Just before Thanksgiving this year, as students were entrenched in virtual learning, a major ransomware attack took down Baltimore County Public School’s (BCPS) computer systems. As a result, schools closed for several days, many devices were unusable, and like any other major IT security incident, significant costs were incurred to remediate the damage. BCPS will most likely undergo an assessment to determine exactly how the incident happened and they will have to invest significantly to harden their systems and change how they operate.
Shortly after the BCPS attack, a few miles up the road, Greater Baltimore Medical Center (GBMC) experienced its own ransomware attack, which took down many of their systems. Fortunately, patient care was still mostly maintained, aside from some postponed elective care. It appears that data and operations will be back to normal in fairly short order, but there will still be costs associated with this, and certainly nobody at GBMC wants to be associated with a ransomware incident.
As we continue to see attacks on this scale and frequency it’s important to not just shake our heads at another incident and wonder what needs to change in order to stop seeing these headlines. Instead, let’s uncover what we can learn from these incidents to minimize our own risks, both personally and in our businesses.
Lesson #1 – Bad Guys Flock to Low Hanging Fruit
Unfortunately, BCPS is in a situation that many local governments and education systems face, which is a fairly low maturity when it comes to cybersecurity. While it may be tempting to chalk this up to incompetence or institutional failure, the reality is that many good people put in significant effort to do the hard work of maintenance, assessment, and upgrades to try and avoid these types of events. But sometimes, even the best efforts of good people may not be enough.
These relatively smaller government institutions often lack the resources to do the things that larger and wealthier institutions achieve with their cybersecurity plans. Several years ago, BCPS underwent audits of their IT systems, and many recommendations were made. In the response, BCPS IT leadership reported that they had implemented some of these recommendations, but not all of them, mostly due to cost.
There is only so much that can be done with limited resources, and the less you do, the more exposed you are. By extension, you will also be a more attractive target. I imagine many people reading this have had a similar experience to the one that BCPS had. You probably did some things to limit risk as a result, but not everything. Some of you may have never seen serious consequences from that, but a few of you probably have experienced the stress and pain from a major cybersecurity incident.
We all have to make choices with our limited resources. But if the consequences of an incident are severe enough to warrant it, we need to make significant investments in cybersecurity. Otherwise, we have to live with the fact that we will likely be next.
Lesson #2 – Make Sure You Have a Response Plan Before Disaster Strikes
Early in this blog I mentioned that GBMC was able to continue to provide high quality care to patients even in the midst of a major cybersecurity incident. This was only possible because they were able to anticipate a potential ransomware attack and have an operational plan to deal with it. Backup systems, both for how people work as well as systems to restore data, were in place well before the incident happened. Sadly, the healthcare sector has been dealing with the threat of cyber-attacks for a long time. So, knowing they were a high-risk target for cyber-attacks, GBMC had the foresight to implement a strong framework for compliance standards and risk management. Because they planned ahead and prepared for a security incident, GBMC created an environment where the impact of this ransomware attack is mostly inconvenience and interruption, as opposed to panic and sheer detriment.
Having a response plan goes beyond having technology in place and a cyber-insurance plan. It’s about having a team who knows what to do, including communication with staff and other stakeholders, as well as regularly revisiting these plans and running through disaster recovery exercises.
Lesson #3 – Don’t Get Too Confident
As I was writing this blog, three more high profile security incidents popped up: FireEye (a major cybersecurity player), the US Departments of Treasury and Commerce, and SolarWinds, whose tools were affected. It goes to show that you can’t even start analyzing a recent security event without hearing about a new incident. So, when you hear about new cyber-attacks, I recommend that you take the opportunity to look for information about them to better harden your own defenses, rather than point fingers or mock the victims.
For example, as I was traveling last year (pre-pandemic, of course), and news of a ransomware attack in Baltimore was making the rounds, people would talk to me and even joke about that incident as if it was only a Baltimore problem. I’m here to tell you that you are not immune to cyber-attacks, even if you are well prepared. Overconfidence leads to regrets.
Lesson #4 – Scrutinize Your Vendors and Trust Nothing
Look, there are many good technology products out there. Most vendors operate responsibly and have reasonable standards for securing and updating their products as the landscape changes and new vulnerabilities are discovered. But there is no foolproof solution.
Just because we are working with reliable vendors and products doesn’t mean that everything is perfect. Sometimes mistakes are made which could lead to a security incident. It’s hard to get things right all the time. But it only takes that one flaw to lead to an incident.
This is also why monitoring is important. Think about it. When we install cameras at a facility to watch out for intruders, it isn’t necessarily that we think the locks are broken, or the alarm system doesn’t work. The cameras are there to catch what the locks and alarms miss when those controls are pushed beyond their limits. It’s the same philosophy as having a battery backup for a server closet, or even a generator to guarantee power to a building.
Even most technology vendors don’t believe their products are foolproof, and one of the major points many will make when marketing their products is that they will work nicely with other products or monitoring solutions. They want you to have a versatile and robust system of risk management so that even if they happen to be the weak link in the chain, the consequences of an incident can be minimized.
Lesson #5 – There Are Flaws We Don’t Know About
Let’s say for the sake of argument that you are really on your game. You have implemented controls that align with a strong framework (such as NIST 800-171), maintenance is prioritized, products never hit End of Life in production, monitoring is in place, and your management is tight. Well, even with all this in place, an incident can still happen.
Every time you see one of those alerts about a discovered vulnerability, it’s not that the vulnerability itself is brand new, but rather that awareness of its existence is new. By that time, it may have already been exploited by hackers in a variety of attacks. Plus, some things may not be considered vulnerable now, but as standards change, a configuration that was previously acceptable just doesn’t cut it anymore.
We must always be vigilant and assume that attacks are coming. Being prepared is important, and we should follow all best practices to minimize our cybersecurity risks. It may not be enough to stop an attack, but it does two things: it minimizes the damage, and it proves to third parties such as auditors, customers or partners that we did the right thing to try and avoid the worst. This approach may also protect you from the most significant penalties if you are required to be compliant with some standard, as there is a difference between willful negligence and an unfortunate, uncontrollable incident.
As we learn more about the specific nature of these incidents, how they happened, what flaws were exploited, and so on, I’m sure there will be more takeaways. Chances are that a few months from now, when we are talking about another series of security incidents, the attacks will be different from these. But what doesn’t change over time is the idea that having a good approach to managing the risk associated with technology leads to the best possible outcomes, even if attacks can’t be completely stopped.