The historic summit between North and South Korea is of course the most important security-related news of April 2018. This promising news was countered by tragicomic IT security news: not the privacy (Facebook) or security (Google Play) troubles of social media, but a big city hit twice by malware.
In April 2017 and again in March 2018, the city of Atlanta was hit by ransomware. According to a security company, the 2017 infection might have used an unpatched SMB vulnerability (the one exploited by the leaked NSA tooling that installs the DoublePulsar backdoor). In March 2018 the city was hit again, this time by SamSam, a ransomware family known since 2016 for exploiting old vulnerabilities in JBoss/Java application servers.
Mayor Keisha Lance Bottoms gave a press conference on the 22nd of March in which she stated that the system outage affected “applications that customers use to pay bills” and that “court related information” was encrypted. The SamSam group demanded a ransom of 51,000 dollars, to be paid within five days.
On the 27th of March a city press release advised employees “to turn on computers and printers for the first time since the March 22 cyber attack”. One can safely assume that five days of civil servants working without computers or printers cost the city far more in lost productivity than the ransom that was asked.
The question arises: why hadn’t they learned from the first attack? Had the IT department not investigated the cause of that attack and adjusted its security policies? The jaw-dropping answer is that they had, in a sense: an audit had been performed, but its conclusions were ignored.
The City of Atlanta publishes its audit reports for transparency of public policy. The relevant page links to the full audit report, which examined whether the city’s “Information Security Management System is ready to meet certification requirements ISO/IEC 27001:2013, the internationally recognized information security management standard”.
The conclusion of this January 2018 audit is: “The current Information Security Management System has gaps that would prevent it from passing a certification audit including: missing or outdated policies, lack of formal processes to identify, assess, and mitigate risks and incomplete measurement, reporting and communication related to risks”.
After the city went public, CSO reported that the SamSam group had taken the contact server (through which the ransom was to be paid) offline, so paying the ransom to recover from the attack no longer seemed a viable option. Can we assess what the City of Atlanta spent on IT support and remediation related to this attack?
The City of Atlanta also publishes its purchase contracts. Filtering for the purchases of the Atlanta Information Management department, the costs directly related to the ransomware attack add up to well over one million dollars (as the list below shows)!
In Mayor Keisha Lance Bottoms’s defense, it must be said that she only took office in January 2018. The purchases also show that another two million dollars were invested to prevent future failures. All too often, security only becomes a priority once the damage has been done.
The Atlanta tragicomedy is no isolated case. According to Steven Wilson, Head of Europol’s European Cybercrime Centre: “A large number of the attacks reported to the police are neither sophisticated nor advanced. Many of them work because of a lack of digital hygiene, a lack of security by design and a lack of user awareness.”