April 3rd, 2018
Ed Snodgrass, CISO, Secure Digital Solutions
The City of Atlanta was recently the victim of a significant ransomware attack that held several systems hostage, including online bill pay and some law enforcement systems. The MO was standard, demanding payment in bitcoin for decryption of the affected systems. It is currently unclear whether customer or payment data was compromised. What is known for certain is that many of the city’s key systems suffered significant downtime – the effects of which are still being felt. This scenario is becoming all too common, as are the factors that lead up to it. This incident and the details surrounding it are yet another reason to look inward and examine the efficacy of your enterprise cybersecurity program.
I should make clear that I absolutely sympathize with the city IT and Security staff. This is one of the nightmare scenarios that all of us as security professionals try daily to counter and I have nothing but respect for those that fight the good fight. My goal with this piece is not to cast blame. Rather, it is to draw some possible conclusions and potentially take away some lessons learned from what is known about the environment.
In January of 2018, the City of Atlanta Auditor’s Office released a report detailing the results of an ISO/IEC 27001 ISMS Precertification Audit performed in 2017. The report comprised some 41 pages and contained the following key findings:
- Missing or outdated policies, procedures and guidance documents
- Inconsistent definitions of scope
- Lack of formal processes to identify, assess, and mitigate risks
- Lack of formal processes to manage risks associated with third-party service providers and suppliers
- Unclear data classification policies
- Incomplete measurement, reporting and communication related to risks
The report also went on to say, ‘While stakeholders perceive that the city is deploying security controls to protect information assets, many processes are ad hoc or undocumented, at least in part due to lack of resources. Dedicating resources to formalize and document information security management processes would prepare the city for certification, and, more importantly, provide assurance that the city is adequately managing and protecting its information assets.’ The assessor’s recommendations were straightforward and standard: better communication of the security program, effective metrics, development of risk management, etc.
What can be inferred from this are symptoms and challenges that are seen frequently throughout cybersecurity and lead me to consider the following questions:
- Why was there such a pronounced lack of security resources to support an organization of this size?
This could be the result of several things. Perhaps the case for adequate security wasn’t being effectively made at the executive level in a way that decision makers could understand. This would be exceedingly difficult to communicate without risk management processes and metrics.
- Why were a data classification scheme and strategy not in place?
The amount of sensitive data processed, stored and transmitted by an organization of this type is significant. Everything from law enforcement information to payment information is presumably in scope. Data aggregation is extremely challenging as we all know, but we must start somewhere. It’s impossible to protect something if it hasn’t been defined as something that needs to be protected.
- Why were policies and standards so lacking?
These form the basis for any information security program and without them, guidance and, more importantly, accountability are difficult to demonstrate. Lack of adequate resources was an underlying challenge, but was it possible to leverage expertise from other business units – HR, Legal, etc.?
My takeaway from this incident is to analyze my own security program fundamentals. Are my building blocks solid? Do I have a sound foundation of people, process and technology that I am basing my security guidance and decisions upon, and are my governance and oversight capabilities sufficient to tell me whether it is?
Socrates stated that the unexamined life is not worth living. The same can be said for an effective cybersecurity program.