Employee Training Helps Westbrook Prevent Cyber Attacks
Westbrook town employees spent two hours in late January hearing about spoofing, phishing, malware, and ransomware. All were addressed at mandatory cyber security training designed to prevent attacks on the town’s computer systems.
The training was provided by the Connecticut Interlocal Risk Management Agency (CIRMA), a not-for-profit association that provides municipalities, school districts, and local agencies with risk management services and insurance. CIRMA is part of CCM, the Connecticut Council of Municipalities. As a member, Westbrook was able to offer the training to its staff at no cost.
“This is the first time we’ve had this kind of training here,” said Westbrook Information Technology Director Ken Butterworth. “I’ve only been here about a year, a little less, and recognized the fact that even though we have things in place from an infrastructure standpoint...one of our best defenses is an educated populace.”
The purpose of the training was to “bring us up to an awareness of what’s going on in the world,” he explained. “People get hacked at home. This education will help with that, as well.”
Recent and Local Attacks
Local public entities are particularly vulnerable to hacking, CIRMA training notes said. In October 2019, the Lower Connecticut Valley Council of Governments (RiverCOG), for which Westbrook First Selectman Noel Bishop serves as treasurer, was attacked by ransomware on the same day that Hamden Town computers were hit with malware.
“We’re still working on recovery,” said RiverCOG Executive Director Sam Gold in January.
While RiverCOG did pay the hackers a ransom through CIRMA, its insurance company, it found that the bulk of the cost was the work required afterward to recover and rebuild its system.
“What we learned is that the process of getting hacked and being subject to a ransom attack—the recovery afterwards is the most difficult and most costly portion because everything has to be gone through,” Gold explained. “Data has to be unencrypted and really you have to rebuild everything from scratch to ensure that there are no viruses or other things that were hidden in the data.”
The CIRMA training addressed hackers’ motivations for attacks and the various ways they carry them out.
Information is valuable, explained CIRMA trainer Ian Havens. On the dark web, the unregulated and unsecure part of the Internet, hackers can get around $50 for each medical record, $5 for each social security number, and $1 to $2 for each credit card number. While that might not sound like a lot of money, the information is stolen and sold in large quantities.
Employees are often contacted via email, but malware can be inserted into PDF and Word documents, which most people consider benign, according to the trainer. He suggested ensuring that documents sent by email are confirmed to be from trusted sources.
Spoofing and Phishing
Spoofing can take the form of an email, phone call, or text: It’s the automated call from the IRS, claiming the recipient is in arrears on taxes; a text message requesting a charitable contribution; or an email that appears to be from Apple support. Even a friend request on Facebook might turn out to be a bad actor posing as someone familiar who later sends or posts a request for emergency funds or a donation to a charity.
In other words, spoofing entails pretending to be someone else, someone the recipient trusts.
Phishing generally targets large numbers of people in the hope that roughly one percent will bite. Clicking on a link might install malware, a program that will lock up systems or search for and retrieve information.
A good dose of skepticism is crucial at work and at home. Hovering over a link before clicking on it will reveal the file name or URL behind it. A link purporting to open up a PDF document, for instance, might be revealed as a website—a clear indication that something is not right. Whereas names of PDF files end with “.pdf,” a file whose name ends with “.exe” is an executable program that will run on the computer when opened.
In the Hamden attack, several employees clicked on links in an email that infected their computers, according to the New Haven Register. The IT department instructed all employees to shut down their computers to prevent the virus from spreading further.
Redirecting Transactions
In another scheme, an email is sent to the payroll department, purportedly from an employee asking to have his or her banking information changed. Or, as happened to a municipality in Connecticut, a message purporting to be from a vendor provides a new transaction I.D. number for future payments. The vendor later contacted the town to ask why it hadn’t been paid in months.
These sorts of requests, suggested the CIRMA trainer, should be confirmed by phone. Alternatively, employees requesting a change to sensitive information should have to fill out a form and hand it in personally.
Instituting Policies
Towns need to institute policies so that employees know who to contact if they suspect they’ve received a suspicious email or clicked on something suspicious, the trainer suggested. Acceptable use policies make clear how employees may and may not use technology at work.
Following its October 2019 hack, RiverCOG contacted the Connecticut Division of Homeland Security and Homeland Security, as well as the state police and CIRMA, and was advised to pay the ransom.
“We host a regional election monitor [who] was using our server and she has been hacked as well,” Gold said. “[S]ince she is an election official, this is taken seriously.”
Paying a ransom can be tricky, the CIRMA trainer explained. For one thing, once paid, there’s no guarantee that the perpetrators will send the decryption key, as promised. Or they may send a key that doesn’t work, or a key that fixes part of the system and leaves another part to lock up again at a later date, when they’ll demand another ransom.
The only way to truly restore a system, the trainer said, is to wipe the system clean and restore it with a backup.
Backing up is possibly the most crucial tool for protecting computer systems, Havens said. Town leaders need to assess how much information the town can lose and continue to function: a month’s worth? A week’s? A day’s? That assessment should determine how often the system is backed up.
At the January RiverCOG board meeting, Gold discussed cyber attacks with local legislators.
“We didn’t have a legislative proposal for our legislators,” he said, “but it’s important for them to know.”
Gold is hoping, he said, “that the state can take steps to help us prevent these things from happening.”