Massachusetts agencies took aim at the ever-increasing issue of cyber attacks against local government. The Oct. 7 virtual summit that was designed to inform local officials about how ransomware attackers strike, and direct them to appropriate and impactful state and federal resources. The event marked the first ever Massachusetts Municipal Cybersecurity Summit, convened by the MassCyberCenter, a state agency focused on bolstering cybersecurity across the commonwealth.
INCIDENT RESPONSE PLANS
Prevention measures — while important — cannot be expected to catch everything, and agencies need to have clear response plans ready to guide them when an attack strikes. These documents should specify each personnel’s role in the response, as well as which partners to contact first and what systems to prioritize when restoring from backups, speakers said. “In a ransomware attack, the goal is basically just to deny availability to your data,” said Bill Fisher, a security engineer at NIST’s National Cybersecurity Center of Excellence. “This provides a much greater level of immediacy, and a much greater business impact right away. For that reason, we always say, you've got to be prepared.” Given that ransomware extortionists lock down infected systems, agencies need to ensure that their plans — and any important accompanying information such as staff and partner contact information — are written down on paper, various speakers said. Rick Rossi, CISA’s cybersecurity adviser for New Hampshire, also warned that malicious actors might get into email systems and employees’ devices to monitor discussions about the attack. That makes it essential for agencies to pinpoint ways to maintain communication through devices unconnected to the impacted network. That could be by using personal cellphones, said MassCyberCenter Director Stephanie Helm. The risks of hackers spreading from one part of a system to another also means that agencies need to keep their backups isolated — to avoid the attack compromising them as well — and secure their network logs where cyber criminals are less likely to access and delete them. “Threat actors will typically try to clear out logs so that that will destroy a lot of evidence that law enforcement is going to rely on,” said Gavioli, who recommended securing them in a central location rather than storing them at each endpoint. Once organizations make their plans, they can’t just let their cyber incident response plans sit in a drawer. Personnel need to practice response and backup activities so they can smoothly put these steps into action when the time comes, speakers said. A variety of organizations offer free evaluations and tabletop exercises, including CISA and the Multistate Information Sharing and Analysis Center (MS-ISAC). Massachusetts also enables municipalities to leverage a statewide contract for cybersecurity and data security solutions, which can help them quickly identify vetted organizations and avoid needing to negotiate prices, according to the state Operational Services Division (OSD) website. OSD strategic sourcing services manager Tim Kennedy said the contract includes 44 vendors of various services such as risk and vulnerability assessments, penetration testing and managed threat detection.