when they don’t make national news, these attacks are happening all over the country and impacting everyday life.
“We’ve seen horrific examples of state DMV systems being compromised, and people can’t renew their driver’s licenses. Local governments are being hit with ransomware, and they can’t process marriage licenses, death certificates,” says Matt Pincus, director of government affairs at the National Association of State Chief Information Officers.
These create growing concerns for people, who may think, “I’m not going to be able to go to school, I’m not going to be able to get treatment at a hospital, I’m not going to be able to do anything with my state or local government,” Pincus says.
Traditionally, malicious actors have demanded a ransom in exchange for a decryption key; CISA's guidance explains that threats have evolved to become "more destructive and impactful." Now a growing number of attackers also exfiltrate data, including personally identifiable information, before encrypting it, and threaten to sell or leak it if organizations don't pay up (so-called double extortion), which means a clean restore from backup no longer ends the incident.
“Malicious actors evolve their ransomware tactics to take advantage of unpatched systems, lack of network segmentation and trust relationships within systems,” Rohner says.
Cyber Hygiene Is Critical to Agency Security
In NASCIO's latest report on its annual survey of state CIOs, respondents overwhelmingly listed ransomware attacks as their top concern for the continuity of government. Twenty percent said their state had experienced a cyber incident since the pandemic-induced shift to remote work; that shift, coupled with the increasing adoption of new technologies, has increased the risk to state systems, the report states.
NASCIO fully supports the measures outlined in CISA’s guidance, says Pincus, who emphasized the federal agency’s recommendation to implement a cybersecurity user awareness and training program.
“I can’t tell you how important this is for state CIOs,” he says. “A lot of the cybersecurity attacks and ransomware attacks all occur because of human error. You click on a link, and guess what? You’ve compromised your entire state network. You’ve compromised your entire local government.”
Taking a ‘Whole-of-State Approach’ to Cybersecurity
Pincus says states likely have these types of safeguards already in place, but he advises officials to work with local government agencies, such as school districts and hospitals, on cybersecurity safety as well.
“I think what it comes down to is what we call a ‘whole-state approach,’ which is every single state agency, every local government agency, the National Guard, CISA — everybody has a role to play,” he says.
This is happening in states like North Carolina, where officials formed a Joint Cybersecurity Task Force in 2018 that includes multiple state departments and the National Guard. It’s also home to the North Carolina Local Government Information Systems Association, which deploys trained strike team members to jurisdictions undergoing cybersecurity incidents to help with response and recovery resources at no cost. The National Guard offers no-cost services such as vulnerability assessments and employee education for counties to leverage as well.
“There’s a number of different opportunities that can be brought to bear at the local level: engaging in strong cyber hygiene, strong passwords,” says Rob Main, North Carolina’s new chief risk officer. “Oftentimes, you can implement multifactor authentication at no cost based on your current network operating environment.”
It all goes back to user education, according to Main. "It kind of follows the 'See Something, Say Something' model," he says.
CISA’s Rohner says these proactive measures are key because “the battle against ransomware doesn’t start the day you get hit.”