States striving to protect against ransomware would be wise to take a two-pronged approach that relies on both practical cybersecurity safeguards — like patches and backups — and relationships, especially with employees and local governments, speakers said during a January 20 discussion by Fed Insider.
Whatever defenses they adopt, states cannot guarantee perfect security and therefore must be ready if and when an attacker gets through. That means keeping backups secure offline, where they can’t be contaminated if ransomware infects the state’s network, Michigan Deputy Director of Security Jayson Cavendish said at the event. There is also a risk that states will only detect malware after creating a backup copy of their systems, which essentially preserves the infection. States should therefore be sure to keep multiple versions of backups, to ensure they have one from before the incident, Cavendish said.
Of course, preventive measures remain essential and states must know what type of attacks to expect. Ransomware authors often find their way into victims’ systems by looking for known vulnerabilities for which patches may have been available for a year or more, not zero-day exploits, said Chris Jensen, head of business development and capture federal government at cybersecurity firm Tenable. The age of the vulnerabilities means that fixes are available, but also that these particular weaknesses may not be high on organizations’ radars.
The kind of weaknesses that ransomware hackers look for might not “even register, necessarily, on a [Common Vulnerability Scoring System] CVSS score” as a critical vulnerability, Jensen said.
There may be a number of such vulnerabilities lingering in state systems, making it important to identify which ones are most at risk of being exploited. Threat intelligence tools and services can help identify which vulnerabilities malicious actors currently seem to be focusing on, helping states prioritize their remediation efforts, Jensen said.
It is equally important for states to be alert to risky user behavior that could introduce vulnerabilities. Solomon Adote, Delaware Chief Security Officer, said that organizations striving to adopt better cyber hygiene and implement the kind of access and identity management control and monitoring that can hinder hackers must consider the impact of these new methods on the experience of workers.
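An added example, not from the article or its speakers, of the prioritization Jensen describes: open findings are ranked by whether threat intelligence reports the vulnerability as currently exploited, before CVSS is considered. The vulnerability IDs, hosts, scores and the exploited set are constructed; 9.0 is the lower bound of the CVSS "Critical" rating.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str         # constructed placeholder, not a real CVE
    host: str            # constructed host name
    cvss: float          # CVSS base score from the scanner
    patch_age_days: int  # days since a fix became available

# Constructed stand-in for a threat-intelligence feed: IDs that
# ransomware actors are currently reported to be exploiting.
ACTIVELY_EXPLOITED = {"VULN-0002", "VULN-0004"}

# Constructed scan results.
FINDINGS = [
    Finding("VULN-0001", "web-01", 9.8, 20),
    Finding("VULN-0002", "vpn-gw", 6.5, 540),
    Finding("VULN-0003", "db-02", 7.5, 90),
    Finding("VULN-0004", "file-srv", 8.1, 400),
    Finding("VULN-0002", "mail-01", 6.5, 540),
]

def prioritize(findings, exploited):
    """Exploited-in-the-wild first, then CVSS, then oldest available patch."""
    return sorted(
        findings,
        key=lambda f: (f.vuln_id not in exploited, -f.cvss, -f.patch_age_days),
    )

def missed_by_critical_only(findings, exploited, critical=9.0):
    """Exploited findings that a 'patch criticals first' policy would skip."""
    return [f for f in findings if f.vuln_id in exploited and f.cvss < critical]

if __name__ == "__main__":
    print("Remediation order (threat-intel first):")
    for f in prioritize(FINDINGS, ACTIVELY_EXPLOITED):
        tag = "EXPLOITED" if f.vuln_id in ACTIVELY_EXPLOITED else "-"
        print(f"  {f.host:9} {f.vuln_id} cvss={f.cvss} "
              f"patch_age={f.patch_age_days}d {tag}")
    print("Exploited but below the Critical cutoff:")
    for f in missed_by_critical_only(FINDINGS, ACTIVELY_EXPLOITED):
        print(f"  {f.host:9} {f.vuln_id} cvss={f.cvss}")
```

In this constructed data the only "Critical" finding is not in the exploited set, while every exploited finding scores below 9.0 and has had a fix available for more than a year.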
For example, staff who feel that multi-factor authentication (MFA) measures cause too much friction are likely to create workarounds, such as storing work files on personal devices to avoid having to go through login procedures, Adote said.
“You want multi-factor authentications to be a very user-friendly solution and let them accept login on your smartphone or smartwatch,” Adote said.
Smooth authentication measures, prompt deletion of accounts when employees leave, and careful monitoring of account behavior for suspicious activity can all help reduce risk, he said.
Adote’s office has also seen success with other efforts, like sending monthly two-minute cybersecurity training videos to employees to supplement their annual mandatory training.
And states cannot afford to focus solely on their own operations if they are serious about keeping residents safe. Reaching out to help local governments is also essential, but only effective if states can earn those agencies’ trust, said Rob Main, chief risk officer for North Carolina.
For North Carolina, that means ensuring a strong local voice in statewide cybersecurity efforts. The North Carolina Joint Cybersecurity Task Force includes among its four key member groups a team of local government IT security professionals. This collaboration is key to opening doors when the state goes to respond to incidents at the local level, Main said.
That team — the North Carolina Local Government Information Systems Association IT Cyber Strike Team (NCLGISA IT Strike Team) — “is probably the single thing that allows us to most effectively support local governments,” Main said.